varnish / docker-varnish

Official docker image
https://hub.docker.com/_/varnish

Chore: reduce attack surface and size for Docker image #63

Closed bqcuong closed 1 year ago

bqcuong commented 1 year ago

Hi,

This pull request includes a small improvement to the Dockerfile, which should help improve the security of the container and reduce the risk of potential attacks.

In detail:

As quoted from CIS Docker Benchmark v1.5.0:

> 4.3 Ensure that unnecessary packages are not installed in the container
>
> Description: Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.
>
> Rationale: Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.

The differences between the two builds are summarized in the table below:

| | Before improvement | After improvement |
|---|---|---|
| Newly installed packages | 433 | 236 |
| Image size | 263MB | 251MB |
| Build time | 138s | 119s |

I hope that you find them useful. Please let me know if you have any concerns.

Thank you.

gquintard commented 1 year ago

I was expecting that one :-D Thanks for your work.

Can you update all the Dockerfile.tmpl files, and run ./populate.sh dockerfiles before committing? As it is, we'll lose your changes the next time somebody updates something.

bqcuong commented 1 year ago

I updated all the Dockerfile templates and ran the populate script.

Should we merge?

gquintard commented 1 year ago

looks good, thanks!