container-security
Resources for the O'Reilly Container Security book
Container Images
Experiment with secrets built into a Dockerfile
Build the Dockerfile:
docker build -t sensitive .
If you run docker run --rm -it sensitive ls /password.txt, the sensitive password is not included in the filesystem, but that doesn’t mean it’s not included in the image!
Use secret mounts
docker build --secret id=MY_SECRET,source=secret.txt -t not-sensitive -f secret.Dockerfile .
References
- p. 70 — Kubernetes docs: Configure Pods and Containers
- p. 71 — Open Container Initiative
- p. 71 — Skopeo
- p. 72 — Filesystem bundle from OCI runtime-spec
- p. 72 — umoci
- p. 72 — umoci rootless
- p. 75 - Podman: A more secure way to run containers
- p. 75 — Docker Build: build drivers
- p. 75 — Docker rootless mode
- p. 74 — Podman
- p. 75 — Buildah
- p. 75 - Building Container Images with Podman and Buildah
- p. 75 — Bazel
- p. 75 — NixOS
- p. 75 — ko
- p. 75 — Jib: getting started
- p. 75 — GitLab CI: Build images in rootless mode with BuildKit
- p. 76 — Images and Layers
- p. 76 — Spot the Docker difference. Can you use the Docker Registry to…
- p. 79 — Docker Build: build secrets
- p. 80 — Harbor
- p. 80 — Docker Hub