operating docker securely
Jen Andre
about me
@fun_cuddles / jenpire.com / organizer @BostonGoLang
co-founder @threatstack, formerly Mandiant / Symantec
** I HAVE NO AFFILIATION WITH THE SMART PEOPLE AT DOCKER **
Operating Docker
REALITY CHECK
* I stole this shamelessly from @petecheslock
houston, we have concerns
managing misinformation
VS
http://iamondemand.com/blog/5-key-benefits-of-docker-ci-version-control-portability-isolation-and-security/
http://www.securityweek.com/disrupting-disruptor-security-docker-containers
“Docker needs to fix all of these problems.”
- your security engineer
“It’s probably fine.”
- your hipster devops gal or guy
is docker secure?
this is the wrong question.
How can we enable organizations (security + dev + ops) to operate Docker safely?
1. Understand your threat model
2. Understand Docker’s limitations
3. Understand the tools available to us
4. Evolve the Docker security ecosystem :)
1. How do I trust the code?
2. How do I know if I’ve configured my Docker host + containers in a secure way?
3. How do containers change my security practices, e.g. monitoring?
empathy: understanding the security engineer’s concerns
but also consider
the consistency of application environments in Docker containers provides for interesting opportunities for new automation around security hardening, auditing, and testing.
issues with trust
docker images are binaries (opaque)
who am I trusting?
who is updating these things when there is a critical security flaw?
The problem of patch management is a real thing.
http://www.banyanops.com/blog/analyzing-docker-hub/
confusing advice
http://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers
always be updating!
• Do perform security upgrades (debian example below)
  sudo docker exec -it <container> apt-get update
  sudo docker exec -it <container> apt-get upgrade -s | grep -i security  # dry run
  sudo docker exec -it <container> apt-get upgrade  # commit changes when done
who are you trusting?
what if someone replaced libc with a backdoored version?
community
addressing trust
automate policy auditing + enforcement
for a given container, tell me who/what I am trusting
build from a trusted base image
be aware of who you are trusting
don’t over-rely on Docker hub
tooling to apply and validate security updates
more advice
• “The best option is to block index.docker.io locally, and download and verify images manually before importing them into Docker using docker load.”
• https://titanous.com/posts/docker-insecurity#fn:4
• Use a private docker registry
• https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 , https://quay.io
• Use Red Hat certified containers
• http://www.redhat.com/en/about/press-releases/red-hat-announces-certification-for-containerized-applications-extends-customer-confidence-and-trust-to-the-cloud
opportunities
• trust, but verify: build a binary auditing tool for Docker images!
• e.g., scan images, validate installed libraries and binaries do not have critical security issues and align with signed package manifests.
• https://github.com/banyanops/collector + `cruft’ but for containers?
• https://github.com/OpenSCAP/container-compliance - RHEL only
• contribute to the packaging/distribution trust conversation!
• https://github.com/docker/distribution/pull/179
• references: http://theupdateframework.com/
best practices, hardening, & secure configurations
security empathy
How do I know if I’ve configured my Docker host + containers in a secure way?
the good!
Docker released a comprehensive security benchmark.
https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/
the bad
…it’s  118  pages  of  material!
the good!: can we automate these checks?
for most of them, yes!
github.com/dockersecuritytools/batten - IN PROGRESS
serverspec example
the problem of isolation
container hardening: the good
there’s actually a lot of knobs to turn!
• SELinux / AppArmor policies (--security-opt) (more about this later)
• capabilities (--cap-add, --cap-drop)
• “give root without all of root”
• cgroups (resource allocation, many flags)
• Example: $ docker run -it --rm -m 128m fedora bash
• https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/
• user namespaces (soon!) so you don’t have to run id=0 processes as root!
• seccomp filtering to permit or block individual system calls (soon!)
• http://opensource.com/business/15/3/docker-security-future
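To make the knobs above checkable the same way the benchmark checks can be automated, here is an added example (not from the original slides and not Docker's own tooling) that reads the JSON printed by `docker inspect` and flags --privileged, high-risk --cap-add values, apparmor:unconfined, a missing -m limit and a process running as uid 0. The capability list and the two sample records are this example's own assumptions.

```python
"""Audit `docker inspect` output for the hardening knobs listed above:
--privileged, --cap-add/--cap-drop, --security-opt, -m and the run-as user.

Added example, not part of the original slides and not Docker's own tooling.
Input is the JSON array that `docker inspect <container> ...` prints; the
records at the bottom are constructed for the demonstration.
"""
import json

# Capabilities whose grant should get a human look before a container ships.
# This selection is the example's own assumption, not a list from the slides.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO",
                  "SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH"}


def cap_name(cap):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record):
    """Return a list of (severity, message) findings for one inspect record."""
    name = record.get("Name", "?").lstrip("/")
    host = record.get("HostConfig") or {}
    config = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append(("HIGH", f"{name}: --privileged=true turns off the "
                         "default capability set and AppArmor confinement"))

    # --cap-add wins over --cap-drop, so only the added set matters here.
    risky = {cap_name(c) for c in (host.get("CapAdd") or [])} & HIGH_RISK_CAPS
    if risky:
        findings.append(("HIGH", f"{name}: --cap-add grants {sorted(risky)}"))

    for opt in host.get("SecurityOpt") or []:
        # Both 'apparmor:unconfined' and 'apparmor=unconfined' spellings exist.
        if opt.replace("=", ":") == "apparmor:unconfined":
            findings.append(("HIGH", f"{name}: --security-opt "
                             "apparmor:unconfined removes MAC confinement"))

    if not host.get("Memory"):  # 0 or missing means no cgroup memory limit
        findings.append(("MEDIUM", f"{name}: no memory limit (-m); the "
                         "container can exhaust host RAM"))

    user = str(config.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("MEDIUM", f"{name}: runs as uid 0 (set USER or "
                         "--user until user namespaces land)"))

    return findings


def audit_inspect_json(text):
    """Parse `docker inspect` JSON and audit every record -> {name: findings}."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(text)}


# Constructed sample: one container started with the defaults plus
# --privileged and --cap-add, one hardened with the knobs from the slides.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/loose-wordpress",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "CapDrop": None, "SecurityOpt": None, "Memory": 0}},
    {"Name": "/hardened-wordpress",
     "Config": {"User": "www-data"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                    "CapDrop": ["ALL"],
                    "SecurityOpt": ["apparmor:my_container_profile"],
                    "Memory": 134217728}},
])

if __name__ == "__main__":
    for cname, found in audit_inspect_json(SAMPLE_INSPECT).items():
        print(cname, "-> OK" if not found else "")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect_json` to review every running container at once.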
the bad
there’s a lot of knobs to turn :(
we can do better.
what problems are they trying to solve?
AppArmor + SELinux
a question
if engineers can’t figure out how to build and apply SELinux policies now, how will Docker change things?
apparmor
a gentler mandatory access control system
https://wiki.ubuntu.com/AppArmor
introducing
#include <tunables/global>
/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,
  network raw,
  network packet,

  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

  /usr/sbin/tcpdump r,
}
name of profile — generally the
binary.
the permitted (or denied)
capabilities
the files it can access (or is denied
access to).
• Docker’s default capabilities are set by app armor! (and turned off when you docker run --privileged=true)
• be careful: when you supply your own apparmor profile, you are essentially resetting the capabilities.
• copy or inherit these when you create a new profile for your containers.
this looks familiar…
using apparmor with
1. Create the custom profile: vim my_container_profile
2. Load it into app armor: cat my_container_profile | sudo apparmor_parser -r
3. Run it with your docker container: docker run --security-opt="apparmor:my_container_profile"
4. $$$ Profit?
ok but what if I break things?
tip:
make a permissive profile, and run it in complain mode
sudo aa-complain my_container_profile
it will log to auditd
type=AVC msg=audit(1390936201.188:15647): apparmor="AUDIT" operation="file_lock" parent=7873 profile="my_container_profile" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
iterate until right.
“Great! but this is still hard and annoying.”
what if you could automate it?
tip:
use aa-logprof to generate the apparmor profiles automagically?
aa-logprof [ -d /path/to/profiles ] [ -f /path/to/logfile ]
!! don’t use these without manual review and editing !!
http://manpages.ubuntu.com/manpages/natty/man8/aa-­‐logprof.8.html
(ok: we still need better tooling)
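For the "iterate until right" loop above and as a transparent stand-in for what aa-logprof does under the hood, here is an added example (not from the original slides, not aa-logprof, and not AppArmor project code) that parses audit.log lines in the key=value format shown on the slide, groups what a profile in complain mode would have blocked, and prints candidate rule lines for manual review. The sample log lines, the `RELEVANT` result set and the review notes are this example's own assumptions; in complain mode AppArmor logs would-be denials as apparmor="ALLOWED".

```python
"""Summarise AppArmor audit events into candidate profile rules for review.

Added example, not part of the original slides and not aa-logprof itself.
It reads the audit.log format shown on the slide (key=value pairs after
type=AVC), groups events per profile, and prints rule lines a human can
review before pasting them into the profile. Log lines are constructed.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# apparmor= results that describe something the profile did not permit.
# Complain mode logs a would-be denial as ALLOWED; enforce mode as DENIED.
RELEVANT = {"DENIED", "ALLOWED", "AUDIT"}


def parse_event(line):
    """Return the key=value fields of one AVC line as a dict, else None."""
    if "type=AVC" not in line or "apparmor=" not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields if fields.get("apparmor") in RELEVANT else None


def summarise(lines):
    """Group events into {profile: {(kind, target): set(mask letters)}}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        profile = ev.get("profile", "?")
        if ev.get("operation") == "capable":
            # Capability events carry capname= instead of a path and mask.
            summary[profile].setdefault(("capability", ev.get("capname", "?")), set())
        elif "name" in ev:
            mask = ev.get("denied_mask") or ev.get("requested_mask") or ""
            summary[profile][("file", ev["name"])].update(mask)
    return summary


def candidate_rules(summary, profile):
    """Turn one profile's summary into AppArmor rule strings for manual review."""
    rules = []
    for (kind, target), masks in sorted(summary.get(profile, {}).items()):
        if kind == "capability":
            rules.append(f"  capability {target},")
            continue
        perms = "".join(sorted(masks))
        notes = []
        if "x" in perms:
            notes.append("exec: choose ix/px/ux deliberately")
        if target.startswith(("/tmp/", "/home/")):
            notes.append("user-writable path, consider a tighter glob")
        suffix = ("  # " + "; ".join(notes)) if notes else ""
        rules.append(f"  {target} {perms},{suffix}")
    return rules


# Constructed sample in the slide's format: four complain-mode events for
# my_container_profile, one parser STATUS line and one non-AppArmor record.
SAMPLE_LOG = """\
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="my_container_profile" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.190:15648): apparmor="ALLOWED" operation="open" parent=7873 profile="my_container_profile" name="/etc/krb5.conf" pid=7875 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.191:15649): apparmor="ALLOWED" operation="open" parent=7873 profile="my_container_profile" name="/etc/krb5.conf" pid=7876 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.192:15650): apparmor="ALLOWED" operation="capable" parent=7873 profile="my_container_profile" pid=7875 comm="sshd" capability=13 capname="net_raw"
type=AVC msg=audit(1390936201.193:15651): apparmor="STATUS" operation="profile_load" profile="unconfined" name="my_container_profile" pid=7001 comm="apparmor_parser"
type=USER_LOGIN msg=audit(1390936201.200:15652): pid=7877 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for prof in summary:
        print(f"{prof} {{")
        print("\n".join(candidate_rules(summary, prof)))
        print("}")
```

Run it against `/var/log/audit/audit.log` after each complain-mode round; every emitted line still needs the manual review the slide asks for before it goes into the profile.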
a vision
• IF in the future…
• DockerHub registry becomes your go-to trusted distribution source for applications…
• Why not
• Have a registry for apparmor and SELinux profiles geared for official dockerized app containers?
• …Include seccomp filters and other security configs?
• Share your policies & reduce the burden of having to harden your own apps/containers.
# fetch apparmor security profile for wordpress image
docker security-profile fetch wordpress:latest

# you can even fetch by image / tag
docker security-profile fetch 0cc6ffbf1a0cd78ab244c4b3b5cef13618bf4c8bcd229ec26731a951c33df72e

# allow users to submit/push their own app armor profiles
docker security-profile push --profile="apparmor:/etc/apparmor/wordpress.profile" jandre/wordpress:custom
in conclusion
• we need more automation around security auditing, hardening, testing, and monitoring
• Innovation here should come not just from the Docker folks.
• The consistency of Docker containers enables us to be innovative in how we automate the above ^^
is this interesting to you?
• contact me! jandre@gmail.com
• follow @dockersecurity for news
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension  in Scientific Programming:  Preliminary Insight...Exploring Code Comprehension  in Scientific Programming:  Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025
kashifyounis067
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 

Operating Docker

  • 17. always be updating!
    • Do perform security upgrades (Debian example below)
    • sudo docker exec -it <container> apt-get update
    • sudo docker exec -it <container> apt-get upgrade -s | grep -i security  # dry run
    • sudo docker exec -it <container> apt-get upgrade  # commit changes when done
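As an added example (not from the slides), the dry run above turned into a reusable check: a parser for `apt-get upgrade -s` output that lists only packages coming from a security archive, plus a gate that fails when any are pending. The sample apt output is constructed; the docker wrapper assumes a Debian-based container that has sh and apt-get.

```shell
#!/bin/sh
# Added example: make "apt-get upgrade -s | grep -i security" a check you can
# script. The parser reads apt-get -s output on stdin so it can be exercised
# offline; container_security_upgrades is the wrapper you would run for real.

# Print the package names of pending upgrades that come from a security
# archive. Matches "Inst <pkg> [<old>] (<new> <source> [arch])" lines only,
# so the paired "Conf" lines are not double counted.
security_upgrades() {
    awk '$1 == "Inst" && tolower($0) ~ /security/ { print $2 }' | sort -u
}

# Exit non-zero when any security upgrade is pending, so a pipeline can gate
# on it (rebuild the image, or run the upgrade step from the slide).
assert_no_security_upgrades() {
    n=$(security_upgrades | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "pending security upgrades: $n" >&2
        return 1
    fi
    return 0
}

# Run the dry run inside a container. Usage: container_security_upgrades <container>
# (assumes a Debian-based image with apt-get; not executed in the offline test)
container_security_upgrades() {
    docker exec "$1" sh -c 'apt-get -qq update >/dev/null && apt-get upgrade -s' |
        security_upgrades
}

# Constructed sample of apt-get -s output (Debian 8 style) for offline use.
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Inst libssl1.0.0 [1.0.1t-1+deb8u6] (1.0.1t-1+deb8u7 Debian-Security:8/oldstable [amd64])
Conf libssl1.0.0 (1.0.1t-1+deb8u7 Debian-Security:8/oldstable [amd64])
Inst curl [7.38.0-4+deb8u5] (7.38.0-4+deb8u8 Debian:8.9/oldstable [amd64])
Conf curl (7.38.0-4+deb8u8 Debian:8.9/oldstable [amd64])
Inst libgnutls-deb0-28 [3.3.8-6+deb8u6] (3.3.8-6+deb8u7 Debian-Security:8/oldstable [amd64])
Conf libgnutls-deb0-28 (3.3.8-6+deb8u7 Debian-Security:8/oldstable [amd64])'

# printf '%s\n' "$SAMPLE_APT_SIM" | security_upgrades
# -> libgnutls-deb0-28 and libssl1.0.0 (curl comes from the regular archive)
```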
  • 19. what if someone replaced libc with a backdoored version?
  • 20. community addressing trust:
    • automate policy auditing + enforcement
    • for a given container, tell me who/what I am trusting
    • build from a trusted base image
    • be aware of who you are trusting
    • don't over-rely on Docker Hub
    • tooling to apply and validate security updates
  • 21. more advice
    • "The best option is to block index.docker.io locally, and download and verify images manually before importing them into Docker using docker load." https://titanous.com/posts/docker-insecurity#fn:4
    • Use a private docker registry: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 , https://quay.io
    • Use RedHat certified containers: http://www.redhat.com/en/about/press-releases/red-hat-announces-certification-for-containerized-applications-extends-customer-confidence-and-trust-to-the-cloud
  • 22. opportunities
    • trust, but verify: build a binary auditing tool for Docker images!
    • e.g., scan images, validate that installed libraries and binaries do not have critical security issues and align with signed package manifests.
    • https://github.com/banyanops/collector + `cruft` but for containers?
    • https://github.com/OpenSCAP/container-compliance - RHEL only
    • contribute to the packaging/distribution trust conversation!
    • https://github.com/docker/distribution/pull/179
    • references: http://theupdateframework.com/
  • 24. security empathy: How do I know if I've configured my Docker host + containers in a secure way?
  • 25. the good! Docker released a comprehensive security benchmark. https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/
  • 26. the bad: …it's 118 pages of material!
  • 27. the good!: can we automate these checks? for most of them, yes! github.com/dockersecuritytools/batten - IN PROGRESS
  • 29. the problem of isolation
  • 30. container hardening: the good there’s actually a lot of knobs to turn!
  • 31.
    • SELinux / AppArmor policies (--security-opt) (more about this later)
    • capabilities (--cap-add, --cap-drop)
    • "give root without all of root"
  • 32.
    • cgroups (resource allocation, many flags)
    • Example: $ docker run -it --rm -m 128m fedora bash
    • https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/
    • user namespaces (soon!) so you don't have to run id=0 processes as root!
    • seccomp filtering to permit or block individual system calls (soon!)
    • http://opensource.com/business/15/3/docker-security-future
  • 33. the bad: there's a lot of knobs to turn :(
  • 34. we can do better.
  • 35. AppArmor + SELinux: what problems are they trying to solve?
  • 36. a question: if engineers can't figure out how to build and apply SELinux policies now, how will Docker change things?
  • 37. introducing apparmor: a gentler mandatory access control system https://wiki.ubuntu.com/AppArmor
  • 38. (an annotated tcpdump AppArmor profile)
    #include <tunables/global>
    /usr/sbin/tcpdump {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
      capability net_raw,
      capability setuid,
      capability setgid,
      capability dac_override,
      network raw,
      network packet,
      # for -D
      capability sys_module,
      @{PROC}/bus/usb/ r,
      @{PROC}/bus/usb/** r,
      # for -F and -w
      audit deny @{HOME}/.* mrwkl,
      audit deny @{HOME}/.*/ rw,
      audit deny @{HOME}/.*/** mrwkl,
      audit deny @{HOME}/bin/ rw,
      audit deny @{HOME}/bin/** mrwkl,
      @{HOME}/ r,
      @{HOME}/** rw,
      /usr/sbin/tcpdump r,
    }
    callouts: the name of the profile (generally the binary); the permitted (or denied) capabilities; the files it can access (or is denied access to).
  • 39. this looks familiar…
    • Docker's default capabilities are set by AppArmor! (and turned off when you docker run --privileged=true)
    • be careful: when you supply your own AppArmor profile, you are essentially resetting the capabilities.
    • copy or inherit these when you create a new profile for your containers.
  • 40. using apparmor with Docker
    1. Create the custom profile: vim my_container_profile
    2. Load it into AppArmor: cat my_container_profile | sudo apparmor_parser -r
    3. Run it with your docker container: docker run --security-opt="apparmor:my_container_profile"
    4. $$$ Profit?
  • 41. ok but what if I break things?
  • 42. tip: make a permissive profile, and run it in complain mode: sudo aa-complain my_container_profile
    it will log to auditd:
    type=AVC msg=audit(1390936201.188:15647): apparmor="AUDIT" operation="file_lock" parent=7873 profile="my_container_profile" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
    iterate until right.
  • 43. “Great! but this is still hard and annoying.”
  • 44. what if you could automate it?
  • 45. tip: use aa-logprof to generate the apparmor profiles automagically? aa-logprof [ -d /path/to/profiles ] [ -f /path/to/logfile ] !! don't use these without manual review and editing !! http://manpages.ubuntu.com/manpages/natty/man8/aa-logprof.8.html
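An added example, not from the slides, serving the "iterate until right" loop of slide 42 and the aa-logprof tip of slide 45: it deduplicates the complain-mode audit records for one profile and turns each into a candidate rule, which, as with aa-logprof output, still needs manual review before it goes into the profile. The audit lines are constructed to match the record format shown on slide 42; my_container_profile is the slide's own name.

```shell
#!/bin/sh
# Added example: summarise AppArmor complain-mode audit records so each
# remaining denial maps to one rule you add (or deliberately leave out).
# Reads audit lines on stdin. Names containing spaces are not handled.

# Print "operation name requested_mask" for every AUDIT/DENIED record of the
# given profile, deduplicated. Capability records carry capname= instead of
# name=, so that field is mapped onto the name column; "-" marks an absent field.
apparmor_denials() {
    awk -v want="$1" '
        /apparmor="(AUDIT|DENIED)"/ {
            p = ""; op = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile") p = v
                else if (kv[1] == "operation") op = v
                else if (kv[1] == "name" || kv[1] == "capname") name = v
                else if (kv[1] == "requested_mask") mask = v
            }
            if (p == want && op != "")
                print op, (name == "" ? "-" : name), (mask == "" ? "-" : mask)
        }' | sort -u
}

# Turn one summary line into a candidate AppArmor rule. Candidate only: like
# aa-logprof output, it is reviewed by a human before it goes into a profile.
suggest_rule() {
    case "$1" in
        capable) echo "capability $2,";;
        open|file_*|exec|mkdir|unlink|link|truncate|rename_*) echo "$2 $3,";;
        *) echo "# review: unhandled operation $1 on $2 (mask $3)";;
    esac
}

# Usage: printf '%s\n' "$SAMPLE_AUDIT" | suggest_rules my_container_profile
suggest_rules() {
    apparmor_denials "$1" | while read -r op name mask; do
        suggest_rule "$op" "$name" "$mask"
    done
}

# Constructed sample: the slide's sshd record plus a repeated open, a
# capability denial, and a record from another profile that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1390936201.188:15647): apparmor="AUDIT" operation="file_lock" parent=7873 profile="my_container_profile" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.190:15648): apparmor="AUDIT" operation="open" parent=7873 profile="my_container_profile" name="/etc/ssh/sshd_config" pid=7875 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.191:15649): apparmor="AUDIT" operation="open" parent=7873 profile="my_container_profile" name="/etc/ssh/sshd_config" pid=7876 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.192:15650): apparmor="AUDIT" operation="capable" parent=7873 profile="my_container_profile" pid=7875 comm="sshd" capability=12 capname="net_admin"
type=AVC msg=audit(1390936201.193:15651): apparmor="AUDIT" operation="open" parent=1 profile="other_profile" name="/etc/passwd" pid=42 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
```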
  • 46. (ok: we still need better tooling)
  • 48.
    • IF in the future…
    • DockerHub registry becomes your go-to trusted distribution source for applications…
    • Why not
    • Have a registry for apparmor and SELinux profiles geared for official dockerized app containers?
    • …Include seccomp filters and other security configs?
    • Share your policies & reduce the burden of having to harden your own apps/containers.
  • 49.
    # fetch apparmor security profile for wordpress image
    docker security-profile fetch wordpress:latest
    # you can even fetch by image / tag
    docker security-profile fetch 0cc6ffbf1a0cd78ab244c4b3b5cef13618bf4c8bcd229ec26731a951c33df72e
    # allow users to submit/push their own app armor profiles
    docker security-profile push --profile="apparmor:/etc/apparmor/wordpress.profile" jandre/wordpress:custom
  • 50. in conclusion
    • we need more automation around security auditing, hardening, testing, and monitoring
    • Innovation here should come not just from the Docker folks.
    • The consistency of Docker containers enables us to be innovative in how we automate the above ^^
  • 52. is this interesting to you?
    • contact me! [email protected]
    • follow @dockersecurity for news