Security Best Practices for the Docker container

(Daytona)

Hello Devs,

Some of the things I’ve done are enabling https, using start_tls for emails, and implementing a remote web application firewall.

What I would like to know more about is when running discourse in a docker container and on a fresh “launcher app rebuild” I notice that all packages are not up to date for the ubuntu 14.04 image.

I connect to the container with “launcher ssh app” and then “run apt-get update; apt-get upgrade” and there’s 32MB of updates.

Nothing seems broken after updating.

Do I have to manually implement automatic updates inside the container with ssh? Or can I run some docker commands to do this? I was reading the launcher script and it kind of reminds me of Ansible.



(Jeff Atwood)

This question has come up before, and I believe the consensus was that the surface of the Docker container that interfaces with the real, outside world is so small – just the web ports, really – that frequent security updates are not needed.

You’d only have a problem if there was a vulnerability in NGINX.

We do issue Discourse Docker image updates periodically if things come up like Heartbleed and you can get those via git pull.

Any comment @supermathie?

(Daytona)

I know that the kernel for the docker image is the host kernel but things like glibc seem to be separate in the docker container. This would need to be updated.

(Sam Saffron)

If we implemented auto-updates we would break a lot of the stability docker has to offer. The beauty of the current system is that we know exactly what version of everything exists everywhere, if we implemented auto-update we would lose that.

If you wish to update versions on bootstrap, nothing is stopping you from adding a couple of exec commands. If you wish to implement a cron job that checks and updates daily, you can do that by adding a cron job; cron is running in the container.

We update the docker container when any urgent security holes are out there and I do plan another base image release (probably this week).

(Daytona)

So when there is a security update we need to git new source and rebuild? I’m pretty new to docker so I’m just trying to figure things out.

(Sam Saffron)

nope, when there is a security update you run:

cd /var/discourse
git pull
./launcher rebuild app
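The update path given above (git pull, then ./launcher rebuild app) and the cron idea from the earlier reply, combined in an added example that is not code from this thread or from the Discourse project: a host-side script meant to be run from cron that fetches the discourse_docker checkout, rebuilds the container only when upstream actually has new commits, and refuses to act if the fetch fails (so a network error is not mistaken for "nothing to do"). The /var/discourse path and the container name app come from the thread; the environment variable names, the function names and the "run" argument are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Discourse. It wraps the
# "git pull; ./launcher rebuild app" sequence in a check that only rebuilds
# when the upstream discourse_docker repository has new commits.
# Paths and the container name are assumptions, overridable via env vars.
set -eu

DISCOURSE_DIR="${DISCOURSE_DIR:-/var/discourse}"   # assumed checkout location
CONTAINER="${CONTAINER:-app}"                      # assumed container name

# Print how many commits the local checkout is behind its upstream branch.
# Returns non-zero if the fetch fails, so callers can tell "no news"
# apart from "could not check".
commits_behind() {
  git -C "$1" fetch --quiet origin || return 1
  git -C "$1" rev-list --count 'HEAD..@{u}'
}

# Decide from a commit count whether a rebuild is warranted.
# Returns 0 (rebuild) for a positive count, 1 (skip) for zero, and
# 2 (refuse) for anything that is not a non-negative integer.
should_rebuild() {
  case "$1" in
    '' | *[!0-9]*) return 2 ;;
    0) return 1 ;;
    *) return 0 ;;
  esac
}

# Pull only fast-forward changes, then rebuild the named container.
pull_and_rebuild() {
  git -C "$1" pull --ff-only --quiet origin
  "$1/launcher" rebuild "$2"
}

main() {
  behind=$(commits_behind "$DISCOURSE_DIR") || {
    echo "could not fetch $DISCOURSE_DIR; not rebuilding" >&2
    return 1
  }
  if should_rebuild "$behind"; then
    echo "$behind new upstream commit(s); rebuilding $CONTAINER"
    pull_and_rebuild "$DISCOURSE_DIR" "$CONTAINER"
  else
    echo "$DISCOURSE_DIR is up to date; nothing to do"
  fi
}

# Run the check only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Invoke it from a host cron entry as `sh check-rebuild.sh run` (the file name is an assumption). A rebuild stops and re-bootstraps the container, so schedule it for a maintenance window; this keeps the host in charge of when the image changes, which is the stability property the thread describes, rather than running apt-get upgrade inside the container on its own schedule.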