[Cialug] Automatic container updates
Will
staticphantom at gmail.com
Mon Apr 25 23:24:16 UTC 2022
I've been getting DEEP into this topic lately as well as following some
acquintencies with Chainguard on the SLSA and SBOM specs. Basically,
according to some of the latest Chainguard white papers, you want to build
on demand and directly from the repository.
I have some basic proofs of concept but ideally, if you're pulling from
Docker hub, you're doing it wrong. If you're pulling a tarball, you're
likely doing it wrong. With that said, much of what is used for practices
certified for Iron Bank ARE doing it wrong (great from a starting
perspective) but much less wrong. Iron Bank certified images must build
every 4 hours to meet requirements.
On Mon, Apr 25, 2022 at 7:11 PM Adam Shannon <adam at ashannon.us> wrote:
> When building an image Docker and Podman can automatically pull (--pull) a
> newer revision of a tag. Useful if you're using debian:stable or
> alpine:3.15 as a base image.
>
> There are some robots (e.g. renovate) that can open pull requests with
> updated Dockerfile/Podfile contents.
>
> https://docs.podman.io/en/latest/markdown/podman-build.1.html#pull
>
> ------- Original Message -------
> On Monday, April 25th, 2022 at 5:51 PM, Andy Denner <linux-list at upeke.com>
> wrote:
>
>
> >
> >
> > So what I have heard for the standard process is to have your CI/CD
> > process that builds your images set as a scheduled task to build your
> > container periodically. (if it is a local docker instance and no ci/cd
> > you could do the same with cron). Cycling and refreshing your
> > containers also helps enforce the cattle not pets idea.
> >
> > Some of the more security forward places have a policy to not have any
> > containers sitting around that are older than x (i.e. 90 days).
> >
> > L. V. Lammert wrote on 4/25/2022 3:33 PM:
> >
> > > Been using Greenbone for security scans, .. but if the version running
> is
> > > not current, the scans are useless and, unfortunately, the tag is not
> > > useful:
> > >
> > > securecompliance/gvm debian-master-data-full b6e23911f4f6 4 months ago
> 6.12GB
> > >
> > > What's the best way to check for a new version and automatically pull?
> > >
> > > Thanks!
> > >
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
> >
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>
More information about the Cialug
mailing list