Build Minimal Images and Run as Non-Root

Deploy ColdFusion 2025 in Docker and Kubernetes with security best practices

Last updated: October 4, 202514 min read

ColdFusion 2025 supports containerization with official Docker images. You should build minimal, secure containers that include only the required packages and run with least privilege principles to reduce your attack surface.

Official ColdFusion Docker Images

Adobe provides official ColdFusion Docker images on Docker Hub. Start with the base image and customize for your needs:

FROM adobe/coldfusion:2025

# Install only required packages
RUN cfpm install orm,pdfg --acceptEULA

# Copy application code
COPY ./app /app

# Run as non-root user
USER 1001:1001

# Expose ColdFusion port
EXPOSE 8500

# Start ColdFusion
CMD ["cfstart"]

Minimize Attack Surface

Install only the cfpm packages that your application actually needs. Follow these best practices:

Start with the minimal base image and add components as required
Use cfpm install to add only the features your application requires
Remove default applications and examples to reduce the attack surface
Disable the Administrator web UI in production images (see security baseline)
Use multi-stage builds to reduce the final image size and exclude build-time dependencies

Security Best Practices

Run as Non-Root User

Always run containers as a non-root user to limit privilege escalation:

# In Dockerfile
RUN groupadd -r cfuser && useradd -r -g cfuser cfuser
USER cfuser

# Or use numeric UID/GID
USER 1001:1001

Externalize Configuration

Use environment variables and external secrets management systems to handle sensitive configuration data:

Store datasource credentials in Kubernetes Secrets or AWS Secrets Manager, not in the container
Manage environment-specific settings through environment variables
Never bake secrets directly into container images, as they remain in the image layers

Kubernetes Deployment

Configure readiness and liveness probes for reliable orchestration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coldfusion-app
spec:
  replicas: 3
  template:
    spec:
      containers:
      - name: coldfusion
        image: your-registry/cfapp:2025
        ports:
        - containerPort: 8500
        livenessProbe:
          httpGet:
            path: /healthcheck.cfm
            port: 8500
          initialDelaySeconds: 60
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /healthcheck.cfm
            port: 8500
          initialDelaySeconds: 30
          periodSeconds: 5
        env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: host

Persistent Storage

Configure persistent volumes appropriately for stateful data. Remember that containers are ephemeral by design:

Never persist user sessions to local disk in containers, as they will be lost when containers restart
Use Redis or another external session storage system (see caching strategy)
Mount persistent volumes only for data that must survive container restarts, such as uploads and logs
Prefer object storage systems (S3, Azure Blob Storage) over mounted volumes for file uploads

Logging Strategy

Configure JSON logging to stdout for centralized log aggregation (see logging and observability). This follows the twelve-factor app methodology:

Use JSON layout for structured logs that are easier to parse and analyze
Log to stdout and stderr instead of files, allowing the container runtime to capture logs
Let your orchestration platform handle log rotation and retention policies
Include correlation IDs in log entries to enable distributed request tracing

Image Scanning and Versioning

Implement a robust image management strategy to ensure security and reproducibility:

Scan all images for vulnerabilities before deploying them to production environments
Use semantic versioning for image tags to track changes and enable easy rollbacks
Never use the :latest tag in production, as it makes deployments non-deterministic
Rebuild and redeploy images promptly after ColdFusion security updates are released

Container Checklist

Based on official Adobe image
Only required cfpm packages installed
Running as non-root user
No secrets baked into image
Readiness and liveness probes configured
Persistent volumes for stateful data
Logging to stdout in JSON format
Image scanned for vulnerabilities
Specific version tag (not :latest)

Gotchas

ColdFusion startup time can exceed default probe timeouts - adjust the initialDelaySeconds setting to accommodate longer startup times
File permissions may fail when switching to a non-root user - ensure that directories and files have proper ownership and permissions
Local file caching doesn't work well in ephemeral containers that can be recreated at any time - use Redis or another external caching solution
Scheduled tasks need external scheduling systems in multi-instance deployments to prevent duplicate task execution
The cfpm package manager requires network access during the build process - ensure proper proxy configuration in restricted environments

Related Resources

Hosting Providers Comparison - AWS, Azure, and managed Kubernetes options
Migration Patterns - Migrate on-prem CF to containers
Monitoring Tools - Monitor containerized CF applications
Performance Framework - Optimize containerized deployments
Security Framework - Secure containerized ColdFusion
Adobe ColdFusion on Docker Hub
Kubernetes Liveness and Readiness Probes

Need Help?

Convective has extensive experience containerizing and orchestrating ColdFusion applications. Find out more.