In this article we will look at insecure options when writing your own Dockerfile, as well as best practices, including working with secrets and building in static-analysis tools. However, it is not enough to simply have a best-practices document for writing secure Dockerfiles. First of all, you need to establish a coding culture. This includes, for example, formalizing and controlling the process of using third-party components, maintaining your own Software Bill of Materials (SBOM), establishing principles for writing your own base images, consistent use of safe functions, and so on. In this regard, the BSIMM maturity assessment model can serve as a starting point for organizing the process. This article, however, will focus on the technical aspects.
Dockerfile
LABEL latest
latest
FROM redis@sha256:3479bbcab384fa343b52743b933661335448f816
LABEL version 1.0
LABEL description "Test image for labels"
LABEL securitytxt
LABEL securitytxt="https://www.example.com/.well-known/security.txt"
apt-get upgrade
yum update
Software Composition Analysis (SCA).
RUN apt-get install cowsay=3.03+dfsg1-6
cowsay=3.03+dfsg1-6
libcowsay
curl, wget. Zero trust:
RUN wget http://somesite.com/some-packet/install.sh | sh
GNU Privacy Guard (GPG).
GPG. Node.js:
RUN gpg --keyserver pool.sks-keyservers.net \
--recv-keys 7937DFD2AB06298B2293C3187D33FF9D0246406D \
114F43EE0176B71C7BC219DD50A3051F888C628D
ENV NODE_VERSION 0.10.38
ENV NPM_VERSION 2.10.0
# download the tarball and the signed checksum list, verify the signature,
# then check the tarball's SHA-256 against the signed list
RUN curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.gz" \
&& curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
&& gpg --verify SHASUMS256.txt.asc \
&& grep " node-v$NODE_VERSION-linux-x64.tar.gz$" SHASUMS256.txt.asc | sha256sum -c -
GPG-
Node.js
- Node.js SHA256
GPG- , - ,
, - sha256sum
deb, rpm. GPG.
RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 \
--recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
RUN echo "deb http://nginx.org/packages/mainline/debian/\
jessie nginx" >> /etc/apt/sources.list
SHA256:
RUN curl -sSL -o redis.tar.gz \
http://download.redis.io/releases/redis-3.0.1.tar.gz \
&& echo "0e21be5d7c5e6ab6adcbed257619897db59be9e1ded7ef6fd1582d0cdb5e5bb7 \
*redis.tar.gz" | sha256sum -c -
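As an added example (not from the original article), here is the same fail-closed SHA-256 check as a standalone shell function, run against a constructed file so it works offline; the file names and the temporary directory are hypothetical:

```shell
#!/bin/sh
# Added example, not from the original article: the fail-closed SHA-256 check
# used in the Dockerfile above, as a standalone function with a constructed
# input. File names and the temp directory are hypothetical.

# verify_sha256 <file> <expected-hex>
# Returns 0 when the file's SHA-256 equals the pinned digest, 1 otherwise.
# Same idiom as the RUN line: feed "<digest> *<file>" to sha256sum -c.
verify_sha256() {
    echo "$2 *$1" | sha256sum -c - >/dev/null 2>&1
}

# fetch_and_verify <file> <expected-hex>
# Stand-in for "curl ... && sha256sum -c": keeps the file only if it verifies.
# In a Dockerfile the same mismatch aborts the build because of the && chain.
fetch_and_verify() {
    if verify_sha256 "$1" "$2"; then
        echo "ok: $1 matches the pinned digest"
        return 0
    fi
    echo "ABORT: $1 does not match the pinned digest" >&2
    rm -f "$1"      # never leave an unverified artifact behind for a later step
    return 1
}

# Constructed sample: the "download" is the 5-byte string "hello", whose
# SHA-256 is the well-known value below (our pinned digest).
PINNED="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
TMP="${TMPDIR:-/tmp}/sha256-demo.$$"
mkdir -p "$TMP"
printf 'hello' > "$TMP/good.tar.gz"
printf 'hellO' > "$TMP/tampered.tar.gz"    # one byte changed in transit

fetch_and_verify "$TMP/good.tar.gz" "$PINNED"               # ok
fetch_and_verify "$TMP/tampered.tar.gz" "$PINNED" || true   # ABORT, file removed
```

The point of the `&&` chain in the Dockerfile is that a mismatch stops the layer from being built at all; the function above mirrors that by deleting the unverified file so no later step can unpack it by accident.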
ADD
zip (DoS).
ADD
URL:
ADD https://cloudberry.engineering/absolutely-trust-me.tar.gz
COPY
SCA.
USER Dockerfile
shell, root. USER.
RUN groupadd -r user_grp && \
useradd -r -g user_grp user
USER user
gosu sudo
gosu, root, Dockerfile.
chown
entrypoint, root, redis.
#!/bin/bash
set -e
if [ "$1" = 'redis-server' ];
then
chown -R redis .
exec gosu redis "$@"
fi
exec "$@"
sudo, su, gosu, fork:
$ docker run -it --rm ubuntu:trusty su -c 'exec ps aux'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 46636 2688 ? Ss+ 02:22 0:00 su -c exec ps a
root 6 0.0 0.0 15576 2220 ? Rs 02:22 0:00 ps aux
$ docker run -it --rm ubuntu:trusty sudo ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 3.0 0.0 46020 3144 ? Ss+ 02:22 0:00 sudo ps aux
root 7 0.0 0.0 15576 2172 ? R+ 02:22 0:00 ps aux
$ docker run -it --rm -v $PWD/gosu-amd64:/usr/local/bin/gosu:ro ubuntu:trusty gosu root ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 7140 768 ? Rs+ 02:22 0:00 ps aux
gosu, sudo, fork: Linux PAM pam_open_session()
pam_close_session()
gosu, sudo.
Distroless images
Linux (Ubuntu, Debian, Alpine), Distroless (bash). Trivy, Clair.
UNIX, Alpine.
The Quest for Minimal Docker Images, part 1
The Quest for Minimal Docker Images, part 2
The Quest for Minimal Docker Images, part 3
multi-stage.
Docker-slim.
ENV
wget. API Docker:
# docker inspect ubuntu -f {{json .Config.Env}}
["SECRET=mypassword", ...]
/proc.
HashiCorp Vault, Conjur.
(multi-stage).
#builder
FROM ubuntu as intermediate
WORKDIR /app
# the key exists only in this intermediate stage
COPY secret/key /tmp/
RUN scp -i /tmp/key build@acme:files .
#runner
FROM ubuntu
WORKDIR /app
# only the fetched files are copied; /tmp/key never reaches the final image
COPY --from=intermediate /app .
BuildKit
Docker 18.09 BuildKit.
# syntax = docker/dockerfile:1.0-experimental
FROM alpine
# shows secret from default secret location
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
# shows secret from custom secret location
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
buildkit --secret:
$ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt .
.dockerignore:
.git
.aws
.env
COPY . .
Twitter Vine. 2016 DockerHub vinewww, Vine, API.
Dockerfile
Dockerfile:
Hadolint - Dockerfile. security, Docker.
Conftest - Dockerfile. Rego, Open Policy Agent. Conftest.
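As an added example that is not part of the original article and is not Hadolint or Conftest, the script below is a small shell checker for the anti-patterns discussed on this page: an unpinned base image, ADD from a URL, a download piped into a shell, an unpinned apt-get upgrade / yum update, secrets in ENV, sudo inside the image, copying the whole build context, and a missing USER instruction. It runs on two constructed Dockerfiles (one bad, one hardened); all file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article and not Hadolint/Conftest:
# a minimal policy checker for the Dockerfile anti-patterns discussed above.
# Input Dockerfiles are constructed inline; file names are hypothetical.

# lint_dockerfile <path>
# Prints "WARN <rule>: <line>" per finding; returns 0 if clean, 1 otherwise.
lint_dockerfile() {
    df="$1"
    findings=0
    has_user=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|"") continue ;;            # skip comments and blank lines
            "USER "*) has_user=1 ;;        # a USER line drops root privileges
        esac
        rule=""
        # a base image pinned by digest (or scratch) is fine; anything else is not
        case "$line" in
            "FROM scratch"*|"FROM "*@sha256:*) ;;
            "FROM "*)                                       rule="unpinned-base" ;;
            "ADD "*http://*|"ADD "*https://*)               rule="add-remote-url" ;;
            "RUN "*"apt-get upgrade"*|"RUN "*"yum update"*) rule="unpinned-upgrade" ;;
            "RUN "*"sudo "*)                                rule="sudo-in-image" ;;
            "COPY . "*)                                     rule="copy-whole-context" ;;
        esac
        # a download piped straight into a shell (curl ... | sh, wget ... | bash)
        if [ -z "$rule" ] && printf '%s\n' "$line" |
           grep -Eq '^RUN .*(curl|wget).*\|[[:space:]]*(sh|bash)($|[[:space:]])'; then
            rule="pipe-to-shell"
        fi
        # credentials baked into the image via ENV (visible in docker inspect)
        if [ -z "$rule" ] && printf '%s\n' "$line" |
           grep -Eiq '^ENV +[A-Z_]*(SECRET|PASSWORD|TOKEN|API_KEY)'; then
            rule="secret-in-env"
        fi
        if [ -n "$rule" ]; then
            echo "WARN $rule: $line"
            findings=$((findings + 1))
        fi
    done < "$df"
    if [ "$has_user" -eq 0 ]; then
        echo "WARN runs-as-root: no USER instruction, the container runs as root"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# count_findings <path>: number of WARN lines, printed as a plain integer
count_findings() {
    lint_dockerfile "$1" | grep -c '^WARN' || true
}

# Constructed samples under a hypothetical temp directory
TMP="${TMPDIR:-/tmp}/dockerfile-lint.$$"
mkdir -p "$TMP"
cat > "$TMP/Dockerfile.bad" <<'EOF'
FROM ubuntu:latest
ENV SECRET=mypassword
RUN apt-get upgrade -y
RUN wget -O - http://example.invalid/install.sh | sh
ADD https://example.invalid/absolutely-trust-me.tar.gz /tmp/
COPY . .
EOF
cat > "$TMP/Dockerfile.good" <<'EOF'
FROM redis@sha256:3479bbcab384fa343b52743b933661335448f816
RUN groupadd -r user_grp && useradd -r -g user_grp user
COPY --chown=user:user app/ /app/
USER user
EOF

lint_dockerfile "$TMP/Dockerfile.bad" || echo "-> $(count_findings "$TMP/Dockerfile.bad") finding(s)"
lint_dockerfile "$TMP/Dockerfile.good" && echo "-> clean"
```

The bad sample trips all seven rules; the hardened one passes. A line-oriented checker like this is only a starting point (it does not follow multi-stage `FROM` aliases or `USER root` switches, for instance), which is exactly the gap that Hadolint's built-in rules and Conftest's Rego policies are meant to fill.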
Dockerfile Pentest-in-Docker: debian:wheezy
Debian, Bash (RCE). www-data, reverse-shell. sudo, www-data root. USER
Dockerfile root, API Docker.
Docker Security Best Practices from the Dockerfile
10 Docker Security Best Practices
Docker Security. Using Containers Safely in Production