Docker security introduction-task-2016
1 like385 views
This document discusses Docker security. It begins by introducing Docker and containers, then covers securing Docker images through signing and scanning. It discusses how Docker uses namespaces and cgroups for isolation. It also addresses securing the Docker daemon and containers, as well as operational concerns around deployment, networking, monitoring, and logging of containers. It concludes by looking at future directions like unikernels and serverless architectures.
![SECURITYFORDOCKERIMAGES
Secure Registry/Mirror Access
Getting trustworthy images
trusted sources - docker hub, private registry
building secure
Docker Content Trust (1.8) [Notary]
"only signed content in production"
Yubico Keys](https://image.slidesharecdn.com/dockersecurityintroduction-task-2016-161218170507/85/Docker-security-introduction-task-2016-28-320.jpg)
Docker security introduction-task-2016
- 1. DOCKER SECURITY Fernando Montenegro, CISSP - Ricardo Gerardi - @fsmontenegro @ricardogerardi TASK Jan 27, 2016
- 6. MICROSERVICES "Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and bene ts. To make a sensible choice you have to understand these and apply them to your speci c context."" Martin Fowler ( )http://martinfowler.com/articles/microservice-trade-o s.html
- 7. SIGNIFICANTBENEFITS Support CI/CD practices Easier to achieve scale Operational bene ts of "DevOps"
- 8. DATADOGCONTAINERSURVEY ( )https://www.datadoghq.com/docker-adoption/ Two schools of thought: Containers as up&down microservices Containers as "lightweight servers" that stay up
- 11. WHATWEFOUND
- 13. ABOUTUS-FERNANDO @fsmontenegro Sales Engineer Online Fraud Network Security CompSci ’94 Greying hair Curious Finance (DIY) Economics (EMH, Behaviour) Data Science (Coursera)
- 14. ABOUTUS-RICARDO @ricardogerardi Senior IT Consultant Network Management/Monitoring IBM Netcool Certi ed Uncerti ed father (2x) Interests Linux/UNIX Emerging technologies Data Science
- 15. DOCKERINTRO
- 16. WHATISDOCKER? DOCKER,THEPLATFORM Docker is a container based platform used to package and run applications in a variety of systems DOCKER,THECOMPANY Docker Inc. (https://www.docker.com/company)
- 18. VIRTUALMACHINES
- 20. WHYDOCKER? Linux containers Around for a long time (Open VZ, LXC, etc) Not very "friendly" Docker streamlines the process and makes it very easy to create and use containers Speed (Development/Scalability) Portability Driver to DevOps and Microservices
- 21. WHATDOYOUNEEDTORUN DOCKER? Recent Linux Kernel (3.8+) Namespaces cGroups Network connection
- 22. DOCKERARCHITECTUREINA NUTSHELL Source: https://www.docker.com/what-docker
- 23. Source: https://docs.docker.com/engine/introduction/understanding-docker/
- 24. DOCKERDEMO
- 25. DOCKER SECURITY
- 26. FIRSTTHINGSFIRST... Containers vs. VMs? Containers not as isolated as VMs. but much more isolated than processes... cgroups & namespaces Containers are OS-dependant. Containers for multi-tenancy? Not so fast... Containers & VMs :-)
- 27. SECURITYFORDOCKER How to secure the Docker "pipeline" How to secure Docker containers themselves
- 28. SECURITYFORDOCKERIMAGES Secure Registry/Mirror Access Getting trustworthy images trusted sources - docker hub, private registry building secure Docker Content Trust (1.8) [Notary] "only signed content in production" Yubico Keys
- 29. DOCKER'SPROJECTNAUTILUS Docker securing images on DockerHub Image security Component inventory/license management Image optimization Basic functional testing
- 30. CLAIRBYCOREOS Security scanning of images - Available on Quay Security Scanning Beta - https://coreos.com/blog/vulnerability-analysis-for- containers/ https://blog.quay.io/security- scanning-beta/
- 31. OTHERCONSIDERATIONS Containers are stateless Can mount additional volumes How to do Secrets Management? ENV variables - not recommended Key/Value Pair solutions Embedded in orchestration ( ) Vault & Keywhiz Kubernetes Custom solutions
- 32. SECURITYFROMDOCKER How to contain Docker & containers?
- 33. NAMESPACES&CGROUPS PID – process isolation Network – NICs, IPs, routing tabes et al. UTS – hostnames Mount – lesystem layouts/ properties IPC – interprocess communication User – users ("root" != root) Control groups: resource utilization (RAM, swap, CPU, IO, controls)
- 34. ADDITIONALFEATURES capabilities - add or drop capabilities seccomp - ltering of system calls network isolation via iptables limit inter-container communication
- 35. SECURITYBYDOCKER Leveraging Docker features for security
- 36. LEVERAGINGDOCKERFORSECURITY microservice -> reduced attack surface enforce content trust to protect production r/o FileSystems drop capabilities when possible seccomp - ltering system calls journaled changes
- 38. WHERETODEPLOYDOCKER? ONPREMISES Baremetal (on Linux) Virtual Machines IaaS, OpenStack, etc
- 40. PAASPROVIDERS
- 44. MONITORING CHALLENGES Scalability (100s of containers in a single host) Host Monitoring x Container Monitoring Container instrumentation (1 process/container philosophy) API instability
- 47. WRAPPINGUP
- 48. LOOKINGATTHEFUTURE Containers exist in a continuum of options. Unikernels one degree further compile kernel for application Undebuggable? Serverless Architecture? AWS Lambda Azure Service Fabric potentially bad idea?
- 50. WRAPPINGUP Docker Security "Anti-Patterns" free-for-all (unrestricted containers in Prod) treating containers as servers Recommendations for Security Don't try to stop it!!! recognize massive potential for disruption no agents on containers watch for outbound tra c keep up to date (news!) rethink approach ("cattle, not pets")
- 51. DOCKERALLOVER Last few weeks of news: Docker buys Unikernel Arista announces Container support in EOS Citrix supports NetScaler as Container Amazon announces Docker 1.9 support
- 52. RESOURCES! Twitterfolk: - AWS architect, tons of Docker links - Docker Security - Tons of Container work - Pluralsight course - KeepingItClassless, TechFieldDay - WebScale @ Shopify - DevOps - Shmoocon 2016 preso and - Company & Conference - Kubernetes confab Websites: - Checklist - portal of all things "modern" stacks - Network-focused approach - Open Container Initiative @mattnowina @diogomonica @frazelledazzell @nigelpoulton @mierdin @Sirupsen @blinken_lichten @jaybeale @docker @dockercon @kubeconio DockerBench TheNewStack Packet Pushers RunC