Chapter 6. Container Images

If you have been using Docker or Kubernetes, you are likely to be familiar with the idea of container images that you store in a registry. In this chapter we’re going to explore container images, looking at what they contain and how container runtimes like Docker or runc use them.

With an understanding of what images are under your belt, you’re ready to think about the security implications of building, storing, and retrieving images—and there are a lot of attack vectors related to these steps. You’ll learn about best practices for ensuring that builds and images don’t compromise your overall system.

Root Filesystem and Image Configuration

There are two parts to a container image: the root filesystem and some configuration.

If you followed along with the examples in Chapter 4, you downloaded a copy of the Alpine root filesystem and used this as the contents of root inside your container. In general, when you start a container you instantiate it from a container image, and the image includes the root filesystem. If you run docker run -it alpine sh and compare it to what’s inside your hand-built container, you will see the same layout of directories and files, and they will match completely if the version of Alpine is the same.
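The two parts named above can be pulled apart from an image archive directly. The following is an added example, not code from the book: it assumes the archive layout written by `docker save` (a `manifest.json` naming one configuration blob and an ordered list of layer tars) and runs on a small sample image constructed in memory. The names `split_image`, `runs_as_root` and `_tar_bytes` are illustrative, and only plain `.wh.` whiteout files are handled.

```python
import io, json, tarfile

def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}; used only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def split_image(archive_bytes):
    """Return (rootfs_paths, config) for the first image in a `docker save` style archive."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))[0]
        config = json.load(img.extractfile(manifest["Config"]))["config"]
        rootfs = set()
        for layer_name in manifest["Layers"]:            # layers are applied in order
            with tarfile.open(fileobj=img.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    dirname, _, base = member.name.rpartition("/")
                    if base.startswith(".wh."):          # whiteout: hides a lower-layer path
                        gone = (dirname + "/" if dirname else "") + base[4:]
                        rootfs = {p for p in rootfs
                                  if p != gone and not p.startswith(gone + "/")}
                    else:
                        rootfs.add(member.name)
    return sorted(rootfs), config

def runs_as_root(config):
    """An empty or missing User in the image configuration means the default user is root."""
    return config.get("User", "") in ("", "0", "root")

# Constructed sample: two layers plus a configuration blob (not a real image).
layer1 = _tar_bytes({"bin/sh": b"#!", "etc/passwd": b"root:x:0:0", "tmp/scratch": b"x"})
layer2 = _tar_bytes({"app/server": b"ELF", "tmp/.wh.scratch": b""})
image_config = {"config": {"Env": ["PATH=/bin"], "Cmd": ["/app/server"], "User": ""}}
SAMPLE = _tar_bytes({
    "manifest.json": json.dumps([{"Config": "config.json", "RepoTags": ["demo:latest"],
                                  "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode(),
    "config.json": json.dumps(image_config).encode(),
    "l1/layer.tar": layer1, "l2/layer.tar": layer2,
})

if __name__ == "__main__":
    files, cfg = split_image(SAMPLE)
    print("root filesystem:", files)
    print("configuration:", cfg)
    print("default user is root:", runs_as_root(cfg))
```

The same function can be pointed at the bytes of a real archive produced by `docker save`; the file listing is the root filesystem, and the returned dictionary is the configuration the runtime applies when it starts the container.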

If, like many people, you have come to containers through the use of Docker, you’ll be used to the idea of building images based on the instructions in a Dockerfile. Some Dockerfile commands (like FROM, ADD, COPY, or RUN) modify ...
