Some basic, secure & up-to-date Docker images
I have used the last few quiet days to complete a task that I have been postponing for some time already. And because I may not be the only one needing this, I will share all the details in this post.
In my work with containerized build pipelines (mostly with GitLab CI), I often use tools like curl, kubectl or helm which needs to be served by small and secure Docker images. For example, when you call another project pipeline (curl) or deploying your application into your Kubernetes cluster (kubectl, helm). Until now I always used available images from Docker Hub. Sometimes none-official ones, sometimes without knowing the source, sometimes outdated ones. I know this is not a really good idea but I have never found time to build something nice except just creating a Dockerfile and manually building an image which will, therefore, be outdated soon as well.
Secure and up-to-date
The main reason why I built my own images are security concerns. Mainly because of using outdated images without knowing their source. Therefore, I built my solution with security in mind. And because I also would like to share the images with everyone I decided to put the Dockerfiles, the build pipeline and everything else into a public repository. You can access it here: https://gitlab.com/nmeisenzahl/dockerfiles
Every image in this repository will be rebuilt weekly. The images are based on the latest Alpine image and every included package will be installed in the latest available version. The build pipeline will only build and upload the image after a successful vulnerability scan.
This means that all images which are part of this repository will be at least updated and scanned ones a week. Until now, the images are not signed. I know there are still things to improve but at least it’s a good start.
The images are stored in a Docker Registry which is part of the repository. You can access it here: https://gitlab.com/nmeisenzahl/dockerfiles/container_registry
I will not use this repository for all of my Dockerfiles (most of them are used for a specific use case) but to store some basic images which might be helpful for others. I will start with three images which I’m using (as already mentioned above) with my GitLab CI pipelines. Those are:
An image based on Alpine serving curl as entry point.
docker run --rm registry.gitlab.com/nmeisenzahl/dockerfiles/curl “http://google.de"
An image based on my curl image serving kubectl as entry point. You will need to mount your kubectl configuration to use it with your cluster. I’m using this image with Gitab CI which provides this automatically, therefore, I skipped any further configuration options/envs.
docker run --rm registry.gitlab.com/nmeisenzahl/dockerfiles/kubectl get pods
An image based on my kubectl image serving helm as entry point.
docker run --rm registry.gitlab.com/nmeisenzahl/dockerfiles/helm list
The images are based on each other. Therefore, they will reuse some layers which will save you some disk space and time.
Please let me know if there are any other images that may be of interest!
More technical details
As already mentioned above everything is stored in the public repository. There you will find all Dockerfiles, the build pipeline (including the status of the last builts) and the Docker Registry.
All Dockerfiles are including the Microscanner by Aqua which I use to scan the image for known vulnerabilities. Any vulnerabilities which is listed as high will force the build pipeline to fail.
The images build itself is based on Kaniko which allows me to build Docker images in a Container without using DinD and privileged mode. You can find some more details on Kaniko in one of my last posts. Until now, I will only provide a latest tag for every image.
The build pipeline is based on GitLab CI and is therefore also part of the repository. It runs scheduled (every Sunday 1 am CET) as well as triggered by a commit into the master branch.