As we prepare to start using Docker, I’d like to learn some best practices around the technology. Right off the bat, it seems that we shouldn’t use images from public repositories. I’m proposing that we leverage those published Dockerfiles to build our own images but that all of our Docker images should start from scratch, building our own RHEL base image, or should, at the least, start from an official Docker image where an image provider has a strong interest in providing secure images without unexpected software, etc.
How do other large users of Docker work with the Docker Hub? How are the Docker images they use created and managed?
Depending on your exact security requirements, it is very doable to create and maintain your own base images. You could even use the official images source as a starting point.
Red Hat provides the official RHEL images. If you do a pull as seen in this Red Hat documentation, and look at the Docker daemon output, the Docker Hub will actually refer your engine to https://registry.access.redhat.com/v1/, where the RHEL image actually comes from. It is actually possible to pull from them directly by doing the following: