docker.md

Docker

• Best practices for writing Dockerfiles
• Using Kaniko for Container Builds on Kubernetes
• Control startup and shutdown order in Compose

Tools

• Harbor - cloud native registry
• Portus- authorization service and frontend for Docker registry
• kaniko - Build Images In Kubernetes
• Watchtower - process for automating Docker container base image updates
• 5 Docker Utilities You Should Know
• DockerSlim - Minify and Secure Docker containers
• Container Structure Tests - provide a powerful framework to validate the structure of a container image
• cosign - Container Signing, Verification and Storage in an OCI registry
• dive - tool for exploring container image layers' contents

Utilities to be used inside containers

• su-exec - switch user and group id, setgroups and exec

Development

• Registry token authentication specification
• Heroku Docker Registry Client
• Google Golang library for working with container registries
• genuinetools Docker registry v2 command line client

Courses

• Stephen Grider - Udemy - Docker casts

Pin Docker version

apt-get install docker-ce="18.06.0ce3-0~ubuntu"

Base images

• Distroless Docker Images

Security

• Vulnerability Static Analysis for Containers
• trivy - Simple and Comprehensive Vulnerability Scanner for Containers
• Banyan Collector - framework for static analysis of Docker images
• Docker Bench

Content trust

export DOCKER_CONTENT_TRUST=1

BuildKit Dockerfile syntax

export DOCKER_BUILDKIT=1

Go

Two stage build from alpine and scratch

# syntax=docker/dockerfile:1.3
ARG GO_VERSION=1.17.2

FROM golang:${GO_VERSION}-alpine AS builder

RUN --mount=type=cache,target=/var/cache/apk apk add -U ca-certificates tzdata upx

WORKDIR /app
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod go mod tidy

COPY . .
RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags='-s -w -extldflags "-static"' -o /app/app . && \
  upx /app/app

FROM scratch

COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
COPY --from=builder /app/app /usr/bin/app

USER 65534:65534

ENTRYPOINT ["app"]

Second stage from distroless

FROM gcr.io/distroless/static

COPY --from=builder /app/app /app

USER nonroot:nonroot

ENTRYPOINT ["/app"]

Use :debug tag which providers busybox sh.