A presentation at Cloud Native Madison Meetup by Melissa McKay
DISTROLESS IMAGES Securing Your Docker Images Melissa McKay Developer Advocate @JFrog
MELISSA MCKAY Developer Advocate @JFrog Java Champion Docker Captain @melissajmckay linkedin.com/in/melissajmckay
THE AGENDA • Container History • Containers in Real Life • Container Gotchas • Distroless Images
ALL ABOUT … CONTAINERS
SHARING LIMITED RESOURCES ▪ 1979 / 1982 - chroot
PROGRESS TOWARD VIRTUALIZATION ▪ 2000 - FreeBSD jail ▪ 2004 - Solaris Zones / snapshots ▪ 2006 - Google Process Containers / cgroups ▪ 2008 - IBM LinuX Containers (LXC) ▪ 2013 - Docker (open source!) - Google LMCTFY (open source!) ▪ 2014 - Docker trades LXC for libcontainer ▪ … more stuff happened (timeline sidebar: 2011 - Java 7, 2014 - Java 8) ▪ June 2015 - Open Container Project/Initiative (OCI) ○ Runtime Specification (runtime-spec) ○ Image Specification (image-spec) ▪ … even more stuff happened and is still happening!
WHAT EXACTLY IS A CONTAINER?
CONTAINER COMPONENTS ▪ TARBALL OF A FILESYSTEM ▪ LINUX FEATURES • namespaces • cgroups • Union File systems ▪ Mix these together to create and run a container! Voila! https://docs.docker.com/get-started/overview/
FILESYSTEM DETAILS … NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen): screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
FILESYSTEM DETAILS …
FILESYSTEM DETAILS
CONTAINER GOTCHAS
CONTAINER GOTCHAS - RUNNING AS ROOT
CONTAINER GOTCHAS - NO CONSTRAINTS
CONTAINER GOTCHAS - NEVER UPDATING
CONTAINER GOTCHAS - JAVA/JVM GOTCHAS
CONTAINER GOTCHAS - IMAGE BLOAT
DISTROLESS - WHAT’S IN YOUR CONTAINER?
DISTROLESS IMAGES - AND MULTISTAGE BUILDS • Waste Not Want Not (smaller images) • No Shell • No Exec https://github.com/GoogleContainerTools/distroless (examples)
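As an added example (not a slide from the talk and not code from the distroless project), a multistage Dockerfile that builds a Java service in a full JDK image and ships it on a distroless base; it ties together the gotchas listed above (running as root, never updating, JVM memory, image bloat). The Maven layout, the jar name `target/app.jar`, the port and the `maven:3-eclipse-temurin-17` / `gcr.io/distroless/java17-debian12:nonroot` tags are assumptions for the example.

```dockerfile
# --- Stage 1: build --------------------------------------------------------
# Full JDK + Maven image: has a shell, package manager and build tools, all
# useful here and none of which belong in the runtime image (image bloat).
FROM maven:3-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
# Resolve dependencies in their own layer so source edits do not re-download them
RUN mvn -q dependency:go-offline
COPY src ./src
# Assumed to produce target/app.jar (jar name is an assumption of this example)
RUN mvn -q package -DskipTests

# --- Stage 2: run ----------------------------------------------------------
# Distroless Java base: JRE, glibc, CA certs and tzdata only. No shell and no
# package manager, so "docker exec -it <ctr> sh" fails by design (No Shell /
# No Exec). The :debug tag variants add a busybox shell for troubleshooting;
# keep those out of anything you ship.
# The :nonroot tag runs as an unprivileged user (uid 65532), which covers the
# "running as root" gotcha without a USER line of our own.
# "Never updating" gotcha: tags move, so rebuild on a schedule to pick up base
# image fixes, or pin by digest (FROM image@sha256:...) when reproducibility
# matters and bump the digest deliberately.
FROM gcr.io/distroless/java17-debian12:nonroot
WORKDIR /app
COPY --from=build /src/target/app.jar /app/app.jar
EXPOSE 8080
# Exec form only: there is no /bin/sh to run a shell-form command.
# MaxRAMPercentage sizes the heap from the cgroup memory limit rather than host
# RAM (the JVM gotchas slide); it needs JDK 10+ and only helps if the container
# actually has a memory limit (the "no constraints" gotcha).
ENTRYPOINT ["/usr/bin/java", "-XX:MaxRAMPercentage=75.0", "-jar", "/app/app.jar"]
```

Build with `docker build -t app .`; the resulting image has no `sh`, so `docker run --rm -it app sh` fails, while `docker run --rm -m 512m -p 8080:8080 app` runs the jar as uid 65532 with a heap sized to the 512 MiB limit.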
MANAGING YOUR IMAGES - REMOTE BY DEFAULT https://dzone.com/refcardz/getting-started-with-container-registries START FREE: https://bit.ly/MelissaWKSHP
Q&A THANK YOU! Melissa McKay @melissajmckay linkedin.com/in/melissajmckay
View Distroless Images — Securing Your Docker Images on Notist.