
Build Minimal Images and Run as Non-Root

ColdFusion 2025 supports containerization with official Docker images. Build minimal, secure containers that include only the packages your application requires and run them under least privilege to reduce the attack surface.

Official ColdFusion Docker Images

Adobe provides official ColdFusion Docker images on Docker Hub. Start with the base image and customize for your needs:

# Pin the official Adobe image to a specific version tag (never :latest)
FROM adobe/coldfusion:2025

# Install only required packages
RUN cfpm install orm,pdfg --acceptEULA

# Copy application code, owned by the non-root user that will run ColdFusion
# (without --chown the files stay root-owned and writes fail after USER switches)
COPY --chown=1001:1001 ./app /app

# Run as non-root user
USER 1001:1001

# Expose ColdFusion port
EXPOSE 8500

# Start ColdFusion
CMD ["cfstart"]

Minimize Attack Surface

Install only the cfpm packages that your application actually needs. Follow these best practices:

  • Start with the minimal base image and add components as required
  • Use cfpm install to add only the features your application requires
  • Remove default applications and examples to reduce the attack surface
  • Disable the Administrator web UI in production images (see security baseline)
  • Use multi-stage builds to reduce the final image size and exclude build-time dependencies

Security Best Practices

Run as Non-Root User

Always run containers as a non-root user to limit privilege escalation:

# In Dockerfile
RUN groupadd -r cfuser && useradd -r -g cfuser cfuser
USER cfuser

# Or use numeric UID/GID
USER 1001:1001

Externalize Configuration

Use environment variables and external secrets management systems to handle sensitive configuration data:

  • Store datasource credentials in Kubernetes Secrets or AWS Secrets Manager, not in the container
  • Manage environment-specific settings through environment variables
  • Never bake secrets directly into container images, as they remain in the image layers

Kubernetes Deployment

Configure readiness and liveness probes for reliable orchestration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coldfusion-app
spec:
  replicas: 3
  selector:                  # required for apps/v1 Deployments; must match the pod template labels
    matchLabels:
      app: coldfusion
  template:
    metadata:
      labels:
        app: coldfusion
    spec:
      containers:
      - name: coldfusion
        image: your-registry/cfapp:2025   # specific version tag, not :latest
        ports:
        - containerPort: 8500
        livenessProbe:
          httpGet:
            path: /healthcheck.cfm
            port: 8500
          initialDelaySeconds: 60        # ColdFusion startup can exceed default probe timeouts
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /healthcheck.cfm
            port: 8500
          initialDelaySeconds: 30
          periodSeconds: 5
        env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:                # credentials come from a Secret, not the image
              name: db-credentials
              key: host

Persistent Storage

Configure persistent volumes appropriately for stateful data. Remember that containers are ephemeral by design:

  • Never persist user sessions to local disk in containers, as they will be lost when containers restart
  • Use Redis or another external session storage system (see caching strategy)
  • Mount persistent volumes only for data that must survive container restarts, such as uploads and logs
  • Prefer object storage systems (S3, Azure Blob Storage) over mounted volumes for file uploads

Logging Strategy

Configure JSON logging to stdout for centralized log aggregation (see logging and observability). This follows the twelve-factor app methodology:

  • Use JSON layout for structured logs that are easier to parse and analyze
  • Log to stdout and stderr instead of files, allowing the container runtime to capture logs
  • Let your orchestration platform handle log rotation and retention policies
  • Include correlation IDs in log entries to enable distributed request tracing

Image Scanning and Versioning

Implement a robust image management strategy to ensure security and reproducibility:

  • Scan all images for vulnerabilities before deploying them to production environments
  • Use semantic versioning for image tags to track changes and enable easy rollbacks
  • Never use the :latest tag in production, as it makes deployments non-deterministic
  • Rebuild and redeploy images promptly after ColdFusion security updates are released

Container Checklist

  • Based on official Adobe image
  • Only required cfpm packages installed
  • Running as non-root user
  • No secrets baked into image
  • Readiness and liveness probes configured
  • Persistent volumes for stateful data
  • Logging to stdout in JSON format
  • Image scanned for vulnerabilities
  • Specific version tag (not :latest)
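As an added example, not part of this page or of Adobe's tooling, the following POSIX shell function audits a Dockerfile against the checklist above: official Adobe base image, pinned tag, a non-root final USER, and no credential-looking ENV or ARG values baked into the layers. The sample Dockerfile is constructed inline and deliberately violates three checks; the function name audit_dockerfile and the patterns it matches are my assumptions.

```shell
#!/bin/sh
# Constructed sample Dockerfile used as audit input (not a real project file).
# It uses :latest, never switches away from root, and bakes a password into ENV.
SAMPLE_DOCKERFILE='FROM adobe/coldfusion:latest
ENV DB_PASSWORD=hunter2
RUN cfpm install orm,pdfg --acceptEULA
COPY ./app /app
EXPOSE 8500
CMD ["cfstart"]'

# audit_dockerfile <file>
# Prints one "FAIL: ..." line per checklist violation and returns the
# number of violations as its exit status (0 means the Dockerfile is clean).
audit_dockerfile() {
    f=$1
    fails=0
    # 1. Base image must be the official Adobe ColdFusion image
    if ! grep -Eiq '^FROM[[:space:]]+adobe/coldfusion' "$f"; then
        echo "FAIL: base image is not adobe/coldfusion"; fails=$((fails+1))
    fi
    # 2. Base image tag must be pinned: neither :latest nor missing entirely
    if grep -Eiq '^FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f" \
       || grep -Eiq '^FROM[[:space:]]+[^[:space:]:@]+([[:space:]]|$)' "$f"; then
        echo "FAIL: base image tag is :latest or unpinned"; fails=$((fails+1))
    fi
    # 3. The last USER directive decides the runtime user; it must not be
    #    absent (defaults to root), root, or UID 0
    last_user=$(grep -Ei '^USER[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
    case "$last_user" in
        ""|root|0|0:*|root:*) echo "FAIL: container runs as root"; fails=$((fails+1)) ;;
    esac
    # 4. No credential-looking ENV/ARG values: they persist in image layers
    if grep -Eiq '^(ENV|ARG)[[:space:]]+[^[:space:]]*(PASSWORD|SECRET|TOKEN|API_KEY)' "$f"; then
        echo "FAIL: credential-looking ENV/ARG value baked into image"; fails=$((fails+1))
    fi
    return "$fails"
}

# Demo: write the constructed sample to a temp file and audit it.
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_DOCKERFILE" > "$tmpfile"
violations=0
audit_dockerfile "$tmpfile" || violations=$?
echo "$violations violation(s) found"
rm -f "$tmpfile"
```

Run it against a real Dockerfile with audit_dockerfile ./Dockerfile in a CI step; a non-zero exit status fails the build before the image is pushed.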

Gotchas

  • ColdFusion startup time can exceed default probe timeouts - adjust the initialDelaySeconds setting to accommodate longer startup times
  • File permissions may fail when switching to a non-root user - ensure that directories and files have proper ownership and permissions
  • Local file caching doesn't work well in ephemeral containers that can be recreated at any time - use Redis or another external caching solution
  • Scheduled tasks need external scheduling systems in multi-instance deployments to prevent duplicate task execution
  • The cfpm package manager requires network access during the build process - ensure proper proxy configuration in restricted environments

Need Help?

Convective has extensive experience containerizing and orchestrating ColdFusion applications. Find out more.