SlideShare a Scribd company logo

Securing Containers From Day One | null Ahmedabad Meetup

K
Kumar Ashwin

Kumar Ashwin gives a presentation on securing containers from day one. The presentation covers what containers are, why we need them, the difference between virtual machines and containers, cgroups and namespaces, Docker basics, building optimized Docker images, and best practices for Dockerfile security. Some key points discussed include using minimal base images, ignoring unnecessary files, creating "golden images" as hardened base templates, not running as root, avoiding secrets in Dockerfiles, and using tools like Hadolint and Dockle to scan for issues.

1 of 24
Download to read offline
Securing Containers from Day One Kumar Ashwin 0xcardinal.com null Ahmedabad Container Security
About Me Kumar Ashwin • Security Consultant @ Payatu • Manages null Study Groups for six different Security Domains and also contributes to other communities • 0xcardinal.com • 0xCardinal on social platforms
Agenda • What are containers? • Why we need containers? • VM v/s Containers • Cgroups & Namespaces • Docker Primer • Build Optimization • Security • Resources • QnA https://giphy.com/gifs/rockstargames-usz0fqhUiVxSs6IUKB
What are containers? Containers are nothing but just another Linux process which is isolated from other processes running on the same host.
Why do we need containers?
Virtual Machines v/s Containers https://www.docker.com/blog/containers-replacing-virtual-machines/
cgroups & namespaces
namespaces It defines what a container can see, uses syscalls to do so. https://wizardzines.com/comics/namespaces/
Demo : namespaces Will share how the name spaces work using unshare and creating namespaces for user and network, and demonstrating the difference.
cgroups It defines what a container can use or access, uses syscalls to do so. https://wizardzines.com/comics/cgroups/
Docker Primer 🐳
Docker itself is not a Container. Myth busting
What is Docker? • Docker is a container engine, which is a piece of software that accepts user requests, including command line options, pulls images, and from the end user's perspective runs the container. • Other than docker there are other container engines as well, like - RKT, CRI-O, and LXD
Docker Architecture https://docs.docker.com/get-started/overview/
Docker Basics • There are different images, which are stored in the registry, from where it pull the image, to create different containers. • Generally, a Dockerfile (contains commands/instructions) is used to build a container. • If you want to run a multi-container Docker application – Docker Compose is your go to tool. • Common docker/docker compose commands, that are generally used - • docker pull <image-name> - used to pull images from registry • docker run [args] <image-name> - used to run a container from the image defined • docker build [args] – used to build a container out of a Dockerfile • docker-compose up – used to build a multi-container setup from docker-compose.yml • docker ps – used to list down the active containers • For every RUN, COPY, ADD instruction in a Dockerfile, a layer is created.
Dockerfile * insecure
Build Optimization • Minimize number of layers. Improves performance. • Multi-Stage Builds • Do not install unnecessary packages • Decouple the application • Slim down the image – using docker-slim • It promises to slim down the image by 30x - https://github.com/docker-slim/docker-slim
Why Dockerfile Security? • Here we will be talking about securing the images pre-build and what are the practices that we can follow. • A great start point to look for security issues are Dockerfile. • Dockerfiles? • These are the blueprints of the system/container that is to be created. • Infrastructure as a Code (IaaC) • One of the main components for the entire supply chain security.
Security Best-Practices • Prefer minimal base images • Use .dockerignore file to exclude files from build • Create Golden Images • Golden Images are hardened base images than can be used further development • Do not run containers as root • Adding this in the Dockerfile will help in chainging the user FROM alpine:latest RUN useradd –u 1234 non-root-user USER non-root-user • Do not commit secrets in Dockerfile or Containers • Can use BuildKit to pass secrets to use in containers securely • Use COPY instead of ADD, wherever possible
More Security Stuff • Use linters like hadolint, that will help to build best practice Docker Images.
More Security Stuff • Use dockle to scan images against CIS benchmarks. • CIS Benchmark security Comparision
Seccomp • It is a security feature in the Linux kernel. It can be used to restrict any system calls in the docker container. • E.g.,
Some Resources • Containers from Scratch [YouTube] • Dockerfile Best Practices • Multi-stage builds • dockle checkpoint comparison • Tips for optimizing builds • Dockerfile Tutorial • Practical guide to write Dockerfile
QnA Securing Containers from Day One Thank You! twitter.com/0xcardinal Kumar Ashwin
Ad

Recommended

Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learnedRebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Kacper Gunia
 
Creating a Kubernetes Operator in Java
Creating a Kubernetes Operator in JavaCreating a Kubernetes Operator in Java
Creating a Kubernetes Operator in Java
Rudy De Busscher
 
Cloudsolutionday 2016: DevOps workflow with Docker on AWS
Cloudsolutionday 2016: DevOps workflow with Docker on AWSCloudsolutionday 2016: DevOps workflow with Docker on AWS
Cloudsolutionday 2016: DevOps workflow with Docker on AWS
AWS Vietnam Community
 
Containerization: The DevOps Revolution
Containerization: The DevOps Revolution Containerization: The DevOps Revolution
Containerization: The DevOps Revolution
SoftServe
 
Rik Hepworth - ARM Yourself for Effective Azure Provisioning
Rik Hepworth - ARM Yourself for Effective Azure ProvisioningRik Hepworth - ARM Yourself for Effective Azure Provisioning
Rik Hepworth - ARM Yourself for Effective Azure Provisioning
WinOps Conf
 
Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
Alex Magnay - Azure Infrastructure as Code with Hashicorp TerraformAlex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
WinOps Conf
 
Network Infrastructure as Code with Chef and Cisco
Network Infrastructure as Code with Chef and CiscoNetwork Infrastructure as Code with Chef and Cisco
Network Infrastructure as Code with Chef and Cisco
Matt Ray
 
Sas 2015 event_driven
Sas 2015 event_drivenSas 2015 event_driven
Sas 2015 event_driven
Sascha Möllering
 
Docker in the Cloud
Docker in the CloudDocker in the Cloud
Docker in the Cloud
Sascha Möllering
 
Neil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveNeil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep Dive
WinOps Conf
 
Cloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureCloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless Architecture
AWS Vietnam Community
 
DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop
Sascha Möllering
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf
 
Moving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesMoving Applications into Azure Kubernetes
Moving Applications into Azure Kubernetes
Hussein Salman
 
ASP.NET vNext
ASP.NET vNextASP.NET vNext
ASP.NET vNext
Alex Thissen
 
Sebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next yearSebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next year
ShapeBlue
 
Sebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and dockerSebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and docker
ShapeBlue
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Trivadis
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
Alex Thissen
 
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsContainers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Docker, Inc.
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Docker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT
RightScale
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
CodeOps Technologies LLP
 
Meetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSMeetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWS
AWS Vietnam Community
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
CodeOps Technologies LLP
 
Azure service fabric
Azure service fabricAzure service fabric
Azure service fabric
Fernando Mejía
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
Ahmed AbouZaid
 
Ad

More Related Content

What's hot (20)

Docker in the Cloud
Docker in the CloudDocker in the Cloud
Docker in the Cloud
Sascha Möllering
 
Neil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveNeil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep Dive
WinOps Conf
 
Cloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureCloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless Architecture
AWS Vietnam Community
 
DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop
Sascha Möllering
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf
 
Moving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesMoving Applications into Azure Kubernetes
Moving Applications into Azure Kubernetes
Hussein Salman
 
ASP.NET vNext
ASP.NET vNextASP.NET vNext
ASP.NET vNext
Alex Thissen
 
Sebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next yearSebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next year
ShapeBlue
 
Sebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and dockerSebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and docker
ShapeBlue
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Trivadis
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
Alex Thissen
 
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsContainers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Docker, Inc.
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Docker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT
RightScale
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
CodeOps Technologies LLP
 
Meetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSMeetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWS
AWS Vietnam Community
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
CodeOps Technologies LLP
 
Azure service fabric
Azure service fabricAzure service fabric
Azure service fabric
Fernando Mejía
 
Docker in the Cloud
Docker in the CloudDocker in the Cloud
Docker in the Cloud
Sascha Möllering
 
Neil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveNeil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep Dive
WinOps Conf
 
Cloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureCloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless Architecture
AWS Vietnam Community
 
DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop
Sascha Möllering
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf
 
Moving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesMoving Applications into Azure Kubernetes
Moving Applications into Azure Kubernetes
Hussein Salman
 
ASP.NET vNext
ASP.NET vNextASP.NET vNext
ASP.NET vNext
Alex Thissen
 
Sebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next yearSebastien goasguen cloud stack the next year
Sebastien goasguen cloud stack the next year
ShapeBlue
 
Sebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and dockerSebastien goasguen cloud stack and docker
Sebastien goasguen cloud stack and docker
ShapeBlue
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Trivadis
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
Alex Thissen
 
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsContainers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Docker, Inc.
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Docker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT
RightScale
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
CodeOps Technologies LLP
 
Meetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSMeetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWS
AWS Vietnam Community
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
CodeOps Technologies LLP
 
Azure service fabric
Azure service fabricAzure service fabric
Azure service fabric
Fernando Mejía
 

Similar to Securing Containers From Day One | null Ahmedabad Meetup (20)

Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
Ahmed AbouZaid
 
Django and Docker
Django and DockerDjango and Docker
Django and Docker
Docker, Inc.
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
dotCloud
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
abhishek chawla
 
Getting Started with Docker
Getting Started with DockerGetting Started with Docker
Getting Started with Docker
Geeta Vinnakota
 
Learning Dockers - Step by Step
Learning Dockers - Step by StepLearning Dockers - Step by Step
Learning Dockers - Step by Step
Adnan Siddiqi
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
Docker, Inc.
 
Docker Devops document for short summary
Docker Devops document for short summaryDocker Devops document for short summary
Docker Devops document for short summary
AdiB912552
 
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and PipelinesDocker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Matt Bentley
 
Docker Workshop
Docker WorkshopDocker Workshop
Docker Workshop
Ahmad Rafiee
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
Dave Ward
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
Rajesh Kolla
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Docker
DockerDocker
Docker
Abhishek Tomar
 
Containers and security
Containers and securityContainers and security
Containers and security
sriram_rajan
 
Docker Security
Docker SecurityDocker Security
Docker Security
antitree
 
Dockerize the World
Dockerize the WorldDockerize the World
Dockerize the World
damovsky
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
Ahmed AbouZaid
 
Django and Docker
Django and DockerDjango and Docker
Django and Docker
Docker, Inc.
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
dotCloud
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
abhishek chawla
 
Getting Started with Docker
Getting Started with DockerGetting Started with Docker
Getting Started with Docker
Geeta Vinnakota
 
Learning Dockers - Step by Step
Learning Dockers - Step by StepLearning Dockers - Step by Step
Learning Dockers - Step by Step
Adnan Siddiqi
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
Docker, Inc.
 
Docker Devops document for short summary
Docker Devops document for short summaryDocker Devops document for short summary
Docker Devops document for short summary
AdiB912552
 
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and PipelinesDocker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Matt Bentley
 
Docker Workshop
Docker WorkshopDocker Workshop
Docker Workshop
Ahmad Rafiee
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
Dave Ward
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
Rajesh Kolla
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Docker
DockerDocker
Docker
Abhishek Tomar
 
Containers and security
Containers and securityContainers and security
Containers and security
sriram_rajan
 
Docker Security
Docker SecurityDocker Security
Docker Security
antitree
 
Dockerize the World
Dockerize the WorldDockerize the World
Dockerize the World
damovsky
 
Ad

Recently uploaded (20)

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Ad

Securing Containers From Day One | null Ahmedabad Meetup

  • 1. Securing Containers from Day One Kumar Ashwin 0xcardinal.com null Ahmedabad Container Security
  • 2. About Me Kumar Ashwin • Security Consultant @ Payatu • Manages null Study Groups for six different Security Domains and also contributes to other communities • 0xcardinal.com • 0xCardinal on social platforms
  • 3. Agenda • What are containers? • Why we need containers? • VM v/s Containers • Cgroups & Namespaces • Docker Primer • Build Optimization • Security • Resources • QnA https://giphy.com/gifs/rockstargames-usz0fqhUiVxSs6IUKB
  • 4. What are containers? Containers are nothing but just another Linux process which is isolated from other processes running on the same host.
  • 6. Virtual Machines v/s Containers https://www.docker.com/blog/containers-replacing-virtual-machines/
  • 8. namespaces It defines what a container can see, uses syscalls to do so. https://wizardzines.com/comics/namespaces/
  • 9. Demo : namespaces Will share how the name spaces work using unshare and creating namespaces for user and network, and demonstrating the difference.
  • 10. cgroups It defines what a container can use or access, uses syscalls to do so. https://wizardzines.com/comics/cgroups/
  • 12. Docker itself is not a Container. Myth busting
  • 13. What is Docker? • Docker is a container engine, which is a piece of software that accepts user requests, including command line options, pulls images, and from the end user's perspective runs the container. • Other than docker there are other container engines as well, like - RKT, CRI-O, and LXD
  • 15. Docker Basics • There are different images, which are stored in the registry, from where it pull the image, to create different containers. • Generally, a Dockerfile (contains commands/instructions) is used to build a container. • If you want to run a multi-container Docker application – Docker Compose is your go to tool. • Common docker/docker compose commands, that are generally used - • docker pull <image-name> - used to pull images from registry • docker run [args] <image-name> - used to run a container from the image defined • docker build [args] – used to build a container out of a Dockerfile • docker-compose up – used to build a multi-container setup from docker-compose.yml • docker ps – used to list down the active containers • For every RUN, COPY, ADD instruction in a Dockerfile, a layer is created.
  • 17. Build Optimization • Minimize number of layers. Improves performance. • Multi-Stage Builds • Do not install unnecessary packages • Decouple the application • Slim down the image – using docker-slim • It promises to slim down the image by 30x - https://github.com/docker-slim/docker-slim
  • 18. Why Dockerfile Security? • Here we will be talking about securing the images pre-build and what are the practices that we can follow. • A great start point to look for security issues are Dockerfile. • Dockerfiles? • These are the blueprints of the system/container that is to be created. • Infrastructure as a Code (IaaC) • One of the main components for the entire supply chain security.
  • 19. Security Best-Practices • Prefer minimal base images • Use .dockerignore file to exclude files from build • Create Golden Images • Golden Images are hardened base images than can be used further development • Do not run containers as root • Adding this in the Dockerfile will help in chainging the user FROM alpine:latest RUN useradd –u 1234 non-root-user USER non-root-user • Do not commit secrets in Dockerfile or Containers • Can use BuildKit to pass secrets to use in containers securely • Use COPY instead of ADD, wherever possible
  • 20. More Security Stuff • Use linters like hadolint, that will help to build best practice Docker Images.
  • 21. More Security Stuff • Use dockle to scan images against CIS benchmarks. • CIS Benchmark security Comparision
  • 22. Seccomp • It is a security feature in the Linux kernel. It can be used to restrict any system calls in the docker container. • E.g.,
  • 23. Some Resources • Containers from Scratch [YouTube] • Dockerfile Best Practices • Multi-stage builds • dockle checkpoint comparison • Tips for optimizing builds • Dockerfile Tutorial • Practical guide to write Dockerfile
  • 24. QnA Securing Containers from Day One Thank You! twitter.com/0xcardinal Kumar Ashwin