Pitfalls and Best Practices
Most Important Point
- Do not put sensitive information like keys or tokens into your VCS repositories or images Use environment variables for these purposes instead
runhas several options for environment variables. The option
env-fileis considered to be one way to make sensitive information available in your containers via a confidential file.
- Similarly, the Compose file or command may contain
keys or options for environment variables.
env-fileare considered to be ways to provide sensitive information to your containers.
Choosing a Good Starting Point
Carefully picked base images for custom containers can help to avoid many security and maintenance issues.
Choose images from trusted repositories and prefer official images from trusted publishers. This reduces the chance of an image being intentionally created to spread malicious software.
Pay attention to the maintenance status of the images you select. Images that have not been updated for a long time can carry security risks and are likely to cause compatibility issues.
Use the smallest base image possible. For example,
alpineDocker images which are based on
Alpine Linux(and therefore also on
BusyBox, a suite of Unix utilities shipped in a single executable, and
musl libcas its C standard library, which is only partially binary compatible with
glibc) are considered to be smaller that images based on most other Linux distributions. Furthermore,
slimimages are images optimized in size with minimal packages installed that are needed to run the container.
Create Minimal and Well-Focussed Containers
Each container is supposed to run one application only. This makes it easier to maintain and manage them and reduces the time and resources required to generate, start and run them. * Make your images as small as possible * Only install the packages that are absolutely necessary * The image size can be further kept low by clearing caches (e.g. of the package manager) * More complex applications can be decoupled by splitting them over several containers and connecting them via networks * Caution! This is an advanced topic with its own pitfalls.
Leverage the Benefits of Automation
Containers can automatically be created with CI/CD toolchains (e.g. from GitLab, GitHub, Jenkins…) this can serve to reduce the amount of work involved while maintaining and updating your containers. Especially in combination with version control and automated backing up and pushing to registries, these solutions help to reduce the amount of tedious labour involved with creating containers to a minimum.
When working with containers there may always be some files or processes being
leftover or residual occupying memory and storage.
Cleaning up can help reduce the workload on your system and free up disk space.
* Prune your images (
podman image prune or even
podman image prune -a)
and containers (
podman container prune) from time to time to free up
storage on your system
* Use the option
rm of the
run-command to remove stopped containers
* Clean up the used volumes regularly