From a33d78554c97d5ed1664dfe72bb9cda8e8057000 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Mon, 4 Apr 2022 05:31:39 +0200 Subject: [PATCH] improvement --- content/posts/docker-hardening.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 6bf06dd..c88d35f 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -36,6 +36,13 @@ Containers are made from images, and images are typically built from a Dockerfil ### Images, immutability and versioning Images are what make containers, well, containers. Containers made from the same image should behave similary on different machines. Images can have **tags**, which are useful for software versioning. The usage of generic tags such as `latest` is often discouraged because it defeats the purpose of the expected behavior of the container. Tags are not necessarily immutable by design, and they shouldn't be (more on that below). **Digest**, however, is the attribute of an immutable image, and is often generated with the SHA-256 algorithm. +``` +docker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25 + ^ ^ ^ ^ + | | | | + Registry Image Tag Digest (immutable) +``` + Now onto why tags shouldn't be immutable: as written above, containers bring us an abstraction over the OS dependencies that are used by the packaged software. That is nice indeed, but this shouldn't lure us into believing that we can forget security updates. The fact is, **there is still a whole OS to care about**, and we can't just think of the container as a simple package tool for software. For these reasons, good practices were established:
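Review bot: the example digest in the new fenced block is one character short: `sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25` has 63 hex characters, but a SHA-256 digest is always 64, so `docker pull` of that reference would fail with an invalid-reference error for a reader who copies it. Either paste the real digest of `golang:1.17.1` (e.g. from `docker inspect --format '{{index .RepoDigests 0}}' golang:1.17.1`) or make it an obvious placeholder. Two smaller points in the same hunk: the opening fence has no language tag (the surrounding page uses tagged fences), and since the block illustrates the immutability claim made in the preceding sentence, a short clause such as "for example:" before the fence would tie the annotation to the prose.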