Building containers that are secure, stable, and lean requires diligence in your Dockerfile practices. By reducing the attack surface and leveraging container isolation features, you can significantly enhance the integrity of your deployment pipeline.
Here are 12 essential rules for building robust containers, categorized for clarity.
π Security & Least Privilege
These rules minimize the potential damage if a container is compromised.
1. Avoid Running as Root (Principle of Least Privilege) π§
By default, container processes run as the root user inside the container. If an attacker gains control of your application, they gain root access within that environment.
Practice: Use the
USERinstruction (USER nodeor a custom UID/GID) to switch to a non-root user before running your application.Analogy: Your production application should only have the key to the specific room it needs to operate in, not the master key to the entire server infrastructure.
2. Never Mount the Docker Socket π
Mounting the Docker socket (/var/run/docker.sock) grants the container full, unrestricted root access to the host machine via the Docker API. This is the single biggest security risk in container orchestration.
Analogy: This is like giving a driver the ability to override all safety protocols of the car from the passenger seat. Avoid this practice entirely unless absolutely necessary and managed by highly restrictive security policies.
3. Manage Secrets Securely at Runtime π
Never bake secrets (API keys, passwords, private keys) into the Dockerfile using ENV or by directly copying them. Secrets embedded in image layers are permanent and easily recoverable.
Practice: Use a dedicated secret management tool (Jenkins
withCredentials, Kubernetes Secrets, Docker Secrets) to inject sensitive values only at the moment the container starts and never persist them in the image.
4. Add Security Scanning and Assurance π (New Rule)
Integrate tools like Clair, Trivy, or Snyk into your CI/CD pipeline to automatically scan images for known vulnerabilities (CVEs) immediately after creation.
Practice: If a vulnerability is found, confirm whether it impacts the running application. Always prefer patching over ignoring.
Analogy: This is like having a metal detector and X-ray machine at the entrance to your secure area, checking every new visitor (image) for known threats.
π οΈ Optimization & Integrity
These rules ensure image quality, size, and traceability.
5. Implement Multi-Stage Builds πͺ
This technique isolates the build tools and dependencies (e.g., compilers, Node.js packages) from the final runtime environment.
Practice: Start with a large build image, perform all compiling/downloading, then switch to a minimal second image, copying only the final compiled assets (e.g., the
distfolder or binary).Benefit: Results in a dramatically smaller, more secure, and cleaner final image.
6. Choose Minimal and Audited Base Images π¦
The smaller the base image, the smaller the attack surface.
Practice: Use lightweight images like Alpine or official images with the
-slimtag (node:22-slim). Verify the image's community and maintenance status.
7. Lock Down Your Dependencies (Fixed Tags) β
Never use floating tags like latest or generic major versions like node:22. These tags can change without notice, leading to inconsistent, unpredictable, or broken builds.
Practice: Use fixed, explicit version tags (e.g.,
FROM node:22.4.0-alpine). This optimizes caching and ensures reproducibility.
8. Optimize Caching and Layer Reduction π¨
The order of commands in your Dockerfile affects cache efficiency.
Practice: Place instructions that change infrequently (e.g., copying
package.jsonand runningnpm ci) first. Also, use the&&operator to combine multipleRUNcommands into a single layer, reducing image size.
9. Use .dockerignore Judiciously ποΈ
This file prevents irrelevant files (source code, build history, .git folders, logs) from being sent to the Docker daemon.
Benefit: Speeds up the build process and prevents accidental inclusion of sensitive or unnecessary data into the image context.
10. Implement Digital Image Signatures βοΈ (New Rule)
Verify that the images you pull are genuinely from the source you trust and haven't been tampered with.
Practice: Use tools like Docker Content Trust (Notary) or Tuf/Sigstore to sign your production images. Configure your hosts to only run images with a valid signature.
Analogy: This is like checking the security seal on a pharmaceutical package before using it. If the signature doesn't match, the image is rejected.
π¦ Health & Maintainability
These rules improve operational stability.
11. Implement HEALTHCHECK β€οΈ
A container can be running, but the application inside might be deadlocked or failing. An explicit health check tells the orchestrator (Kubernetes/Docker Swarm) if the application is ready to serve traffic.
Practice: Add a
HEALTHCHECKinstruction that executes a command (e.g., a simplecurlrequest) that returns an exit code of0for success.
12. Separate CMD and ENTRYPOINT β‘οΈ
Use ENTRYPOINT to define the binary or program that is always executed, and CMD for the default arguments passed to that program.
Benefit: This keeps the container predictable and easy to manage. It allows users to easily override the command arguments without having to know or specify the main executable binary.
There are also other security measure. You can find another interesting one there
Top comments (0)