Keeping your Dokku-deployed apps secure, take 3

This post I'm writing is mostly in response to the discussion happening on a GitHub issue I filed against dokku. As will all security matters, I've done the best job I can, but it's important to have other eyes look at it too, so if I'm wrong anywhere in here, let me know.

In a previous post, I wrote about keeping the base image under apps deployed on Dokku up to date. When using Dokku, it's important to understand that it's not enough to keep the host OS up to date, you need to keep all the services and libraries installed in all the containers that your app uses up to date as well.

The first area of complexity is that you have two systems to keep up to date: The host OS and the OS inside the container.

The Host OS

Keeping the Host OS up to date is relatively easy in Ubuntu. You can use either unattended-upgrades or cron-apt. Since there's plenty of documentation on the topic, that's all I'll say about that.

The Container OS

Dokku now provides dokku and herokuish packages for dokku, the latter of which theoretically keeps the container environment up to date. Your app containter is build on the herokuish container, which is built on the heroku/cedar:14 container, which is built on the ubuntu-debootstrap container. What this means is that if there's any poor security update policy anywhere in that chain, your app will run insecure software.

The ubuntu-debootstrap container is maintained by a contributor to Docker Hub, and if you look at the history of the manifest, you can see that it isn't updated all that often. The good news is that it doesn't matter! The heroku/cedar:14 image, when it is built, does an apt-get update && apt-get upgrade, so all security updated packages will be brought up to date. This means we're effectively insulated from the poor update cycle on ubuntu-debootstrap.

What we're not isolated from, however, is the poor update cycle on heroku/cedar:14. As of the time of writing, the most recent entry on heroku/cedar:14's build list is from Octover 2nd. Since then, there have been vulnerabilities addressed in OpenJDK, for example. Comparing the GitHub repo history and the heroku/cedar build history it looks like they aren't re-building when there are new security updates, but only when there are new commits.

What this means is that the basis for gliderlabs/herokuish is insecure, and can't be trusted, as the herokuish build process does not do an apt-get update && apt-get upgrade when building.

What can we do?

Manually build the images. :(

Here's the script that I'm now using, updated for the newer version of dokku.

This script is running daily, rebuilding my images to make sure the window of any vulnerabilities on my box are as low as possible.