Container Security

Transcript

1. Container Security Andy Gale

2. Andy Gale @techandygale on Twitter Bristol Rovers fan #UTG Bristol

   DevOps Organiser What do you do? Owner and DevOps Consultant at Hello Future

3. Hello Future • @hellofutur3 on Twitter • DevOps, Continuous Delivery,

   Chef, Docker and cloud automation consultancy • Web application development • We now have availability for DevOps Consultancy if you’re after some • We’re hiring https://hellofutu.re/jobs/ What do we do?

4. Container Hosts Container Platform Containers themselves • Containers package both

   your code and other software for redistribution • Software, such as Apache, PHP, Nginx often requires regular updates for security issues • If you have automated deployments, Continuous Delivery etc this is not such much or a problem • But what about when you have sites or applications that are deployed less frequently? Considerations

5. Containers themselves Identify problem container images Build new container images

   Push to production

6. Containers themselves Identify problem container images Build new container images

   Push to production • Built into some online Docker Registries • Docker Cloud “free preview for private repository subscriber" • Quay.io in beta but free • Free tool from CoreOS called Clair (powers Quay.io) Identify problem container images

7. Container Hosts Container Platform Docker Cloud Image from https://docs.docker.com/docker-cloud/builds/image-scan/

8. Container Hosts Container Platform Quay.io Image from https://blog.quay.io/security-scanning-beta/

9. Container Hosts Container Platform Clair DIY! https://github.com/coreos/clair

10. Containers themselves Identify problem container images Build new container images

    Push to production • Quay.io can notify email, Slack, generic webhooks, and more allowing you to rebuild your image • Neither seem to offer an option to automatically rebuild the image for you, even though they will build automatically using Git hooks etc • Easier said then done if your base layer is vulnerable and hasn’t been updated Build new container images

11. Containers themselves Identify problem container images Build new container images

    Push to production • Hopefully you’ve got some automated process to do this otherwise it could become the same pain as patching is! Push to production

12. We’re concerned with not just the containers! Container images Container

    hosts Container platform • Developer code • Language runtimes (Ruby, Python, PHP) • Services such as Apache, Nginx, MySQL • OS binaries and libraries Container images • Container software itself, Docker etc • OS binaries and libraries Container host • Software updates • Networking • Volumes Container platform

13. Container Hosts Container Platform Container hosts • Traditional Linux distributions

    you’ll still need to patch your host nodes! • Consider Snappy Ubuntu Core, Project Atomic • CoreOS works around this nicely allowing you to update the entire OS • RancherOS packages the whole OS in Docker containers allowing incredibly simple updates managed by Rancher • Docker Cloud allows you to update Docker on its managed nodes Depends on your setup!

14. Container Hosts Container Platform Container platforms Kubernetes, Mesos • A

    bit of a pain in the backside • Maybe use a hosted service like Amazon Container Service, Google Container Engine