There are several ways to harden a container image for runtime:
- Inherit from a distroless base image.
- The image's default user is not root (USER 1001).
- If the image exposes a port, it must be above 1024, because binding ports below 1024 requires root.
- Files used by the main process must be owned by an arbitrary non-root user and the root group (chown 1001:0).
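The two criteria that are visible in the image configuration (the default user and the exposed ports) can be checked before a container is ever started. The script below is an added example, not part of this post or of the image it describes; it reads the JSON that `docker image inspect` prints and reports whether the user is non-root and whether every exposed port is above 1024. The two embedded inspect documents are constructed samples, one hardened and one resembling a stock web server image; file ownership is not recorded in the image config, so that criterion still has to be checked inside the filesystem.

```python
"""Check an image's config (as printed by `docker image inspect`) against
two of the hardening rules above: non-root USER and no exposed port below 1024."""
import json
import sys

# Constructed sample resembling a hardened image: USER 1001, EXPOSE 8080.
# Only the fields the checks read are included; the Id is a placeholder.
SAMPLE_HARDENED = json.dumps([{
    "Id": "sha256:placeholder-hardened",
    "Config": {"User": "1001", "ExposedPorts": {"8080/tcp": {}}},
}])

# Constructed sample resembling an unhardened image: no USER, EXPOSE 80.
SAMPLE_WEAK = json.dumps([{
    "Id": "sha256:placeholder-weak",
    "Config": {"User": "", "ExposedPorts": {"80/tcp": {}, "443/tcp": {}}},
}])

UNPRIVILEGED_PORT_MIN = 1024


def parse_user(user):
    """Return (uid_or_name, is_root) for a Config.User value such as
    '1001', '1001:0', 'nginx', 'root' or '' (no USER instruction)."""
    if not user:
        return "", True  # no USER instruction: the container runs as root
    uid = user.split(":", 1)[0]
    return uid, uid in ("0", "root")


def check_image_config(inspect_json):
    """Return {rule: (passed, detail)} for the first image in inspect output."""
    doc = json.loads(inspect_json)
    config = (doc[0].get("Config") or {}) if doc else {}
    results = {}

    uid, is_root = parse_user(config.get("User") or "")
    results["non_root_user"] = (not is_root, "USER=" + (uid or "<unset>"))

    # ExposedPorts keys look like "8080/tcp"; ranges are already expanded.
    low_ports = []
    for spec in (config.get("ExposedPorts") or {}):
        port = int(spec.split("/", 1)[0])
        if port < UNPRIVILEGED_PORT_MIN:
            low_ports.append(spec)
    detail = "exposed below 1024: " + (", ".join(sorted(low_ports)) or "none")
    results["ports_above_1024"] = (not low_ports, detail)
    return results


def all_rules_pass(inspect_json):
    """True only if every checked rule passes for the image."""
    return all(ok for ok, _ in check_image_config(inspect_json).values())


if __name__ == "__main__":
    # Usage: docker image inspect <image> | python check_image.py
    # With no piped input, the hardened sample is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HARDENED
    for rule, (ok, detail) in check_image_config(data).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule:<18} {detail}")
    sys.exit(0 if all_rules_pass(data) else 1)
```

The exit status makes the script usable as a gate in a build pipeline: an image that runs as root or exposes a privileged port fails the check and is not promoted.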
I searched for an Nginx image that complies with these criteria.
I found two images, however:
- docker.io/kyos0109/nginx-distroless: which covers only the first criterion.
- docker.io/nginxinc/docker-nginx-unprivileged: which covers all criteria except the first.
As a consequence, I built a new image which leverages these two images and applies all of the security measures.
The image is now published and you can use it:
docker pull abdennour/nginx-distroless-unprivileged:1.18
A user guide is also available. There you will find documentation and examples on how to use the image, how to spin up containers from it and how to extend it.
The image (abdennour/nginx-distroless-unprivileged) runs on port 8080 and does not accept ports below 1024.
Happy hardening!