Part 1: Get the Original Image & Create a Stub Image
Step 1.1: Pull the NGINX Docker Image
docker pull docker.io/nginx:latest
Step 1.2: Log Into RapidFort
Run rflogin to log into RapidFort. Enter your password if prompted.
rflogin <email>
Step 1.3: Generate a Stub Image
Run rfstub to generate a stub image:
rfstub docker.io/nginx:latest
This creates a new image, docker.io/nginx:latest-rfstub.
Run docker images to view the stub image:
docker images | grep nginx
Part 2: Profile the Image
Step 2.1: Create the docker-compose.yml file on your client with the following:
web:
  image: nginx:latest-rfstub
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
  cap_add:
    - SYS_PTRACE
Step 2.2: Deploy the Stub
docker-compose up -d
Step 2.3: Profile the Stub Image
After the stub image has been deployed, exercise the application's features. You can do this manually, feature by feature, or automate it with a coverage script. Unlike a QA test, a coverage script only needs to send each input; it does not need to evaluate the output. RapidFort will then identify the software components your application requires and generate a runtime profile (Real Bill of Materials). The runtime profile is required to harden and optimize the image.
In this example, we profile NGINX by exercising it with curl only:
curl localhost:9999
You will see the welcome message from NGINX.
Step 2.4: Undeploy the Stub
docker-compose down
Part 3: Generate, Run, and Test the Hardened Image
Step 3.1: Harden the Stub Image
Run rfharden to harden the stub image.
rfharden docker.io/nginx:latest-rfstub
This creates a new image, docker.io/nginx:latest-rfhardened.
If you get the following error message when hardening the image, return to Steps 2.1-2.3:
Error: No stub instances have run yet...
This indicates that RapidFort did not receive runtime profile information for this image. RapidFort must have a runtime profile to harden an image.
Step 3.2: Deploy the Hardened Image
Update the image name and remove the cap_add section from the docker-compose.yml file as follows:
web:
  image: nginx:latest-rfhardened
  volumes:
    - ./templates:/etc/nginx/templates
  ports:
    - "9999:80"
  environment:
    - NGINX_HOST=localhost
    - NGINX_PORT=80
Deploy the hardened image and test it again to verify that your application is working as expected.
docker-compose up -d
curl localhost:9999
When you are finished testing your application, undeploy the container:
docker-compose down
The hardened image does not contain any RapidFort dependencies for runtime tracing.
You need not add the SYS_PTRACE capability when running the hardened image.
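A pre-deploy check for the compose file from Step 3.2, added here as an example (it is not part of RapidFort's tooling): it flags a leftover SYS_PTRACE capability or an image that is still a -rfstub stub. The function name check_compose is hypothetical, and the line-based parse assumes the simple compose layout shown on this page.

```shell
#!/bin/sh
# Added example, not RapidFort code. check_compose is a hypothetical helper.
# Usage: check_compose docker-compose.yml
# Prints one finding per line; returns non-zero if any finding is reported.

check_compose() {
    awk -v sq="'" '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }

        # SYS_PTRACE is only needed while the stub is being profiled.
        # cap_add: ALL is flagged too, because ALL includes SYS_PTRACE.
        function check_caps(s) {
            if (s ~ /SYS_PTRACE/)
                report("cap_add grants SYS_PTRACE (needed for profiling only)")
            else if (s ~ /(^|[^A-Z_])ALL([^A-Z_]|$)/)
                report("cap_add grants ALL, which includes SYS_PTRACE")
        }

        # Drop comments and trailing whitespace, skip blank lines.
        { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }
        /^[ \t]*$/ { next }

        # cap_add key: check the inline [A, B] form, then the list items.
        /^[ \t]*cap_add:/      { in_caps = 1; check_caps($0); next }
        in_caps && /^[ \t]*-/  { check_caps($0); next }
        { in_caps = 0 }

        # A stub image must not be deployed in place of the hardened one.
        /^[ \t]*image:/ {
            img = $0
            sub(/^[ \t]*image:[ \t]*/, "", img)
            gsub(/"/, "", img); gsub(sq, "", img)
            if (img ~ /-rfstub(@|$)/) report("image is a stub: " img)
        }

        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Run as a script: sh check_compose.sh docker-compose.yml
if [ "$#" -gt 0 ]; then
    check_compose "$1"
fi
```
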
Step 3.3: View Image Information
You can view the image information, both before and after hardening, from the RapidFort Web User Interface at https://frontrow.rapidfort.com. See the RapidFort User Interface section for more information.
Alternatively, you can view the information by running rfinfo <rapidfort_guid>:
rfinfo <rapidfort_guid>
To save reports to your local system, run rfinfo with the -s parameter.
rfinfo -s <rapidfort_guid>
Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.