With the growing adoption of public cloud services, Docker containers have become a popular way to develop and deploy new applications. The numbers back up the fact that Docker adoption is growing: Docker Index reported 11 billion pulls in July 2020.[1] Docker gives developers an easy way to package, deploy and run their applications in a consistent manner. While the numbers prove the adoption, let's look at best practices for leveraging your container environment while keeping it secure.
By default, Docker runs the container process as the root user. If your service has no reason to hold root privilege, it is recommended to create a non-root user to minimize exposure. You can switch to that user with the USER instruction in your Dockerfile. If the user does not already exist in the base image, don't forget to create it inside the Dockerfile before the USER instruction.
For example, in an Ubuntu image you can create a non-root user and run as that user with the following:

    RUN useradd -rm -d /home/nonroot -s /bin/bash -g root -G sudo -u 1001 nonroot
    USER nonroot
    WORKDIR /home/nonroot
Trust is a real concern when pulling an image from a registry. To have the Docker client verify image signatures before pulling, set the DOCKER_CONTENT_TRUST environment variable to 1. With this setting, users only work with signed images. Organizations can sign their images during the release process and verify them at pull time.
$ export DOCKER_CONTENT_TRUST=1
Minimizing images not only reduces their size and enables faster deploy times; a smaller image also has a smaller attack surface, because less software is exposed inside the container. Don't forget to use multi-stage builds and to remove the package manager cache to reduce the size further.
Docker Hub hosts over 7 million repositories.[2] With that many options, it is easy to pull a poorly written base image. To avoid unwanted consequences, it is important to use trusted, secure images.
Unfortunately, there are widespread vulnerabilities when it comes to using pre-built Docker images. Using image scanning tools is highly recommended to quickly identify and fix vulnerabilities. Implement a policy to enforce frequent image scanning. With tools like Clair or Snyk you can integrate the image scanning process in your CI/CD pipeline.
You can also leverage Amazon ECR image scanning to scan your Docker container images against Common Vulnerabilities and Exposures (CVEs). You can check our previous blog post on Container Image Scanning with Amazon ECR to learn how to configure, assess and store image findings on AWS easily.
Avoid using the latest tag for your base image. As the image changes over time, the latest tag might cause inconsistencies and introduce breaking changes into your environment. Use the most specific version tag available for the image. Also, do not forget to pin fixed versions when installing packages with package managers, so that builds are deterministic.
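The following Dockerfile is an added example that is not part of the original post; it combines the practices above (non-root user, pinned base image tag, pinned dependencies, multi-stage build, no package manager cache) for an assumed Python web service. The base image tag, application name and port are assumptions to replace with the versions you have verified.

```dockerfile
# Added example, not code from the original post. Tag, app name and port are assumptions.

# ---- build stage: only here do we need build tooling ----
# Pinned tag instead of "latest" so the build is reproducible.
FROM python:3.11.4-slim-bookworm AS build
WORKDIR /build
# requirements.txt is expected to pin exact versions (package==x.y.z).
COPY requirements.txt .
# --no-cache-dir keeps the pip cache out of the layer.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# ---- runtime stage: minimal image, no compilers or build caches ----
FROM python:3.11.4-slim-bookworm
# Drop the apt lists in the same layer so they never land in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends tini \
 && rm -rf /var/lib/apt/lists/*
# Dedicated non-root user and group with a fixed UID/GID, no sudo, no root group.
RUN groupadd -r -g 1001 app \
 && useradd -r -g app -u 1001 -d /home/app -m -s /usr/sbin/nologin app
# Bring in only the installed dependencies from the build stage.
COPY --from=build /install /usr/local
# Application files are owned by the app user, not root.
COPY --chown=app:app . /home/app
WORKDIR /home/app
# Every instruction after this line, and the container process, runs as app.
USER app
EXPOSE 8000
ENTRYPOINT ["tini", "--"]
CMD ["python", "-m", "app"]
```

After building, `docker run --rm <image> id -u` should print 1001, confirming the process is not running as root.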
An AWS Certified Developer Associate, Burak is an experienced software engineer. With his experience in various industries including global technology companies, he follows his passion for going beyond the limits to build excellent products with collaboration and knowledge sharing.