dhi.io/calico-node
Calico Node
Calico's per-host DaemonSet container image. Provides CNI networking and policy for Kubernetes.
How to use this image
All examples in this guide use the public image. If you’ve mirrored the repository for your own use (for example, to your Docker Hub namespace), update your commands to reference the mirrored image instead of the public one.
For example:
- Public image:
dhi.io/<repository>:<tag> - Mirrored image:
<your-namespace>/dhi-<repository>:<tag>
For the examples, you must first use docker login dhi.io to authenticate to the registry to pull the images.
Deploy with the Tigera Operator
The recommended way to deploy Calico in production is using the Tigera Operator with Helm.
The Installation CR supports three fields for image configuration:
registry- Docker registry URL (must end with/).imagePath- Path component between registry and image name.imagePrefix- Prefix added to each image name.
These settings apply to all Calico component images, not just the Node image. The final image reference follows this
format: <registry><imagePath>/<imagePrefix><imageName>:<tag>, where <tag> must be prefixed with a v
To use Docker Hardened Images from the dhi.io registry, you will need to use the v prefixed tags and re-tag the
images with a path, like:
docker image tag dhi.io/calico-node:v3.31.3 dhi.io/dhi/calico-node:v3.31.3
Whatever path you specify should be set as the imagePath in the Tigera Operator configuration. Note that, if you are
mirroring the image into your organization's namespace, then retagging should not be necessary because the imagePath
will be your organization's namespace already.
Create an Installation CR with the following configuration.
installation:
enabled: true
imagePullSecrets:
- name: dhi-pull-secret
registry: dhi.io/
imagePath: dhi
imagePrefix: calico-
cni:
type: Calico
calicoNetwork:
bgp: Enabled
Now install the Tigera Operator with Helm, passing the values file:
helm repo add projectcalico https://docs.tigera.io/calico/charts
helm install calico projectcalico/tigera-operator \
--namespace tigera-operator \
--create-namespace \
--values values.yaml
This will deploy Calico with DHI images from the start. The operator will continuously reconcile the deployment to match the Installation CR, so it will not revert to upstream images as long as this configuration is in place.
Note: If you only have the Calico Node image available, other Calico components may fail to start with
ImagePullBackOff until their DHI images are also available in your registry.
Configuration
Calico Node is configured primarily through environment variables. These control networking mode, IP detection, BGP settings, Felix policy engine behavior, and more. For the complete list of available configuration options, see the Calico node configuration reference.
Non-hardened images vs. Docker Hardened Images
Key differences
| Feature | Docker Official CLI image | Docker Hardened CLI image |
|---|---|---|
| Security | Standard base with common utilities | Minimal, hardened base with security patches |
| Shell access | Full shell (bash/sh) available | No shell in runtime variants |
| Package manager | apt/apk available | No package manager in runtime variants |
| User | Runs as root by default | Runs as nonroot user |
| Attack surface | Larger due to additional utilities | Minimal, only essential components |
| Debugging | Traditional shell debugging | Use Docker Debug or Image Mount for troubleshooting |
Why no shell or package manager?
Docker Hardened Images prioritize security through minimalism:
- Reduced attack surface: Fewer binaries mean fewer potential vulnerabilities
- Immutable infrastructure: Runtime containers shouldn't be modified after deployment
- Compliance ready: Meets strict security requirements for regulated environments
The hardened images intended for runtime don't contain a shell nor any tools for debugging. Common debugging methods for applications built with Docker Hardened Images include:
- Docker Debug to attach to containers
- Docker's Image Mount feature to mount debugging tools
- Ecosystem-specific debugging approaches
Docker Debug provides a shell, common debugging tools, and lets you install other tools in an ephemeral, writable layer that only exists during the debugging session.
For example, you can use Docker Debug:
docker debug <image-name>
or mount debugging tools with the Image Mount feature:
docker run --rm -it --pid container:my-container \
--mount=type=image,source=dhi.io/busybox,destination=/dbg,ro \
dhi.io/docker:<tag> /dbg/bin/sh
Image variants
Docker Hardened Images come in different variants depending on their intended use.
Runtime variants are designed to run your application in production. These images are intended to be used either directly or as the
FROMimage in the final stage of a multi-stage build. These images typically:- Run as the nonroot user
- Do not include a shell or a package manager
- Contain only the minimal set of libraries needed to run the app
Build-time variants typically include
devin the variant name and are intended for use in the first stage of a multi-stage Dockerfile. These images typically:- Run as the root user
- Include a shell and package manager
- Are used to build or compile applications
FIPS variants include
fipsin the variant name and tag. They come in both runtime and build-time variants. These variants use cryptographic modules that have been validated under FIPS 140, a U.S. government standard for secure cryptographic operations. For example, usage of MD5 fails in FIPS variants.
Migrate to a Docker Hardened Image
To migrate your application to a Docker Hardened Image, you must update your Dockerfile. At minimum, you must update the base image in your existing Dockerfile to a Docker Hardened Image. This and a few other common changes are listed in the following table of migration notes.
| Item | Migration note |
|---|---|
| Base image | Replace your base images in your Dockerfile with a Docker Hardened Image. |
| Package management | Non-dev images, intended for runtime, don't contain package managers. Use package managers only in images with a dev tag. |
| Non-root user | By default, non-dev images, intended for runtime, run as the nonroot user. Ensure that necessary files and directories are accessible to the nonroot user. |
| Multi-stage build | Utilize images with a dev tag for build stages and non-dev images for runtime. For binary executables, use a static image for runtime. |
| TLS certificates | Docker Hardened Images contain standard TLS certificates by default. There is no need to install TLS certificates. |
| Ports | Non-dev hardened images run as a nonroot user by default. As a result, applications in these images can't bind to privileged ports (below 1024) when running in Kubernetes or in Docker Engine versions older than 20.10. To avoid issues, configure your application to listen on port 1025 or higher inside the container. |
| Entry point | Docker Hardened Images may have different entry points than images such as Docker Official Images. Inspect entry points for Docker Hardened Images and update your Dockerfile if necessary. |
| No shell | By default, non-dev images, intended for runtime, don't contain a shell. Use dev images in build stages to run shell commands and then copy artifacts to the runtime stage. |
The following steps outline the general migration process.
Find hardened images for your app.
A hardened image may have several variants. Inspect the image tags and find the image variant that meets your needs.
Update the base image in your Dockerfile.
Update the base image in your application's Dockerfile to the hardened image you found in the previous step. For framework images, this is typically going to be an image tagged as
devbecause it has the tools needed to install packages and dependencies.For multi-stage Dockerfiles, update the runtime image in your Dockerfile.
To ensure that your final image is as minimal as possible, you should use a multi-stage build. All stages in your Dockerfile should use a hardened image. While intermediary stages will typically use images tagged as
dev, your final runtime stage should use a non-dev image variant.Install additional packages
Docker Hardened Images contain minimal packages in order to reduce the potential attack surface. You may need to install additional packages in your Dockerfile. Inspect the image variants to identify which packages are already installed.
Only images tagged as
devtypically have package managers. You should use a multi-stage Dockerfile to install the packages. Install the packages in the build stage that uses adevimage. Then, if needed, copy any necessary artifacts to the runtime stage that uses a non-dev image.For Alpine-based images, you can use
apkto install packages. For Debian-based images, you can useapt-getto install packages.
Troubleshooting migration
The following are common issues that you may encounter during migration.
General debugging
The hardened images intended for runtime don't contain a shell nor any tools for debugging. The recommended method for debugging applications built with Docker Hardened Images is to use Docker Debug to attach to these containers. Docker Debug provides a shell, common debugging tools, and lets you install other tools in an ephemeral, writable layer that only exists during the debugging session.
Permissions
By default image variants intended for runtime, run as the nonroot user. Ensure that necessary files and directories are accessible to the nonroot user. You may need to copy files to different directories or change permissions so your application running as the nonroot user can access them.
Privileged ports
Non-dev hardened images run as a nonroot user by default. As a result, applications in these images can't bind to
privileged ports (below 1024) when running in Kubernetes or in Docker Engine versions older than 20.10. To avoid issues,
configure your application to listen on port 1025 or higher inside the container, even if you map it to a lower port on
the host. For example, docker run -p 80:8080 my-image will work because the port inside the container is 8080, and
docker run -p 80:81 my-image won't work because the port inside the container is 81.
No shell
By default, image variants intended for runtime don't contain a shell. Use dev images in build stages to run shell
commands and then copy any necessary artifacts into the runtime stage. In addition, use Docker Debug to debug containers
with no shell.
Entry point
Docker Hardened Images may have different entry points than images such as Docker Official Images. Use docker inspect
to inspect entry points for Docker Hardened Images and update your Dockerfile if necessary.