Stub, Test, and Harden a Docker Image
Generate a stub image with a workload tag called redis:
rfstub docker.io/redis:6.2.5 -t redis
Deploy and test your stub image so that RapidFort can trace the runtime behavior and build the runtime profile.
For the purposes of this tutorial, you can simply start a new stub container (remember to add the SYS_PTRACE capability) and then stop the container:
docker run --rm -it --cap-add=SYS_PTRACE -p9999:6379 --name redis-test docker.io/redis:6.2.5-rfstub
docker stop redis-test -t 10
Harden the stub image:
rfharden docker.io/redis:6.2.5-rfstub
Since RapidFort has a runtime profile for this image, hardening the image succeeded.
Pull the redis:6.2.6 Docker image from Docker Hub:
docker pull docker.io/redis:6.2.6
Generate a new stub image:
rfstub docker.io/redis:6.2.6 -t redis
Try to harden the new stub image:
$ rfharden docker.io/redis:6.2.6-rfstub
Hardening docker.io/redis:6.2.6-rfstub
Harden image: docker.io/redis:6.2.6-rfstub
General Error: Error: No stub instances have run yet...
This error is expected since you have not yet deployed and tested the stub image, so no runtime profile is available. Without a runtime profile, RapidFort cannot generate a hardened image.
Now harden the new stub image using the workload tag redis:
rfharden docker.io/redis:6.2.6-rfstub -t redis
This time, your new stub image should be successfully hardened. The runtime profile from the redis:6.2.5 image was added when hardening with a workload tag. Since at least one runtime profile was available, hardening succeeded.
Hardening docker.io/redis:6.2.6-rfstub
Adding profile of image "docker.io/redis:6.2.5"
Note that no testing was required to harden the new stub image. Instead, the image was hardened using the runtime profile information that is associated with the redis workload tag.
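A wrapper for the two hardening paths above, as an added example that is not RapidFort's own code: it hardens with the image's own runtime profile when one exists, retries with the workload tag only on the "No stub instances have run yet" error, and records which images' profiles were borrowed. It assumes rfharden exits non-zero on failure and prints the messages shown on this page; the function name, the RFHARDEN override and the HARDEN_* variables are hypothetical.

```shell
# Added example, not RapidFort code. Assumptions: rfharden exits non-zero on
# failure and prints the messages quoted on this page to stdout or stderr.
# RFHARDEN is a hypothetical override so the function can be tested offline.
NO_PROFILE_MSG='No stub instances have run yet'

# harden_with_tag_fallback IMAGE TAG
# Sets HARDEN_MODE (own-profile | tag-profile | failed) and HARDEN_PROFILES
# (images whose profiles rfharden reported adding). Returns 0 on success.
harden_with_tag_fallback() {
    image=$1
    tag=$2
    HARDEN_MODE=failed
    HARDEN_PROFILES=
    if [ -z "$image" ] || [ -z "$tag" ]; then
        echo "usage: harden_with_tag_fallback IMAGE TAG" >&2
        return 2
    fi

    # Attempt 1: use only the runtime profile traced from this stub image.
    if out=$("${RFHARDEN:-rfharden}" "$image" 2>&1); then rc=0; else rc=$?; fi
    printf '%s\n' "$out" >&2
    if [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -q "$NO_PROFILE_MSG"; then
        HARDEN_MODE=own-profile
        return 0
    fi
    # Any failure other than the missing-profile error is not retried.
    if ! printf '%s\n' "$out" | grep -q "$NO_PROFILE_MSG"; then
        return 1
    fi

    # Attempt 2: borrow the profiles associated with the workload tag.
    if out=$("${RFHARDEN:-rfharden}" "$image" -t "$tag" 2>&1); then rc=0; else rc=$?; fi
    printf '%s\n' "$out" >&2
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q "$NO_PROFILE_MSG"; then
        return 1
    fi
    HARDEN_MODE=tag-profile
    # Record which images' profiles were used, for the build log or audit trail.
    HARDEN_PROFILES=$(printf '%s\n' "$out" |
        sed -n 's/^Adding profile of image "\(.*\)"$/\1/p')
    return 0
}
```

Logging HARDEN_MODE and HARDEN_PROFILES in the build output makes it visible when an image was hardened without its own test run.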