Harden your Containers with Podman

In the following tutorial, we will stub, profile, and harden the NGINX Docker image.

RapidFort recommends Podman version 4.20 or later

Part 1: Get the Original Image & create a Stub image

Step 1.1: Pull the NGINX Docker Image

podman pull docker.io/nginx:latest

Step 1.2: Log Into RapidFort

Run rflogin to log into RapidFort. Enter your password if prompted.

rflogin <email>

Step 1.3: Generate a Stub Image

Run rfstub to generate a stub image:

rfstub docker.io/nginx:latest

This creates a new image, docker.io/nginx:latest-rfstub. 

To view the stub image:

podman images | grep nginx

Part 2: Profile the Image

Step 2.1: Run the Stub Image

You must add the SYS_PTRACE Linux kernel capability for this step

podman run --rm -it -p9999:80 --cap-add=SYS_PTRACE --name=rf-test docker.io/nginx:latest-rfstub

If you do not add the SYS_PTRACE capability (--cap-add=SYS_PTRACE) then you may see the following error message:

ptrace: Operation not permitted [/bin/dash]

ERROR 48e: did you forget to add SYS_PTRACE capability (--cap-add=SYS_PTRACE)?

Step 2.2: Profile the Stub Image

After the stub image has been deployed, exercise the application's features. It can be accomplished by manually exercising every feature or automating using a coverage script where, unlike a QA test, for a given input signal, the output need not be evaluated. RapidFort will then identify the required software components in your application and generate a runtime profile (Real Bill of Materials). The runtime profile is required to harden & optimize the image.

In this example we will profile NGINX for the Curl feature only:

curl localhost:9999

You will see the welcome message from NGINX.

Step 2.3: Stop the Container

Stop the Docker container:

podman stop -t 1 rf-test

Part 3: Generate, Run, and Test the Hardened Image

Step 3.1: Harden the Stub Image

Run rfharden to harden the stub image.

rfharden docker.io/nginx:latest-rfstub

This creates a new image, docker.io/nginx:latest-rfhardened.

If you get the following error message when hardening the image, return to Steps 2.1-2.3:

Error: No stub instances have run yet...

This indicates that RapidFort did not receive runtime profile information for this image. RapidFort must have a runtime profile to harden an image.

Step 3.2: Run the Hardened Image

Run the hardened image and test it again to verify that your application is working as expected:

podman run --rm -it -p9999:80 --name=rf-test docker.io/nginx:latest-rfhardened

curl localhost:9999

You should see the same welcome message from NGINX.

When you are finished with testing your application, stop the Docker container:

podman stop -t 1 rf-test

The hardened image does not contain any RapidFort dependencies for runtime tracing.

You need not add the SYS_PTRACE capability when running the hardened image.

Step 3.3: View Image Information

You can view the image information - both before and after hardening from the RapidFort Web User Interface at https://frontrow.rapidfort.com. See the RapidFort User Interface section for more information.

Alternatively, you can view the info’ by running rfinfo <rapidfort_guid>:

rfinfo <rapidfort_guid>

To save reports to your local system, run rfinfo with the -s parameter.

rfinfo -s <rapidfort_guid>


Stub images cannot be used as base images. If you need to make updates, please build a new original image with the updates and then generate a new stub image.