Minimal / Distroless images
Minimal images (also called Distroless images) are container images stripped of the components an application does not need at runtime: package managers, shells, and even the underlying OS distribution.
Docker Hardened Images (DHI) adopt this minimal approach to cut the number of vulnerabilities shipped in the image and to enable secure software delivery.
Docker Official Images and Docker Verified Publisher Images likewise follow best practices for minimization and security.
However, to stay compatible with a broader range of use cases, they are not always stripped down as thoroughly as DHI.
What are minimal / Distroless images?
Traditional container images often ship a full OS, with far more in it than the application needs in order to run. In contrast, minimal / Distroless images contain only:
- the application binary
- the runtime dependencies it needs (for example libc, Java, or Python)
- explicitly required configuration and metadata
They usually exclude:
- OS tools (for example `ls`, `ps`, `cat`)
- shells (for example `sh`, `bash`)
- package managers (for example `apt`, `apk`)
- debugging utilities (for example `curl`, `wget`, `strace`)
The absence of a shell is what removes most of an attacker's living-off-the-land options after a compromise; it also means `docker exec -it <container> sh` fails, which is the trade-off addressed below.
Docker Hardened Images are designed on this model and provide a smaller, more secure runtime environment.
Benefits
Benefit | Description |
---|---|
Reduced attack surface | Fewer components mean fewer vulnerabilities and minimal exposure to CVEs. |
Faster startup | Smaller images pull and start faster. |
Improved security | With no shell or package manager, an attacker who compromises the container has far fewer tools to work with. |
Better compliance | SBOMs and attestations make auditing and verification easier. |
Addressing common trade-offs
Minimal / Distroless images bring strong security benefits, but they can also change how you work with containers.
Docker Hardened Images are designed to strengthen security while preserving productivity.
Challenge | How Docker Hardened Images help |
---|---|
Debuggability | Hardened images contain no shell or CLI tools by default. Use Docker Debug (`docker debug <container>`) to attach a temporary debugging sidecar, so you can troubleshoot without modifying the original container. |
Familiar environment | DHI supports multiple base images such as Alpine and Debian, so you can work in a familiar environment while still benefiting from hardening. |
Flexibility | Runtime immutability strengthens container security. Manage changes through multi-stage builds and CI/CD, and use a developer-oriented base image during development when you need one. |
By balancing minimalism with practical tooling, Docker Hardened Images support modern development workflows without compromising security or reliability.
Best practices for using minimal images
- Use multi-stage builds to separate the build-time environment from the runtime environment
- Validate image behavior through a CI pipeline rather than by interactive inspection
- Declare runtime dependencies explicitly in the Dockerfile
- Use Docker Scout to keep monitoring CVEs continuously, even for minimal images
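The Dockerfile below is an added example, not code from the original page or from the Docker Hardened Images project. It puts the build-time / runtime separation and the explicitly declared runtime dependencies from the list above into practice for the image layout described earlier: a runtime stage holding only the application binary and what it needs, with no shell, package manager or OS tools. The `golang` and `gcr.io/distroless` image references, the `./cmd/app` package path, the `config/app.yaml` file and the `-healthcheck` flag are assumptions; the distroless base stands in for whichever DHI runtime image you actually use.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: build ----------------------------------------------------
# The Go toolchain, the apk package manager and a shell exist only here.
# Nothing from this stage reaches the runtime image unless copied explicitly.
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a statically linked binary with no libc dependency,
# so the runtime image does not need any shared libraries at all.
# -trimpath and -s -w strip build paths and debug symbols from the binary.
# ./cmd/app is an assumed package path.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/app ./cmd/app

# ---- Stage 2: runtime --------------------------------------------------
# Distroless base (assumed here; substitute your DHI runtime image):
# no shell, no package manager, no ls/ps/cat. It ships only CA roots,
# tzdata and a non-root user, which is all a static Go service needs.
FROM gcr.io/distroless/static-debian12:nonroot

# Every runtime dependency is declared here rather than discovered later.
# config/app.yaml is an assumed example of "explicitly required configuration".
COPY --from=build /src/config/app.yaml /etc/app/app.yaml
COPY --from=build /out/app /app

# Run as the non-root user the base image provides (uid 65532).
USER nonroot:nonroot
EXPOSE 8080

# Exec (JSON) form is mandatory: there is no /bin/sh to interpret the
# shell form "ENTRYPOINT /app", and the same applies to HEALTHCHECK.
# -healthcheck is an assumed flag implemented by the application itself.
HEALTHCHECK --interval=30s --timeout=3s CMD ["/app", "-healthcheck"]
ENTRYPOINT ["/app"]
```

Build it with `docker build -t app .` and confirm the result really has no shell: `docker run --rm --entrypoint sh app` fails because there is no `sh` to execute. Scan it with `docker scout cves app` as part of CI, and when you need to look inside a running container use `docker debug <container>` instead of baking debugging tools into the image.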
Adopting minimal / Distroless images through Docker Hardened Images gives you a more secure, predictable, production-ready container environment.
This rests on a design that prioritizes automation, clarity, and risk reduction.