From bbb4262fc702f26853559ef48dbe693b6c9b54ba Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Mon, 4 Apr 2022 04:07:59 +0200 Subject: [PATCH] improvement --- content/posts/docker-hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 4f992b8..6bf06dd 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -62,7 +62,7 @@ USER nobody ENTRYPOINT ["/my_app"] ``` -The main drawback of using minimal images is the lack of tools that help with debugging, which also constitute the very attack surface we're trying to get rid of. The trade-off is probably not worth the hassle for development-focused containers, and if you're running such images in production, you have to be confident enough to operate with them. Note that the image `gcr.io/distroless` has a `:debug` tag to help in that regard. +The main drawback of using minimal images is the lack of tools that help with debugging, which also constitute the very attack surface we're trying to get rid of. The trade-off is probably not worth the hassle for development-focused containers, and if you're running such images in production, you have to be confident enough to operate with them. Note that the `gcr.io/distroless` images have a `:debug` tag to help in that regard. ### Keeping images up-to-date The two other points are highly problematic, because most software vendors just publish an image on release, and forget about it. You should take it up to them if you're running images that are versioned but not regularly updated. I'd say running scheduled builds **once a week** is the bare minimum to make sure dependencies stay up-to-date. Alpine Linux is a better choice than most other "stable" distributions because it usually has more recent packages.
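Review bot: the rewording from "the image `gcr.io/distroless`" to "the `gcr.io/distroless` images" is correct, since distroless is a family of images rather than a single one, but the same sentence still leaves a gap: the paragraph just said the missing tooling "constitute[s] the very attack surface we're trying to get rid of", and a `:debug` tag that restores that tooling restores that surface as well. Suggest adding a short clause so readers do not carry the debug variant into production, e.g. "Note that the `gcr.io/distroless` images have a `:debug` tag to help in that regard; use it for troubleshooting only, not for the image you actually deploy."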