VSHN.timer #71: Containers Beyond Docker

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about how we’re moving past Docker into a world of open container standards.

1. If you run Docker containers, the lazy option consists in hosting your images in Docker Hub. But beware! They have new download rate limits. In short, Docker Hub now allows up to 100 pulls per 6 hours for anonymous (unauthenticated) IP addresses, and 200 pulls per 6 hours for authenticated non-paying users. Of course, these restrictions do not apply to Docker Hub users with Pro or Team accounts. Our VSHNeer Gabriel Mainberger recently wrote an article in this blog about the measures we had to take due to these new restrictions. We recommend migrating your images to Red Hat Quay, AWS ECR, or to use a private registry, such as Harbor, OpenShift’s or GitLab’s.

https://docs.docker.com/docker-hub/download-rate-limit/

2. Containers are lightweight, fast, and convenient; no wonder they have been embraced by DevOps teams all over the world. There are, however, a few security gotchas to be aware of when writing those Dockerfiles. Cloudberry Engineering has published a useful checklist of eight critical items to keep in mind while creating new images: use trusted base images, do not sudo, do not use root users, avoid curl | bash, and more. They even provided an Open Policy Agent rule to statically analyze your Dockerfiles with conftest! Perfect for your DevSecOps needs.

https://cloudberry.engineering/article/dockerfile-security-best-practices/

3. Did you know that Kubernetes is used by more than half of all organizations using containers? Or that 80% of all Kubernetes clusters in Google Cloud are hosted in the managed GKE service? Or that NGINX, Redis, and PostgreSQL are the most popular container images? The Datadog Container Use Report contains these and eight more interesting facts about the world of containers.

https://www.datadoghq.com/container-report/

4. Podman has slowly but surely become the de facto official replacement for Docker. And migrating to it is as easy as alias docker=podman. Images created by Podman and Docker are both based on the OCI standard, and they are fully interoperable. DevOps engineers also appreciate the simpler architecture of Podman (read: no daemon) for their image building needs. Cedric Clyburn from Red Hat recently wrote a nice blog post explaining all there is to know about this transition. Remember: the industry is moving away from Docker!

https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman/

5. The open source project of the week is Bottlerocket, a Linux distribution created by AWS explicitly built to run containers, and an interesting case of using Rust for building a complete operating system.

https://github.com/bottlerocket-os/bottlerocket

Are you using Podman already? Do you check your container images for vulnerabilities? Have you switched to a different image registry? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.

PS: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.

PS²: would you like to watch VSHN.timer on YouTube? Subscribe to our channel vshn.tv and give a „thumbs up“ to our videos.

PS³: check out our previous VSHN.timer editions about containers: #12, #17, #40, #51 and #54.