Two thumbs up to the note on watching what you pull from public registries. They're certainly safe more often than not, but sometimes it's better to start with the OS you know and love (and know is updated and secure), and installing your own packages and specific versions of those packages. Nothing makes me cringe more than seeing a Dockerfile that starts off with a "yum update -y" at the top, grabbing the latest updates without having any idea how that's going to affect the built container, from an operational or security perspective.
You touch on a very important point and a common trend I see with newcomers to containers that prompts me to reiterate key concepts:
To this point, Docker published a set of best practices for writing Dockerfiles. It's worth a read once newcomers have a handle on basic docker usage.
Google is also working on a set of container images that don't even include an OS as the base image. The images only include a small set of libraries needed to run applications written in various languages. And that's it. No need for an OS or even apt or yum in the images themselves. Check out GoogleContainerTools/Distroless and this CNCF talk.
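As an added illustration of the two practices above (not part of the commenter's post): a multi-stage Dockerfile that pins its build base by tag and digest and ships the application on a distroless runtime image. The digest and application name are placeholders, and the Go toolchain is an assumed example language.

```dockerfile
# Anti-pattern described above: unpinned base plus a blanket update, so the
# image contents change on every build with no record of what went in.
#   FROM centos
#   RUN yum update -y && yum install -y myapp
#   CMD ["myapp"]

# Build stage: base pinned by tag AND digest so the same bytes are pulled every
# time. The digest is a placeholder; replace it with the real one you resolved
# (e.g. from `docker pull` / `docker buildx imagetools inspect`).
FROM golang:1.22-bookworm@sha256:PLACEHOLDER_DIGEST AS build
WORKDIR /src

# Dependencies are pinned by go.sum, so this layer is reproducible and cached.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# Static binary: no libc needed, which is what lets it run on the "static"
# distroless image below.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# Runtime stage: distroless image with no shell, no package manager (no apt or
# yum), and a non-root user baked in. Only the binary we built is copied over.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

Because the runtime image has no shell or package manager, a vulnerability scanner run against it reports only the binary and the handful of files distroless ships, which makes review of what is actually in the container far easier.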