This pull request includes a small improvement for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.
In detail:
I added --no-install-recommends to remove unnecessary apt packages, that were not needed for the container's functionality. Not only can this change trim your image size but it also can also reduce the attack surface.
4.3 Ensure that unnecessary packages are not installed in the containerDescription:
Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.
Rationale:
Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.
I generated Dockerfiles from the new template file, and I selected one of them (enterprise/couchbase-server/6.0.5/Dockerfile) for testing the improvement impact on process.
The differences between two builds are summarized in the below table:
Before improvement
After improvement
Newly intalled packages
48
38
Image size
921MB
913MB
Build time
110s
97s
Removed unnecessary packages after the improvement:
Hi,
This pull request includes a small improvement for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.
In detail:
--no-install-recommends
to remove unnecessaryapt
packages, that were not needed for the container's functionality. Not only can this change trim your image size but it also can also reduce the attack surface.As quoted from CIS Docker Benchmark v1.5.0:
I generated Dockerfiles from the new template file, and I selected one of them (
enterprise/couchbase-server/6.0.5/Dockerfile
) for testing the improvement impact on process. The differences between two builds are summarized in the below table:I hope that you find them useful. Please let me know if you have any concerns.
Thank you.