Immutable Docker Image Tags under AWS: Increase security and stability of deployments
Versioning and tagging play a decisive role in the stability and security of container applications. With immutable tags, the Amazon Elastic Container Registry addresses the corresponding deployment problems.
How the Amazon Elastic Container Registry works. (Image: Amazon Web Services)
Container technology is an indispensable part of the IT world and has established itself as a technology standard. With AWS, developers bring their container applications into production quickly. Correct versioning and tagging of Docker images is essential for the security and stability of deployments.
If image tags are overwritten, for example by code changes in a CI/CD pipeline, it is unclear what has actually been rolled out into production. This in turn endangers the stability and security of the application.
Immutable tags in the Amazon Elastic Container Registry (ECR) prevent such problems. ECR is a fully managed container registry that allows developers to store, manage and use their container images. The feature automates a best practice of a secure rollout process.
Why Image Tags cause Problems
Docker images are managed in a Docker repository and can be tagged. Tags are often used for versioning (myapp:v3.1.4). Other use cases include the target architecture for which the image is built (myapp:3.1.4-amd64) or the base image (myapp:3.1.4-alpine).
The Alpine images are particularly slim at a few megabytes, and the containers can be scaled quickly in a cluster. The best known of all tags is certainly “latest”: this tag is used by Docker by default and always references the last image created.
The advantage is that the latest version is easy to retrieve. But since this tag can easily be overwritten, it is never clear which version of the application the image contains.
The tag can be overwritten with or without intent, and either way the stability and security of the software can be compromised. This problem can be solved reliably with a suitable technology in which the best practice is automated and developers get the necessary guardrails.
Multiple repositories can be configured in the Amazon Elastic Container Registry, for example one repository per team or per application. With the “Immutable Tags” feature enabled, the tags of Docker images in an ECR repository cannot be overwritten.
The setting can be applied to both new and existing repositories and can be toggled at any time, for example during a deployment window. Here is an example of how to create a repository with immutable tags using the AWS CLI:
aws ecr create-repository --repository-name name --image-tag-mutability IMMUTABLE --region eu-central-1
An existing repository is configured as follows:
aws ecr put-image-tag-mutability --repository-name name --image-tag-mutability IMMUTABLE --region eu-central-1
Once the repository has been switched to immutable, an attempt to overwrite an image tag fails with an ImageTagAlreadyExistsException:
The image tag latest already exists in the xxx repository and cannot be overwritten because repository is immutable.
The advantages of immutable tags are increased security, transparency and stability. Since tags cannot be overwritten, an attacker cannot replace a Docker image under the same tag. Each code change must be deployed with a new image tag.
At the same time, developers cannot unintentionally bring software changes into production. The practice itself is not new: public repositories for software packages such as npm.org, pypi.org and others have this behaviour by default.
In order to use this feature, the release process may need to be adapted. With an immutable tag, each deployment artifact is unique, for example by including a hash value in the tag. The CI/CD pipeline must be able to handle this, and there must be no fixed dependencies on particular tags, for either deployment or rollback.
Immutable tags do not always need to be used. In practice, a balance between the two variants is often sought, with the aim of keeping the release chain both fast and stable. In an ordinary CI/CD pipeline with development, test and production environments, immutable tags are used initially in test or production, which increases the stability of deployments.
In order to maintain the speed of development and to integrate code changes as often and quickly as possible, the development environment can use latest or other mutable image tags. This strategy can be implemented with two dedicated ECR repositories, with the CI/CD pipeline taking care of moving and re-tagging images between environments.
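The two-repository strategy described above, as an added example that is not part of the article: a pipeline helper that promotes the image currently behind dev:latest in a mutable repository into an immutable production repository under a unique version-plus-commit tag, and refuses to deploy if the production repository is not set to IMMUTABLE. The repository names, registry address and region are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): promote dev:latest (mutable repo)
# into an IMMUTABLE production repo under a unique, commit-derived tag.
# REGISTRY, DEV_REPO, PROD_REPO and REGION are assumed/placeholder values.
set -eu

REGION="${AWS_REGION:-eu-central-1}"
REGISTRY="${ECR_REGISTRY:-123456789012.dkr.ecr.eu-central-1.amazonaws.com}"  # placeholder account
DEV_REPO="${DEV_REPO:-myapp-dev}"   # mutable: every build lands here as :latest
PROD_REPO="${PROD_REPO:-myapp}"     # created with --image-tag-mutability IMMUTABLE

# Unique tag from version and short commit hash, e.g. 3.1.4-a1b2c3d
immutable_tag() {
  printf '%s-%s\n' "$1" "$(printf '%s' "$2" | cut -c1-7)"
}

# Tag mutability of a repository: prints MUTABLE or IMMUTABLE
repo_mutability() {
  aws ecr describe-repositories --repository-name "$1" --region "$REGION" \
    --query 'repositories[0].imageTagMutability' --output text
}

# Guardrail: production deployments only go to immutable repositories
require_immutable() {
  m="$(repo_mutability "$1")"
  [ "$m" = "IMMUTABLE" ] || { echo "refusing: $1 is $m" >&2; return 1; }
}

# Resolve a tag to its digest so the promotion pins the exact image,
# even if :latest is overwritten in the dev repo while the pipeline runs
digest_of() {
  aws ecr describe-images --repository-name "$1" --region "$REGION" \
    --image-ids imageTag="$2" --query 'imageDetails[0].imageDigest' --output text
}

# promote <version> <commit-sha>: dev:latest -> prod:<version>-<sha7>
# Re-running with the same tag fails with ImageTagAlreadyExistsException,
# which is exactly the guarantee the article describes.
promote() {
  tag="$(immutable_tag "$1" "$2")"
  require_immutable "$PROD_REPO"
  digest="$(digest_of "$DEV_REPO" latest)"
  aws ecr get-login-password --region "$REGION" |
    docker login --username AWS --password-stdin "$REGISTRY"
  docker pull "$REGISTRY/$DEV_REPO@$digest"
  docker tag "$REGISTRY/$DEV_REPO@$digest" "$REGISTRY/$PROD_REPO:$tag"
  docker push "$REGISTRY/$PROD_REPO:$tag"
  echo "$tag"   # the pipeline records this tag for deployment and rollback
}

if [ "${RUN_PROMOTE:-0}" = 1 ]; then promote "$@"; fi
```

Run it as `RUN_PROMOTE=1 ./promote.sh 3.1.4 "$(git rev-parse HEAD)"`; a rollback is simply a deployment of a previously recorded tag, which the immutable repository guarantees still points at the same image.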
* Alexander Melnyk is Senior Specialist Solutions Architect at AWS.