How can I deal with security updates in docker containers?

We want to avoid including "yum update" in the Dockerfile since it can generate a different container based on when the Docker images are created, but obviously this can create security problems if the underlying system needs to be updated. Is the best option to really have a system-wide image of the base system and update it? The problem will be that with every security update, you will need to recreate and deploy all applications throughout the organization.

An alternative that seems a bit to me would be to simply ignore security updates in the container and worry only about them on the host machine. The idea here is that in order for an attacker to get into the container, the host machine must have a vulnerability, another vulnerability in the docker engine to get into the container, and then an additional vulnerability for using something in the container, which seems like an incredibly unlikely series of events. With the advent of seccomp username and profile omissions, this seems to further reduce the risk.

In any case, how can I deal with security updates in containers, with minimal impact on the CI / CD pipeline, or, ideally, not redistribute the entire infrastructure so often?

2 answers

You can reduce the uniqueness of a build by introducing an intermediate update level.

Create an image like this:

    FROM centos:latest
    RUN yum update -y

Build the image, tag it and push it. Now your builds will not change unless you decide to change them.

You can either point your other Dockerfiles to myimage:latest to receive automatic updates as soon as you decide to do this, or specify a specific version.

The way my CI system is configured, a successful (manually triggered) build of the base image with updates starts a build of any images that depend on it.

Reported security issue? Check that an updated package is available, or put a temporary fix in the Dockerfile. Run the build. After a while, you will have patched versions of all your applications ready for deployment.

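The workflow in the answer above (one base image that runs `yum update`, a manual base rebuild that triggers every dependent image), as an added example script that is not from the answer itself. It assumes a hypothetical layout of `<root>/base.Dockerfile` plus `<root>/apps/<name>/Dockerfile`, and the sample tree it writes is constructed for trying the script offline:

```shell
# Added example: "intermediate update level" rebuild script (not the answer's code).
# Assumed layout: <root>/base.Dockerfile and <root>/apps/<name>/Dockerfile.
BASE_IMAGE="myimage"        # the intermediate image the answer calls myimage
DATE_TAG=$(date +%Y%m%d)    # immutable tag; app Dockerfiles may pin to it

# Write the base Dockerfile: the single place where `yum update` runs.
write_base_dockerfile() {
    cat > "$1" <<'EOF'
FROM centos:latest
RUN yum update -y && yum clean all
EOF
}

# List app directories whose Dockerfile builds FROM $1 (any tag, optional
# "AS stage"). Pure text matching, so it can be checked without docker.
dependents_of() {
    base="$1"; root="$2"
    for f in "$root"/*/Dockerfile; do
        [ -f "$f" ] || continue
        if grep -Eq "^FROM[[:space:]]+$base(:[^[:space:]]+)?([[:space:]]|\$)" "$f"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Constructed sample tree (not real projects) for trying the script offline.
make_sample_tree() {
    for app in api worker web other; do mkdir -p "$1/apps/$app"; done
    printf 'FROM %s:latest\nCOPY . /srv\n' "$BASE_IMAGE" > "$1/apps/api/Dockerfile"
    printf 'FROM %s:20240101 AS build\n' "$BASE_IMAGE"   > "$1/apps/worker/Dockerfile"
    printf 'FROM nginx:stable\n'                         > "$1/apps/web/Dockerfile"
    printf 'FROM %s-base:1\n' "$BASE_IMAGE"              > "$1/apps/other/Dockerfile"
}

# Rebuild the base with current updates, tag it both ways, then rebuild
# every dependent image so patched versions are ready to deploy.
rebuild_all() {
    root="$1"
    write_base_dockerfile "$root/base.Dockerfile"
    docker build -f "$root/base.Dockerfile" \
        -t "$BASE_IMAGE:$DATE_TAG" -t "$BASE_IMAGE:latest" "$root"
    for app in $(dependents_of "$BASE_IMAGE" "$root/apps"); do
        docker build -t "$app:$DATE_TAG" "$root/apps/$app"
    done
}

# Usage: sh rebuild.sh run /path/to/root   (needs docker; nothing runs otherwise)
case "${1:-}" in run) rebuild_all "${2:-.}" ;; esac
```

Pushing `myimage:<date>` and `myimage:latest` after the base build is left to your registry step; app Dockerfiles that pin the dated tag stay reproducible, those using `latest` pick up the next update automatically.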

Most major distributions regularly release a new base image, which includes the latest critical updates and security fixes as needed. This means that you can simply pull the latest base image to get these fixes and rebuild your image.

But also, since your containers use yum, you can use yum to manage the packages you are updating. Yum lets you set a release version so that you can tie your updates to a specific OS version.

For example, if you are using RHEL 7.2, you might have a Dockerfile that looks something like this:

    FROM rhel:7.2
    RUN echo "7.2" > /etc/yum/vars/releasever
    RUN yum update -y && yum clean all

This ensures that you stay on RHEL 7.2 and receive only critical package updates, even if you perform a full yum update.

For more information on the available yum variables or other configuration options, simply browse the yum.conf man page.

In addition, if you need finer control over updates, you can check out the yum-plugin-versionlock package, but this is more than likely overkill for your needs.


Source: https://habr.com/ru/post/1244319/
