From 9727d117387891cfe23c6efdc81c8f9d3685848a Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Thu, 31 Mar 2022 00:28:13 +0200 Subject: [PATCH] oops --- content/posts/docker-hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 9acb57f..a62cdd6 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -35,7 +35,7 @@ Containers are made from images, and images are typically built from a Dockerfil Images are what make containers, well, containers. Containers made from the same image should behave similary on different machines. Images can have **tags**, which are useful for software versioning. The usage of generic tags such as `latest` is often discouraged because it defeats the purpose of the expected behavior of the container. Tags are not necessarily immutable by design, and they shouldn't be (more on that below). **Digest**, however, is the attribute of an immutable image, and is often generated with the SHA-256 algorithm. -Now onto why tags shouldn't be immutable: as written above, containers bring us an abstraction over the OS dependencies that are used by the packaged software. That is nice indeed, but this shouldn't lure us into into believing that we can forget security updates. The fact is, **there is still an OS to care about**, and we can't just think of the container as a simple package tool for software. +Now onto why tags shouldn't be immutable: as written above, containers bring us an abstraction over the OS dependencies that are used by the packaged software. That is nice indeed, but this shouldn't lure us into believing that we can forget security updates. The fact is, **there is still an OS to care about**, and we can't just think of the container as a simple package tool for software. For these reasons, good practices were established: - An image should be as minimal as possible (Alpine Linux, or scratch/distroless).
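Review bot: the unchanged context line at the top of this hunk still reads "should behave similary on different machines", and since this commit is already a one-word typo fix to the neighbouring paragraph (the doubled "into into"), "similary" should be corrected to "similarly" in the same change. The subject line "oops" also says nothing about what was changed; a subject such as "docker-hardening: remove duplicated word" would keep the history of content/posts/docker-hardening.md readable.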