Why does Docker hub allow non-official Docker images and why do they exist?
Problem
Note: also posted in Security StackExchange as there is a security aspect to this question (sorry for cross-posting).
I'm evaluating Docker images for my development and production setups.
When I research how to do something in Docker, quite often I find answers that include the author's own Docker image. For me, this is not suitable, as it hinders the transparency of the solution and creates uncertainty about reliance on future maintenance by that author. Both of these potential issues have security implications.
While Docker Hub can provide a convenient, centralised and well-known outlet for publishing one's own Docker images derived from official ones, what would be the advantage of using these unofficial images over the originals?
I am aware of reverse engineering tools, as described in answers on Stack Overflow, and that at least some of the unofficial Docker images have an associated GitHub repo that apparently shows how the Docker image was built. But this is an inconvenient level of "indirection" or friction to being really sure (if at all possible) as to the contents of the Docker image.
Solution
As with most elements of Information Security, there is a balancing act between usability and security; an increase in usability often results in a correlated decrease in security and vice versa.
As a thought experiment...
I can make any server 100% secure by wiping the hard drives, putting it through a shredder and then melting down all of the component parts. It also makes it 0% usable.
Docker Hub is no different: the desire is to make these images accessible for the common good, at the cost of traceability and provenance of the images. Fortunately, there are several tools such as JFrog Artifactory and Sonatype Nexus Lifecycle which enable you to apply governance to any Open Source repository (i.e. Docker Hub, Nuget, NPM, etc.).
One aspect that I think Docker Hub gets wrong, and that other sites (namely NPM) get right, is presenting clear information about what source repository an image is generated from; I suspect this is due to the decoupled nature of Docker images from the source code that generates them.
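The check the question is reaching for (is this unofficial image really the official image plus a few steps, and which steps?) can be done from the image config that `docker image inspect` or `docker save` exposes, rather than from a GitHub repo the author points at. This is an added example, not code from the question, the answer, or Docker Hub: the two configs are constructed samples with hypothetical digests, and `layer_steps` / `derivation_report` are names chosen here.

```python
# Added example: verify that an unofficial image carries the official image's
# layers unchanged as its prefix, and list the build steps layered on top.
# Input is the OCI image config JSON (rootfs.diff_ids + history). The configs
# below are constructed samples with hypothetical digests, not real Hub data.

# Constructed: abridged config of an official image.
OFFICIAL = {
    "rootfs": {"diff_ids": ["sha256:aaa1", "sha256:bbb2"]},
    "history": [
        {"created_by": "ADD file:base.tar.xz in /"},
        {"created_by": 'CMD ["bash"]', "empty_layer": True},
        {"created_by": "RUN apt-get install -y nginx"},
    ],
}

# Constructed: an unofficial image built FROM the official one above.
DERIVED = {
    "rootfs": {"diff_ids": ["sha256:aaa1", "sha256:bbb2", "sha256:ccc3"]},
    "history": OFFICIAL["history"] + [
        {"created_by": "COPY entrypoint.sh /entrypoint.sh"},
        {"created_by": 'ENTRYPOINT ["/entrypoint.sh"]', "empty_layer": True},
    ],
}


def layer_steps(config):
    """Pair each filesystem layer digest with the build step that produced it.
    Metadata-only steps (empty_layer: true) add no diff_id and are skipped."""
    diff_ids = config["rootfs"]["diff_ids"]
    steps = [h.get("created_by", "") for h in config.get("history", [])
             if not h.get("empty_layer")]
    if len(steps) != len(diff_ids):  # history is optional and may be stripped
        steps = ["<unknown step>"] * len(diff_ids)
    return list(zip(diff_ids, steps))


def derivation_report(official, derived):
    """shares_official_base is True only if every official layer digest appears
    unchanged, in order, as the prefix of the derived image; a rebuilt base
    (same Dockerfile, different bytes) fails this and every step is 'added'."""
    base_ids = [d for d, _ in layer_steps(official)]
    layers = layer_steps(derived)
    shares_base = [d for d, _ in layers[:len(base_ids)]] == base_ids
    extra = layers[len(base_ids):] if shares_base else layers
    return {"shares_official_base": shares_base,
            "added_steps": [step for _, step in extra]}


if __name__ == "__main__":
    print(derivation_report(OFFICIAL, DERIVED))
```

Pin what you then run by the digest you inspected, so a later push to the same tag cannot silently change the result.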
Context
StackExchange DevOps Q#9508, answer score: 6