Hacker News new | ask | show | jobs
by pella 888 days ago
Please add

- Security warnings:

like: Note that ports which are not bound to the host (i.e., -p 5432:5432 instead of -p 127.0.0.1:5432:5432) will be accessible from the outside. This also applies if you configured UFW to block this specific port, as Docker manages its own iptables rules. https://docs.docker.com/network/packet-filtering-firewalls/

- using trivy scanner: "trivy image --ignore-unfixed ... "

---------------------

Why the security is important?

- https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/ : "Some of those Docker engines weren’t configured with authentication, which make them a perfect target for Kinsing attacks."

- https://sysdig.com/blog/cloud-defense-in-depth/ ( JULY 4, 2023: Cloud Defense in Depth: Lessons from the Kinsing Malware )

- https://thenewstack.io/kinsing-malware-targets-kubernetes/ ( Jan 13th, 2023 , Kinsing Malware Targets Kubernetes )

- https://stackoverflow.com/search?q=kinsing
1 comments
MrLA 888 days ago
Author here. This is actually a good point, we will add this in the near future. Thanks for your input.
link
mschuster91 888 days ago
I'd also fix the very first example. Stuff like LABEL, ENV, EXPOSE, CMD or ENTRYPOINT that rarely ever changes should be at the top, followed by ARG, prior to the first ADD/COPY/RUN statements. That way, you can re-use layer caching more efficiently.

In general, I think it's also a good general idea to keep yourself to one, maximum two RUN statements per image - I've seen it way too many times that some junior writes RUN apt update, RUN apt install -yf foo, RUN apt clean... which will leave all the intermediate crap from apt still part of the final image as the third command (the apt clean) will just set tombstone files [1][2] in the layer's overlay image.

(Side note, it boggles my mind why you can't tell Docker to flatten multiple subsequent "metadata only" layers like LABEL/ENV/CMD/ENTRYPOINT/ARG into one single one)

Additionally, I'd add a warning for multi-stage builds that ARG needs to be redeclared in following stages (a simple ARG xyz is sufficient, no need to repeat a default value), and that CMD/ENTRYPOINT set in the first stage for some reason tend to be overwritten in a stage that is FROM first-stage.

[1] https://github.com/aws-samples/linux-container-primitives-pr...

[2] https://jvns.ca/blog/2019/11/18/how-containers-work--overlay...

link
pella 887 days ago
Sometimes, following a security vulnerability, users end up in intense discussions with the maintainers of Docker images. It's challenging to navigate such situations effectively. The apparent simplicity of Docker images can be deceptive and pose risks. It's important to exercise caution to avoid potential problems.

See:

"Docker Hub image for version 12.4 contains a cryptominer [Confirmed!]"

https://github.com/docker-library/postgres/issues/770

link
flumpcakes 885 days ago
I would have thought people would have investigated more than just jumping to opening issues. There is obviously a skill issue here.
link