Creating disposable containers

It is undeniable that containers have had a big impact on today’s software engineering. From infrastructure to deployments and development, containers introduced many benefits and challenges along the way. Some of the challenges we found at passbolt revolve around how to harden the containers and how to make them smaller.

Nowadays docker images look more like small virtual machines than like a single encapsulated process running in a container. This is usually convenient for the vast majority of vendors. However, reducing the size of passbolt container images would:

  • Reduce the disk usage.
  • Improve build times on CI.
  • Minimize network usage when pulling and pushing images.
  • Decrease the attack surface (by reducing the number of services).
  • Simplify the patching process (by reducing the number of dependencies).
  • Enhance signal to noise ratio when running vulnerability scanners (as false positives will be less likely).
  • Help establish the provenance of what is installed in your container, limiting it to just what you need.

Most GNU/linux distributions publish so-called ‘-slim’ images, which are already a good approach to reducing the dependencies your image ships. The alpine container images go in the same direction. However, alpine didn’t work well for us in the past, so we were looking for something else to run a very small production workload.

Enter minimal “distroless” images

The distroless project, initially started by Google, provides a way to build docker images using a software build tool called bazel.

{Fast, Correct} — Choose two

As per the distroless project’s readme:

“Distroless” images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

The framework that the distroless project proposes had some benefits for us:

  • It is based on debian packages.
  • We can continue using the nginx / php-fpm stack, which we know well.
  • As it is based on debian packages, we still rely on a solid project that will keep patching the dependencies passbolt requires.
  • We can take advantage of our recently published debian package.
  • As it forces you to pin debian snapshots, builds are deterministic.

It had some drawbacks:

  • We had to build what they call “lang image” as there was no php-fpm distroless image. A pull request is pending approval.
  • We introduce a new tool to learn, and a new dependency, with bazel.

The concept behind distroless images is that a deb file is nothing more than a compressed archive containing some files and a directory structure.

Think of an empty file system into which you untar your debs. We are setting up a container that runs just one process, so we only need to untar into that container as many dependencies as that process needs to run without errors. As long as your process finds all its libraries in the expected locations, you are good to go.

So first we needed to create a base php-fpm distroless image, or what they call a “lang image”. In our case the php-fpm image contained the minimum plus what we thought were popular extensions:

  • php-cli or php-fpm binary as entrypoint
  • PHP extensions: php-json, php-mysql, php-common (a package that contains a bunch of common extensions) and some more. The list is here

  • Configuration files:

    — A /etc/passwd file with an entry for www-data

    — A www.conf pool to set up some parameters of the php-fpm process

That’s it! Do not expect to find anything else such as bash or any other shell or common linux utilities.
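
The untar-into-an-empty-filesystem idea described above, as an added example (not code from the passbolt distroless project): a small Python script that parses the outer ar container of a .deb, unpacks its data.tar.* into a rootfs directory while refusing members that would land outside that directory, and builds a constructed sample .deb carrying the /etc/passwd entry and www.conf pool a php-fpm lang image needs. The sample package, its file names and the www.conf contents are assumptions for illustration, not the project's actual packages.

```python
import io, os, tarfile

def _ar_members(blob):
    """Yield (name, payload) per member of an 'ar' archive, the outer .deb container."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                  # fixed 60-byte member header
        name = hdr[:16].decode().rstrip(" /")     # GNU ar stores "name/" padded with spaces
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)             # members start on even offsets

def extract_deb(deb_bytes, rootfs):
    """Untar the data.tar.* of a .deb into rootfs, refusing members that would escape it."""
    members = dict(_ar_members(deb_bytes))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported deb format")
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    root, names = os.path.realpath(rootfs), []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            dest = os.path.realpath(os.path.join(root, os.path.normpath(m.name)))
            targets = [dest]
            if m.issym() or m.islnk():            # link targets must also stay inside rootfs
                base = root if (m.islnk() or m.linkname.startswith("/")) else os.path.dirname(dest)
                targets.append(os.path.realpath(os.path.join(base, m.linkname.lstrip("/"))))
            if m.isdev() or any(os.path.commonpath([root, t]) != root for t in targets):
                raise ValueError(f"refusing unsafe member: {m.name}")
            tar.extract(m, root)
            names.append(os.path.normpath(m.name))   # paths relative to rootfs
    return names

def _ar_member(name, payload):
    hdr = f"{name + '/':<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(payload):<10}`\n"  # 60 bytes
    return hdr.encode() + payload + (b"\n" if len(payload) % 2 else b"")  # pad to even length

def build_sample_deb(extra=None):
    """Constructed sample .deb (not a real package): the two config files a php-fpm lang image needs."""
    entries = [("./etc/passwd", b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
               ("./etc/php/7.3/fpm/pool.d/www.conf", b"[www]\nuser = www-data\nlisten = 9000\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries + ([extra] if extra else []):   # 'extra' lets tests add one file
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", b"") + _ar_member("data.tar.gz", buf.getvalue()))
```

Running `extract_deb(build_sample_deb(), "rootfs")` leaves only the two config files under `rootfs/`, which is exactly the kind of minimal tree a distroless lang image is assembled from.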

Then we used this php-fpm image to build our passbolt-fpm images on top of it. During the process we thought that just a distroless FPM version of passbolt would be enough. However, we realized soon enough that users would need some extra container images for admin tasks such as running migrations, creating users and other command line utilities.

The passbolt-fpm and passbolt-cli container images are very similar, differing in just a few packages:

  • Gnupg
  • Extra php-extensions: php-gnupg, php-intl, php-redis
  • Bash (only for passbolt-cli image)

Image sizes

Comparing the sizes, the reduction is quite big:

On the above chart we have used:

  • passbolt/passbolt current docker image based on php:7.3.21-fpm image
  • passbolt_debian_buster local image created based on debian:buster-slim image
  • bazel/experimental/passbolt-fpm distroless image

Vulnerability scan

For the tests we used aquasec’s trivy and we obtained the following results:

Vulnerability scanning is usually a very noisy step: assessing whether a library bundled in your container actually poses a risk is time consuming. Reducing the number of findings makes it easier for teams to assess whether an image can be promoted to production environments.

Hands on test

If all the above sounds nice to you we have published the code to build all the distroless images:

  • php-fpm distroless
  • passbolt-fpm distroless
  • passbolt-cli distroless

We also have published a docker “labs” repo where you can find all the docker images already built:

  • Passbolt labs docker repo

And we also branched off our official passbolt-docker repo with a docker-compose.yml you can use to launch the whole stack of distroless passbolt images:

  • Docker-compose for distroless

This way you will be able to launch the whole passbolt stack using docker-compose. Keep in mind there are some caveats described on the readme.

Future work

We are aware there are other solutions to make php images smaller and we hope to publish more articles on the topic in the future.

Our plan is to continue pushing this approach on our hosted solutions while keeping it open for the community to build better tailored solutions and run them on premises if they think it fits their use cases.

As always, your feedback is very valuable to us; drop us a line on the community forum or in the passbolt distroless repo.

Translated from: https://medium/passbolt/improving-passbolt-security-with-distroless-containers-3ed58e5791de