This pull request includes a small improvement for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.
In detail:
I added --no-install-recommends to remove unnecessary apt packages, that were not needed for the container's functionality. Not only can this change trim your image size but it also can also reduce the attack surface.
4.3 Ensure that unnecessary packages are not installed in the containerDescription:
Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.
Rationale:
Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.
The differences between two builds are summarized in the below table:
Before improvement
After improvement
Newly intalled packages
16
15
Image size
450MB
450MB
Build time
104s
88s
Removed unnecessary packages after the improvement: libpng-tools.
I hope that you find them useful. Please let me know if you have any concerns.
Hi,
This pull request includes a small improvement for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.
In detail:
--no-install-recommends
to remove unnecessaryapt
packages, that were not needed for the container's functionality. Not only can this change trim your image size but it also can also reduce the attack surface.As quoted from CIS Docker Benchmark v1.5.0:
libpng-tools
.I hope that you find them useful. Please let me know if you have any concerns.
Thank you.