Profile Applicability:
Level 1
Description:
Docker image sprawl occurs when a large number of outdated or unused images accumulate, leading to inefficiencies in storage management. Avoiding image sprawl is critical for keeping the Docker environment clean and efficient, ensuring that only the required, up-to-date images are stored.
Rationale:
Keeping unused images increases storage usage and reduces efficiency. Docker images should be carefully managed to ensure only necessary images are retained, thus preventing system bloat and minimizing potential security risks from outdated or unnecessary images.
Impact:
Pros:
Reduces storage overhead by removing unused or outdated images.
Improves the efficiency of the Docker environment.
Enhances security by ensuring outdated images are removed.
Cons:
Requires an active image cleanup policy and process, which may require automation and monitoring.
Default Value:
Docker does not impose a limit on the number of images. By default, unused images can accumulate unless manually removed or managed.
Prerequisites:
Administrative privileges on the Docker host system.
Familiarity with Docker image management commands.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance running Docker.
Check the list of images by running the command docker images to identify unused or outdated images.
Review the tags and ensure only necessary images are present.
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the command to list Docker images:
docker images
Check for any unnecessary or unused images in the output.
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Remove unused images manually by running the following command:
docker rmi <image_id>
Optionally, you can set up automated cleanup using docker system prune to remove unused images, containers, and volumes.
Using AWS CLI:
Use SSM to remotely clean up unused images:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker system prune -f"]'
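The Test Plan and Implementation Plan above rely on reading docker images output by eye and then removing images one at a time or pruning everything at once. The script below is an added example, not part of this benchmark or of Docker's own tooling: it builds the inventory with docker images, collects the image ids that any container (running or stopped) still references, reports the images nothing references, and deletes them only when invoked with --delete. The function names and the --report/--delete flags are this example's own; it assumes it runs on the Docker host with administrative privileges, and the inventory lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the benchmark text or Docker's tooling): find and
# optionally remove images that no container references. Assumes it runs on
# the Docker host with privileges to call the docker CLI.
set -eu

# unused_images INVENTORY IN_USE
#   INVENTORY: one "<image_id> <repo:tag>" per line (docker images output)
#   IN_USE:    image ids referenced by containers, one per line
# Prints the inventory lines whose id is not in IN_USE. Pure text processing,
# so it can be checked without a Docker daemon, e.g. on constructed input:
#   sha256:aaa nginx:1.25
#   sha256:bbb <none>:<none>
unused_images() {
  inventory=$1
  in_use=$(printf '%s ' $2)   # flatten ids onto one space-separated line
  printf '%s\n' "$inventory" | awk -v used="$in_use" '
    BEGIN { n = split(used, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    NF >= 2 && !($1 in seen) { print $1, $2 }
  '
}

# Full (untruncated) ids so they match what docker inspect reports.
collect_inventory() {
  docker images --no-trunc --format '{{.ID}} {{.Repository}}:{{.Tag}}'
}

# Image ids referenced by every container, running or stopped (-a), so that a
# stopped container's image is not treated as unused.
collect_in_use() {
  ids=$(docker ps -aq)
  [ -z "$ids" ] || docker inspect --format '{{.Image}}' $ids
}

# main --report | --delete
main() {
  mode=$1
  candidates=$(unused_images "$(collect_inventory)" "$(collect_in_use)")
  if [ -z "$candidates" ]; then
    echo "no unreferenced images found"
    return 0
  fi
  echo "images not referenced by any container:"
  printf '%s\n' "$candidates"
  if [ "$mode" = "--delete" ]; then
    # Untag by repo:tag where a tag exists (an image with several tags is only
    # deleted once its last tag goes); dangling <none>:<none> images have no
    # tag, so those are removed by id. docker rmi still refuses an image that
    # a container uses, which acts as a second safety net.
    printf '%s\n' "$candidates" \
      | awk '{ print ($2 == "<none>:<none>") ? $1 : $2 }' \
      | xargs docker rmi
  fi
}

# Only act when explicitly asked; sourcing or running without a flag does nothing.
if [ "${1:-}" = "--report" ] || [ "${1:-}" = "--delete" ]; then
  main "$1"
fi
```

Run it as sh image_sprawl.sh --report first, review the list, then sh image_sprawl.sh --delete; the same file can be sent through the SSM command shown above in place of the blanket prune. Compared with docker system prune, this is deliberately narrower: prune also deletes stopped containers, unused networks and build cache, and it only touches volumes when given --volumes, whereas this script removes images and nothing else. Adding a time window is a matter of filtering the inventory on {{.CreatedAt}} before handing it to unused_images.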
Backout Plan:
Using AWS Console:
If images are removed incorrectly, they can be re-pulled from the image repository using the following command:
docker pull <image_name>
Using AWS CLI:
Use SSM to pull any missing images back from the repository:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker pull <image_name>"]'
References:
CIS Docker Benchmark v1.7
Docker Image Management Documentation: https://docs.docker.com/engine/reference/commandline/rmi/