Description
You should not keep a large number of container images on the same host. Use only tagged images as appropriate.
Rationale
Tagged images are useful if you need to fall back from the “latest” version to a specific version of an image in production. Images with unused or old tags may contain vulnerabilities that might be exploited if instantiated.
Audit
Step 1: Make a list of all image IDs that are currently instantiated by executing the command:
docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Image={{ .Config.Image }}'
Note that {{ .Config.Image }} prints the image name or tag the container was started with; use {{ .Image }} instead if you want the image ID, which compares directly against the IDs listed in Step 2.
Step 2: List all the images present on the system by executing the command:
docker images
Step 3: Compare the lists of image IDs from Step 1 and Step 2. Look for images that are not in use. If any unused or old images are found, discuss with the system administrator the need to keep such images on the system. If images are no longer needed, they should be deleted.
Remediation
You should keep only the images that you actually need and establish a workflow to remove old or stale images from the host. Additionally, you should use features such as pull-by-digest (docker pull <name>@sha256:<digest>) to get specific images from the registry. You can follow the steps below to find unused images on the system so they can be deleted.
Step 1: Make a list of all image IDs that are currently instantiated by executing the command: docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Image={{ .Config.Image }}'
Step 2: List all the images present on the system by executing the command: docker images
Step 3: Compare the lists of image IDs from Step 1 and Step 2 to find the images which are currently not instantiated.
Step 4: Decide whether you want to keep the images that are not currently in use. If they are not needed, delete them by executing the command: docker rmi $IMAGE_ID
Alternatively, use the docker system prune command to remove dangling images (those which are not tagged) or, if necessary, docker system prune -a to remove all images that are not currently used by a running container.
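The audit and remediation steps above both reduce to the same set comparison: the image IDs referenced by containers against the image IDs present on the host. The script below is an added example, not part of the CIS benchmark text or of Docker itself. It assumes a Docker CLI on PATH for the live audit and remove modes; the comparison function is plain awk over newline-separated lists and can be exercised on constructed input with no daemon. It compares by image ID ({{ .Image }}) rather than by {{ .Config.Image }} so that the result lines up with docker images --quiet.

```shell
#!/bin/sh
# Added example: find and remove images that no container on this host references.
# Not the benchmark's own tooling. Live modes assume the docker CLI is on PATH.
set -u

# Normalise one image reference per line to the 12-character short ID printed
# by 'docker images --quiet': strip a "sha256:" prefix, truncate, de-duplicate.
short_ids() {
    sed 's/^sha256://' | cut -c1-12 | sort -u
}

# Image IDs referenced by any container, running or stopped.
# {{ .Image }} is the image ID; {{ .Config.Image }} is the name or tag passed
# at 'docker run' and is not directly comparable with 'docker images --quiet'.
in_use_image_ids() {
    docker ps --all --quiet | while read -r cid; do
        docker inspect --format '{{ .Image }}' "$cid"
    done | short_ids
}

# Every image ID present on the host.
all_image_ids() {
    docker images --quiet | short_ids
}

# unused_ids ALL USED: print the lines of ALL that do not occur in USED.
# Both arguments are newline-separated lists; input order of ALL is preserved.
unused_ids() {
    _used_file=$(mktemp) || return 1
    printf '%s\n' "$2" > "$_used_file"
    printf '%s\n' "$1" | awk -v used_file="$_used_file" '
        BEGIN { while ((getline line < used_file) > 0) if (line != "") used[line] = 1 }
        $0 != "" && !($0 in used)'
    rm -f "$_used_file"
}

# Audit mode: list unused images with their repository:tag so the decision to
# keep or delete them can be discussed with the system administrator.
audit_image_sprawl() {
    unused=$(unused_ids "$(all_image_ids)" "$(in_use_image_ids)")
    [ -n "$unused" ] || { echo "no unused images"; return 0; }
    for id in $unused; do
        docker image inspect --format '{{ .Id }} {{ join .RepoTags "," }}' "$id"
    done
}

# Remediation mode: remove every image that no container references.
# Run 'audit' first and agree on the list before running this.
remove_unused_images() {
    for id in $(unused_ids "$(all_image_ids)" "$(in_use_image_ids)"); do
        docker rmi "$id"
    done
}

case "${1:-}" in
    audit)  audit_image_sprawl ;;
    remove) remove_unused_images ;;
    *)      echo "usage: $0 audit|remove" >&2 ;;
esac
```

Run sh image_sprawl.sh audit on the host to print candidates, and sh image_sprawl.sh remove once the list has been agreed. Unlike docker system prune -a, this only touches images, so it cannot remove containers or volumes.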
Impact
docker system prune -a removes all exited containers as well as all images that are not referenced by running containers, including those for UCP and DTR. On Docker versions before 17.06 it also removes unreferenced volumes; on later versions it does so only when --volumes is passed. This can present problems under three circumstances:
- In offline environments, where image removal would result in needing to reload the images to the host.
- On DTR hosts, where nodes will not automatically rejoin the DTR cluster, and docker system prune -a may remove DTR volumes and erase all DTR state.
- On DTR or UCP hosts where docker system prune -a is simultaneously issued on a majority of UCP managers or DTR nodes whilst the corresponding component (UCP or DTR) is stopped. This could result in loss of quorum and/or data.
Default value
Images and layered filesystems remain accessible on the host until the administrator removes all tags that refer to those images or layers.
References
- http://craiccomputing.blogspot.in/2014/09/clean-up-unused-docker-containers-and.html
- https://forums.docker.com/t/command-to-remove-all-unused-images/20/8
- https://github.com/docker/docker/issues/9054
- https://docs.docker.com/engine/reference/commandline/rmi/
- https://docs.docker.com/engine/reference/commandline/pull/
- https://github.com/docker/docker/pull/11109
CIS controls
Version 6
18 Application Software Security