2

At my company, we have hardened containers created by the security team, and I would like to extend the hardened container with another docker image. For example, if we have a hardened Debian container, and I want to add Apache, how do I do this?

I understand I can use FROM to use a base, but the examples I've seen don't add another level of published images to an existing base, only specific commands. Do I just go to the official Docker Hub Apache (HTTP) image and just copy and paste the commands from the GitHub repo? I'm assuming there's a cleaner way (but not sure if there is).

For example, do I

```
FROM mycompanyprivaterepo/Debian:latest
//some command?
FROM httpd
docker build -t mynewimagewithapache
```

UPDATE: After attempting via apt-get apache2 per some comments, it kept hanging on interactive questions. Solved with the help of comments, using my Dockerfile:

```
FROM myprivaterepo/hardened-ubuntu
# DEBIAN_FRONTEND=noninteractive stops debconf from prompting during the build
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get -qq install apache2
```

and building via:

```
$ docker build -t hardened-ubuntu-apache .
```
Kit
benishky
  • Generally, you would use `RUN` inside your Dockerfile, and run the `apt-get` package manager to install Apache. Have you tried that? – Nick ODell Sep 20 '21 at 18:54
  • @NickODell. I haven't, I assumed there was a specific docker command for this type of activity. I'm assuming something as easy as: RUN apt-get -y install httpd? Anything after? Or just move to the build directly after? – benishky Sep 20 '21 at 19:14
  • `I assumed there was a specific docker command for this type of activity.` I don't think so. The only way to combine multiple images is to use a multistage build. But using a multistage build is generally a bad idea if you have some simpler alternative, like using a package manager. Have you tried something like [this example](https://gist.github.com/nickodell/bb31d507627bd28ebde3966c5ca18e9f)? – Nick ODell Sep 20 '21 at 20:38
  • @NickODell I tried, but installation hangs with an interactive question ('Choose Geographic area'), I thought -y would handle it, but apparently not. – benishky Sep 20 '21 at 21:16
  • That's debconf. Either set debconf to non-interactive or set your timezone. https://askubuntu.com/questions/909277/avoiding-user-interaction-with-tzdata-when-installing-certbot-in-a-docker-contai – Nick ODell Sep 20 '21 at 21:26
  • Thanks @NickODell, it's working now with non-interactive. – benishky Sep 21 '21 at 17:52

1 Answer

-2

Well, as far as I understood, you cannot use multi-stage builds and just

```
COPY --from=base-image /path/to/file/you-are-interested-in /path/inside/new-stage-image
```

in order to copy the required data to your preferred image. If this is the case, then you have to create your own Dockerfile with your company's mycompanyprivaterepo/Debian:latest as the base image, and then just create some layers on top of it in order to install the required software, using RUN.

Mikhail2048
  • `COPY`ing individual files doesn't really work for most software packages. If there's a binary in `/usr/bin`, plus support code in `/usr/libexec` and common modules in `/usr/share` and configuration in `/etc`, there's a lot of pieces to manually copy across. – David Maze Sep 20 '21 at 19:32
  • I did not mean copying the software packages themselves; of course it will not work. I mean some configuration YAML or TOML files, etc. – Mikhail2048 Sep 20 '21 at 19:37
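
The approach the comments and the answer converge on, written out as an added example (not code from the question, the answer or the linked gist): a single-stage Dockerfile that keeps the hardened base and layers Apache on top with `RUN`. The image name is the asker's; the `USER root` line, the cleanup step, the exposed port and the `CMD` are assumptions about what a hardened Ubuntu base needs.

```dockerfile
# Single stage only. A second FROM (such as "FROM httpd" in the question)
# would start a new build stage, and the final image is built from the
# last stage, so the hardened base would be discarded.
FROM myprivaterepo/hardened-ubuntu

# Assumption: a hardened base may have switched to a non-root USER.
# Package installation needs root; this is a no-op if the base is already root.
USER root

# ARG instead of ENV: the value is visible to RUN steps during the build
# but is not persisted into the environment of the running container.
ARG DEBIAN_FRONTEND=noninteractive

# One layer: refresh the package index, install apache2 without the
# "recommended" extras to keep the added surface small, then delete the
# index files so they do not ship in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends apache2 \
 && rm -rf /var/lib/apt/lists/*

# Documentation only; publishing the port still happens at "docker run -p".
EXPOSE 80

# Keep Apache in the foreground so the container does not exit immediately.
# The parent process starts as root to bind port 80 and the workers run as
# www-data under the Debian/Ubuntu default configuration.
CMD ["apache2ctl", "-D", "FOREGROUND"]

# Build from the directory containing this file (note the trailing dot):
#   docker build -t hardened-ubuntu-apache .
```

Because the base is referenced by a mutable tag, rebuilding after the security team publishes a new hardened image picks up their changes; the Apache layer itself is only as current as the package index at build time.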