Dockerfile hardening for smaller safer containers

2475 views

                  FROM ruby:3.3.1-slim AS base

RUN apt-get update \
  && apt-get install -y --no-install-recommends build-essential libpq-dev \
  && rm -rf /var/lib/apt/lists/*

WORKDIR /app
RUN groupadd --system app && useradd --system --gid app --create-home app

COPY Gemfile Gemfile.lock ./
RUN bundle config set deployment 'true' && bundle install --without development test

COPY . .
RUN chown -R app:app /app

USER app
CMD ["bundle", "exec", "puma", "-C", "config/puma.rb"]

Container security starts with the image build. I use small trusted bases, non-root users, explicit file ownership, and multi-stage builds that leave tooling behind. The fewer packages and privileges in the final image, the less there is to exploit.

Kai Nakamura

More from Kai Nakamura

Dockerfile hardening for smaller safer containers

0 Comments

More from Kai Nakamura