Profile Applicability:
Level 1
Description:
Dockerfiles should not run package manager update instructions such as apt-get update or yum update on their own in a separate RUN instruction. An update instruction should always be combined with the package installation command in the same RUN instruction, so that the update step is not cached as a standalone layer that prevents fresh package metadata from being fetched in later builds.
Rationale:
If an update instruction runs alone in its own RUN instruction, Docker caches the resulting layer. When the image is rebuilt later, that cached layer is reused and the update step is not re-run, so packages installed in subsequent layers may be resolved against stale package lists and miss the latest security updates.
Impact:
None: This recommendation does not impact functionality but ensures that Docker images are always up-to-date and do not rely on cached layers, maintaining security.
Default Value:
By default, Docker does not enforce any restrictions on using update instructions by themselves in Dockerfiles.
Pre-requisites:
Docker must be installed on the host system.
Access to Dockerfile and Docker image building environment.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance where Docker is running.
Ensure the Dockerfile does not contain update instructions such as apt-get update or yum update without an installation command such as apt-get install or yum install in the same RUN instruction.
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to list the image's layers and confirm that no layer was created by an update instruction on its own:
docker history <Image_ID>
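The Test Plan above checks the Dockerfile by inspection. The following shell script, added here as an example and not part of the benchmark text, automates that check against the Dockerfile source: it joins backslash-continued lines into single logical RUN instructions and reports any instruction that runs a package manager update without an install in the same instruction. The function name standalone_updates and the two sample Dockerfiles are constructed for illustration; the second sample shows the remediated form.

```bash
#!/usr/bin/env bash
# Added example (not part of the benchmark text): audit a Dockerfile for RUN
# instructions that run a package-manager "update" without an "install" in
# the same instruction. Function and file names are hypothetical.

# standalone_updates FILE
#   Prints each offending logical RUN instruction (continuation lines joined).
#   Returns 0 when none are found, 1 when at least one is found.
standalone_updates() {
  awk '
    # Lines ending in a backslash continue the instruction on the next line:
    # strip the backslash and accumulate until the instruction is complete.
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
    { instr = buf $0; buf = "" }

    # Only RUN instructions matter; comments and other directives are skipped.
    instr !~ /^[[:space:]]*[Rr][Uu][Nn][[:space:]]/ { next }

    # Flag an update/refresh that has no install/add in the same instruction.
    instr ~ /(apt-get|apt|yum|dnf|zypper)[[:space:]]+(update|refresh)|apk[[:space:]]+update/ &&
    instr !~ /(apt-get|apt|yum|dnf|zypper)[[:space:]]+install|apk[[:space:]]+add/ {
      found++
      print instr
    }

    END { exit (found > 0) }
  ' "$1"
}

# Constructed sample: the first Dockerfile has the standalone update the
# benchmark warns about, the second is the remediated form.
bad_dockerfile=$(mktemp)
cat > "$bad_dockerfile" <<'EOF'
FROM ubuntu:22.04
# Standalone update: this layer is cached and reused in later builds.
RUN apt-get update
RUN apt-get install -y curl
EOF

good_dockerfile=$(mktemp)
cat > "$good_dockerfile" <<'EOF'
FROM ubuntu:22.04
# Update and install in one instruction, so changing the package list
# re-runs the update as well instead of reusing a stale cached layer.
RUN apt-get update && \
    apt-get install -y curl && \
    rm -rf /var/lib/apt/lists/*
EOF

echo "== checking $bad_dockerfile"
standalone_updates "$bad_dockerfile" || echo "FAIL: standalone update instruction(s) found"
echo "== checking $good_dockerfile"
standalone_updates "$good_dockerfile" && echo "OK: every update is paired with an install"
rm -f "$bad_dockerfile" "$good_dockerfile"
```

Because the check reads the Dockerfile rather than a built image, it can run before the build (for example as a pre-commit or pipeline step); the docker history command in the Test Plan remains the way to verify an image that has already been built.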
Implementation Plan:
Using AWS Console:
Connect to the EC2 instance.
Modify the Dockerfile to combine update instructions with package installation commands. For example:
RUN apt-get update && apt-get install -y <package_name>
Rebuild the Docker image:
docker build -t <image_name> .
Using AWS CLI:
Use SSM to update the Dockerfile on the EC2 instance and rebuild the image.
Run the following command to rewrite the standalone update line in the Dockerfile as a combined update-and-install instruction and rebuild the image (the sed expression matches a line consisting of exactly RUN apt-get update; adjust it if the Dockerfile uses a different update command):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"s/^RUN apt-get update$/RUN apt-get update \\&\\& apt-get install -y <package_name>/\" Dockerfile && docker build -t <image_name> ."]'
Backout Plan:
Using AWS Console:
Connect to the EC2 instance.
Revert the changes in the Dockerfile and rebuild the image with the old configuration:
docker build -t <old_image_name> .
Using AWS CLI:
Use SSM to revert the Dockerfile and rebuild the image:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"<previous_content_of_dockerfile>\" > Dockerfile && docker build -t <old_image_name> ."]'