Building and managing container images with Buildah

Buildah is an open source tool that builds OCI-compliant container images without requiring the Docker engine. It can also run in rootless mode, which reduces the attack surface, and it can run inside a container itself.

You can use Buildah to build container images from existing container images, from Dockerfiles, and from scratch (that is, starting from an empty image). OCI images built with Buildah are portable and can be run on other hosts and with other container engines such as CRI-O, Podman, and Docker Engine.


Using Skopeo to work with Container Images in a dockerless world

Skopeo is a specialized tool that performs various operations on container images and image repositories.

The operations Skopeo can perform include:

  • Copying an image between various storage mechanisms. For example, you can copy images from one registry to another without requiring privileges.
  • Inspecting a remote image and showing its properties, including its layers, without pulling the image to the host.
  • Deleting an image from an image repository.
  • Syncing an external image repository to an internal registry for air-gapped (offline) deployments.
  • Passing the appropriate credentials and certificates for authentication when the repository requires them.

Create and Manage a secure private container registry for internal usage

A container image registry is used to store container images and maintain their versions. Container runtime engines such as Podman, containerd, CRI-O, and rkt are typically used to push and pull images with their respective commands. Most of these runtimes have a way to create and maintain a local image store for the machine on which they are installed. However, when sharing images between different machines, we need a centralized registry to which everyone can push and from which everyone can pull. Many PaaS registry services are already available on the market. However, sometimes you may want your own personal or private registry where you control which images are available to your runtimes.


Encrypting ECR Images with AWS KMS

AWS Key Management Service (AWS KMS) is an AWS offering for hosting and managing master keys, which are used to encrypt your data stored in other AWS services. By default, AWS Elastic Container Registry (AWS ECR) stores images in Amazon S3, which uses AES-256 server-side encryption to protect data at rest. However, some compliance regimes such as HIPAA may require not only that data be encrypted at rest, but also that specific encryption mechanisms be used. Using AWS KMS with either AWS managed keys or customer managed keys (CMKs) allows one to meet such requirements. In this blog post, we’ll discuss how to enable this for ECR images.


Understanding Advanced features of Elastic Container Registry (ECR)

In the last blog post, we discussed Amazon’s container image registry service, Elastic Container Registry (ECR). We learned how to create an ECR repository, push and pull images, and perform other basic operations. In this blog post, we’ll discuss advanced features such as scan on push and lifecycle policies. We’ll learn what these features do and how to turn them on or off.

Image tag Mutability

You can configure a repository with immutable tags to prevent image tags from being overwritten. After the repository is configured for immutable tags, an ImageTagAlreadyExistsException error is returned if you attempt to push an image with a tag that already exists in the repository.


Working with Elastic Container Registry (ECR) – Covering Basics

Amazon Elastic Container Registry (ECR) is one of the services hosted by Amazon Web Services (AWS). ECR provides both private and public repositories for storing container images. It integrates with the AWS CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts. Public ECR and private ECR provide almost the same features. However, private ECR, as the name indicates, provides more security features for enterprises, since all communication must be authenticated first. This is the first in a series of blog posts on Amazon ECR, in which we cover the basics of getting started. In later blog posts, we’ll discuss how to operate and use various ECR features, and cover some security and monitoring considerations and some automation as well.
