Immutable infrastructure - Docker

Immutable infrastructure is a security and operations model where components such as servers, containers, and images are never modified after deployment. Instead of patching or reconfiguring live systems, you replace them entirely with new versions.

When using Docker Hardened Images, immutability is a best practice that reinforces the security posture of your software supply chain.

Why immutability matters

Mutable systems are harder to secure and audit. Live patching or manual updates introduce risks such as:

Configuration drift
Untracked changes
Inconsistent environments
Increased attack surface

Immutable infrastructure solves this by making changes only through controlled, repeatable builds and deployments.

How Docker Hardened Images support immutability

Docker Hardened Images are built to be minimal, locked-down, and non-interactive, which discourages in-place modification. For example:

Many DHI images exclude shells, package managers, and debugging tools
DHI images are designed to be scanned and signed before deployment
DHI users are encouraged to rebuild and redeploy images rather than patch running containers

This design aligns with immutable practices and ensures that:

Updates go through the CI/CD pipeline
All changes are versioned and auditable
Systems can be rolled back or reproduced consistently

Immutable patterns in practice

Some common patterns that leverage immutability include:

Container replacement: Instead of logging into a container to fix a bug or apply a patch, rebuild the image and redeploy it.
Infrastructure as Code (IaC): Define your infrastructure and image configurations in version-controlled files.
Blue/Green or Canary deployments: Roll out new images alongside old ones and gradually shift traffic to the new version.

By combining immutable infrastructure principles with hardened images, you create a predictable and secure deployment workflow that resists tampering and minimizes long-term risk.