The First 10M Pulls: Building The Official Curl Image for Docker Hub
0 likes664 views
The document discusses the creation and implementation of the official curl image for Docker Hub, detailing the design decisions, security considerations, and the build process. It highlights the use of multi-stage builds for minimal image size and includes references to security vulnerabilities and testing procedures. Additionally, the document outlines lessons learned and future steps for enhancing the curl docker image.
The First 10M Pulls: Building The Official Curl Image for Docker Hub
- 1. The First 10M Pulls: Building the Official curl Image for Docker Hub James Fuller, webcomposite s.r.o.
- 2. Have you ever ? > curl https://curl.haxx.se
- 3. CURL DEMO
- 4. curl demo
- 5. curl / libcurl command line tool and library for transferring data with URLs
- 6. Daniel Stenberg - https://daniel.haxx.se/blog/2020/04/30/the-state-of-curl-2020/
- 7. Daniel Stenberg - https://daniel.haxx.se/blog/2020/04/30/the-state-of-curl-2020/
- 8. Daniel Stenberg - https://daniel.haxx.se/blog/2020/04/30/the-state-of-curl-2020/
- 9. Daniel Stenberg - https://daniel.haxx.se/blog/2020/04/30/the-state-of-curl-2020/
- 11. Daniel Stenberg - https://daniel.haxx.se/blog/2020/04/30/the-state-of-curl-2020/
- 12. Have you ever ? >docker run curlimages/curl https://curl.haxx.se
- 13. curl docker demo
- 15. Agenda ● Introduction ● Design ● Implementation ● Lessons learned ● Next steps ● Questions
- 16. James Fuller, webcomposite s.r.o. c/C++/python/fp bigdata, semantics, network http://jim.fuller.name @_james_fuller jim.fuller@webcomposite.com functional programming Lead Engineer HTTP database semantics data network
- 17. Who is curl/libcurl ? Benevolent dictator for lifeDaniel Stenberg ‘BDFL’ :
- 18. curl src - https://github.com/curl/ curl
- 19. curl-docker src - https://github.com/curl/curl-docker
- 21. Why curl docker image ? https://twitter.com/jpmens/status/1166301485178728448
- 22. Design
- 23. Design decisions base image vs end user consumption ? ‘homebrew’ vs builder framework ?
- 24. Design concerns test docker image ensure docker image is ‘secure’
- 25. Mitigate security risk Rui Shu, Xiaohui Gu and William Enck – “A Study of Security Vulnerabilities on Docker Hub”, March 2017 https://dl.acm.org/doi/pdf/10.1145/3029806.3029832
- 26. Implementation details multi-stage multi arch minimal size image
- 27. Implementation
- 28. Implementation Build. generates docker image for end user ‘consumption’ Makefile build system build targets expose all functionality base on latest curl release tag CI build/test/scan with travis
- 30. Implementation Test. curl’s own extensive test suite lint check dockerfile - projectatomic/dockerfile-lint docker image test - google’s container-structure-test run the container
- 31. tests demo
- 32. Implementation Security. virus checker: clamav rootkit: rkhunter (chkrootkit) system: lynis docker: trivis, anchore
- 35. Lessons learned
- 36. Be conservative Incremental enhancement Don’t break the internet
- 37. Keep it simple single image adopt builder framework when ready
- 38. ● security scanning works ! ● docker build buildx makes it easy to ‘multi-arch’ ● docker great for development, be more careful about production Other lessons learned
- 39. Next steps Variation ”batteries included”, minimal, … Useful deps ex. include jq More arch, ssl backends, http2/3 impl, tests, security, … Standard Library ?
- 40. Thank you & Questions ?