Miscellaneous mostly-simple utilities to support a Docker host.
| Utility | Short Description |
|---|---|
| run-docker-bench-test.sh | Check Docker environment against security benchmarks. |
| update-dockers.sh | Update pre-defined list of Docker images |
Runs the docker-bench-test scripts in a pre-packaged Docker image. Based on the Docker docker-bench-security tests and the Center for Internet Security's Docker Benchmarks.
By default, this script pulls the latest image, runs the tests, and removes the container. Tests are retained in a working directory on the host.
The following environmental variables will affect the runtime:
DOCKERpath to Docker binary (default:/usr/bin/docker)DOCKER_BENCH_TEST_IMAGEname of docker-bench-test image (default:gaiadm/docker-bench-test)DOCKER_BENCH_TEST_WORKDIRworking directory for bench-test, including theconfig,results, andtestssub-directories (default:/var/docker-bench-test)DOCKER_BENCH_TEST_LABELlabel to apply to the container (default:docker_bench_test)DOCKER_BENCH_TEST_NOAUTORMif set, keeps the container after running (i.e., doesn't pass--rmtodocker run)DOCKER_BENCH_TEST_NOAUTOUPDATEif set, does not update the image before starting (i.e., nodocker pull)
Updates a configured list of images to ensure the latest available version of the specified image is available.
By default, after updates, the script purges any un-referenced layers from legacy images to reclaim disk space.
The following environmental variables will affect the runtime:
DOCKERpath to Docker binary (default:/usr/bin/docker)DOCKER_IMAGE_UPDATE_LISTfile containing list of images to be updated (pulled) (default:$HOME/.config/docker-image-list.cfg)DOCKER_IMAGE_UPDATE_NOPURGEif set, does not purge dangling image files