피드 구독

What is attack surface anyway? In one of Aesop’s Fables, The Town Mouse & the Country Mouse, the country mouse says to the city mouse, "You may have luxuries and dainties that I have not," …  "but I prefer my plain food and simple life in the country with the peace and security that go with it." This is a concept familiar to even the ancient Greeks. In any system, there’s less headache, less stress, and less risk when you depend on fewer moving parts. In computer security, we refer to this concept as attack surface. And, we are in a constant battle to reduce the attack surface, a struggle between convenience and minimization.

The quest to reduce the attack surface of Linux containers

In the quest to reduce the attack surface, there’s always a tension between smaller individual container images and total software within an environment (see also: Container Tidbits: Can Good Supply Chain Hygiene Mitigate Base Image Sizes?). It’s important to remember that attack surface expands for several main reasons:

  1. Convenience. Particularly, with open source, it’s easy to go grab a new piece of software or library to cut down on the code you have to write yourself. Every new piece of software utilized adds to the attack surface.

  2. Lack of coordination. It’s easy to ignore what your colleagues are using, and just grab the latest version of some library or package. Every new version of the same library or package adds to the attack surface.

  3. Quality. It’s hard to research how well maintained a library is. It’s hard to know how security-minded its creators are. It’s difficult to know if they scan the code for security problems. Low quality or unmaintained libraries increase the attack surface.

Red Hat Enterprise Linux provides high-quality libraries that are maintained by security minded people. To make it convenient to consume these libraries in containers, Red Hat introduced Red Hat Universal Base Image (UBI). 

Introducing the UBI Micro image

Standardizing on UBI has always been a great way to reduce attack surface within a containerized environment (see also: Containers need standard operating environments too). Now, with Red Hat Enterprise Linux (RHEL) 8.4, we’re announcing UBI Micro to help reduce the attack surface of individual applications. 

UBI Micro is constructed from the exact same packages as UBI Standard, Minimal, and Init, but minimizes the individual image size by excluding a package manager and all of its dependencies which are normally pulled into a container image. 

Constructing a container image without the Linux distro’s packaging tools is sometimes referred to as distroless. By this criteria, UBI can be called a distroless container image built with RHEL content which is freely distributable for any use case you want. This reduces the attack surface of any individual image built upon it, as well as limiting the total amount of software within an environment when you standardize on RHEL (including OpenShift built on RHEL) and UBI (one glibc, one openssl, etc). Furthermore, the binaries and libraries in UBI come directly from RHEL. That means UBI has the same security response team, the same security hardening, and the same security metadata. 

UBI Micro is a high quality container image with a minimized attack surface and is great for some highly minimized applications, even if you use UBI Standard, Minimal, or Init for other applications.  Now, let’s see how it works in action.

Using UBI Micro with Buildah

Let’s demonstrate how to build on the UBI Micro image using Buildah. The following commands will pull the image, mount it, install Apache and commit the image in the local container/storage cache:

microcontainer=$(buildah from registry.access.redhat.com/ubi8/ubi-micro)
micromount=$(buildah mount $microcontainer)
yum install \
    --installroot $micromount \
    --releasever 8 \
    --setopt install_weak_deps=false \
    --nodocs -y \
    httpd
yum clean all \
    --installroot $micromount
buildah umount $microcontainer
buildah commit $microcontainer ubi-micro-httpd

Now, check out how big it is:

podman images | grep ubi-micro-httpd

Output:

localhost/ubi-micro-httpd                                     latest                                                       7c557e7fbe9f  22 minutes ago  151 MB

That’s it, it’s that simple. Using the version of Buildah included in RHEL8, it’s that easy to build upon UBI Micro as a base image. This Apache image weighs in at 156MB on disk and 55MB across the wire. Not bad compared to the standard Apache httpd 2.4 image from Red Hat which is 403MB on disk and 147MB across the wire. 

For more technical information, check out the Building, running, and managing containers guide in the official RHEL 8 documentation.


저자 소개

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리