Skip to content

Latest commit

 

History

History
42 lines (35 loc) · 1.7 KB

README.md

File metadata and controls

42 lines (35 loc) · 1.7 KB

ironpeakservices/iron-alpine

Hardened alpine linux baseimage for Docker.

Note: If you use Golang, build statically and use iron-scratch. If you are using Java/Python/NodeJS/dotnet, use a distroless image instead.

# you can pull a global version (3), a series version (3.13) or a specific version (3.13.2)
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3.13
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3.13.2

How is this different?

  • ca-certificates included
  • /app for everything app-related; /app/conf, /app/tmp, /app/data
  • no interactive shells for users
  • removed unneccessary accounts, only 'app' and 'root' users
  • removed crontabs
  • removed dangerous commands and utilities
  • strictened permissions on system files and directories
  • removed temporary shadow/passwd/group
  • removed suid/guid files
  • removed init scripts
  • removed kernel tunables
  • removed /root/
  • removed fstab
  • post-install.sh:
    • removes apk manager after installation
    • sets permissions on /app after installation

Example

docker pull ghcr.io/ironpeakservices/iron-alpine:1.0.0

See the nginx example.

Update policy

Updates to the official alpine docker image are automatically created as a pull request and trigger linting & a docker build. When those checks complete without errors, a merge into master will trigger a deploy with the same version to packages.

Additional

If you want, you can also enable vulnerability scanning during your build (for free). Take a look at https://github.com/aquasecurity/microscanner