Containers are the industry standard. They are a unit of software that packages up an application’s code and all its dependencies for it to run reliably from one environment to another. More specifically, a Docker container image is used as a stand-alone, lightweight software package with everything needed to run your application.
Organizations from banking to e-commerce want to learn more about how containers are used in their applications. They are focused on moving from more manually-based IT tasks to software applications. Containers help enable many processes on this software, such as automating the test, configure, and runtime operations. They are the leading choice to run microservices-based applications and are used in platforms like AWS, ECS, and Kubernetes. To help you better understand and work with containers, we’ve compiled a list of 10 security and performance best practices for Docker Containers.
Choose images with the fewest possible OS libraries and tools to minimize the attack surface and risk to containers.
Create a dedicated user and group on the image with minimal permissions to run the application. Use the same user to run the process.
For example, the Node.js image that has a generic Node user built-in:
FROM node: 10-alpine
CMD node index.js
Based on the way containers are designed, i.e., to run immutable code, they have the advantage of consuming fewer resources and starting faster than a traditional application server. Its escalation and resilience mechanism is based on the speed with which instances can be created and destroyed, and the load derived from them.
If a Docker instance is used to store information, it will not be available in case of load balancing in another instance. This is something that the platform can do automatically when and if it needs to. If it scales by consumption, the information will be lost when destroying and restarting the container. This is also something that the platform can do automatically when it detects failures in order to keep the system available. This also makes storing information in a Docker instance risky.
Instead, Docker allows information to persist in external stores such as databases or online services. It also supports the ability to mount persistent volumes. However, it is good to keep in mind that it generates performance problems and decreases the quality of the application design. For those reasons, mounting persistent volumes is a practice that should be avoided and should only be used as a last resort.
When relying on docker images, it is essential to confirm that the image being used is the image the editor put in and that no one has manipulated it. Always verify the authenticity of the images you click.
As part of your continuous integration, you should scan your Docker images for any known vulnerabilities. You can use Snyk, an open-source tool, to do this. Snyk will look for security vulnerabilities in open-source application libraries and Docker images.
How to use Snyk to scan Docker images:
$ snyk test –docker node: 10 –file = path / to / Dockerfile
Use Snyk to monitor and alert on recently disclosed vulnerabilities in a docker image:
$ snyk monitor –docker node: 10
It is easy to accidentally leak tokens and keys in images when compiling. To ensure safety, follow these guidelines:
Docker image owners can push new versions to the same tags, leading to inconsistent images during builds and making it difficult to track whether a vulnerability has been fixed. Fixed labels can mitigate this problem.
Random URLs used for ADD could lead to malicious data sources or MITM attacks. Additionally, ADD can unpack local files, which may not be expected and lead to path and Zip Slip vulnerabilities. Instead, use COPY, unless ADD is specifically required.
Using multi-stage builds to produce smaller, cleaner images will minimize the attack surface for clustered docker image dependencies.
Use Hadolint Linter, a static code analysis tool, to automatically apply Dockerfile best practices. This will detect problems and alert you when they are found in a Dockerfile.
Understanding containers is critical when you are automating your applications. By following these best practices, you will ensure that your containers not only perform optimally but are also as secure as possible.
2018, Cryptoland Theme by Artureanec - Ninetheme