docker.md

Docker

• Best practices for writing Dockerfiles
• Using Kaniko for Container Builds on Kubernetes
• Control startup and shutdown order in Compose

Tools

• Harbor - cloud native registry
• Portus- authorization service and frontend for Docker registry
• kaniko - Build Images In Kubernetes
• Watchtower - process for automating Docker container base image updates
• 5 Docker Utilities You Should Know
• DockerSlim - Minify and Secure Docker containers
• Container Structure Tests - provide a powerful framework to validate the structure of a container image
• cosign - Container Signing, Verification and Storage in an OCI registry
• dive - tool for exploring container image layers' contents

Utilities to be used inside containers

• su-exec - switch user and group id, setgroups and exec

Development

• Registry token authentication specification
• Heroku Docker Registry Client
• Google Golang library for working with container registries
• genuinetools Docker registry v2 command line client

Courses

• Stephen Grider - Udemy - Docker casts

Pin Docker version

apt-get install docker-ce="18.06.0ce3-0~ubuntu"

Base images

• Distroless Docker Images

Images

• linuxserver.io - community images

Docker-compose

• Awesome Docker Compose Examples

Security

• Vulnerability Static Analysis for Containers
• trivy - Simple and Comprehensive Vulnerability Scanner for Containers
• Banyan Collector - framework for static analysis of Docker images
• Docker Bench

Content trust

export DOCKER_CONTENT_TRUST=1

BuildKit Dockerfile syntax

export DOCKER_BUILDKIT=1

Go

Two stage build from alpine and scratch

# syntax=docker/dockerfile:1.3
ARG GO_VERSION=1.17.2

FROM golang:${GO_VERSION}-alpine AS builder

RUN --mount=type=cache,target=/var/cache/apk apk add -U ca-certificates tzdata upx

WORKDIR /app
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod go mod tidy

COPY . .
RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags='-s -w -extldflags "-static"' -o /app/app . && \
  upx /app/app

FROM scratch

COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
COPY --from=builder /app/app /usr/bin/app

USER 65534:65534

ENTRYPOINT ["app"]

Second stage from distroless

FROM gcr.io/distroless/static

COPY --from=builder /app/app /app

USER nonroot:nonroot

ENTRYPOINT ["/app"]

Use :debug tag which providers busybox sh.

Svelte Kit

Two stage build

# syntax=docker/dockerfile:1.3
FROM node:18-alpine

WORKDIR /app

COPY . .

RUN --mount=type=cache,target=~/.npm npm ci && \
    npm audit fix && \
    npm run build


FROM node:18-alpine

WORKDIR /app

COPY --from=0 /app/package*.json ./

RUN --mount=type=cache,target=~/.npm npm ci --production --ignore-scripts && \
    npm audit fix

COPY --from=0 /app/build ./

EXPOSE 3000

USER 1000:1000

ENTRYPOINT ["node"]

CMD ["index.js"]

Install from apt

wget -qO - https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo dd of=/usr/share/keyrings/docker-archive-keyring.gpg

echo 'deb [ arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg ] https://download.docker.com/linux/ubuntu jammy stable' | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Enable buildx plugin

export DOCKER_BUILDKIT=1
export BUILDKIT_PROGRESS=plain

Install trivy from apt

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo dd of=/usr/share/keyrings/trivy-archive-keyring.gpg

echo 'deb [ signed-by=/usr/share/keyrings/trivy-archive-keyring.gpg ] https://aquasecurity.github.io/trivy-repo/deb jammy main' | sudo tee -a /etc/apt/sources.list.d/trivy.list

sudo apt-get update
sudo apt-get install trivy