Table of Contents
hide
Google Cloud Building Containers Best Practices
Package a single app per container
- An “app” is considered to be a single piece of software, with a unique parent process, and potentially several child processes.
- A container is designed to have the same lifecycle as the app it hosts, so each of the containers should contain only one app. When a container starts, so should the app, and when the app stops, so should the container. for e.g. in the case of the classic Apache/MySQL/PHP stack, each component must be hosted in a separate container.
Properly handle PID 1, signal handling, and zombie processes
- Linux signals are the main way to control the lifecycle of processes inside a container.
- The app within the container should handle the Linux signals, as well as the best practice of a single app per container should be implemented.
- Process identifiers (PIDs) are unique identifiers that the Linux kernel gives to each process.
- PIDs are namespace, i.e. the containers PIDs are different from the host and are mapped to the PIDs on the host system.
- Docker and Kubernetes use signals to communicate with the processes inside containers, most notably to terminate them.
- Both Docker and Kubernetes can only send signals to the process that has PID 1 inside a container.
- For Signal handling and Zombie processes following can be followed
- Run as PID 1 and register signal handlers
- Launch the process with the
CMD
and/orENTRYPOINT
instructions in the Dockerfile, which would give the PID 1 to the process - Use the built-in
exec
command to launch the process from the shell script. Theexec
command replaces the script with the program and the process then inherits PID 1.
- Launch the process with the
- Enable process namespace sharing in Kubernetes
- Process namespace sharing for a Pod can be enabled where Kubernetes uses a single process namespace for all the containers in that Pod.
- Kubernetes Pod infrastructure container becomes PID 1 and automatically reaps orphaned processes.
- Use a specialized init system
- Init system such as
tini
created especially for containers that can be used to handle signals and reaps any zombie processes
- Init system such as
- Run as PID 1 and register signal handlers
Optimize for the Docker build cache
- Images are built layer by layer, and in a Dockerfile, each instruction creates a layer in the resulting image.
- Docker build cache can accelerate the building of container images.
- During a build, when possible, Docker reuses a layer from a previous build and skips a potentially costly step.
- Docker can use its build cache only if all previous build steps used it.
Remove unnecessary tools
- Remove unnecessary tools helps reduce the attack surface of the app by removing any unnecessary tools.
- Avoid running as root inside the container: this method offers the first layer of security and could prevent attackers from modifying files
- Launch the container in read-only mode using the
--read-only
flag from thedocker run
or by using thereadOnlyRootFilesystem
option in Kubernetes.
Build the smallest image possible
- Smaller image offers advantages such as faster upload and download times
- To reduce the size of the image, install only what is strictly needed
Scan images for vulnerabilities
- For vulnerabilities, as the containers are supposed to be immutable, the best practice is to rebuild the image, patches included, and redeploy it
- As containers have a shorter lifecycle and a less well-defined identity than servers, a centralized inventory system would not work effectively
- Container Analysis can scan the images for security vulnerabilities in publicly monitored packages
Using public image
- Consider before using public images as you cannot control what’s inside them
- Public image such as Debian or Alpine can be used as the base image and building everything on top of that image
Managed Base Images
- Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream
GCP Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- When creating a secure container image, which two items should you incorporate into the build if possible?
- Use public container images as a base image for the app.
- Build the smallest image possible
- Use many container image layers to hide sensitive information.
- Package multiple applications in a container