Post-Image

Advanced Docker Tips: Pt.1 - Dealing with pre-built docker images.

With the increasing use of docker in cloud environments, I decided to write down some of my experiences and knowledge that I’ve gained from the work I’ve done and that I’ve seen others I work with do. If you are racking your brain out on your production docker project, stop. I’ve already done that for you in this series of articles.

Pre-built Images

You can find an assortment of pre-built and tested images on Docker Hub and other public registries that come with all the pre-installed tools you will need. While the mainstream images are updated regularly, they generally don’t get updated every time a critical security patch becomes available. While the non-mainstream images only get updated when the core application changes. OS patching is generally missed and is the most significant security issue with using docker images. I have seen 3-year-old images get used in production without any modification.

Do not use a docker image from a registry without performing your own OS updates. You will want to create a Dockerfile that references the pre-build image in the FROM line, then use a package manager to install all available updates. Use the most current pre-built image as there will be fewer updates to install and keep your image small.


Updates

Each distribution uses a different package manager, so the steps to install updates will differ between distribution. You will need to figure out what distribution your base image is using and what package manager it provides.

No matter what platform you are using, you will want to perform these three main steps.

  1. Checks for updates
  2. Install updates
  3. Remove any cached files

Below is an example of patching on a Ubuntu-based image using the apt package manager. I include this example as it is quite involved compared to other package managers. Apt isn’t designed to clean up after itself.

 RUN apt-get update -qq \          # Get an updated list of available packages
     && apt-get upgrade -y \       # Install any available patches
     && apt-get clean \            # Clean up
     && rm -rf /var/cache/apt/archives/* \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
     && truncate -s 0 /var/log/*log

You may have noticed I am using a single RUN command. That is because I want to perform all of the steps within the same layer to keep the image size as small as possible.

With all of the above changes, you might think that will solve all of your problems, but you would be mistaken. In the next article, I explain how docker handles these updates and how caching will solve the issues that arise from the above changes.

 

About James MacGowan

James started out as a web developer with an interest in hardware and open sourced software development. He made the switch to IT infrastructure and spent many years with server virtualization, networking, storage, and domain management.
After exhausting all challenges and learning opportunities provided by traditional IT infrastructure and a desire to fully utilize his developer background, he made the switch to cloud computing.
For the last 3 years he has been dedicated to automating and providing secure cloud solutions on AWS and Azure for our clients.

Share This Article

Comments