Hardening your public container registry images with quay.io, an alternative for Docker Hub

When local Container Registry is not an option, deploy images on a public registry with fewer worries about data leaks.

Daniel Paes
Tech x Talent
5 min read · May 7, 2021


Photo by Etienne Girardet on Unsplash

How’s everything going? I hope all is well!

Today I want to go back to vulnerability scans, a topic that newcomers to developing microservices for data-analytics pipelines usually seem to forget. There is nothing wrong with focusing on smaller images; I also believe smaller images are better.

However, slimmer images and secure environments are not synonyms (unfortunately). So here I would like to present quay.io, a public container registry run by Red Hat with Clair under the hood, which runs an automated vulnerability scan on every pushed container image. It is a good alternative for cases where building a security-focused local container registry is not a viable option.

We will see why choosing quay.io over Docker Hub for small projects can be a good idea, and we will end by pushing a local container image into quay.io with the help of podman. So let’s get going.

What does Docker Hub do?

Docker Hub is a public container registry: a remote store for the container images of the applications we build locally. This tutorial uses podman because of its native support for rootless containers. However, you can replace podman with docker in the commands below if docker is your preferred container runtime; more information on how to run docker rootless is on this link.

Let us pick Python as an example. Below we can see the tag-management landing page on Docker Hub. It has some helpful information, such as the operating system and the command to pull the desired tag locally.

Repository tag details on Docker Hub for Python

What does Quay provide?

On the equivalent tag page on quay.io we can see some interesting extra information, such as “security scan” and “manifest”, as shown below.

Repository tag details for Python on Quay.io Repository

As quay.io uses Clair to scan its images, we will narrow our analysis to this tool. Clair is an open-source static analysis tool for container images (it started at CoreOS and is now maintained alongside Quay at Red Hat). It indexes the packages found in each image layer and matches them against vulnerability data sources, reporting each finding by its “Common Vulnerabilities and Exposures” identifier (CVE, for short; the CVE list itself is maintained by the MITRE Corporation). Go to this page for more detailed information on the vulnerabilities stored in this database, and check Clair’s official website on this link.

As mentioned, the scan lists the CVE entries found in the container, together with details from the CVE database such as the affected package and the severity score, as shown below.

Container scan performed on quay.io for tag "python:3.8.9-Debian-10-r25."

Further analysis of packages used by the image is possible without any extra configuration, as shown below.

Package scan on container tag published on quay.io for tag "python:3.8.9-Debian-10-r25."

How to deploy a Streamlit image on quay.io

For our tutorial, we will upload a containerized Streamlit application. Streamlit provides an interactive dashboard on which you can test your machine learning models. For more information, see its official homepage.

The usual first step is to log into your quay.io account (an account you created beforehand) with podman.

Next we need the id of a running container, or of one that ran our application successfully, since this deployment is of a specific version of our application. The output of “podman ps -a” lists all containers in our environment, running or stopped.

Local versions of containerized application

Once we have the desired id, we commit it to a local image and push that image into our quay.io destination repository. A good practice here is to keep a more general base image and publish different versions tailored to your end users’ needs. Keep in mind that a commit snapshots the container’s whole filesystem, including any secrets, caches or temporary files written at runtime, so check what is inside before pushing it to a public registry.

Commit of desired containerized version into the Quay.io Container Registry
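The login, commit and push steps above, collected into one script. This is an added example and not code from the original article: the namespace myuser, the repository name streamlit-app, the container id abc123 and the tag 1.0.0 are placeholders you should replace with your own values. It runs in dry-run mode by default and only prints the podman commands; set DRY_RUN=0 to execute them.

```shell
#!/usr/bin/env bash
# Commit a local container to an image and push it to quay.io with podman.
# Added example, not from the original article. NAMESPACE, REPO, the
# container id and the tag used below are assumptions; override them
# through the environment or the two positional arguments.
set -eu

REGISTRY="${REGISTRY:-quay.io}"
NAMESPACE="${NAMESPACE:-myuser}"      # your quay.io user or organisation (assumed)
REPO="${REPO:-streamlit-app}"         # destination repository name (assumed)
DRY_RUN="${DRY_RUN:-1}"               # 1 = only print the podman commands

# Build the fully qualified reference quay.io/<namespace>/<repo>:<tag>.
image_ref() {
    printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "$4"
}

# Accept only immutable, well-formed tags, so the scan report on quay.io
# refers to exactly one artifact. OCI tags match [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}.
validate_tag() {
    local tag="$1"
    [ "${#tag}" -le 128 ] || return 1
    case "$tag" in
        ""|latest)            return 1 ;;   # empty or mutable
        *[!A-Za-z0-9_.-]*)    return 1 ;;   # illegal character (space, /, :, ...)
        [.-]*)                return 1 ;;   # may not start with '.' or '-'
        *)                    return 0 ;;
    esac
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# commit_and_push <container-id> <tag>
# Prints the pushed image reference on its last line.
commit_and_push() {
    local cid="$1"
    local tag="$2"
    local ref
    validate_tag "$tag" || { echo "refusing tag '$tag'" >&2; return 1; }
    ref="$(image_ref "$REGISTRY" "$NAMESPACE" "$REPO" "$tag")"

    # Rootless podman keeps the credentials in ${XDG_RUNTIME_DIR}/containers/auth.json.
    run podman login "$REGISTRY"
    # podman commit snapshots the container's whole filesystem, including any
    # secrets, caches or temporary files written at runtime; inspect it with
    # `podman diff <id>` before publishing to a public registry.
    run podman commit --pause "$cid" "$ref"
    run podman push "$ref"
    printf '%s\n' "$ref"
}

# Take the id from `podman ps -a`; both arguments here are placeholders.
commit_and_push "${1:-abc123}" "${2:-1.0.0}"
```

Once the push completes, open the tag on quay.io and wait for the security scan column to populate; the report applies to that immutable tag, which is why the script refuses “latest”.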

Below are the security scan results quay.io produced for our newly deployed version, with no extra configuration.

Vulnerability scans report from a containerized application.

Conclusions

Here we saw quay.io as an alternative for those more concerned about security scans. Because Clair is built in, it becomes easier to deploy your containerized applications while getting vulnerability checks without any extra configuration. The same functionality can also be deployed locally, for example as an additional service on your Kubernetes cluster.

In that setup, tools like Cilium or Calico can add further layers of security checks at the network level, and Anchore can add policy-based checks with user-defined policies on top of the scans. It is also worth pointing out that some images available on quay.io are published from the same source as their Docker Hub distributions, with quay.io’s extra security scans in place; a good example is the “minideb” image found on this link. That makes quay.io an option to Docker Hub when security checks on containerized applications are hard to carry out yourself.

See you guys next time.

Resources:

What is Container Registry — https://searchcloudcomputing.techtarget.com/definition/container-registry

Should you use the --user flag in rootless containers? — https://www.redhat.com/sysadmin/user-flag-rootless-containers

What is a CVE? — https://www.redhat.com/en/topics/security/what-is-cve

How to push images into quay.io — https://quay.io/tutorial/

Mitre Corporation — https://www.mitre.org/

Podman Documentation — https://podman.io/

What is Cilium — https://docs.cilium.io/en/v1.10.0-rc1/intro/#intro

What is Calico — https://docs.projectcalico.org/about/about-calico

Anchore Open Source Main Page — https://anchore.com/opensource/

Quay.io minideb image — https://quay.io/repository/bitnami/minideb

Making some sense from microservices and monolithic architectures — brief storytelling — https://danielpaes.ca/making-some-sense-from-microservices-and-monolithic-architectures-a-brief-storytelling-1caf2c16aa49


Data-focused professional with an interest in AI for cognitive enhancement. Evangelist on the awareness of the risks about security and privacy on our data.