From 6e1b22d72ecd059632233c9ce154d42b9aa87b8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=A0=95=EC=A7=84=EC=98=81?= Date: Tue, 7 Dec 2021 11:37:33 +0900 Subject: [PATCH] translate 8.11 to korean --- README.korean.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/README.korean.md b/README.korean.md index d890776a..1ce23fe3 100644 --- a/README.korean.md +++ b/README.korean.md @@ -1119,7 +1119,35 @@ CMD [ "node", "dist/app.js" ] πŸ”— [**μžμ„Ένžˆ 보기: Use multi-stage builds**](/sections/docker/multi_stage_builds.korean.md) -


+

+ +## ![βœ”] 8.11 λΉŒλ“œ μ‹œκ°„ λ™μ•ˆμ˜ κΈ°λ°€ 값듀에 λŒ€ν•΄ μ‚­μ œν•˜κ³ , μΈμˆ˜μ— 기밀값듀을 λ„£λŠ” 것을 ν”Όν•˜λΌ. +**ν•΅μ‹¬μš”μ•½:** 도컀 λΉŒλ“œ ν™˜κ²½μœΌλ‘œλΆ€ν„° κΈ°λ°€ 값듀이 μœ μΆœλ˜λŠ” 것을 ν”Όν•˜λΌ. 도컀 μ΄λ―Έμ§€λŠ” 일반적으둜 ν”„λ‘œλ•μ…˜μ²˜λŸΌ μ•…μ˜μ μΈ 데이터듀이 제거된 μƒνƒœκ°€ μ•„λ‹Œ CI, λ ˆμ§€μŠ€νŠΈλ¦¬μ™€ 같은 λ‹€μ–‘ν•œ ν™˜κ²½μ—μ„œ κ³΅μœ λœλ‹€. ν•˜λ‚˜μ˜ μ˜ˆλ‘œλŠ” docker에 일반적으둜 인수둜 μ „λ‹¬λ˜μ–΄μ§€λŠ” npm 토큰이닀. 이 토큰은 이미지와 ν•¨κ»˜ 였래 μœ μ§€λ˜λ©°, μΉ¨μž…μžλ“€λ‘œ ν•˜μ—¬κΈˆ κ³΅κ°œλ˜μ§€ μ•Šμ€ npm λ ˆμ§€μŠ€νŠΈλ¦¬μ— λŒ€ν•œ μ •μ˜λ˜μ§€ μ•Šμ€ 접근을 ν—ˆλ½ν•œλ‹€. μ΄λŠ” .npmrc 같은 기밀을 ν¬ν•¨ν•œ νŒŒμΌμ„ λ³΅μ‚¬ν•˜κ³  이후 μ—¬λŸ¬ λ‹¨κ³„μ˜ λΉŒλ“œλ₯Ό 톡해 ν•΄λ‹Ή νŒŒμΌμ€ μ‚­μ œν•΄λ²„λ¦¬κ±°λ‚˜, λ˜λŠ” 흔적에 λŒ€ν•΄ μ „ν˜€ 남기지 μ•ŠλŠ” Docker build-kit κΈ°λ°€ κΈ°λŠ₯을 μ‚¬μš©ν•¨μœΌλ‘œμ¨ 막을 수 μžˆλ‹€. + +**κ·Έλ ‡κ²Œ ν•˜μ§€ μ•Šμ„ 경우:** CI와 도컀 λ ˆμ§€μŠ€νŠΈλ¦¬μ— λŒ€ν•΄ μ ‘κ·Όν•˜λŠ” λͺ¨λ“  이듀이 μ€‘μš”ν•œ 쑰직 기밀듀에 λŒ€ν•œ μ ‘κ·Όλ“€ 쀑 일뢀λ₯Ό 덀으둜 μ–»μ–΄κ°€κ²Œ 될 것이닀. + +πŸ”— [**μžμ„Ένžˆ 보기: Clean-out build-time secrets**](/sections/docker/avoidbuildtimesecrets.korean.md) + +

+ +## ![βœ”] 8.12. Scan images for multi layers of vulnerabilities +TL;DR: Besides checking code dependencies vulnerabilities also scan the final image that is shipped to production. Docker image scanners check the code dependencies but also the OS binaries. This E2E security scan covers more ground and verifies that no bad guy injected bad things during the build. Consequently, it is recommended running this as the last step before deployment. There are a handful of free and commercial scanners that also provide CI/CD plugins + +Otherwise: Your code might be entirely free from vulnerabilities. However it might still get hacked due to vulnerable version of OS-level binaries (e.g. OpenSSL, TarBall) that are commonly being used by applications + +πŸ”— [Read More: Scan the entire image before production](https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/docker/scan-images.md) + + +

+ +## ![βœ”] 8.13 Clean NODE_MODULE cache +TL;DR: After installing dependencies in a container remove the local cache. It doesn't make any sense to duplicate the dependencies for faster future installs since there won't be any further installs - A Docker image is immutable. Using a single line of code tens of MB (typically 10-50% of the image size) are shaved off + +Otherwise: The image that will get shipped to production will weigh 30% more due to files that will never get used + +πŸ”— [Read More: Clean NODE_MODULE cache](https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/docker/clean-cache.md) + +


# λ§ˆμΌμŠ€ν†€
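Review bot: the 8.12 and 8.13 entries added at the end of this hunk are still in English (heading, TL;DR and Otherwise text), although the subject says the patch translates 8.11 only. Either leave them out of this patch or state in the commit message that they are untranslated placeholders. Their Read More links are absolute URLs into blob/master (scan-images.md, clean-cache.md), while the 8.11 entry and the multi-stage entry above it use relative /sections/docker/*.korean.md paths; the link style should be consistent within this README. The 8.12 heading is written "8.12." with a trailing period that 8.11 and 8.13 do not have. The diffstat shows README.korean.md as the only file changed, so please confirm that /sections/docker/avoidbuildtimesecrets.korean.md already exists, otherwise the new 8.11 link is dead.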