Docker's ability to create multi-arch images, how does that play with best security practices?

Time: 03-11

Within docker-compose.yml, you can point to a specific docker image and tag and Docker will pick the correct image based on the host's architecture, i.e. arm64 vs. amd64. We've all learned that in order to be secure, you should point to an image tag as well as a specific SHA so that you always download the same one, since tags are mutable. But those SHAs are for specific architectures. So how are people now configuring their docker-compose.yml files to work on different architectures?

Within our engineering team, we created a small script that wraps docker-compose to derive which arch the host is on, and then we maintain secondary docker-compose.yml files that are arch-specific and point to the correct image SHAs.

CodePudding user response:

I'm not sure I understand your question. Basically, nothing has changed. Before, you had one tag; now you have N tags, depending on how many architectures you support. But the core concept is the same.

Just to add an example, take the postgres image. Check the tags, and you can see that latest also has 8 different hashes for different architectures.

And if your question is rather about how to use the same compose file for different architectures, you can just use environment variables for the tags and have different configuration files. Have a look at https://docs.docker.com/compose/environment-variables/

CodePudding user response:

Use the digest with the docker image pull command.

For example:

docker image pull alpine:3.15.0@sha256:2689e157117d2da668ad4699549e55eba1ceb79cb7862368b30919f0488213f4

Can also be used in the Dockerfile like so:

FROM alpine:3.15.0@sha256:2689e157117d2da668ad4699549e55eba1ceb79cb7862368b30919f0488213f4

While pulling, you can also provide the architecture using the --platform linux/arm64 flag, but I don't believe this changes the digest.
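Added example (not posted by any of the respondents above, and not Docker's own code): the piece the two answers above leave implicit is that a multi-arch tag resolves to an image index (a "manifest list"), and that index has its own content digest, distinct from the per-architecture manifest digests. `docker manifest inspect NAME:TAG` or `docker buildx imagetools inspect NAME:TAG` prints that index digest next to each platform's manifest digest. Pinning `image: NAME:TAG@sha256:<index digest>` in docker-compose.yml therefore gives one content-addressed reference that still works on arm64 and amd64, because the client verifies the index bytes against the pin and then selects the entry for its own platform. The script below models that resolution offline on a constructed index for a hypothetical `example/app:1.0` (all digests are computed from the constructed bytes and correspond to no real image), and adds the check a reviewer would run over a compose file: is every `image:` reference digest-pinned at all?

```python
import hashlib
import json
import re


def _canonical(obj) -> bytes:
    # Registries hash the exact bytes they serve; we serialize deterministically
    # so the constructed sample is internally consistent.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def digest_of(raw: bytes) -> str:
    """Registry content digest: sha256 over the exact bytes served."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def _fake_manifest(arch: str) -> bytes:
    # Constructed per-architecture image manifest (no real layers).
    return _canonical({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {
            "mediaType": "application/vnd.oci.image.config.v1+json",
            "digest": digest_of(f"config-{arch}".encode()),
            "size": 7,
        },
        "layers": [],
    })


# Constructed sample: per-arch manifests and the index a registry would serve
# for the hypothetical tag example/app:1.0.
MANIFESTS = {arch: _fake_manifest(arch) for arch in ("amd64", "arm64")}

INDEX_BYTES = _canonical({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest_of(raw),
            "size": len(raw),
            "platform": {"os": "linux", "architecture": arch},
        }
        for arch, raw in MANIFESTS.items()
    ],
})


def pinned_reference(name_tag: str, index_bytes: bytes) -> str:
    """The value to put in compose's image: field.

    The tag is kept for humans; the digest of the *index* (not of one
    platform's manifest) is what makes the reference architecture-neutral."""
    return f"{name_tag}@{digest_of(index_bytes)}"


def resolve_platform(index_bytes: bytes, pinned: str, os_name: str, arch: str) -> str:
    """Model of what a pull does with an index-digest pin: verify the index
    bytes against the pinned digest, then pick this host's platform entry."""
    expected = pinned.split("@", 1)[1]
    if digest_of(index_bytes) != expected:
        raise ValueError("index digest mismatch: registry content does not match the pin")
    index = json.loads(index_bytes)
    for entry in index["manifests"]:
        platform = entry.get("platform", {})
        if platform.get("os") == os_name and platform.get("architecture") == arch:
            return entry["digest"]
    raise LookupError(f"index has no manifest for {os_name}/{arch}")


# name[:tag]@sha256:<64 hex>; a bare tag does not match.
PINNED_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref: str) -> bool:
    return bool(PINNED_RE.match(image_ref))


def unpinned_services(compose: dict) -> list:
    """Names of services whose image: reference is not digest-pinned.

    `compose` is the parsed docker-compose.yml (a dict), so no YAML library
    is needed here."""
    return [
        name
        for name, svc in compose.get("services", {}).items()
        if "image" in svc and not is_digest_pinned(svc["image"])
    ]


if __name__ == "__main__":
    ref = pinned_reference("example/app:1.0", INDEX_BYTES)
    print("image:", ref)
    for arch in ("amd64", "arm64"):
        print(arch, "->", resolve_platform(INDEX_BYTES, ref, "linux", arch))
    sample_compose = {"services": {"db": {"image": "postgres:14"}, "app": {"image": ref}}}
    print("unpinned:", unpinned_services(sample_compose))
```

The same pin works on both hosts because the per-architecture selection happens after the integrity check, not instead of it; a tampered index (or one re-pushed under the same tag) fails the digest comparison before any platform is chosen. `unpinned_services` is the lint to run in CI over the parsed compose file so that a `postgres:14` without `@sha256:` does not slip through.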

CodePudding user response:

docker-compose can be called from every directory that contains a Dockerfile, for example:

#42sh: ls
-> Dockerfile
#42sh: docker-compose build
-> Building...!