1. Creating Secure Docker Images
Containers don't make everything automatically secure. Let's look at what security containers give us inherently and where we still need to be vigilant.
2. Inherent Security
Docker inherently provides more security than running applications locally because there is an extra layer of isolation between the application and our operating system.
This makes it much safer to open an application or archive from an unknown source in a container than to do the same on your local machine.
However, that doesn't mean it is 100% safe to do so. A malicious payload can escape the container's isolation and infect the host.
3. Making secure images
Attackers breaking out of a container to the host operating system is the main risk of using containers. Docker and other container providers spend extensive resources on making their containers as secure as possible.
Additionally, there are several things we, the creators and users of images and containers, can do to make both more secure.
The safety measures we'll be discussing next might seem like they won't do much if we're just sharing images with colleagues or using them to run workloads locally. However, a widespread use case for images is running them on remote machines and allowing external access, for example, to run a database or a pipeline in a production environment. It is in those scenarios that the following safety measures become critical.
4. Images from a trusted source
The first step to creating a secure image is choosing the right image to start from. Anybody on the Internet can provide images for us to use or build on top of. However, using images from an untrusted source is a security risk.
The official Docker Hub registry provides thousands of images and allows the filtering of Trusted Content in three different ways. All three Trusted Content filters will give us images we consider safe for most use cases.
5. Keep software up-to-date
Even images downloaded from the official Docker Hub Repository aren't always up-to-date. Applications release updates all the time, and even operating system updates aren't incorporated into images the minute they are released.
In the slide, you can see the extremely popular Docker Official Images Ubuntu and MariaDB, which were updated two weeks and a month ago. While it could be the case that no safety-related updates have been made to anything installed in these images since then, best practice is to update the software in images to its latest version ourselves.
6. Keep images minimal
What's better than ensuring all software in our image is updated? Having less of it. There is no safer piece of software than one we haven't installed. When creating a secure image, ensure you only install the software you need for its current use case. This also means we will have to keep less software up to date.
7. Don't run applications as root
All previous measures are of little use if we allow anybody who gets access to a container to install anything they want.
The solution is not to leave the user in our images as root. We often need to install and configure applications as root; after that, the user in our image should be changed to a user with fewer permissions.
If, for example, we change the user before the CMD instruction that starts our pipeline, we ensure that any malicious code in the pipeline does not have root access in our container.
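The four measures from sections 4 to 7 combined in one Dockerfile, as an added example that is not from the original course material. The base image tag, the `python3` package, the `pipeline` user name and the `pipeline.py` script are assumptions chosen for illustration.

```dockerfile
# Added example. Image tag, package, user name and script name are assumptions.

# Section 4: start from a Docker Official Image on Docker Hub
# instead of an image from an unknown publisher.
FROM ubuntu:24.04

# Sections 5 and 6: bring the packages shipped in the base image up to date,
# then install only what the pipeline needs. --no-install-recommends keeps
# optional extras out, and removing the apt lists keeps the layer small.
# These steps need root, which is the default user at this point.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends python3 \
 && rm -rf /var/lib/apt/lists/*

# Section 7: while still root, create an unprivileged user with no login shell.
RUN useradd --create-home --shell /usr/sbin/nologin pipeline

# Copy the workload and hand ownership to the unprivileged user.
COPY --chown=pipeline:pipeline pipeline.py /home/pipeline/pipeline.py

# Switch away from root before CMD, so the pipeline and anything it
# executes run without root access inside the container.
USER pipeline
WORKDIR /home/pipeline

CMD ["python3", "pipeline.py"]
```

After building, `docker run --rm <image> id` should report the `pipeline` user rather than `uid=0(root)`.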
8. Let's practice!
Keeping these best practices in mind will put you on the right track to safely working with Docker. Let's practice.