what if you do not want to run docker pull?

The Red Hat Security blog post "before you initiate docker pull" explains why running docker pull (in Docker's current state) cannot really be considered a wise step.

Unfortunately, all the getting-started instructions for Docker out there point exclusively to docker pull as the way to go, leaving little room for the discussion raised in the blog post above.

If you are security aware (some would say paranoid), you have a couple of options to deal with this:

1. Split the pull into separate download and load steps. Get the .tar.gz archive of the Docker image and load it only after downloading it: fetch the image with wget (e.g. Fedora Docker images in .tar.gz format) and then load it with docker load. This achieves the same result, but before loading the image you can check its md5 sum and make sure it is really the one you want.
I provided a link to the Fedora .tar.gz Docker image format. Asking your favorite search (evil) machine will guide you to other images: CentOS/Debian.

I recommend reading the articles below to understand a bit more about how Docker handles things in the background:

a. docker insecurity blog post
b. Cryptographic Signing of Core Images

2. With option 1 in place, there is no longer any need to fetch images from the internet, as long as no updated base image (the Fedora image in the case above) has appeared that you want to use. From this point you can use Docker for your purposes, and if you want to build a new image you can use docker build --tag=mynewimage Dockerfile, where the Dockerfile specifies that the new image is built from one you already have locally. Beware that if docker build cannot find the image to build from, it will look it up on hub.docker.com, so read the articles above to figure out how to prevent this.
The Docker team wrote an excellent document on writing Dockerfiles, and I recommend reading it first to get better insight into Dockerfile structure.

3. You can use docker-registry to build your own local Docker registry from which you can pull images without any internet interaction. To download images from that registry you will first need to upload (push) the ones you want into it.
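Option 1 scripted as a small POSIX shell helper, as an added example that is not code from the original post: the archive is handed to docker load only after its digest matches a value obtained out of band. It uses SHA-256 instead of the md5 mentioned above, since md5 is no longer collision resistant; the archive URL and digest in the usage comment are placeholders, and sha256sum (or shasum) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a downloaded image
# archive before it ever reaches `docker load`.
# Assumptions: sha256sum (or shasum) is on PATH, and EXPECTED_DIGEST comes
# from an out-of-band source (the distributor's published checksum file),
# not from the same place the archive was fetched from.

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image ARCHIVE EXPECTED_DIGEST: return 0 only if the digests match
verify_image() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ ! -f "$archive" ]; then
        echo "verify_image: no such file: $archive" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "verify_image: digest mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# load_verified_image ARCHIVE EXPECTED_DIGEST: docker load runs only after a
# successful verification, so a tampered or truncated download never gets
# imported into the local image store.
load_verified_image() {
    verify_image "$1" "$2" || return 1
    docker load < "$1"
}

# Usage (placeholder URL and digest; take the real digest from the
# distributor's published checksum file, fetched separately):
#   wget https://example.invalid/fedora-docker.tar.gz
#   load_verified_image fedora-docker.tar.gz <sha256 from checksum file>
```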

In future blog posts I will write a detailed how-to on creating base image(s), configuring and starting your local docker registry service, and uploading images to it.
