Container Security
Reduce the Attack Surface of Your Container Images
Follow along as Chuck Losh, Solutions Architect, walks through a new way of thinking in how to construct distroless images from Google, using an example of a multi-stage Dockerfile method.
As a cloud security engineer, we should always be looking for ways to reduce our attack surface, and continue to add to speed of service. That is the DevSecOps way! Customers continue to embrace cloud services and cloud native application development at a rapidly increasing rate. People are draining their datacenters and deploying container based applications hosted on public cloud services. Recently, while working with a customer in architecting some solutions to help protect their container and application based workloads, I came across a new way of thinking in how to construct distroless images from Google. These images can be build in a couple ways. One way is with Bazel, or you can also use native Docker build tools and build with what is called a multi-stage DockerFile.
Here is an example of a multi-stage DockerFile method. This is a nodeJS based test from the official Google GitHub repo for distroless containers. https://github.com/GoogleContainerTools/distroless/tree/master/examples/nodejs
In testing, I went ahead and cloned the repo shown below in Microsoft Visual Studio Code from the Google repo.
Then, I proceeded to run the docker build command to do the multi-stage build. The multi-stage build uses a NodeJS distro based image and copies in the application code from the repo. After that is complete, the temporary build-env is copied into a lightweight distroless image from Google gcr.io/distroless/nodejs. You can see the build output below.
What I found that was interesting is the result of the reduction of the size of the distroless image. See below, after looking at my local docker images repository after building I was astonished! You can see that the build stage image is 903MB, and after copying the build environment into the Google tagged distroless image the reduction in size is down to 81.2MB. Wow! This is almost like taking off all the trial software packed on a new computer! All the distroless image contains is my application and associated nodeJS dependencies. All Linux shells, package managers, etc in the nodeJS image are stripped out and removed. Pretty amazing stuff!
Lastly, here is the running container.
When you run this on a container image scanner the distroless image comes back more clean with a reduced attack surface. I can see how this is now rapidly becoming accepted as a security best practice in how to to deploy your applications in container images. I hope you enjoyed this experiment! I invite you to try out other examples in the Distroless Google repo cited this this article. Clone away! If you are interested in scanning your resulting container images, I would invite you to check out our Trend Micro Cloud One Solutions. Namely, the Cloud One Container Image Security solution would be great to check out! Thank you!
References:
https://github.com/GoogleContainerTools/distroless
https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-container-image-security.html
https://docs.docker.com/develop/develop-images/multistage-build/
