Improve container image size and enhance security

.dockerignore

@@ -0,0 +1,6 @@
+.git
+.github
+.devcontainer
+*.md
+LICENSE
+.gitignore

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker.io/docker/dockerfile-upstream:1.9.0
 # check=error=true
 
-FROM quay.io/centos/centos:stream9
+FROM ubuntu:22.04
 LABEL org.opencontainers.image.title="Debug Container" \
       org.opencontainers.image.authors="Phil Huang <[email protected]>" \
       org.opencontainers.image.source="https://github.com/pichuang/debug-container" \
@@ -10,52 +10,59 @@ LABEL org.opencontainers.image.title="Debug Container" \
       org.opencontainers.image.url="ghcr.io/pichuang/debug-container:master" \
       org.opencontainers.image.documentation="https://github.com/pichuang/debug-container"
 
-# Install packages and clean up in one layer
-# hadolint ignore=DL3033
-RUN yum -y install epel-release && \
-    rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9 && \
-    yum -y update && \
-    yum -y --allowerasing install \
-        python3.11 \
-        python3.11-pip \
-        iputils \
-        mtr \
+# Install core networking and debugging tools in one layer to minimize image size
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        bash \
+        python3 \
+        python3-pip \
+        iputils-ping \
+        mtr-tiny \
         net-tools \
         htop \
         vim \
         git \
-        bind-utils \
-        iproute \
-        nmap-ncat \
+        dnsutils \
+        iproute2 \
+        netcat \
         wget \
         curl \
         tcpdump \
         sysstat \
         numactl \
-        hping3 \
-        dnsperf \
         jq \
-        speedtest-cli \
         iperf3 \
-        procps-ng \
+        procps \
         nmap \
-        ethtool && \
-    yum -y clean all && \
-    rm -rf /var/cache/yum && \
-    rm /root/anaconda-ks.cfg /root/anaconda-post.log /root/original-ks.cfg /root/anaconda-post-nochroot.log
-
-# Clone repository
-RUN git clone https://github.com/upa/deadman.git /root/deadman
+        ethtool \
+        sudo \
+        tini \
+        ca-certificates && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 # Set motd
 COPY motd /etc/motd
-RUN echo "cat /etc/motd" >> ~/.bashrc
+
+# Create non-root user
+RUN useradd -ms /bin/bash debuguser && \
+    echo "debuguser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/debuguser && \
+    chmod 0440 /etc/sudoers.d/debuguser && \
+    echo "cat /etc/motd" >> /home/debuguser/.bashrc
 
 EXPOSE 5566
 
-# hadolint ignore=DL3002
-USER root
-WORKDIR /root
+# Use tini as init to properly handle signals
+ENTRYPOINT ["/usr/bin/tini", "--"]
+
+# Switch to non-root user
+USER debuguser
+WORKDIR /home/debuguser
 ENV HOSTNAME=debug-container
 
+# Add health check
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:5566/ || exit 1
+
 CMD ["/bin/bash", "-l"]

README.md

@@ -4,20 +4,25 @@
 
 [![OpenSSF - Scorecard supply-chain security](https://github.com/pichuang/debug-container/actions/workflows/scorecard.yml/badge.svg)](https://github.com/pichuang/debug-container/actions/workflows/scorecard.yml)
 
-This container can be thought of as the administrator’s shell. Many of the debugging tools (such as ping, traceroute, and mtr) and man pages that an administrator might use to diagnose problems on the host are in this container.
+This container can be thought of as the administrator's shell. Many of the debugging tools (such as ping, traceroute, and mtr) and man pages that an administrator might use to diagnose problems on the host are in this container.
 
 - Networking-related commands:
-  - [x] iproute
+  - [x] iproute2
   - [x] net-tools
-  - [x] mtr
-  - [x] dig
-  - [x] ping
+  - [x] mtr-tiny
+  - [x] dnsutils (dig)
+  - [x] iputils-ping
   - [x] ethtool
-  - [x] nmap-ncat
+  - [x] netcat
+  - [x] nmap
+  - [x] tcpdump
+  - [x] curl
 - Generic commands:
   - [x] vim
   - [x] git
   - [x] htop
+  - [x] sudo
+  - [x] tini (proper init process)
 
 ## Download
 ```
@@ -81,7 +86,6 @@ If you don't see a command prompt, try pressing enter.
 root [ / ]# cat /etc/os-release | head -n 2
 ```
 
-
 ## How to use `debug-container` on Red Hat OpenShift?
 
 1. Namespace Level Debugging: Running one Pod in project and `any node`
@@ -137,7 +141,6 @@ spec:
     args: [ "while true; do sleep 30; done;" ]
 ```
 
-
 ## How to build the container images?
 - If you choose buildah...
 ```
@@ -149,6 +152,34 @@ make build-buildah
 make build-docker
 ```
 
+## Security Best Practices
+
+When using debug containers, especially with elevated privileges, consider the following security best practices:
+
+1. **Avoid running privileged containers in production**: The `--privileged` flag gives containers full access to the host, which can be a security risk.
+
+2. **Use non-root users**: The debug container now runs with a non-root user by default. This provides an extra layer of security.
+
+3. **Limit container capabilities**: When possible, specify only the capabilities your container needs rather than running with full privileges.
+
+4. **Time-limit debug sessions**: Always use the `--rm` flag to ensure containers are removed when the session ends.
+
+5. **Restrict volume mounts**: Only mount the volumes necessary for debugging.
+
+6. **Use network isolation**: When possible, use the default bridge network rather than host networking.
+
+7. **Apply resource limits**: Consider setting memory and CPU limits on debug containers.
+
+8. **Monitor container activity**: Keep track of who is using debug containers and monitor their activities.
+
+Example of a more secure debug container run with limited privileges:
+
+```bash
+docker run -it --rm --name debug-container \
+  --cap-add=NET_ADMIN --cap-add=SYS_PTRACE \
+  --security-opt=no-new-privileges \
+  ghcr.io/pichuang/debug-container:master
+```
 
 ## Author
 * **Phil Huang** <[email protected]>