Build Minimal Images and Run as Non-Root
ColdFusion 2025 supports containerization with official Docker images. Build minimal containers that include only the packages your application needs, and run them as an unprivileged user: the first reduces the attack surface, the second limits what an attacker gains from a compromise of the ColdFusion process.
Official ColdFusion Docker Images
Adobe provides official ColdFusion Docker images on Docker Hub. Start with the base image and customize it for your needs. Pin the base image to a specific release tag (or an image digest) rather than a moving major tag so that rebuilds are reproducible:
```dockerfile
FROM adobe/coldfusion:2025

# Install only required packages
RUN cfpm install orm,pdfg --acceptEULA

# Copy application code, owned by the runtime user so it is readable after USER switches
COPY --chown=1001:1001 ./app /app

# Run as non-root user (numeric UID/GID so Kubernetes can verify it)
USER 1001:1001

# Expose ColdFusion port
EXPOSE 8500

# Start ColdFusion
CMD ["cfstart"]
```
Minimize Attack Surface
Install only the cfpm packages that your application actually needs. Follow these best practices:
- Start with the minimal base image and add components as required
- Use `cfpm install` to add only the features your application requires
- Remove default applications and examples to reduce the attack surface
- Disable the Administrator web UI in production images (see security baseline)
- Use multi-stage builds to reduce the final image size and exclude build-time dependencies
Security Best Practices
Run as Non-Root User
Always run containers as a non-root user. A ColdFusion process running as root hands an attacker who exploits the application full control of the container, and on a misconfigured host a path to root on the node. Prefer a numeric UID/GID over a user name: Kubernetes can only enforce `runAsNonRoot` when it can determine the UID, and it refuses to start a container whose image sets a named user it cannot resolve:
```dockerfile
# In Dockerfile
RUN groupadd -r cfuser && useradd -r -g cfuser cfuser
USER cfuser

# Or use numeric UID/GID
USER 1001:1001
```
Externalize Configuration
Use environment variables and external secrets management systems to handle sensitive configuration data:
- Store datasource credentials in Kubernetes Secrets or AWS Secrets Manager, not in the container
- Manage environment-specific settings through environment variables
- Never bake secrets directly into container images: a value written by ENV, ARG or COPY stays in the image layers and build history even if a later layer deletes it
Kubernetes Deployment
Configure readiness and liveness probes for reliable orchestration. The Deployment needs a selector that matches the pod template labels, and the container should declare a securityContext that enforces the non-root user set in the image:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coldfusion-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: coldfusion-app
  template:
    metadata:
      labels:
        app: coldfusion-app
    spec:
      containers:
        - name: coldfusion
          image: your-registry/cfapp:2025
          ports:
            - containerPort: 8500
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          livenessProbe:
            httpGet:
              path: /healthcheck.cfm
              port: 8500
            initialDelaySeconds: 60
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthcheck.cfm
              port: 8500
            initialDelaySeconds: 30
            periodSeconds: 5
          env:
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: host
```
Persistent Storage
Configure persistent volumes appropriately for stateful data. Remember that containers are ephemeral by design:
- Never persist user sessions to local disk in containers: they are lost when the container restarts and are invisible to the other replicas behind the load balancer
- Use Redis or another external session storage system (see caching strategy)
- Mount persistent volumes only for data that must survive container restarts, such as uploads and logs
- Prefer object storage systems (S3, Azure Blob Storage) over mounted volumes for file uploads
Logging Strategy
Configure JSON logging to stdout for centralized log aggregation (see logging and observability). This follows the twelve-factor app methodology:
- Use JSON layout for structured logs that are easier to parse and analyze
- Log to stdout and stderr instead of files, allowing the container runtime to capture logs
- Let your orchestration platform handle log rotation and retention policies
- Include correlation IDs in log entries to enable distributed request tracing
Image Scanning and Versioning
Implement a robust image management strategy to ensure security and reproducibility:
- Scan all images for vulnerabilities before deploying them to production environments
- Use semantic versioning for image tags to track changes and enable easy rollbacks
- Never use the `:latest` tag in production, as it makes deployments non-deterministic; for full reproducibility, pin by image digest, since even a version tag can be re-pushed
- Rebuild and redeploy images promptly after ColdFusion security updates are released
Container Checklist
- Based on official Adobe image
- Only required cfpm packages installed
- Running as non-root user
- No secrets baked into image
- Readiness and liveness probes configured
- Persistent volumes for stateful data
- Logging to stdout in JSON format
- Image scanned for vulnerabilities
- Specific version tag (not :latest)
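One way to enforce this checklist mechanically is a small audit that runs in CI before `docker push`. The following is an added example, not code from the original page or from Adobe: it reads a Dockerfile and a Kubernetes Deployment (as the dict `yaml.safe_load` would produce, so it needs no dependency) and reports the checklist items that fail: a `:latest` or untagged image, a missing or root `USER`, a named rather than numeric user, a literal secret in `ENV`/`ARG` or in a container `env` entry, missing probes, and a missing `runAsNonRoot`/`allowPrivilegeEscalation`. The two Dockerfiles and the manifest are constructed samples (the manifest mirrors the page's Deployment with a securityContext and a deliberately bad literal password added); the secret-name heuristic and the finding wording are this example's own assumptions.

```python
"""Checklist audit for a ColdFusion container build and its Deployment (added example)."""
import re
from typing import Optional

# Env/arg names that almost always carry a secret (assumed heuristic, extend as needed)
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def image_tag_finding(image: str, where: str) -> Optional[str]:
    """Flag an untagged or :latest image; an @sha256 digest is the strongest pin."""
    if "@sha256:" in image:
        return None
    _, sep, tag = image.rpartition(":")
    # "registry:5000/img" has a colon in the host part, not a tag
    if not sep or "/" in tag:
        return f"{where}: image {image!r} has no tag (defaults to :latest)"
    if tag == "latest":
        return f"{where}: image {image!r} uses the :latest tag"
    return None


def audit_dockerfile(text: str) -> list[str]:
    """Check FROM pinning, the final USER and literal secrets (single-line instructions)."""
    findings: list[str] = []
    user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            # skip flags such as --platform=..., ignore a trailing "AS builder"
            image = next(t for t in arg.split() if not t.startswith("--"))
            finding = image_tag_finding(image, "FROM")
            if finding:
                findings.append(finding)
        elif instr == "USER" and arg.split():
            user = arg.split()[0]  # the last USER instruction wins at runtime
        elif instr in ("ENV", "ARG"):
            # ENV NAME=value or ENV NAME value; both end up in the image metadata
            m = re.match(r"(\w+)(?:=|\s+)(\S.*)", arg.strip())
            if m and SECRET_NAME.search(m.group(1)):
                findings.append(f"{instr} {m.group(1)} embeds a secret in the image")
    if user is None:
        findings.append("no USER instruction: the container runs as root")
    elif user.split(":")[0] in ("root", "0"):
        findings.append(f"final USER is {user!r}: the container runs as root")
    elif not user.split(":")[0].isdigit():
        findings.append(f"USER {user!r} is a name, not a UID; Kubernetes runAsNonRoot "
                        "cannot verify a named user and refuses to start the pod")
    return findings


def audit_deployment(manifest: dict) -> list[str]:
    """Check image tags, probes, securityContext and that secrets come via secretKeyRef."""
    findings: list[str] = []
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        name = c.get("name", "?")
        finding = image_tag_finding(c.get("image", ""), f"container {name}")
        if finding:
            findings.append(finding)
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"container {name}: missing {probe}")
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"container {name}: securityContext.runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name}: allowPrivilegeEscalation is not false")
        for env in c.get("env", []):
            # a literal "value" for a secret-looking name belongs in a Secret instead
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings.append(f"container {name}: env {env['name']} is a literal; "
                                "use valueFrom.secretKeyRef")
    return findings


# Constructed samples: one Dockerfile that fails three checks, one that passes
BAD_DOCKERFILE = """\
FROM adobe/coldfusion:latest
ENV DB_PASSWORD=hunter2
COPY ./app /app
EXPOSE 8500
CMD ["cfstart"]
"""
GOOD_DOCKERFILE = """\
FROM adobe/coldfusion:2025
RUN cfpm install orm,pdfg --acceptEULA
COPY --chown=1001:1001 ./app /app
USER 1001:1001
EXPOSE 8500
CMD ["cfstart"]
"""
CONTAINER = {
    "name": "coldfusion", "image": "your-registry/cfapp:2025",
    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
    "livenessProbe": {"httpGet": {"path": "/healthcheck.cfm", "port": 8500}},
    "readinessProbe": {"httpGet": {"path": "/healthcheck.cfm", "port": 8500}},
    "env": [{"name": "DB_HOST",
             "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "host"}}},
            {"name": "DB_PASSWORD", "value": "hunter2"}],  # literal secret: flagged
}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "coldfusion-app"},
              "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "coldfusion-app"}},
                       "template": {"metadata": {"labels": {"app": "coldfusion-app"}},
                                    "spec": {"containers": [CONTAINER]}}}}
```

`audit_dockerfile(GOOD_DOCKERFILE)` returns an empty list, `audit_dockerfile(BAD_DOCKERFILE)` returns three findings (`:latest` base, literal `DB_PASSWORD`, no `USER`), and `audit_deployment(DEPLOYMENT)` returns one finding for the literal `DB_PASSWORD` env entry. Make the CI job fail on any finding; a vulnerability scanner still has to run separately, since this only covers build hygiene, not CVEs in the installed packages.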
Gotchas
- ColdFusion startup time can exceed default probe timeouts - raise initialDelaySeconds, or add a startupProbe, which holds off the liveness probe until the first successful check so a slow start is not mistaken for a hung process
- File permissions may fail when switching to a non-root user - copy application files with `COPY --chown` (or chown them in a RUN step) so the runtime UID can read them, and make sure any directory ColdFusion writes to (logs, temp, uploads) is owned by that UID
- Local file caching doesn't work well in ephemeral containers that can be recreated at any time - use Redis or another external caching solution
- Scheduled tasks need external scheduling systems in multi-instance deployments to prevent duplicate task execution
- The cfpm package manager requires network access during the build process - ensure proper proxy configuration in restricted environments
Related Resources
- Hosting Providers Comparison - AWS, Azure, and managed Kubernetes options
- Migration Patterns - Migrate on-prem CF to containers
- Monitoring Tools - Monitor containerized CF applications
- Performance Framework - Optimize containerized deployments
- Security Framework - Secure containerized ColdFusion
- Adobe ColdFusion on Docker Hub
- Kubernetes Liveness and Readiness Probes
Need Help?
Convective has extensive experience containerizing and orchestrating ColdFusion applications. Find out more.