Quick Start
This sample illustrates how to patch containers using vulnerability reports with copa.
Prerequisites
- An Ubuntu 22.04 VM configured through the setup instructions or a VSCode devcontainer environment. This includes:
copatool built & pathed.- buildkit daemon installed & pathed.
- docker daemon running and CLI installed & pathed.
- trivy CLI installed & pathed.
Sample Steps
-
Scan the container image for patchable OS vulnerabilities, outputting the results to a JSON file:
trivy image --vuln-type os --ignore-unfixed -f json -o nginx.1.21.6.json docker.io/library/nginx:1.21.6You can also see the existing patchable vulnerabilities in table form on the shell with:
trivy image --vuln-type os --ignore-unfixed docker.io/library/nginx:1.21.6 -
Patch the image using the Trivy report. You will need to start
buildkitdif it is not already running:sudo buildkitd &sudo copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patchedAlternatively, you can run
buildkitdin a container, which allows copa to be run without root access to the local buildkit socket:export BUILDKIT_VERSION=v0.11.4export BUILDKIT_PORT=8888docker run \--detach \--rm \--privileged \-p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \--name buildkitd \--entrypoint buildkitd \"moby/buildkit:$BUILDKIT_VERSION" \--addr tcp://0.0.0.0:$BUILDKIT_PORTcopa patch \-i docker.io/library/nginx:1.21.6 \-r nginx.1.21.6.json \-t 1.21.6-patched \-a tcp://0.0.0.0:$BUILDKIT_PORTIn either case,
copais non-destructive and exports a new image with the specified1.21.6-patchedlabel to the local Docker daemon.NOTE: if you're running this sample against an image from a private registry instead, ensure that the credentials are configured in the default Docker config.json before running
copa patch, for example, viasudo docker login -u <user> -p <password> <registry>. -
Scan the patched image and verify that the vulnerabilities have been patched:
trivy image --vuln-type os --ignore-unfixed docker.io/library/nginx:1.21.6-patchedYou can also inspect the structure of the patched image with
docker historyto see the new patch layer appended to the image:$ docker history docker.io/library/nginx:1.21.6-patchedIMAGE CREATED CREATED BY SIZE COMMENTa372df41e06d 1 minute ago mount / from exec sh -c apt-get install --no-ins… 26.1MB buildkit.exporter.image.v0<missing> 3 months ago CMD ["nginx" "-g" "daemon off;"] 0B buildkit.dockerfile.v0<missing> 3 months ago STOPSIGNAL SIGQUIT 0B buildkit.dockerfile.v0<missing> 3 months ago EXPOSE map[80/tcp:{}] 0B buildkit.dockerfile.v0<missing> 3 months ago ENTRYPOINT ["/docker-entrypoint.sh"] 0B buildkit.dockerfile.v0<missing> 3 months ago COPY 30-tune-worker-processes.sh /docker-ent… 4.61kB buildkit.dockerfile.v0<missing> 3 months ago COPY 20-envsubst-on-templates.sh /docker-ent… 1.04kB buildkit.dockerfile.v0<missing> 3 months ago COPY 10-listen-on-ipv6-by-default.sh /docker… 1.96kB buildkit.dockerfile.v0<missing> 3 months ago COPY docker-entrypoint.sh / # buildkit 1.2kB buildkit.dockerfile.v0<missing> 3 months ago RUN /bin/sh -c set -x && addgroup --syst… 61.1MB buildkit.dockerfile.v0<missing> 3 months ago ENV PKG_RELEASE=1~bullseye 0B buildkit.dockerfile.v0<missing> 3 months ago ENV NJS_VERSION=0.7.0 0B buildkit.dockerfile.v0<missing> 3 months ago ENV NGINX_VERSION=1.20.2 0B buildkit.dockerfile.v0<missing> 3 months ago LABEL maintainer=NGINX Docker Maintainers <d… 0B buildkit.dockerfile.v0<missing> 4 months ago /bin/sh -c #(nop) CMD ["bash"] 0B<missing> 4 months ago /bin/sh -c #(nop) ADD file:09675d11695f65c55… 80.4MB -
Run the container to verify that the image has no regressions:
$ docker run -it --rm --name nginx-test docker.io/library/nginx:1.21.6-patched/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d//docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh/docker-entrypoint.sh: Configuration complete; ready for start up2022/05/16 18:00:17 [notice] 1#1: using the "epoll" event method2022/05/16 18:00:17 [notice] 1#1: nginx/1.20.22022/05/16 18:00:17 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)2022/05/16 18:00:17 [notice] 1#1: OS: Linux 5.10.102.1-microsoft-standard-WSL22022/05/16 18:00:17 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:10485762022/05/16 18:00:17 [notice] 1#1: start worker processes2022/05/16 18:00:17 [notice] 1#1: start worker process 312022/05/16 18:00:17 [notice] 1#1: start worker process 322022/05/16 18:00:17 [notice] 1#1: start worker process 332022/05/16 18:00:17 [notice] 1#1: start worker process 342022/05/16 18:00:17 [notice] 1#1: start worker process 352022/05/16 18:00:17 [notice] 1#1: start worker process 362022/05/16 18:00:17 [notice] 1#1: start worker process 372022/05/16 18:00:17 [notice] 1#1: start worker process 382022/05/16 18:00:17 [notice] 38#38: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 36#36: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 33#33: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 32#32: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 34#34: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 35#35: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 37#37: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 1#1: signal 28 (SIGWINCH) received2022/05/16 18:00:17 [notice] 31#31: signal 28 (SIGWINCH) receivedYou can stop the container by opening a new shell instance and running:
docker stop nginx-test