Question 84181 in Docker Question posted in
The official documentation can be found here.

Docker's ability to create multi-arch images, how does that play with best security practices?

Within docker-compose.yml, you can point to a specific docker image and tag and the Docker will pick the correct image based on the host’s architecture, i.e. arm64 vs amd64. We’ve all learned that in order to be secure, you should point to an image tag as well as a specific SHA so that you always download the same one due to tags being mutable. But those SHAs are for specific architectures. So how are people now configuring their docker-compose.yml files to work on different architectures?

Within our engineering team, we created a small script that wraps docker-compose to derive which arch the host is on, and then we maintain secondary docker-compose.yml files that are arch-specific and point to the correct image SHAs.

Tags:

2

Answers


  1. 0

    I’m not sure I understand your question. Basically, nothing has changed. Before, you had one tag, now you have N tags depending on how many architectures you support. But the core concept is the same.

    Just to add an example, take postgres image for example. Check the tags, and you can see that latest also has 8 different hashes for different architectures.

    And if your question is rather about how to use the same compose file for different architectures, you can just use environment variables for the tags and have different configuration files. Have a look at https://docs.docker.com/compose/environment-variables/

    Login or Signup to reply.
  2. 0

    docker-compose can be called from every directory that contain a Dockerfile for example

    #42sh: ls
-> Dockerfile
#42sh: docker-compose build    
-> Building...!
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search