Monday, 9 November 2015

Packer, Vagrant, CentOS, VirtualBox, Docker and so on

At work we're using Docker to easily package our applications into predictable, repeatable bunches, the recipes for which can also easily be pushed into Git, complete with diffs, code reviews, pull requests etc. This is pretty cool and Docker is pretty cool.

Looking deeper into how Docker works I noticed this post called Docker image insecurity. I don't know if the situation is still the same as described there, but it was (and maybe is) pretty bad. However, it seems that in a big company setting, one would not want to rely on public Docker images anyway; creating your own private Docker registry, containing only images properly vetted and verified by your company's security team along with each of their dockerfiles, should still be alright.

Out of interest I put on my techops hat (for the first time in a long time) and started looking at how one might arrive at such a secure Docker image, starting from scratch. As it happens I didn't quite get to the Docker part. Rather, I figured out how to use Packer to download and verify a Linux ISO image, which can then be automatically installed into a virtual machine and used as a base image. This answers a different but potentially related question: given such a known-good complete VM image, smaller Docker images could then be partitioned off on a "list of files" basis, for example using one of the many Docker image creation scripts, or just rolling your own. This would enable the entire chain of software to be specified in the config files stored in your internal repository, easily verified by your security team and easily improved and tweaked by developers and techops.
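The Packer part of that chain, as an added example that is not code from the original post: a Packer template for the VirtualBox builder that downloads a CentOS 7 ISO, verifies it against a SHA-256 digest pinned in the template, kickstarts an unattended install, and packages the result as a Vagrant box. The ISO URL, the digest and the build-time password are placeholders to be replaced (the digest should be copied from the vendor's GPG-signed CHECKSUM file after checking that signature), and the template assumes a kickstart file at `http/ks.cfg` next to it, which Packer serves to the installer over its built-in HTTP server. Builder names and keys here are the ones Packer's `virtualbox-iso` builder accepted in 2015; the values are assumptions.

```json
{
  "variables": {
    "iso_url": "https://mirror.example.invalid/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal.iso",
    "iso_checksum": "REPLACE_WITH_SHA256_FROM_VENDOR_SIGNED_CHECKSUM_FILE",
    "ssh_password": "REPLACE_WITH_BUILD_ONLY_PASSWORD"
  },
  "builders": [
    {
      "type": "virtualbox-iso",
      "vm_name": "centos-7-base",
      "guest_os_type": "RedHat_64",
      "iso_url": "{{user `iso_url`}}",
      "iso_checksum_type": "sha256",
      "iso_checksum": "{{user `iso_checksum`}}",
      "disk_size": 8192,
      "headless": true,
      "http_directory": "http",
      "boot_wait": "10s",
      "boot_command": [
        "<tab> text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg<enter><wait>"
      ],
      "ssh_username": "vagrant",
      "ssh_password": "{{user `ssh_password`}}",
      "ssh_wait_timeout": "30m",
      "shutdown_command": "echo '{{user `ssh_password`}}' | sudo -S /sbin/shutdown -h now",
      "vboxmanage": [
        ["modifyvm", "{{.Name}}", "--memory", "1024"],
        ["modifyvm", "{{.Name}}", "--cpus", "1"]
      ]
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sudo yum -y update",
        "sudo yum clean all"
      ]
    }
  ],
  "post-processors": [
    {
      "type": "vagrant",
      "output": "centos-7-base-{{.Provider}}.box"
    }
  ]
}
```

The security-relevant line is `iso_checksum`: because the digest lives in the template under version control rather than being fetched from the same mirror as the ISO, a build fails loudly if the download does not match what the security team reviewed, and changing the pinned value shows up as a diff in the pull request. Setting `"iso_checksum_type": "none"` is the weak form of the same setting, as it tells Packer to skip verification entirely, so it is worth rejecting in review. The kickstart file and the provisioner scripts are the rest of the auditable recipe; once the box exists, a tarball of a chosen subset of its filesystem can be turned into a base image with `docker import`, which is the "list of files" partitioning described above.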

I think the main reason to use tools like Packer and Docker is that they enable easy automation of otherwise tedious and error-prone installation and creation of base systems, and that they also make this process easy enough to verify and secure, given proper support for checksums etc. (which hopefully exists in Docker by now). This should make all our lives easier.
