Creating Secure Docker Images

Introduction to Docker

Tim Sangster

Software Engineer @ DataCamp

Inherent Security

A compromised container can access the host if it breaks out of the virtualization layer.

Making secure images

Attackers can exceptionally break out of a container.

Additional security measures can lower this risk

Becomes especially important once exposing running containers to the Internet.

Images from a trusted source

Creating secure images -> Start with an image from a trusted source

Docker Hub filters:

Docker Hub has three Trusted Content filters, Docker Official Images, Verified Publisher images and Sponsored OSS images

Keep software up-to-date

Even the super popular Ubuntu image was only updated 14 days ago. The also extremely popular mariaDB image was updated over a month ago.

Keep images minimal

Adding unnecessary packages reduces security

Ubuntu with:

Python2.7
Python3.11
Java default-jre
Java openjdk-11
Java openjdk-8
Airflow
Our pipeline application

Installing only essential packages improves security

Ubuntu with:

Python3.11
Our pipeline application

Don't run applications as root

Allowing root access to an image defeats keeping the image up-to-date and minimal.

Instead, make containers start as a user with fewer permissions:

FROM ubuntu # User is set to root by default.
RUN apt-get update
RUN apt-get install python3
USER repl # We switch the user after installing what we need for our use-case.
CMD python3 pipeline.py

Let's practice!

Introduction to Docker