I'm diving into building a Docker image that prioritizes security. I know the basics, like not running as root and minimizing the attack surface. Using a non-privileged user is pretty straightforward, but it's crucial to implement this from the beginning rather than de-escalating privileges with tools like Gosu. I'm considering using a distroless base image to keep things simple, but I'm also aware that I can't include a shell since that's a security no-no. Instead, I want to implement necessary setups with a statically compiled binary in a language like Go or Rust. Regular patching seems essential as well. I'm curious if others agree with this approach and if there are any other important factors I should keep in mind?
5 Answers
Two main points to consider: First, an effective secure image often needs at least two types of users - one for the app and another for read-only access. Second, while distroless or scratch images are great, vulnerabilities could still lurk in the build dependencies, so regular checks are necessary.
Using multistage builds can really help! You can run installation scripts in one stage and keep your final image clean by only copying over what's necessary.
Good point, but consider cases like setting up a database where you'd want to include a shell script for user and database creation. That complicates it a bit.
If security is your prime concern, take a look at using Apptainer instead of Docker. It has some special advantages for high-performance computing environments.
I’m curious about that! Why do you think Apptainer is a better fit for security?
Don't forget about seccomp profiles! Along with using a non-root user, applying profiles can restrict system calls the container can make, effectively acting as a firewall for your application’s system calls.
Starting from scratch can be a solid approach. Just remember that distroless and minimal images might still inherit vulnerabilities from their base layers. Continuous scanning and patching are essential to maintain security.
Absolutely! Consistent rebuilding and updates are key. By the way, what’s Echo? Is there a link to check it out?
I feel you on that! While you might not need two distinct users, having different file ownerships can protect your container better.