explicit syntax
This commit is contained in:
parent
f2f2445707
commit
e8c335adb9
@ -61,7 +61,7 @@ For these reasons, good practices were established:
|
||||
|
||||
However, distroless images are not suited for every application. In my experience though, distroless is an excellent option with pure Go binaries. Going with minimal images drastically reduces the available attack surface in the container. For example, here's a [multi-stage Dockerfile](https://docs.docker.com/develop/develop-images/multistage-build/) resulting in a minimal non-root image for a simple Go project:
|
||||
|
||||
```
|
||||
```Dockerfile
|
||||
FROM golang:alpine as build
|
||||
WORKDIR /app
|
||||
COPY . .
|
||||
@ -219,7 +219,7 @@ A platform like ptrace or KVM is used to intercept system calls and redirect the
|
||||
|
||||
The security model of gVisor is comparable to what you would expect from a virtual machine. It is also very easy to [install and use](https://gvisor.dev/docs/user_guide/install/). The path to runsc along with its different configuration flags (`runsc flags`) should be added to `/etc/docker/daemon.json`:
|
||||
|
||||
```
|
||||
```json
|
||||
"runtimes": {
|
||||
"runsc-ptrace": {
|
||||
"path": "/usr/local/bin/runsc",
|
||||
|
@ -106,7 +106,7 @@ Their client also lacks **TLS certificate pinning**, unlike Play Store which imp
|
||||
|
||||
It is an important security feature that is also straightforward to implement using the [declarative network security configuration](https://developer.android.com/training/articles/security-config) available since Android 7.0 (API level 24). See how GrapheneOS pins both root and CA certificates in their [app repository client](https://github.com/GrapheneOS/Apps):
|
||||
|
||||
```
|
||||
```xml
|
||||
<!-- res/xml/network_security_config.xml -->
|
||||
<network-security-config>
|
||||
<base-config cleartextTrafficPermitted="false"/>
|
||||
|
Loading…
Reference in New Issue
Block a user