Comment by trenchpilgrim a day ago

If you are adding security keys and git repos to your final shipped image you are doing things very wrong - a container image is literally a tarball and some metadata about how to run the executables inside. Even if you need that data to build your application you should use a multi-stage build to include only the final artifacts in the image you ship.

For stuff like security keys you should typically add them as build --args-- secrets, not as content in the image.

hiddew a day ago

> For stuff like security keys you should typically add them as build args, not as content in the image.

Do not use build arguments for anything secret. The values are committed into the image layers.
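As an added illustration of the two points above (this Dockerfile is not from the thread or from any project discussed in it; the Node application, the private-registry `.npmrc` and the `dist/` output path are constructed assumptions), here is a multi-stage build that keeps the checkout, the toolchain and the registry token out of the shipped image, with the build-arg anti-pattern shown commented out for contrast:

```dockerfile
# syntax=docker/dockerfile:1
#
# --- Anti-pattern (commented out so this file stays buildable) ---
# A build arg is recorded in the image's layer history, so anyone who can
# pull the image can read it back with `docker history --no-trunc`:
#
#   ARG NPM_TOKEN
#   RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > /root/.npmrc \
#       && npm ci
#
# Copying the whole checkout (including .git) into the final image has the
# same problem: every file that lands in a layer ships with the image.

# --- Build stage: has the source tree, the toolchain and the secret ---
FROM node:20-alpine AS build
WORKDIR /src
COPY package.json package-lock.json ./
# The secret is mounted only for the duration of this RUN step and is never
# written to a layer. It is supplied at build time with (constructed example):
#   docker build --secret id=npmrc,src=$HOME/.npmrc -t app .
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
RUN npm run build

# --- Runtime stage: only the built artifacts, no source, no .git, no token ---
FROM node:20-alpine
WORKDIR /app
COPY --from=build /src/dist ./dist
COPY --from=build /src/node_modules ./node_modules
COPY --from=build /src/package.json ./
USER node
CMD ["node", "dist/server.js"]
```

Two checks are worth running on the result: `docker history --no-trunc app` should show no `NPM_TOKEN=` value in any step (with the `ARG` pattern it appears in the history of every `RUN` that consumed it), and the runtime stage should have only a handful of layers rather than the hundreds a repeatedly committed container accumulates. Adding `.git` to `.dockerignore` keeps the repository metadata out of the build context entirely, so it is never copied even into the throwaway build stage.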

tecleandor a day ago

Yeah, typically, but in this case they're committing and committing in the container image, and saving changes from running software. Not only that, they're committing log files into the image, which is crazy.

The thing here is they're using Docker container images as if they were VM disks and they end up with images with almost 300 layers, like in this case. I think LXC or VMs should be a better case for this (but I don't know if they've tested it or why they are using Docker)

cowsandmilk a day ago

That’s nice, but you still shouldn’t be looking into your customer’s containers.

  • adastra22 a day ago

    How else do they diagnose issues? Sorry to break it to you, this is absolutely standard across the entire industry.

    • stackskipton a day ago

      Evict the containers, let the customer know and get customer approval to work with their images.

      • adastra22 19 hours ago

        You have approval in the terms of service. This is absolutely known and expected across the entire industry. It's why your employees have clauses in their contracts about respecting third party confidentiality.

      • trenchpilgrim a day ago

        What about this case where the container was working but was consuming overhead due to an infrastructure issue? Customer hasn't done anything wrong. If you stop their containers they'll likely leave for a competitor.