hadolint VS podman

Dockerfile should be checked during development by automated scanners (Kics, Hadolint, Conftest)

Linters are an effective way to catch (security) bugs early on in your development process. For most programming languages using linters is pretty standard. Hadolint is a linter for your Dockerfiles and is found on github here.

Best practices for writing Dockerfiles are being followed more and more often according to this paper after mining more than 10 million Dockerfiles on Docker Hub and GitHub. However, there is still room for improvement. This is where linters come in as useful tools for static code analysis. Hadolint lists lots of rules for Dockerfiles and is available as a VS Code extension.

Hadolint

Switching to the root USER opens up certain security risks if an attacker gets access to the container. In order to mitigate this, switch back to a non privileged user after running the commands you need as root. – Hadolint rule DL3002

Hadolint for more SAST like : https://github.com/hadolint/hadolint

Hadolint is another. It's built atop shellcheck.

https://github.com/hadolint/hadolint

I use Hadolint[1] as a CI job to check if my Dockerfiles follow the good "rules". But there is one rule that annoys me the most and which is also present in this article, is the pinned OS package version rule[2]. While I understand its interest, I struggle to handle this problem.

When I build new images and it failed because the pinned version is not available anymore, I have to dig into Debian or Ubuntu packages websites to find the new ones as they don't keep the old packages online.

I know I could ask Hadolint to ignore this rule but I don't like this and I think it's important to stick to a certain version of a package to avoid problems. I'm just trying to find any tip that could make me use pinned version and avoid this search every time. Does apt-get install allows wildcard for example?

1: https://github.com/hadolint/hadolint

2: https://github.com/hadolint/hadolint/wiki/DL3008

Another useful resource is hadolint (https://github.com/hadolint/hadolint), which not only gives additional recommendations, but also a way to enforce this.

RUN curl -sSL "https://github.com/hadolint/hadolint/releases/download/$HADO..." -o /usr/bin/hadolint

For containers, there's a Podman guide on the new openSUSE documentation site as well as a getting started guide, documentation and talks on the official Podman site https://podman.io/

As a convenience, this guide uses podman as a replacement for the Docker CLI. Podman has the distinct advantage of being a daemonless container engine that can run without requiring root privilege escalation. It is still possible to use the Docker CLI with this guide by replacing the Podman command "podman" with "docker".

JFYI, with podman [0] you can get all the security benefits mentioned in the article with containers.

This is pretty neat and I love how cleanly the application code reads. I’m curious: is the Erlang VM super fast? I would have expected VM startup time to dominate the overall time to start.

[0]: https://podman.io/

I had however already some experience with docker beforehand. So knowing Docker and docker-compose was a big help. I would recommend learning about containerization anyway. So if you do not know anything about containerization then I suggest to start with that. Today there is aside from Docker itself there are also other tools that work similarly like podman and buildah that do not require root privileges. I would personally recommend podman as it is compatible with docker in most ways.

Now, 9 months later, when containers work - they're great. When they don't work - yes, they are hideous undebuggable black boxes! destroy the container and let cephadm make a new one and hope that the problem isn't in cephadm making the containers themselves... we did have to switch from RUNC container runtime to the CRUN after the 16.2.6 update because yeah, every time a container was launched it would crash immediately.