Learn About Building Secured Container Images for OCI Functions
In this solution playbook, we share best practices for securely building container images and storing them in a Docker registry.
Architecture
Default Dockerfiles are built from a baseline image (fnproject/python:3.9-dev) and can therefore be missing the latest versions of their dependent packages.
Here are some reasons why container image scans are important, and why any vulnerabilities they detect must be remediated:
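A hardened custom Dockerfile for a Python function, as an added example rather than the playbook's own Dockerfile. It keeps the same two-stage layout as the default Fn Dockerfile but pins the baseline images by digest, refreshes the packaging tools, and only installs hash-pinned dependencies; it assumes a `func.py` with a `handler` entry point, a `requirements.txt` generated with hashes (for example with `pip-compile --generate-hashes`), and that each `<DIGEST-PLACEHOLDER>` is replaced with the digest of the baseline image you actually scanned.

```dockerfile
# Build stage: the same baseline image the default Dockerfile uses, pinned to
# an immutable digest so that a rebuild cannot silently pull a different image.
# <DIGEST-PLACEHOLDER> is a placeholder; replace it with the digest reported by
# `docker pull fnproject/python:3.9-dev` or by the registry manifest.
FROM fnproject/python:3.9-dev@sha256:<DIGEST-PLACEHOLDER> AS build-stage
WORKDIR /function

# Refresh the packaging tools shipped with the baseline image before using them,
# so that known-vulnerable pip/setuptools versions do not end up in the image.
RUN pip3 install --no-cache-dir --upgrade pip setuptools wheel

# Install only hash-pinned dependencies: a newer or tampered package that does
# not match the recorded hash fails the build instead of reaching production.
COPY requirements.txt /function/
RUN pip3 install --target /python/ --no-cache-dir --require-hashes \
        -r requirements.txt \
    && rm -rf ~/.cache/pip /tmp/* requirements.txt \
    && chmod -R o+r /python

# Copy only the function source, not the whole build context (no func.yaml,
# Dockerfile, virtualenv or local secrets). Add further modules here as needed.
COPY func.py /function/
RUN chmod -R o+r /function

# Runtime stage: the slim runtime image carries no compilers and no pip cache,
# which removes whole layers from what the vulnerability scanner must report on.
FROM fnproject/python:3.9@sha256:<DIGEST-PLACEHOLDER> AS runtime
WORKDIR /function
COPY --from=build-stage /python /python
COPY --from=build-stage /function /function
ENV PYTHONPATH=/function:/python
ENTRYPOINT ["/python/bin/fdk", "/function/func.py", "handler"]
```

Rebuild and rescan whenever the pinned digests or `requirements.txt` change, since pinning by digest also means OS-level fixes in the baseline image are only picked up when you deliberately move the pin.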
- Early detection: Scanning images during the build phase helps identify vulnerabilities before they can be deployed into production.
- Cost-effective: Fixing vulnerabilities early is less expensive than fixing them after deployment.
- Reduces attack surface: Container images are composed of multiple layers, each of which could contain vulnerabilities. Scanning helps identify and address these vulnerabilities.
- Improves security posture: Using minimal, well-maintained base images from trusted sources can help to improve security posture.
The following diagram (available for download as build-container-image-oci-functions-default-docker.zip) illustrates the workflow of this reference architecture using a default Dockerfile.
The following diagram (available for download as build-container-image-oci-functions-custom-docker.zip) illustrates the workflow of this reference architecture using a custom Dockerfile.
This architecture has the following components:
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Tenancy
A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.
- Registry
Oracle Cloud Infrastructure Registry is an Oracle-managed registry that enables you to simplify your development-to-production workflow. Registry makes it easy for you to store, share, and manage development artifacts, like Docker images. The highly available and scalable architecture of Oracle Cloud Infrastructure ensures that you can deploy and manage your applications reliably.
- Functions
Oracle Cloud Infrastructure Functions is a fully managed, multitenant, highly scalable, on-demand, Functions-as-a-Service (FaaS) platform. It is powered by the Fn Project open source engine. Functions enables you to deploy your code and either call it directly or trigger it in response to events. Oracle Functions uses Docker containers hosted in Oracle Cloud Infrastructure Registry.
- Streaming
Oracle Cloud Infrastructure Streaming provides a fully managed, scalable, and durable storage solution for ingesting continuous, high-volume streams of data that you can consume and process in real time. You can use Streaming for ingesting high-volume data, such as application logs, operational telemetry, and web click-stream data, or for other use cases where data is produced and processed continually and sequentially in a publish-subscribe messaging model.
- Vulnerability Scanning Service
Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.