catalog.redhat.com Open in urlscan Pro
2a02:26f0:480:d::210:f146  Public Scan

Submitted URL: https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8-minimal/images/8.6-854
Effective URL: https://catalog.redhat.com/
Submission: On March 25 via api from GB — Scanned from GB

Form analysis 1 forms found in the DOM

<form class="pf-c-form" style="margin-top:16px" id="ecoFeedbackForm"><input type="hidden" name="form_build_id" value="form-Se0bIPh-L26lbPDwUP218Z2oRfKjEYbIRvKBM4Eo1R8"> <input type="hidden" name="form_token"
    value="w3-skVyKDZSGJUXAawp-QF6jqc-WeSZqCxXqWnqMaBg"> <input type="hidden" name="form_id" value="rhec_feedback_entityform_edit_form">
  <div style="display:flex" class="mobile-stack">
    <div class="pf-c-form__group" style="flex:1;padding-right:16px"><label class="pf-c-form__label" for="field_eco_company[und][0][value]"><span class="pf-c-form__label-text">Your company/organization</span></label>
      <div class="pf-c-form__horizontal-group"><input class="pf-c-form-control" id="company" name="field_eco_company[und][0][value]"></div>
    </div>
    <div class="pf-c-form__group" style="flex:1"><label class="pf-c-form__label" for="field_eco_role[und][0][value]"><span class="pf-c-form__label-text">Your role</span></label>
      <div class="pf-c-form__horizontal-group"><select class="pf-c-form-control" style="padding-left:8px" id="role" name="field_eco_role[und][0][value]">
          <option value="">Select your role</option>
          <option value="Architect">Architect</option>
          <option value="Developer">Developer</option>
          <option value="DevOps Engineer">DevOps Engineer</option>
          <option value="Product Manager">Product Manager</option>
          <option value="Systems Administrator">Systems Administrator</option>
          <option value="Other">Other</option>
        </select></div>
    </div>
  </div>
  <div class="pf-c-form__group"><label class="pf-c-form__label" for="field_eco_what_is_working_well[und][0][value]"><span class="pf-c-form__label-text">What is working well?</span></label>
    <div class="pf-c-form__horizontal-group"><textarea class="pf-c-form-control" type="text" id="workingWell" name="field_eco_what_is_working_well[und][0][value]" aria-label="textarea example"></textarea></div>
  </div>
  <div class="pf-c-form__group"><label class="pf-c-form__label" for="field_eco_how_can_we_improve[und][0][value]"><span class="pf-c-form__label-text">How can we continue to improve?</span></label>
    <div class="pf-c-form__horizontal-group"><textarea class="pf-c-form-control" type="text" id="toImprove" name="field_eco_how_can_we_improve[und][0][value]" aria-label="textarea example"></textarea></div>
  </div>
  <div class="pf-c-form__group"><label class="pf-c-form__label" for="field_eco_email[und][0][value]"><span class="pf-c-form__label-text">Email address (optional)</span></label>
    <div class="pf-c-form__horizontal-group pf-c-form__horizontal-group--email"><input class="pf-c-form-control" type="email" id="email" name="field_eco_email[und][0][value]">
      <p>We may follow up with you if we need more information to act on your feedback.</p>
    </div>
  </div>
  <div class="pf-c-form__group hidden"><label class="pf-c-form__label" for="field_eco_describe_your_issue[und][0][value]"><span class="pf-c-form__label-text">Describe your issue (optional)</span></label>
    <div class="pf-c-form__horizontal-group"><textarea class="pf-c-form-control" type="text" id="toDescribeIssue" name="field_eco_describe_your_issue[und][0][value]" aria-label="textarea example"></textarea></div>
  </div>
  <div class="pf-c-form__group">
    <div class="pf-c-form__actions">
      <div class="cover-spinner__container"><pfe-progress-indicator indeterminate="" size="md" pfelement="" class="PFElement" on="light"></pfe-progress-indicator></div><button class="pf-c-button pf-m-primary" id="ecoFeedbackFormSubmitBtn"
        disabled="true">Submit</button> <button class="pf-c-button pf-m-secondary" type="button" id="modalClose">Cancel</button>
    </div>
  </div>
</form>

Text Content

Skip to navigation Skip to contentYou need to enable JavaScript to run this app.
 * Platforms & industries
   
   
   RED HAT ENTERPRISE LINUX
   
    * Certified software
    * Certified hardware
    * Cloud & service providers
   
   
   RED HAT OPENSHIFT
   
    * Certified software
    * Cloud & service providers
   
   
   RED HAT OPENSTACK
   
    * Certified software
    * Certified hardware
    * Cloud & service providers
   
   
   INDUSTRIES AND SEGMENTS
   
    * Telecommunications

 * Hardware
   
   
   BY CATEGORY
   
    * Servers
    * Edge systems
    * Workstations
    * Components
   
   
   FEATURED LISTS
   
    * Red Hat Enterprise Linux 8 certified servers
    * Red Hat OpenStack 16 certified servers
    * Red Hat Virtualization 4 certified servers
   
   Explore certified hardware
 * Software
   
   
   BY CATEGORY
   
    * OpenShift operators
    * Helm charts
    * Containerized applications
    * OpenStack infrastructure
    * Standalone applications
    * Container images
    * Vulnerability scanners
   
   
   FEATURED LISTS
   
    * OpenShift operators for Red Hat OpenShift 4
    * Standalone applications for Red Hat Enterprise Linux 9
    * CNF certified for Red Hat OpenShift
    * VNF certified for Red Hat OpenStack
   
   
   BASE IMAGES
   
    * About base images
    * Red Hat Universal Base Image 9
    * Red Hat Universal Base Image 8
    * Red Hat Universal Base Image 7
   
   Explore certified softwareManage container registry service accounts
 * Cloud & service providers
   
   
   BY CONSUMPTION TYPE
   
    * Upload an image
    * On demand
   
   
   FEATURED LISTS
   
    * Certified for Red Hat Enterprise Linux 9
   
   
   LEARN MORE
   
    * Red Hat Cloud Access
   
   Explore certified cloud

Help

Resources


RESOURCES

 * Blog
 * Partner podcast


MORE TO EXPLORE

 * All blogs
 * Events and webinars
 * Training and certification
 * Newsroom
 * Resource library
 * Customer success stories

All Red Hat
Back to menu

 * You are here
   
   
   
   
   RED HAT
   
   Learn about our open source products, services, and company.

 * You are here
   
   
   
   
   RED HAT CUSTOMER PORTAL
   
   Get product support and knowledge from the open source experts.

 * You are here
   
   
   
   
   RED HAT DEVELOPER
   
   Read developer tutorials and download Red Hat software for cloud application
   development.

 * You are here
   
   
   
   
   RED HAT PARTNER CONNECT
   
   Become a Red Hat partner and get support in building customer solutions.

--------------------------------------------------------------------------------


 * PRODUCTS
   
   
   * ANSIBLE.COM
     
     Learn about and try our IT automation product.


 * TRY, BUY, SELL
   
   
   * RED HAT HYBRID CLOUD
     
     Access technical how-tos, tutorials, and learning paths focused on Red
     Hat’s hybrid cloud managed services.
   
   
   * RED HAT STORE
     
     Buy select Red Hat products and services online.
   
   
   * RED HAT MARKETPLACE
     
     Try, buy, sell, and manage certified enterprise software for
     container-based environments.


 * COMMUNITY & OPEN SOURCE
   
   
   * THE ENTERPRISERS PROJECT
     
     Read analysis and advice articles written by CIOs, for CIOs.
   
   
   * OPENSOURCE.COM
     
     Read articles on a range of topics about open source.


 *  
   
   
   * RED HAT SUMMIT
     
     Register for and learn about our annual open source IT industry event.
   
   
   * RED HAT ECOSYSTEM CATALOG
     
     Find hardware, software, and cloud providers―and download container
     images―certified to perform with Red Hat technologies.


TESTED. CERTIFIED. SUPPORTED.

Build on Red Hat platforms and technologies with certified, enterprise-grade
products you need to achieve your business outcomes. We make it easy for you to
explore and find certified products from our large and robust ecosystem of
enterprise hardware, software, and cloud and service providers.


BROWSE BY PLATFORM

The leading enterprise Linux operating system, certified on hundreds of clouds
and with thousands of vendors.

Explore

Red Hat® OpenShift® is an enterprise-ready Kubernetes container platform with
full-stack automated operations to manage hybrid cloud, multicloud, and edge
deployments.

Explore

Red Hat® OpenStack® Platform virtualizes resources from industry-standard
hardware, organizes those resources into clouds, and manages them so users can
access what they need—when they need it.

Explore

Red Hat® Ansible® Automation Platform is a foundation for building and operating
automation across an organization.

Explore


STABLE ANYWHERE. AVAILABLE EVERYWHERE.

Red Hat Enterprise Linux 9 has arrived. Browse the latest products certified for
Red Hat Enterprise Linux 9. Learn more

Certified hardwareCertified softwareCertified cloud


BROWSE BY CATEGORY


CERTIFIED HARDWARE

Bare metal, appliances, and other hardware from Red Hat partners is certified
and supported for Red Hat technologies.

Explore


CERTIFIED SOFTWARE

OpenShift operators, containerized applications, and traditional software
certified to run on Red Hat platforms.

Explore


CERTIFIED CLOUD AND SERVICE PROVIDERS

Run your applications on Red Hat platforms and technologies in supported clouds
and cloud service providers.

Explore


RED HAT BLOGS


10 TIPS FOR WRITING SECURE, MAINTAINABLE DOCKERFILES

By Anthony Gimei|Published Thu, 23 Mar 2023 07:00:00 +0000



This article provides tips and best practices for creating secure Dockerfiles
that are highly maintainable. Like code, Dockerfiles change over time and,
therefore, should be written in such a way that makes them easy to update in the
future. It is also important that the images that they create are secure and do
not contain unnecessary vulnerabilities that increase the attack surface for
your application. The image produced should be as small as possible because the
image(s) must be stored remotely and transported in the network. Also, they must
not be blotted. Finally, the Dockerfile, like any well-written code, should be
easy to understand and use.


10 TIPS AND BEST PRACTICES FOR DOCKERFILES

The following list describes tips and best practices for creating secure
Dockerfiles that are highly maintainable.


1. USE THE CURRENT RELEASE BASE UPSTREAM IMAGE

Always use the most current release base upstream image to provide security. Red
Hat recommends:

 * Use the latest release of a base image. This release should contain the
   latest security patches available when the base image is built. When a new
   release of the base image is available, rebuild the application image to
   incorporate the base image's latest release because that release contains the
   latest fixes.
 * Conduct vulnerability scanning. Scan a base or application image to confirm
   that it doesn't contain any known security vulnerabilities.


2. USE A SPECIFIC IMAGE TAG OR VERSION

Use a specific tag or version for your image, not "latest". This gives your
image traceability. When troubleshooting the running container, the exact image
will be obvious.

Examples:

 * Do this:  nginx:1.23.1
 * Don't do this:  nginx:latest


3. RUN IMAGES AS USER

For security purposes, always ensure that your images run as non-root by
defining USER in your Dockerfile. Additionally, set the permissions for the
files and directories to the user. Because the Docker daemon runs as root, the
Docker images run as root by default. This means if a process in the container
goes rogue or gets hijacked and accesses the host, it will run with root access.
This is certainly not secure.

However, Podman is daemonless and rootless by design and, therefore, more
secure.

The following is an example.

 * Add USER to your Dockerfile.
 * Skipped configurations are indicated by:  ...

...

USER 1001

RUN chown -R 1001:0 /some/directory

chmod -R g=u /some/directory

...




4. CHOOSE BASE IMAGES WITHOUT THE FULL OS

Always choose the smallest base images that do not contain the complete or
full-blown OS with system utilities installed. You can install the specific
tools and utilities needed for your application in the Dockerfile build. This
will reduce possible vulnerabilities and the attack surface of your image.


5. USE MULTI-STAGE DOCKERFILES

Build images using multi-stage Dockerfiles to keep the image small. For example,
for a Java application running in Open Liberty, use one stage to do the compile
and build, and another stage to copy the binary artifact(s) and dependencies
into the image, discarding all nonessential artifacts. Another example is, for
an Angular application, run the npm install and build in one stage and copy the
built artifacts in the next stage.

 * Example: Open Liberty Java application

FROM registry.access.redhat.com/ubi8/openjdk-8:latest as builder

USER 0

WORKDIR /tmp/app

COPY src/ src/

COPY pom.xml pom.xml

RUN mvn clean package

...

FROM quay.io/ohthree/open-liberty:22.0.0.4

...

COPY --from=builder /tmp/app/src/main/liberty/config/server.xml /config/

COPY --from=builder /tmp/app/target/*.war /config/apps/

RUN \

    chown -R 1001:0 /config && \

    chmod -R g=u /config


# Run as non-root user

USER 1001

EXPOSE 9081




6. USE DOCKER IGNORE FILE

Use a .dockerignore file to ignore files that do not need to be added to the
image.


7. SCAN FOR VULNERABILITIES

Scan your images for known vulnerabilities.

 * Podman integrates with multiple open-source scanning tools. For example, you
   can use Synk or Trivy.
 * Docker integrates with its own plugin local machine. Install the plugin, then
   run the following command: 

$ docker scan myappimage:1.0


8. AUTOMATE SCANS

Automated scanning tools should also be implemented in the CI pipeline and on
the enterprise registry. We also recommend deploying runtime scanning on
applications in case a vulnerability is uncovered in the future.


9. ORGANIZE YOUR DOCKER COMMANDS

Organize your Docker commands, especially the COPY command, in such a way that
the files that change most frequently are at the bottom. This will speed up the
build process. The reason for this is to take advantage of the Docker build
process and speed up future builds.

Each Docker build command creates a layer that is cached to be reused in the
next build, designed to speed up subsequent builds. The caveat is that, in the
subsequent build, if a command encounters a change, all commands after that will
run and recreate new layers and cached, replacing the old ones even if they did
not contain any changes. Having the most volatile COPY statements later in the
Dockerfile maximize build caching.


10. CONCATENATE RUN COMMANDS

Concatenate RUN commands to make your Dockerfile more readable and create fewer
layers. Fewer layers mean a smaller container image. As mentioned previously,
each RUN statement in the Dockerfile creates a layer that gets cached.
Concatenating reduces the number of layers.

The following are examples of what to do and not to do.

 * Don't do this:

...

RUN yum --disablerepo=* --enablerepo=”rhel-7-server-rpms”

RUN yum update

RUN yum install -yl httpd

...

 * Do this instead:

...

RUN yum --disablerepo=* --enablerepo=”rhel-7-server-rpms” && yum update && yum install -yl httpd

...

 * Even better, do this for readability:

...

RUN yum --disablerepo=* --enablerepo=”rhel-7-server-rpms” && \

    yum update && \

    yum install -yl httpd

...


FIND MORE RESOURCES

We hope that these tips will help you build more secure Dockerfiles. Visit
the Docker website for more information. See what we are doing on the Red Hat
Developers Site. You can learn more about containerizing applications at Red Hat
DO 180 training. If you have a question, feel free to comment below. We welcome
your feedback.

The post 10 tips for writing secure, maintainable Dockerfiles appeared first on
Red Hat Developer.







Read the articleView more blog posts



RED HAT MARKETPLACE

Red Hat® Marketplace is a single source to try, buy, and manage certified
operators for Red Hat OpenShift®. It offers responsive support, streamlined
billing and contracting, simplified governance, and a single dashboard across
clouds.

Explore Red Hat Marketplace



WHY CHOOSE RED HAT CERTIFIED SOLUTIONS?

Built and tested to exacting standards. Ready to deploy in your environment with
confidence.

Detailed interoperability, compatibility, and security details to choose the
right solutions for your business needs.

Fully supported by the provider while maintaining your relationship with Red
Hat’s global support services.


PARTNER WITH RED HAT

We provide a variety of partner resources to assist you through the
certification process to deliver the best possible experience to our mutual
customers. Join the Red Hat Certified Ecosystem and showcase your product to
millions of potential clients, customers, sellers, and developers.

Learn more about how Red Hat Partner Connect can help you succeed
Timestamp: Wed Mar 22 16:09:50 UTC 2023SHA: headVersion: 1.193
LinkedInYouTubeFacebookTwitter


PLATFORMS

 * Red Hat Enterprise Linux
 * Red Hat OpenShift
 * Red Hat OpenStack Platform


PRODUCTS & SERVICES

 * Certified hardware
 * Certified software
 * Certified cloud & service providers


TRY, BUY, SELL

 * Product trial center
 * Red Hat Store
 * Red Hat Marketplace
 * Partner with us
 * Contact sales
 * Contact training
 * Contact consulting


HELP

 * My account
 * Customer support
 * Partner resources
 * Developer resources
 * Training and certification
 * Learning community
 * Catalog documentation
 * Resource library


ABOUT RED HAT ECOSYSTEM CATALOG

The Red Hat Ecosystem Catalog is the official source for discovering and
learning more about the Red Hat Ecosystem of both Red Hat and certified
third-party products and services.

We’re the world’s leading provider of enterprise open source solutions—including
Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make
it easier for enterprises to work across platforms and environments, from the
core datacenter to the network edge.


RED HAT LEGAL AND PRIVACY LINKS

 * About Red Hat
 * Jobs
 * Events
 * Locations
 * Contact Red Hat
 * Red Hat Blog
 * Diversity, equity, and inclusion
 * Cool Stuff Store
 * Red Hat Summit


RED HAT LEGAL AND PRIVACY LINKS

 * Privacy statement
 * Terms of use
 * All policies and guidelines
 * Digital accessibility



SUCCESS ALERT: THANK YOU FOR YOUR FEEDBACK!

Have feedback?


YOUR FEEDBACK IS IMPORTANT TO US

Your company/organization

Your role
Select your roleArchitectDeveloperDevOps EngineerProduct ManagerSystems
AdministratorOther
What is working well?

How can we continue to improve?

Email address (optional)

We may follow up with you if we need more information to act on your feedback.

Describe your issue (optional)


Submit Cancel