VSHN.timer #144: Build, Scan, and Share Containers

4. Jul 2022

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about the latest trends in container workflows for DevOps teams.

1. CI/CD pipelines now cover the most critical parts of the software development lifecycle: these days developers also build container images inside the pipeline and deploy them right away. This article on the Red Hat Hybrid Cloud Blog explains how to use Buildah and Kaniko to build container images directly in OpenShift, inside isolated environments provided by OpenShift sandboxed containers.

https://cloud.redhat.com/blog/how-to-build-container-images-in-isolated-environments-using-red-hat-openshift-sandboxed-container

2. Once you have built your container images, you should run them through one of the many mechanisms available for automatic vulnerability scanning. Clair is Red Hat's open source container vulnerability scanner (it is the scanner behind Quay.io, for example), and this blog post describes how it works and why you should use it.

https://www.redhat.com/en/blog/scanning-container-image-vulnerabilities-clair

3. The Chainguard team has just published a new whitepaper explaining the nature, causes, and effects of vulnerabilities in container images. They pinpoint a root cause for headaches: the base images you refer to in the FROM statement of your Dockerfile. Be careful out there.

https://blog.chainguard.dev/zero-security-debt-for-container-images-is-possible/

4. We have all heard that running privileged containers is a bad idea (and guess what: it is), but have you ever seen the code required to escape a container and access its host? A privileged container runs with every Linux capability, without the default seccomp and AppArmor/SELinux confinement, and with the host's devices exposed, so very little stands between it and the host. Jordy Zomer wrote a fantastic blog post with detailed instructions. Remember: don't run privileged containers. You've been warned.

https://pwning.systems/posts/escaping-containers-for-fun/

5. Podman is a great tool. Not only can you use it to build container images, you can also inspect containers at runtime with it, and even better, you can use it to share container images with teammates without using a registry.

https://www.redhat.com/sysadmin/podman-transfer-container-images-without-registry
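As an added example (not code from the Red Hat article or from VSHN), here is the registry-less round trip in shell: build a tiny image, export it with podman save, hand over the tarball together with a checksum, and import it on the other side with podman load, checking that the image ID survived the trip. It assumes podman and GNU sha256sum are installed; the image name, the archive path and the inline Containerfile are constructed for this example. When podman is not available the demo prints a notice and skips the live part.

```shell
#!/bin/sh
# Added example, not from the VSHN post or the Red Hat article.
# Assumptions: podman and sha256sum are on PATH; names and paths below are made up.
set -eu

IMAGE="localhost/vshn-timer-demo:1.0"                 # constructed image name
ARCHIVE="${TMPDIR:-/tmp}/vshn-timer-demo.tar"         # constructed archive path

build_demo_image() {
    # A minimal image from an inline Containerfile (constructed sample), so the
    # demo needs no network access and no base image pull.
    workdir="$(mktemp -d)"
    printf 'hello from VSHN.timer #144\n' > "$workdir/hello.txt"
    cat > "$workdir/Containerfile" <<'EOF'
FROM scratch
COPY hello.txt /hello.txt
EOF
    podman build -q -t "$IMAGE" "$workdir" >/dev/null
    rm -rf "$workdir"
}

export_image() {
    # Sender side. docker-archive (podman's default) keeps repository tags and
    # the image ID; use --format oci-archive if the receiver prefers OCI layout.
    podman save --quiet --format docker-archive -o "$ARCHIVE" "$IMAGE"
    # The tarball is unsigned, so ship a checksum next to it: the receiver can
    # at least detect a file altered or truncated in transit.
    sha256sum "$ARCHIVE" > "$ARCHIVE.sha256"
}

import_image() {
    # Receiver side: refuse to load anything whose checksum does not match.
    sha256sum -c "$ARCHIVE.sha256" >/dev/null
    podman load --quiet -i "$ARCHIVE" >/dev/null
}

image_id() {
    podman image inspect --format '{{.Id}}' "$IMAGE"
}

roundtrip_demo() {
    if ! command -v podman >/dev/null 2>&1 || ! podman info >/dev/null 2>&1; then
        echo "podman is not usable here; skipping the live round trip" >&2
        return 0
    fi
    build_demo_image
    before="$(image_id)"
    export_image
    podman rmi -f "$IMAGE" >/dev/null       # pretend we are on the teammate's machine
    import_image
    after="$(image_id)"
    rm -f "$ARCHIVE" "$ARCHIVE.sha256"
    if [ "$before" != "$after" ]; then
        echo "image ID changed during transfer: $before vs $after" >&2
        return 1
    fi
    echo "round trip ok, image ID $after"
}

roundtrip_demo
```

A checksum only proves the file arrived intact, not who built it; if provenance matters, sign the image (for example with cosign) before exporting it, or use podman's own `podman image scp` to copy an image straight to a teammate's host over SSH.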

What workflow do you use to build and share your container images? Do you scan your container images for vulnerabilities? Would you like to share some tips and tricks with our readers? Get in touch with us, and see you next week for another edition of VSHN.timer.

PS: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.

PS2: do you prefer reading VSHN.timer in your favorite RSS reader? Subscribe to this feed.

PS3: check out our previous VSHN.timer editions about Containers: #12, #17, #40, #51, #54, #71, #81, #108, and #124.

Adrian Kosmaczewski

Adrian Kosmaczewski is in charge of Developer Relations at VSHN. He has been a software developer since 1996, a trainer, and a published author. Adrian holds a Master in Information Technology from the University of Liverpool.
