Apply Immutable Infrastructure Principles

Posted January 19Jan 19

You are reading Part 49 of the 57-part series: Harden and Secure Linux Servers. [Level 5]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Immutable infrastructure is a deployment model where servers and applications are never modified after deployment—instead, they are replaced with a new version whenever an update is needed. This approach offers:

✅ No configuration drift – Prevents untracked or manual changes from causing inconsistencies.
✅ Increased security – Eliminates long-lived systems that can be compromised over time.
✅ Easier rollback – If an issue occurs, simply redeploy the previous version.
✅ Better automation – Ensures infrastructure is always deployed in a repeatable, predictable manner.

By adopting immutable infrastructure, you improve stability, security, and operational efficiency in your Linux environment.

How to Implement Immutable Infrastructure

1. Use Docker Containers for Application Deployment

Instead of modifying running applications, deploy immutable containers using Docker.

Step 1: Create a Dockerfile for an Immutable Application

Write a Dockerfile to package the application:

FROM ubuntu:20.04
WORKDIR /app
COPY my_app /app/
CMD ["./my_app"]

Build the Docker Image:
```
docker build -t my_app:v1 .
```

Run the Immutable Container:

docker run -d --name app_container my_app:v1

🔹 Now, if an update is needed, a new container version (my_app:v2) is deployed instead of modifying the running one.

2. Use HashiCorp Packer to Create Immutable Server Images

Instead of updating running servers, generate new machine images using HashiCorp Packer.

Step 1: Install Packer

sudo apt install packer -y  # Ubuntu/Debian
sudo yum install packer -y  # CentOS/RHEL

Step 2: Define an Immutable Image with Packer

Create a file named ubuntu-image.json:

{
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "us-east-1",
      "source_ami": "ami-0c55b159cbfafe1f0",
      "instance_type": "t2.micro",
      "ssh_username": "ubuntu",
      "ami_name": "immutable-ubuntu-image-{{timestamp}}"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sudo apt update -y",
        "sudo apt install -y nginx",
        "echo 'Immutable Server' | sudo tee /var/www/html/index.html"
      ]
    }
  ]
}

Step 3: Build the Immutable Image

packer build ubuntu-image.json

🔹 Now, a new AMI (Amazon Machine Image) is created—future servers will be deployed from this image rather than modifying existing ones.

3. Deploy Infrastructure as Code with Terraform

Use Terraform to manage infrastructure in a declarative, repeatable, and immutable way.

Step 1: Install Terraform

sudo apt install terraform -y

Step 2: Define an Immutable Infrastructure Deployment (AWS EC2 Example)

Create a Terraform configuration file (main.tf):

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "immutable_server" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  user_data     = file("setup.sh")

  tags = {
    Name = "Immutable-Server"
  }
}

Step 3: Deploy Infrastructure Using Terraform

terraform init
terraform apply -auto-approve

🔹 When updates are required, Terraform destroys the old instance and provisions a fresh one.

4. Automate Deployments Using CI/CD Pipelines

To fully automate immutable deployments, use a CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins).

Example: Deploy an Immutable Container Using GitHub Actions

Create .github/workflows/deploy.yml:

name: Deploy Immutable App

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2

      - name: Build Docker Image
        run: docker build -t my_app:${{ github.sha }} .

      - name: Push Image to Docker Hub
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
          docker tag my_app:${{ github.sha }} myrepo/my_app:${{ github.sha }}
          docker push myrepo/my_app:${{ github.sha }}

      - name: Deploy New Version
        run: |
          ssh user@server "docker stop app_container && docker rm app_container"
          ssh user@server "docker run -d --name app_container myrepo/my_app:${{ github.sha }}"

🔹 Now, every time you push changes, a new Docker image is built and deployed, replacing the old one.

5. Ensure Security and Compliance in Immutable Infrastructure

🔹 Harden Base Images – Use minimal OS images like Alpine Linux to reduce the attack surface.
🔹 Scan Container Images for Vulnerabilities – Use Trivy to detect security flaws:

trivy image myrepo/my_app:v1

🔹 Rotate Immutable Instances Automatically – Use AWS Auto Scaling or Kubernetes Rolling Updates to continuously replace instances.

Best Practices for Implementing Immutable Infrastructure

✅ Never modify running instances – Always create a new version instead.
✅ Use containerization for lightweight, immutable deployments.
✅ Automate infrastructure provisioning with Terraform and Packer.
✅ Implement CI/CD pipelines to deploy fresh instances with every update.
✅ Use security best practices like image scanning and least privilege access.

By adopting immutable infrastructure, you eliminate manual changes, improve security, and enable fully automated deployments, ensuring a more resilient and scalable Linux environment.

Quote

Sign In