Docker File Best Practices with Spring boot Example!

Maheshwar Ligade's photo
Maheshwar Ligade
·

4 min read

Table of contents

In this article, we are going to talk about docker best practices from a security perspective, As a developer developing product securely is hygienic practice every developer should follow.

Here are some best practices for Docker security while writing a Dockerfile:

Theory:

  1. Use a minimal base image: Start with a minimal base image that only contains the necessary components for your application. This helps reduce the attack surface and potential vulnerabilities.

  2. Keep the Docker image up to date: Regularly update the base image and any software packages or libraries used in your application to ensure that known vulnerabilities are patched.

  3. Use official images: Whenever possible, use official Docker images that are maintained by the software vendors themselves. These images are typically more secure and are regularly updated with security patches.

  4. Remove unnecessary packages and files: Remove any packages or files that are not needed in the final image to reduce the attack surface and the size of the image.

  5. Use multi-stage builds: Use multi-stage builds to separate the build environment from the runtime environment. This helps reduce the size of the final image and removes any unnecessary build tools or dependencies.

  6. Set user permissions: Use the USER instruction to set a non-root user for the application. This helps reduce the risk of privilege escalation in the event of a security breach.

  7. Use COPY instead of ADD: Use the COPY instruction instead of ADD as it is more secure. ADD allows for additional functionality like unpacking archives and retrieving files from remote URLs, which can introduce security risks.

  8. Avoid using the latest tag: Use specific version tags instead of the latest tag for the base image and any other software packages or libraries used in your application. This helps ensure that the same version of the software is used in the development, testing, and production environments.

  9. Use a trusted registry: Use a trusted registry for storing and distributing Docker images. Public registries may be vulnerable to attacks such as man-in-the-middle attacks or DNS spoofing.

  10. Scan for vulnerabilities: Use a tool to scan the Docker image for vulnerabilities before deploying it in production. There are several open-source and commercial tools available for vulnerability scanning, such as Aqua Security's Trivy, Anchore Engine, and Clair.

By following these best practices, you can help ensure that your Docker images are more secure and less vulnerable to attacks.

Example:

In this example, we demonstrate the spring boot sample docker file by following best practices:

# Use a minimal base image
FROM adoptopenjdk:11-jre-hotspot-alpine3.13

# Set the working directory
WORKDIR /app

# Copy the Spring Boot application JAR file to the container
COPY target/my-spring-boot-app.jar .

# Set non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

# Set the entrypoint command to run the Spring Boot application
ENTRYPOINT ["java", "-jar", "my-spring-boot-app.jar"]

In this example, we're using the adoptopenjdk:11-jre-hotspot-alpine3.13 base image, which is a minimal image that only includes the Java Runtime Environment. We then set the working directory, copy the Spring Boot application JAR file to the container, and set a non-root user for running the application.

Finally, we set the entry point command to run the Spring Boot application JAR file using the java command.

To build this Docker image, you can run the following command in the same directory as the Dockerfile:

docker build -t my-spring-boot-app .

This will create a Docker image with the tag my-spring-boot-app. You can then run the Docker container using the following command:

docker run -p 8080:8080 my-spring-boot-app

This will start the Spring Boot application on port 8080 inside the Docker container, which you can access from your host machine using localhost:8080.

There are more points but as a developer, you can follow these while developing the docker file at least. For more advanced options you can tools to scan static and dynamic docker image or container.

I hope this helps, you!!

More such articles:

https://medium.com/techwasti

https://www.youtube.com/channel/UCiTaHm1AYqMS4F4L9zyO7qA

https://www.techwasti.com/

\==========================**=========================

If this article adds any value to you then please clap and comment.

Let’s connect on Stackoverflow, LinkedIn, & Twitter.

Did you find this article valuable?

Support techwasti by becoming a sponsor. Any amount is appreciated!

SpringbootDockerCloudProgramming BlogsDevops