Over a long time working with containers, I have learned many tips and tricks about good practices for building a good image. Today I hear many DevOps professionals talking about Kubernetes, clusters, Rancher, and so on,
and forgetting the base of any cluster: a well-built image that follows a minimum set of best practices. In this article I try to explain and show some things you can do to achieve this.
Best Practice
Let's discuss the concept of best practices, which is common in the technology industry. We have encountered this term many times in the various services and tools we use. Adhering to best practices lets you follow a set of steps that many developers have already gone through (and even suffered through 😂), so they know what constitutes a good practice. The beauty of open source is that you can find well-written documentation that serves as an excellent example.
Using best practices for building containers can be confusing at first, but let's break it down into just 3 parts:
1. build small containers with only what is needed;
2. focus on security;
3. consider using a linter and a security scanner for extra vigilance.
My goal is to present a practical approach to container best practices, including demonstrations of specific tools and instructions on how to use them.
1 — Build a Small Container
Building a small container is the first step towards a best practice. Working with a small image helps you in many situations: better performance, improved security, shorter build times, and of course a smaller image size. But how can I do this?
It is very simple: start from an official base image from the Docker Hub repository:
There you can find the official images for any language, service, or system you need. For example, if I build an image for my Python code, I just take the official Python image. Here is an example of how to search for a good image for you:
Working with Alpine images is great: your images do what you need and are very small and fast. Just try them.
2 — Focus on Security
Talking about security with containers can be a challenge today. Many DevOps engineers and developers create images without starting from official images, and using official images in your application helps you prevent many security issues. But using official images alone cannot prevent every problem: most companies start using an image and then never upgrade it. For example, I worked for a company that used an official Ubuntu image, but at version 12.04 (this version is no longer supported), and the security risk of that is very high.
But how can I keep my images secure?
- Always use official images (Python, Ubuntu, NodeJS, etc…);
- Keep your images updated;
- Always run a security scan on your images (I use Trivy; it is open source and works very well. Basically this tool generates a report of the security issues found in your image):
An example using the docker command (the scan exits with code 1 when a HIGH severity finding is present):
docker run -u 0 --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --exit-code 1 --severity HIGH imagename:latest
- Non-root access: one of the most important practices, and one that often ends up being forgotten nowadays;
- NEVER EVER HARDCODE CREDENTIALS OR TOKENS IN YOUR IMAGE (OR IN YOUR REPO)!
- Use multi-stage builds where necessary;
- Always apply least privilege to whoever needs access to the image (always work with a private repository);
- If you and your company are serious about security, consider using Cosign to keep your images signed (example here).
3 — Use a linter and security scan
In the section above I explained the importance of running a security scan on your images with Trivy, but if you want to keep a good image I also recommend running a linter. In my current setup I use Hadolint, an excellent tool for finding improvements to your Dockerfile,
for example: don't use many RUN commands in your Dockerfile.
A simple example of how to use Hadolint:
docker run --rm -i hadolint/hadolint < Dockerfile
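As an added example (not code from the original article), here is a small shell pre-build gate that turns the advice from sections 2 and 3 into something you can run in CI: it audits a Dockerfile for an unpinned base image, credentials baked in with ENV or ARG, back-to-back RUN layers and a missing non-root USER, and then, only when a Docker daemon is reachable, runs Hadolint and Trivy with the commands from this article (long flags spelled with two dashes). The two Dockerfiles are constructed inline as the "before" and "after" of the advice above (pinned Alpine base, multi-stage build, dedicated user, no secrets); the image name, the placeholder token and the RUN_GATE variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's own code: a pre-build gate that applies the
# article's checks to a Dockerfile, then runs Hadolint and Trivy if docker is up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before" Dockerfile: untagged base, hardcoded token, root, two RUNs.
BAD="$WORK/Dockerfile.bad"
cat > "$BAD" <<'EOF'
FROM python:latest
ENV API_TOKEN=hardcoded-placeholder-token
RUN pip install --no-cache-dir requests
RUN pip install --no-cache-dir flask
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]
EOF

# Constructed "after" Dockerfile: pinned Alpine base, multi-stage build,
# one RUN per stage, dedicated non-root user, no secrets baked in.
GOOD="$WORK/Dockerfile.good"
cat > "$GOOD" <<'EOF'
FROM python:3.12-alpine AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.12-alpine
RUN addgroup -S app && adduser -S -G app app
COPY --from=build /install /usr/local
COPY --chown=app:app app.py /app/app.py
USER app
CMD ["python", "/app/app.py"]
EOF

# audit_dockerfile FILE: print each finding on stderr, echo the count on stdout.
audit_dockerfile() {
    awk '
        # Rule 1: every FROM must carry a tag, and that tag must not be "latest".
        toupper($1)=="FROM" {
            img=$2
            if (img !~ /:/ || img ~ /:latest$/) {
                print ("FINDING line " NR ": base image not pinned (" img ")") > "/dev/stderr"; n++
            }
            user=""   # a new stage starts as root again
        }
        # Rule 2: ENV/ARG lines that assign something that looks like a credential.
        toupper($1) ~ /^(ENV|ARG)$/ && toupper($0) ~ /(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*=./ {
            print ("FINDING line " NR ": credential baked into image: " $0) > "/dev/stderr"; n++
        }
        # Rule 3: consecutive RUN instructions add layers; merge them with &&.
        toupper($1)=="RUN" && prev=="RUN" {
            print ("FINDING line " NR ": consecutive RUN instructions") > "/dev/stderr"; n++
        }
        toupper($1)=="USER" { user=$2 }
        NF { prev=toupper($1) }
        END {
            # Rule 4: the final stage must switch to a non-root user.
            if (user=="" || user=="root" || user=="0") {
                print "FINDING: final stage runs as root (no non-root USER)" > "/dev/stderr"; n++
            }
            print n+0
        }
    ' "$1"
}

# gate_image DOCKERFILE IMAGE: the article's Hadolint and Trivy commands, run
# only when a Docker daemon answers; non-zero exit on lint errors or HIGH/CRITICAL CVEs.
gate_image() {
    dockerfile="$1"; image="$2"
    if ! docker info >/dev/null 2>&1; then
        echo "docker daemon not reachable; skipping hadolint/trivy" >&2
        return 0
    fi
    docker run --rm -i hadolint/hadolint < "$dockerfile"
    docker run -u 0 --rm -v /var/run/docker.sock:/var/run/docker.sock \
        aquasec/trivy image --exit-code 1 --severity HIGH,CRITICAL "$image"
}

echo "before: $(audit_dockerfile "$BAD") finding(s)"    # prints 4
echo "after:  $(audit_dockerfile "$GOOD") finding(s)"   # prints 0

# Set RUN_GATE=1 to also run the container-based tools against a built image
# (image name "myapp:1.0.0" is an assumed placeholder).
if [ "${RUN_GATE:-0}" = 1 ]; then
    gate_image "$GOOD" "myapp:1.0.0"
fi
```

The static audit is deliberately a small subset of what Hadolint checks; its value is that it runs anywhere, so the four findings above (unpinned base, embedded token, extra RUN layer, root user) fail the build before an image is ever pushed to a registry, and the container-based Hadolint and Trivy steps then catch the rest.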
Conclusion
Of course, nothing I'm writing here is mandatory, but it can help many DevOps engineers, developers, and container lovers build a good image with the minimum best practices. If you want to learn more about containers and best practices, always use the documentation.
I hope this helps everyone and keeps your image updated 😁🐳!