CentOS Question posted in
The official documentation can be found here.

Docker- parent image for Node.js based Images – CentOS

I’m trying to create a Node.js based docker image. For that, I’m looking for options for Parent image. Security is one of the main considerations in the image and we wanted to harden the image by not allowing shell or bash in the container.

Google Distroless does provide this option, but Distroless-NodeJS is in the experimental stage and not recommended for production.

Possible options I could think of are (compromising Distroless feature):

With that being said,

  • Is there any alternative for Distroless?

  • What are the best options for the parent image for Node.js based docker image?

Any pointers would be helpful.

Tags:

3

Answers


  1. 0

    One option would be to start with a Node image that meets your requirements, then delete anything that you don’t want (sh, bash, etc.)

    At the extreme end you could add the following to your Dockerfile:

    RUN /bin/rm -R /bin/*

    Although I am not certain that this wouldn’t interfere with the running of node.

    On the official Node image (excl Apline) you have /bin/bash, /bin/dash and /bin/sh (a symlink to /bin/dash). Just deleting these 3 flies would be sufficient to prevent shell access.

    The Alpine version has a symlink /bin/sh -> /bin/busybox. You could delete this symlink, but it may not run without busybox.

    Login or Signup to reply.
  2. 0

    I think you can build an image from scratch which only contains your node application and required dependency, nothing more even no ls or pwd etc.

    FROM node as builder

WORKDIR /app

COPY . ./

RUN npm install --prod

FROM astefanutti/scratch-node

COPY --from=builder /app /app
WORKDIR /app
ENTRYPOINT ["node", "bin/www"]

    scratch-node

    So if someone tries to get the shell,like,

    docker run --entrypoint bash -it my_node_scratch

    Will get error

    docker: Error response from daemon: OCI runtime create failed:
    container_linux.go:348: starting container process caused “exec:
    “bash”: executable file not found in $PATH”: unknown.

    Login or Signup to reply.
  3. 0

    I am referring this from official Node.js docker image.
    Create a docker file in your project.
    Then build and run docker image:

    docker build - t test-nodejs-app
docker run -it --rm --name running-app test-nodejs-app

    If you prefer docker compose:

    Version: "2"

Services:
    node:
       image: "node:8"
       user: "node"
       working_dir: /home/node/app
       environment:
          - NODE_ENV=production
       volumes:
          - ./:/home/node/app
       expose:
          - "8081"
       command: "npm start"

    Run the compose file:

    docker-compose up -d
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search