Local Docker Tips & Tricks

Photo by Guillaume Bolduc on Unsplash

Aliases and Laziness (a.k.a efficiency)


Hadolint


Troubleshooting and Inspecting


Reasonable Security via Clair

The clair helper starts two containers: a Postgres image that ships with Clair's vulnerability data already loaded, and a Clair instance pointed at it. The CVE data is baked into the arminc/clair-db image when it is built, so pull a fresh copy before each scanning session; a stale database image gives you stale results with a green tick on top.

```bash
function clair() {
  # Postgres pre-populated with the vulnerability data. Pull it fresh: the data is only as current as your last pull.
  docker run -p 5432:5432 -d --name clair-db arminc/clair-db:latest
  # Crude readiness wait so Postgres is accepting connections before Clair tries to reach it.
  sleep 5
  # Clair itself, reaching the database container under the hostname "postgres".
  docker run --rm -p 6060:6060 --link clair-db:postgres -d --name clair arminc/clair-local-scan:latest
}
```

The clair_scan helper (its definition was in an image that did not survive; the echoed docker run line below shows what it executes) runs the usr42/clair-container-scan wrapper against a local image, linked to the running clair container. Two things are worth noticing in that line. First, --link is legacy Docker networking; a user-defined network does the same job without the deprecated flag. Second, bind-mounting /var/run/docker.sock hands that container full control of the Docker daemon, which is root on the host. That is a fair trade on your own laptop, which is what this post is about; do not copy the same command onto a shared CI runner.

```
$ clair
$ clair_scan debian:buster-slim
docker run --rm -i -t --link clair:clair -v /var/run/docker.sock:/var/run/docker.sock quay.io/usr42/clair-container-scan
[
  {
    "image": "debian:buster-slim",
    "vulnerabilities": [
      {
        "featurename": "glibc",
        "featureversion": "2.28-10",
        "vulnerability": "CVE-2016-10228",
        "namespace": "debian:10",
        "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
        "link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
        "severity": "Low",
        "fixedby": ""
      },
      {
        "featurename": "shadow",
        "featureversion": "1:4.5-1.1",
        "vulnerability": "CVE-2018-7169",
        "namespace": "debian:10",
        "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
        "link": "https://security-tracker.debian.org/tracker/CVE-2018-7169",
        "severity": "Low",
        "fixedby": ""
      }
    ]
  }
]
```

Both findings are severity Low and have an empty fixedby, which means no fixed package version is recorded for that Debian release: there is nothing to upgrade to, only something to keep an eye on. That distinction, fixable versus unfixed, is what you want a scan to turn into a decision rather than a wall of JSON.
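Turning the scan output above into a pass/fail decision is the part a local scan never quite gets around to, so here is an added example (not code from the original post, and not part of Clair or the usr42 wrapper) that consumes exactly the JSON shape clair_scan prints and applies a simple policy: fail on any finding at or above a threshold severity that has a fix available, report unfixed findings without blocking, and let an allowlist accept specific CVE IDs. The threshold, allowlist and require_fix parameters, the bucket names, and the placeholder CVE-0000-000x findings in the sample report are all my own constructions to exercise each branch; the two Low findings are the ones from the scan above.

```python
"""CI gate over Clair JSON as printed by the clair_scan helper above.

Added example, not from the original post. Policy (an assumption chosen for
illustration): block when a finding at or above `threshold` has a fix
available and is not allowlisted; unfixed findings are reported, not blocking.
"""
import json
import sys

# Clair's severity vocabulary (Clair v2 naming), ordered lowest to highest.
SEVERITY_RANK = {
    "Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
    "High": 4, "Critical": 5, "Defcon1": 6,
}


def parse_report(text):
    """Parse clair_scan output: a JSON list of {"image": ..., "vulnerabilities": [...]}."""
    report = json.loads(text)
    if not isinstance(report, list):
        raise ValueError("expected a JSON list of per-image results")
    for entry in report:
        entry.setdefault("vulnerabilities", [])  # an image with no findings is still valid
    return report


def triage(report, threshold="High", allowlist=frozenset(), require_fix=True):
    """Sort every finding into one bucket. Only 'blocking' should fail the build."""
    floor = SEVERITY_RANK[threshold]
    out = {"blocking": [], "allowlisted": [], "unfixed": [], "below_threshold": []}
    for entry in report:
        for v in entry["vulnerabilities"]:
            cve = v["vulnerability"]
            # Severities outside Clair's vocabulary rank as Unknown rather than crashing the gate.
            rank = SEVERITY_RANK.get(v.get("severity", "Unknown"), 0)
            fixed = bool(v.get("fixedby"))  # "" means no fixed version is recorded
            if cve in allowlist:
                out["allowlisted"].append(cve)
            elif rank < floor:
                out["below_threshold"].append(cve)
            elif require_fix and not fixed:
                out["unfixed"].append(cve)
            else:
                out["blocking"].append(cve)
    return out


def gate(report_text, threshold="High", allowlist=frozenset(), require_fix=True):
    """Exit code for a CI step: 1 to block the build, 0 to let it through."""
    result = triage(parse_report(report_text), threshold, allowlist, require_fix)
    return 1 if result["blocking"] else 0


# Constructed sample: the two real Low findings from the scan above (abbreviated),
# plus placeholder CVE-0000-000x entries invented here to exercise each policy branch.
SAMPLE_REPORT = json.dumps([{
    "image": "debian:buster-slim",
    "vulnerabilities": [
        {"featurename": "glibc", "featureversion": "2.28-10", "namespace": "debian:10",
         "vulnerability": "CVE-2016-10228", "severity": "Low", "fixedby": ""},
        {"featurename": "shadow", "featureversion": "1:4.5-1.1", "namespace": "debian:10",
         "vulnerability": "CVE-2018-7169", "severity": "Low", "fixedby": ""},
        {"featurename": "pkg-a", "featureversion": "1.0-1", "namespace": "debian:10",
         "vulnerability": "CVE-0000-0001", "severity": "High", "fixedby": "1.0-2"},      # fixable: blocks
        {"featurename": "pkg-b", "featureversion": "2.0-1", "namespace": "debian:10",
         "vulnerability": "CVE-0000-0002", "severity": "Critical", "fixedby": ""},       # no fix yet: tracked
        {"featurename": "pkg-c", "featureversion": "3.0-1", "namespace": "debian:10",
         "vulnerability": "CVE-0000-0003", "severity": "Critical", "fixedby": "3.0-2"},  # fixable but allowlisted
    ],
}])


if __name__ == "__main__":
    # Usage: clair_scan debian:buster-slim | python clair_gate.py
    report = parse_report(sys.stdin.read())
    result = triage(report, threshold="High", allowlist=frozenset({"CVE-0000-0003"}))
    for bucket, cves in result.items():
        print(f"{bucket}: {', '.join(cves) or '-'}")
    sys.exit(1 if result["blocking"] else 0)
```

Requiring a fix before blocking is deliberate: an unfixed finding cannot be resolved by rebuilding, so failing the build on it only teaches people to ignore the gate. Keep the allowlist in version control next to the Dockerfile so each accepted CVE has a commit explaining why.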

Finally

Written by

Problem Solver, Coder, Tinkerer. DevOps Evangelist.
