[Cialug] Automatic container updates

Andy Denner linux-list at upeke.com
Tue Apr 26 05:02:28 UTC 2022


To be fair (with hand waving and generalizations), it entirely depends 
on your threat profile and needs.

If greenbone updates once a day, your scanner won't be any more fresh 
than that.

Platform one and the DOD have an entirely different set of needs and 
are somewhat more attractive as a target. (Although with the current 
world conditions and state sponsored hacking, a bit less so)

Will wrote:
>
> I've been getting DEEP into this topic lately as well as following some
> acquaintances with Chainguard on the SLSA and SBOM specs. Basically,
> according to some of the latest Chainguard white papers, you want to build
> on demand and directly from the repository.
>
> I have some basic proofs of concept but ideally, if you're pulling from
> Docker hub, you're doing it wrong. If you're pulling a tarball, you're
> likely doing it wrong. With that said, much of what is used for practices
> certified for Iron Bank ARE doing it wrong (great from a starting
> perspective) but much less wrong. Iron Bank certified images must build
> every 4 hours to meet requirements.
>
> On Mon, Apr 25, 2022 at 7:11 PM Adam Shannon <adam at ashannon.us> wrote:
>
>>
>> When building an image Docker and Podman can automatically pull (--pull) a
>> newer revision of a tag. Useful if you're using debian:stable or
>> alpine:3.15 as a base image.
>>
>> There are some robots (e.g. renovate) that can open pull requests with
>> updated Dockerfile/Podfile contents.
>>
>> https://docs.podman.io/en/latest/markdown/podman-build.1.html#pull
>>
>> ------- Original Message -------
>> On Monday, April 25th, 2022 at 5:51 PM, Andy Denner <linux-list at upeke.com>
>> wrote:
>>
>>
>>>
>>>
>>>
>>> So what I have heard for the standard process is to have your CI/CD
>>> process that builds your images set as a scheduled task to build your
>>> container periodically. (if it is a local docker instance and no ci/cd
>>> you could do the same with cron). Cycling and refreshing your
>>> containers also helps enforce the cattle not pets idea.
>>>
>>> Some of the more security forward places have a policy to not have any
>>> containers sitting around that are older than x (i.e. 90 days).
>>>
>>> L. V. Lammert wrote on 4/25/2022 3:33 PM:
>>>
>>>>
>>>> Been using Greenbone for security scans, .. but if the version running is
>>>> not current, the scans are useless and, unfortunately, the tag is not
>>>> useful:
>>>>
>>>> securecompliance/gvm debian-master-data-full b6e23911f4f6 4 months ago 6.12GB
>>>>
>>>>
>>>> What's the best way to check for a new version and automatically pull?
>>>>
>>>> Thanks!
>>>>
>>>> _______________________________________________
>>>> Cialug mailing list
>>>> Cialug at cialug.org
>>>> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>>>
>>
>>
>
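An added example, not code from this thread or from any of the projects it mentions (Greenbone, Chainguard, renovate): a small Python script that applies the two refresh policies discussed above to a locally cached image. It pulls when the tag's digest on the registry no longer matches the digest recorded locally, and it also pulls when the local image is older than a 90 day limit (the "no containers older than x" rule). The decision logic is pure and is exercised on a constructed `docker image inspect` record; the `__main__` part assumes the `docker` and `skopeo` CLIs are installed and that the image is given as `repo:tag`.

```python
"""Decide whether a locally cached container image should be refreshed.

Policies implemented (both taken from the thread):
  * refresh when the tag has moved to a new digest on the registry, and
  * refresh when the local image is older than MAX_AGE_DAYS.

The decision functions work on the JSON that `docker image inspect`
emits; the __main__ block wires them to the docker and skopeo CLIs.
"""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Constructed sample shaped like one element of `docker image inspect`
# output; the digest is a placeholder, not a real image.
SAMPLE_RECORD = {
    "Created": "2022-01-05T10:11:12.123456789Z",
    "RepoDigests": ["securecompliance/gvm@sha256:" + "a" * 64],
}


def parse_created(ts):
    """Parse docker's RFC3339 'Created' timestamp into an aware UTC datetime.

    docker emits nanosecond fractions, which datetime cannot parse, so the
    fraction is dropped (day-level age does not need it).
    """
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def image_age_days(record, now):
    """Whole days between the image's Created time and `now` (aware datetime)."""
    return (now - parse_created(record["Created"])).days


def local_digest(record, repo):
    """Digest the local image was pulled at for `repo`, or None if not recorded."""
    for entry in record.get("RepoDigests", []):
        name, _, digest = entry.partition("@")
        if name == repo:
            return digest
    return None


def refresh_reason(record, repo, remote_digest, now, max_age_days=MAX_AGE_DAYS):
    """Return None when the image passes both policies, else a readable reason."""
    digest = local_digest(record, repo)
    if digest is None:
        return "local image carries no digest for %s; cannot verify it" % repo
    if remote_digest is not None and digest != remote_digest:
        return "tag moved: local %s, registry %s" % (digest[:19], remote_digest[:19])
    age = image_age_days(record, now)
    if age > max_age_days:
        return "image is %d days old (policy allows %d)" % (age, max_age_days)
    return None


def docker_inspect(image):
    """First record of `docker image inspect` for a locally present image."""
    out = subprocess.check_output(["docker", "image", "inspect", image])
    return json.loads(out)[0]


def remote_digest_for(image):
    """Digest of the manifest the registry currently serves for the tag.

    `skopeo inspect --raw` returns the exact manifest bytes (the manifest
    list for multi-arch tags); the registry digest is sha256 of those bytes.
    """
    raw = subprocess.check_output(["skopeo", "inspect", "--raw", "docker://" + image])
    return "sha256:" + hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    image = sys.argv[1]             # e.g. securecompliance/gvm:debian-master-data-full
    repo = image.rsplit(":", 1)[0]  # strip the tag; assumes repo:tag form, no @digest
    reason = refresh_reason(docker_inspect(image), repo, remote_digest_for(image),
                            datetime.now(timezone.utc))
    if reason is None:
        print("%s is current" % image)
    else:
        print("refreshing %s: %s" % (image, reason))
        subprocess.check_call(["docker", "pull", image])
```

Run it from cron (or a scheduled CI job) at whatever interval matches the upstream publishing cadence; for an image you build yourself rather than pull, swap the final `docker pull` for `docker build --pull` so the base layer is refreshed the way Adam describes.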