Optimizing Container Security: Crafting Lean and Secure Images

Unlock the Secrets to Lightweight & Robust Container Deployments

Developing lean and secure container images is essential. This process involves implementing several best practices that are designed to reduce the attack surface and enhance performance. Such practices are crucial for maintaining the security and efficiency of container-based applications, a key concern in modern software deployment strategies. Let’s dive into them with 9+1 practical examples!

As a follow-up to my previous article about The Rise of Containerization, I decided to put together a list of principles worth following when building a docker image.

A Dockerfile is basically a script containing a series of instructions on how to build a Docker image. Below are the 9+1 principles I follow when writing a Dockerfile to ensure my container images are lean & secure.

1. Use Specific Versions in Dependencies: Specify exact versions for your base image and any dependencies. This practice avoids unexpected updates that could introduce vulnerabilities or compatibility issues.

FROM node:21-alpine
RUN npm install express@4.18.2

2. Avoid Running as Root: Design your container to run as a non-root user. Running as root can be a major security risk, as it grants the container elevated privileges that can be exploited.

RUN adduser -D resourcefulswe
USER resourcefulswe

3. Leverage cache mechanisms to your advantage: Layers in Docker represent the modifications made by each build step, built upon the layer created by the previous step in the Dockerfile. In Docker, if a build step in the Dockerfile has not changed since the last build, Docker will reuse the existing layer created for that specific step. As a result, for subsequent steps, Docker will base its operations on this pre-existing layer instead of generating a new layer for each build. This reuse of layers is a key optimization in Docker's build process, avoiding unnecessary duplication and reducing build times. Therefore order of instructions does matter to Docker's caching mechanism. Make sure you place instructions that change less frequently (like copying & installing dependencies) at the top makes a difference.

COPY package.json yarn.lock ./
RUN yarn install
COPY . .

4. Minimize Layers: Combine commands into a single RUN instruction where it makes sense, to reduce the number of layers, making the image smaller and more efficient.

RUN apt-get update
RUN apt-get install -y package1
RUN apt-get install -y package2

RUN apt-get update \
 && apt-get install -y package1 package2 \ 
 && rm -rf /var/lib/apt/lists/*

Note how the above example cleans up the apt cache as well, as it does not make any sense to keep a cache within the Docker image - that will not be reused.

5. Use specific base images: Start with the smallest and most relevant base image to reduce the overall size and potential attack surface. As an example an alpine flavor of the image will be much smaller compared to a Debian version. But be careful with alpine, sometimes it may cause you additional headaches: with Python you may see compatibility issues. This is due to Python library dependencies on binaries written in C/C++ that depend on system standard libraries most commonly glibc (GNU C Library). Alpine does not use glibc, but musl libc which is designed to by lightweight, but all dependencies using glibc must be recompiled from the the source.

6. Clean Up as You Go: Remove unnecessary files and packages within the same RUN instruction to keep the image size down. A good example would be the same used for minimizing layers or using --no-cache-dir with the pip install command .

RUN pip install --no-cache-dir -r requirements.txt

7. Use Multi-Stage Builds: Multi-stage builds in Docker allow you to use one image as a building environment and another as a lean runtime environment. This approach helps to keep your production images free of unnecessary build dependencies and to reduce the attack-vector.

FROM node:14 as builder
COPY . /app
WORKDIR /app
RUN npm install && npm run build

FROM nginx:alpine
COPY --from=builder /app/build /usr/share/nginx/html

8. Scan for Vulnerabilities: Regularly scan your container images for vulnerabilities using tools like Trivy, Clair, or Docker's own scanning capabilities. This helps you identify security issues promptly. Make sure to automate the scanning process - scan after image build and scan production images regularly.

9. Keep Images Up to Date: To mitigate or even prevent vulnerabilities ensure you regularly update your images to include the latest security patches. Automate this process as much as possible to ensure timely updates.

10. Documentation: This is my +1. I apply the general principles for Dockerfiles as well: Make sure to document key decisions, how the container should be configured, and what environment variables it uses to save some headaches for your future self & fellow maintainers.

These principles are important because they ensure that the Docker images are efficient, secure, and maintainable.