Discussion on: Docker Security Best-Practices

Peter Benjamin (they/them)

You touch on a very important point and a common trend I see with newcomers to containers that prompts me to iterate key concepts:

  1. Don't treat containers the same way you would treat virtual machines.
  2. Containers should be immutable images with the absolute minimal number of dependencies needed to run a single application.

To this point, Docker published a set of best practices for writing Dockerfiles. It's worth a read once newcomers have a handle on basic docker usage.

Google is also working on a set of container images that don't even include an OS as the base image. The images only include a small set of libraries needed to run applications written in various languages. And that's it. No need for an OS or even apt or yum in the images themselves.

Check out GoogleContainerTools/Distroless and this CNCF talk
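As an added illustration of the two points above (not code from the comment author or from the Distroless project), here is a multi-stage Dockerfile that builds a Go binary in a full toolchain image and ships only that binary on a distroless base. The application layout (`./cmd/app`, `go.mod`/`go.sum` in the build context) is assumed; `gcr.io/distroless/static-debian12` is the published static image and its `:nonroot` tag runs the process as a non-root user.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. The toolchain image is large, but nothing from it
# except the compiled binary reaches the final image.
FROM golang:1.22 AS build
WORKDIR /src

# Assumed project layout: go.mod/go.sum at the root, main package in ./cmd/app.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# CGO_ENABLED=0 produces a statically linked binary, so the runtime image
# needs no libc. -trimpath and -s -w strip build paths and debug symbols.
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: runtime. The static distroless image contains CA certificates,
# tzdata and /etc/passwd, but no shell, no apt/yum and no package metadata.
# The :nonroot tag sets USER to the built-in nonroot account (uid 65532),
# so a compromised process does not start with root in the container.
FROM gcr.io/distroless/static-debian12:nonroot

# Copy only the artifact the application needs to run.
COPY --from=build /out/app /app

# Exec form is required: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/app"]
```

The immutability point shows up when you try to treat the result like a VM: `docker run --rm --entrypoint sh <image>` fails because no shell exists in the image, and there is no package manager with which to install one. Distroless publishes `:debug` variants that add a BusyBox shell for troubleshooting; use those only locally, not for the image you deploy. For a reproducible supply chain, pin both `FROM` lines to an image digest (`@sha256:...`) rather than a mutable tag.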