Flattening Docker images
As you surely know, when you work with Docker images each layer is built on top of the previous one until we get the final image. This has some cons:
- The final image grows
- Secrets are exposed
The final image grows
In the beginning, this kind of thing does not matter, but when the number of images scales it becomes technical debt that has to be handled well; otherwise, it is going to be a pain in the ass.
Secrets are exposed
So, let's say that we want to remove the sensitive data and this is not feasible by removing it via commands. So, what should we do?
Short answer: remove the previously created layers.
So, let me explain this simple process. Imagine that you have a Dockerfile like the one shown in the picture. The secret is saved to a file, shown, and then removed.
Build it as always :)
Docker shows all the steps required to get the final image (layers).
If we issue the history command on the image, we can see all the steps and image identifiers, so if we run one of these images, we can get the secret without trouble.
Removing previous layers
It’s time to flatten!
Run the final image with /bin/true as the command, then export the container and import it in a single pipeline. Pay attention to the resulting container ID.
docker run -d mysecureimage /bin/true
c101557c0b9b7139a3b897273dbe294ac02ce83139a7013dff06c0c470cb2b93
docker export c101 | docker import - mysecureimage
The previous image demonstrates that there are no more layers and our final image is secure and light. Now we can promote it to production!
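Why deleting the file in a later step leaves the secret readable in an earlier layer, and why the export/import pipeline drops it, shown as an added example that is not from the original post. It models three layers as in-memory tar archives instead of calling Docker; the helper names, file names and secret value are constructed for this illustration, and deletions use the `.wh.` whiteout naming that image layers use.

```python
import io
import tarfile

def make_layer(files):
    """Build one layer as an in-memory tar archive; files maps path -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def layers_containing(layers, needle):
    """Return the indexes of layers in which some file's content includes needle."""
    hits = []
    for i, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            if any(m.isfile() and needle in tar.extractfile(m).read()
                   for m in tar.getmembers()):
                hits.append(i)
    return hits

def flatten(layers):
    """Merge layers in order into a single layer, applying file whiteouts.

    Only plain-file whiteouts (.wh.<name>) are handled; directory and
    opaque whiteouts are out of scope for this sketch.
    """
    merged = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for m in tar.getmembers():
                parent, _, name = m.name.rpartition("/")
                if name.startswith(".wh."):
                    target = (parent + "/" if parent else "") + name[4:]
                    merged.pop(target, None)  # the later layer deletes the file
                elif m.isfile():
                    merged[m.name] = tar.extractfile(m).read()
    return make_layer(merged)

SECRET = b"s3cr3t-constructed"                    # constructed sample value
LAYERS = [
    make_layer({"bin/true": b"\x7fELF"}),        # base layer
    make_layer({"secret.txt": SECRET}),          # step that writes the secret
    make_layer({".wh.secret.txt": b""}),         # step that removes it (whiteout only)
]
```

On a real image, running the history command against the imported image is the equivalent check. `docker import` does not carry over image configuration such as CMD or ENV, which can be re-applied with its `--change` option.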