Harden your Containers with Docker Compose

Part 1: Get the Original Image & create a Stub image

Step 1.1: Pull the NGINX Docker Image

docker pull docker.io/nginx:latest

Step 1.2: Log Into RapidFort

Run rflogin to log into RapidFort. Enter your password if prompted.

rflogin <email>

Step 1.3: Generate a Stub Image

Run rfstub to generate a stub image:

rfstub docker.io/nginx:latest

This creates a new image, docker.io/nginx:latest-rfstub. 

Run docker images to view the stub image:

docker images | grep nginx

Part 2: Profile the Image

Step 2.1: Create the docker-compose.yml file on your client with the following contents. The file uses the current Compose file format with a top-level services: key; the legacy version-1 layout (service names at the top level, no services: key) is not accepted by Compose V2. The cap_add entry grants SYS_PTRACE, which RapidFort's runtime tracer inside the stub image requires; it is removed again when the hardened image is deployed in Step 3.2.

services:
  web:
    image: nginx:latest-rfstub
    volumes:
      - ./templates:/etc/nginx/templates
    ports:
      - "9999:80"
    environment:
      - NGINX_HOST=localhost
      - NGINX_PORT=80
    cap_add:
      - SYS_PTRACE

Step 2.2: Deploy the Stub

docker-compose up -d

Step 2.3: Profile the Stub Image

With the stub deployed, exercise the application's features. You can do this by hand or with a coverage script. Unlike a QA test, a coverage script need not check the output for a given input; its only job is to make the code paths run so that RapidFort can observe which software components the application actually uses. From these observations RapidFort builds a runtime profile (the Real Bill of Materials), which is required to harden and optimize the image. Components that are never exercised are not recorded as required, so cover every feature you rely on in production.

In this example we exercise only one feature, a single HTTP GET with curl:

curl localhost:9999

You should see the NGINX welcome page.

Step 2.4: Undeploy the Stub

docker-compose down

Part 3: Generate, Run, and Test the Hardened Image

Step 3.1: Harden the Stub Image

Run rfharden to harden the stub image.

rfharden docker.io/nginx:latest-rfstub

This creates a new image, docker.io/nginx:latest-rfhardened.

If you get the following error message when hardening the image, return to Steps 2.1-2.3:

Error: No stub instances have run yet...

This indicates that RapidFort did not receive runtime profile information for this image. RapidFort must have a runtime profile to harden an image.

Step 3.2: Deploy the Hardened Image

Update the image name and remove the cap_add section from the docker-compose.yml file, so that it reads as follows:

services:
  web:
    image: nginx:latest-rfhardened
    volumes:
      - ./templates:/etc/nginx/templates
    ports:
      - "9999:80"
    environment:
      - NGINX_HOST=localhost
      - NGINX_PORT=80

Deploy the hardened image and test it again to verify that your application works as expected:

docker-compose up -d

curl localhost:9999

When you are finished testing your application, undeploy the container:

docker-compose down

The hardened image contains none of the RapidFort dependencies used for runtime tracing, so it does not need the SYS_PTRACE capability. Do not add cap_add back when running the hardened image; leaving it in place would grant the container a capability it has no use for.
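The stub, profile and harden cycle from Parts 2 and 3 as one script. This is an added example, not RapidFort's code or a tool it ships: it renders the compose file for the stub and for the hardened image (only the stub gets cap_add: SYS_PTRACE), refuses to deploy a hardened compose file that still grants the capability, waits until NGINX answers before sending profiling traffic (requests made while the container is still starting record nothing, and rfharden then fails with "No stub instances have run yet"), and requests a list of paths as coverage rather than as a test. The image names, port 9999, the template mount and the environment come from this page; the exercised paths, the 30-second readiness budget, the run argument and the use of the current Compose format's services: key are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not RapidFort's code): drive the stub -> profile -> harden
# cycle described on this page and guard its two failure modes:
#   1. profiling traffic sent before NGINX is listening records nothing, so
#      rfharden later reports "No stub instances have run yet";
#   2. the hardened compose file still carries cap_add: SYS_PTRACE, a
#      capability the hardened image no longer needs.
# Image names, port 9999 and the template mount come from the page; the
# exercised paths and the retry budget are assumptions.

# Render the compose file for an image. Only the stub gets SYS_PTRACE, which
# RapidFort's runtime tracer needs; the hardened image carries no tracer.
render_compose() {   # render_compose <image> <stub|hardened>
  image=$1 mode=$2
  cat <<EOF
services:
  web:
    image: ${image}
    volumes:
      - ./templates:/etc/nginx/templates
    ports:
      - "9999:80"
    environment:
      - NGINX_HOST=localhost
      - NGINX_PORT=80
EOF
  if [ "$mode" = stub ]; then
    printf '    cap_add:\n      - SYS_PTRACE\n'
  fi
}

# Refuse a compose file that still grants SYS_PTRACE; run this against the
# hardened deployment before docker-compose up.
check_no_ptrace() {   # check_no_ptrace <compose-file>
  if grep -q 'SYS_PTRACE' "$1"; then
    echo "refusing to deploy: $1 still grants SYS_PTRACE" >&2
    return 1
  fi
}

# Poll until the service answers, so coverage requests are not sent while
# the container is still starting (those would leave no runtime profile).
wait_for_http() {   # wait_for_http <url> <max-attempts>
  url=$1 attempts=$2 i=0
  while [ "$i" -lt "$attempts" ]; do
    if curl -fsS -o /dev/null "$url"; then return 0; fi
    i=$((i + 1)); sleep 1
  done
  echo "service at $url never became ready; no profile will be recorded" >&2
  return 1
}

# Coverage, not QA: every listed path is requested so the code behind it
# runs. Status codes are reported (000 = connection failed) but do not fail
# the run; the point is to execute the feature, not to judge its output.
exercise() {   # exercise <base-url> <path>...
  base=$1; shift
  for p in "$@"; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "${base}${p}")
    echo "GET ${p} -> ${code}"
  done
}

# Deploy one image, exercise it, and tear it down again.
run_cycle() {   # run_cycle <image> <stub|hardened>
  render_compose "$1" "$2" > docker-compose.yml
  if [ "$2" = hardened ]; then check_no_ptrace docker-compose.yml || return 1; fi
  docker-compose up -d || return 1
  wait_for_http http://localhost:9999/ 30 || { docker-compose down; return 1; }
  exercise http://localhost:9999 / /index.html /50x.html   # assumed paths
  docker-compose down
}

# Usage: ./profile.sh run   (requires docker-compose, curl and rfharden)
if [ "${1:-}" = run ]; then
  run_cycle nginx:latest-rfstub stub &&
  rfharden docker.io/nginx:latest-rfstub &&
  run_cycle nginx:latest-rfhardened hardened
fi
```

The readiness loop is the part most often skipped: a coverage script that fires its requests the moment docker-compose returns will usually hit a container that is not yet listening, and the first sign of the problem is the rfharden error in Step 3.1. Extend the path list to whatever your deployment actually serves; a path you never request is a feature RapidFort never sees.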

Step 3.3: View Image Information

You can view the image information - both before and after hardening from the RapidFort Web User Interface at https://frontrow.rapidfort.com. See the RapidFort User Interface section for more information.

Alternatively, you can view the same information from the command line by running rfinfo with the image's RapidFort GUID:

rfinfo <rapidfort_guid>

To save reports to your local system, run rfinfo with the -s parameter.

rfinfo -s <rapidfort_guid>

Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.