Clever Geek Handbook

Best practices for writing a secure Dockerfile

In this article, we will look at unsafe options for writing your own Dockerfile, as well as best practices, including working with secrets and building in static analysis tools. However, it is not enough to have a best practice document to write a secure Dockerfile. First of all, you need to organize a culture of coding. This includes, for example, formalizing and controlling the process of using third-party components, organizing your own Software Bill-of-Materials (SBOM), building principles for writing your own base images, consistent use of safe functions, and so on. In this case, the BSIMM maturity assessment model can serve as a starting point for organizing processes . However, this article will focus on the technical aspects.





Dockerfile

LABEL latest

latest



, , . , . :





FROM redis@sha256:3479bbcab384fa343b52743b933661335448f816
LABEL version 1.0
LABEL description "Test image for labels"

LABEL, , . LABEL securitytxt



.





LABEL securitytxt="https://www.example.com/.well-known/security.txt"

security.txt , . , . .





apt-get upgrade



, yum update



, , . , , . , . Software Composition Analysis (SCA).





:





RUN apt-get install cowsay=3.03+dfsg1-6

cowsay=3.03+dfsg1-6



libcowsay



, .





curl wget ( "-", ). Zero trust, ( ). , , :





RUN wget http://somesite.com/some-packet/install.sh | sh

, , , GNU Privacy Guard (GPG). , .





-, . - GPG, . , Node.js:





RUN gpg --keyserver pool.sks-keyservers.net \
--recv-keys 7937DFD2AB06298B2293C3187D33FF9D0246406D \
            114F43EE0176B71C7BC219DD50A3051F888C628D

ENV NODE_VERSION 0.10.38
ENV NPM_VERSION 2.10.0
RUN curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/node-v \
$NODE_VERSION-linux-x64.tar.gz" \
&& curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/\SHASUMS256.txt.asc" \
&& gpg --verify SHASUMS256.txt.asc \
&& grep " node-v$NODE_VERSION-linux-x64.tar.gz$" SHASUMS256.txt.asc | sha256sum -c -

, :





  1. GPG-





  2. Node.js





  3. - Node.js SHA256





  4. GPG- , - ,





  5. , - sha256sum





, , . , , .





deb rpm. GPG, - .





GPG- .





RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 \
--recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
RUN echo "deb http://nginx.org/packages/mainline/debian/\
jessie nginx" >> /etc/apt/sources.list

, , .





SHA256:





RUN curl -sSL -o redis.tar.gz \
http://download.redis.io/releases/redis-3.0.1.tar.gz \
&& echo "0e21be5d7c5e6ab6adcbed257619897db59be9e1ded7ef6fd1582d0cdb5e5bb7 \
*redis.tar.gz" | sha256sum -c -

ADD

ADD



, , . , , zip- . zip- (DoS) , .





ADD



, URL , , "-":





ADD https://cloudberry.engineering/absolutely-trust-me.tar.gz

COPY



, , SCA .





USER Dockerfile

, shell , root', . , USER



. , root .





RUN groupadd -r user_grp && 
useradd -r -g user_grp user
USER user

gosu sudo

gosu , root Dockerfile , .





chown



entrypoint-, root, - redis.





#!/bin/bash
set -e
if [ "$1" = 'redis-server' ];
  then
    chown -R redis . 
    exec gosu redis "$@"
  fi
exec "$@"

- , sudo su, gosu fork , :





$ docker run -it --rm ubuntu:trusty su -c 'exec ps aux'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  46636  2688 ?        Ss+  02:22   0:00 su -c exec ps a
root         6  0.0  0.0  15576  2220 ?        Rs   02:22   0:00 ps aux
$ docker run -it --rm ubuntu:trusty sudo ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  3.0  0.0  46020  3144 ?        Ss+  02:22   0:00 sudo ps aux
root         7  0.0  0.0  15576  2172 ?        R+   02:22   0:00 ps aux
$ docker run -it --rm -v $PWD/gosu-amd64:/usr/local/bin/gosu:ro ubuntu:trusty gosu root ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   7140   768 ?        Rs+  02:22   0:00 ps aux

, . , gosu sudo, fork' Linux PAM pam_open_session()



 pam_close_session()



. gosu sudo .





Distroless images

Linux- (Ubuntu, Debian, Alpine) Disroless-. , (, bash). , , . "" Trivy, Clair .





, , . , , UNIX- Alpine. , , , .





:





, multi-stage , . .





Docker-slim, .





ENV



. wget. , . , , API Docker:





# docker inspect ubuntu -f {{json .Config.Env}}
["SECRET=mypassword", ...]

, /proc



. Vault, , HashiCorp Vault Conjur, .





(multi-stage) , . - , . .





#builder
FROM ubuntu as intermediate

WORKDIR /app
COPY secret/key /tmp/
RUN scp -i /tmp/key build@acme/files .

#runner
FROM ubuntu
WORKDIR /app
COPY --from=intermediate /app .

- , .





BuildKit

Docker 18.09 BuildKit, , .





:





# syntax = docker/dockerfile:1.0-experimental
FROM alpine

# shows secret from default secret location
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecre

# shows secret from custom secret location
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar

buildkit --secret



.





:





$ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt .

Docker.





, , . , .dockerignore



. .git



, .aws



, .env



. 





COPY . .

- Twitter Vine. 2016 DockerHub vinewww, Vine, API .





Dockerfile

Dockerfile, . :





  • Hadolint





  • Conftest





Hadolint - Dockerfile. security Docker (). .





Conftest - , Dockerfile. Dockerfile Rego, , , Open Policy Agent . , . Conftest , , . .





. :





Docker.





Dockerfile Pentest-in-Docker. . - debian:wheazy



, Debian, Bash, (RCE). www-data, reverse-shell. - sudo, www-data root . USER



Dockerfile - - root , API Docker.





  • DevSecOps Wine -





  • DevSecOps Chat - , DevSecOps





  • AppSec Chat - ,





  • Docker Security Best Practices from the Dockerfile





  • 10 Docker Security Best Practices





  • Docker Security. Using Containers Safely in Production





  • Liz Rice. Container Security: Fundamental Technology Concepts that Protect Containerized Applications.















More articles:


All Articles