
Container Security

Andy Gale
September 21, 2016

A very short lightning talk about container security, given at Bristol DevOps on 21st September 2016.


Transcript

  1. Container Security
     Andy Gale

  2. What do you do?
     • Andy Gale, @techandygale on Twitter
     • Bristol Rovers fan #UTG
     • Bristol DevOps organiser
     • Owner and DevOps Consultant at Hello Future

  3. What do we do? Hello Future
     • @hellofutur3 on Twitter
     • DevOps, Continuous Delivery, Chef, Docker and cloud automation consultancy
     • Web application development
     • We now have availability for DevOps consultancy if you're after some
     • We're hiring: https://hellofutu.re/jobs/

  4. Considerations (Containers themselves)
     • Containers package both your code and other software for redistribution
     • Software such as Apache, PHP and Nginx often requires regular updates for security issues
     • If you have automated deployments, Continuous Delivery etc., this is not so much of a problem
     • But what about when you have sites or applications that are deployed less frequently?

  5. Containers themselves: three steps
     • Identify problem container images
     • Build new container images
     • Push to production

  6. Identify problem container images
     • Built into some online Docker registries
     • Docker Cloud: "free preview for private repository subscribers"
     • Quay.io: in beta but free
     • Free tool from CoreOS called Clair (it powers Quay.io's scanning)

  7. Docker Cloud
     [Image from https://docs.docker.com/docker-cloud/builds/image-scan/]

  8. Quay.io
     [Image from https://blog.quay.io/security-scanning-beta/]

  9. Clair: DIY!
     https://github.com/coreos/clair
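Running Clair yourself only answers the first question (which images have a problem); you still need a rule that turns its report into a pass or fail for a build. The script below is an added example, not code from the talk or from the Clair project. The embedded JSON is a constructed sample that mirrors the shape of Clair v1's GET /v1/layers/<layer>?features&vulnerabilities response, and the severity scale is the one Clair v1 uses; both are assumptions to check against the Clair version you run. The vulnerability names are placeholders, not real CVE identifiers.

```python
"""Added example (not from the talk): gate an image on a Clair v1 report.

SAMPLE_REPORT is a constructed sample mirroring the shape of Clair v1's
GET /v1/layers/<layer>?features&vulnerabilities response. That shape and
the severity names are assumptions taken from Clair v1; check them against
the version you run. The vulnerability names are placeholders, not CVEs.
"""
import json

# Clair v1 severity scale, least to most severe (assumed from Clair v1).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium",
                  "High", "Critical", "Defcon1"]

# Constructed sample report for the top layer of a hypothetical image.
SAMPLE_REPORT = json.dumps({
    "Layer": {
        "Name": "sha256:0000constructedlayer",
        "NamespaceName": "debian:8",
        "Features": [
            {"Name": "openssl", "Version": "1.0.1t-1+deb8u2",
             "Vulnerabilities": [
                 {"Name": "SAMPLE-VULN-1", "Severity": "High",
                  "FixedBy": "1.0.1t-1+deb8u5"},
                 {"Name": "SAMPLE-VULN-2", "Severity": "Medium",
                  "FixedBy": "1.0.1t-1+deb8u3"},
             ]},
            {"Name": "libc6", "Version": "2.19-18+deb8u4",
             "Vulnerabilities": [
                 # Critical, but no fixed package version published yet.
                 {"Name": "SAMPLE-VULN-3", "Severity": "Critical",
                  "FixedBy": ""},
             ]},
            {"Name": "nginx", "Version": "1.6.2-5+deb8u4",
             "Vulnerabilities": [
                 {"Name": "SAMPLE-VULN-4", "Severity": "Low",
                  "FixedBy": "1.6.2-5+deb8u5"},
             ]},
        ],
    }
})


def severity_rank(severity):
    """Position on the severity scale; unrecognised strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def find_violations(report_json, min_severity="High", fixed_only=True):
    """Return the findings that should block this image.

    min_severity: lowest severity that blocks.
    fixed_only:   when True, only count findings a rebuild can actually
                  remove (a FixedBy version exists). Unfixed findings still
                  deserve attention, but rebuilding will not make them go away.
    """
    layer = json.loads(report_json)["Layer"]
    threshold = severity_rank(min_severity)
    violations = []
    for feature in layer.get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            severity = vuln.get("Severity", "Unknown")
            if severity_rank(severity) < threshold:
                continue
            if fixed_only and not vuln.get("FixedBy"):
                continue
            violations.append({
                "name": vuln["Name"],
                "severity": severity,
                "package": feature["Name"],
                "installed": feature["Version"],
                "fixed_by": vuln.get("FixedBy", ""),
            })
    # Most severe first, then by name, so output is stable across runs.
    violations.sort(key=lambda v: (-severity_rank(v["severity"]), v["name"]))
    return violations


def image_passes(report_json, min_severity="High", fixed_only=True):
    """True when nothing at or above min_severity blocks the image."""
    return not find_violations(report_json, min_severity, fixed_only)


if __name__ == "__main__":
    import sys
    for v in find_violations(SAMPLE_REPORT, fixed_only=False):
        print("%-9s %-14s %s (installed %s, fixed by %s)" % (
            v["severity"], v["name"], v["package"], v["installed"],
            v["fixed_by"] or "no fix yet"))
    # Non-zero exit so a CI job rebuilds, or refuses to promote, the image.
    sys.exit(0 if image_passes(SAMPLE_REPORT) else 1)
```

With the defaults the sample image fails on the High openssl finding alone: the Critical libc6 finding has no fixed version, so a rebuild would not clear it and it is reported separately rather than used to block. Drop `fixed_only` to False if you would rather block on it anyway.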

  10. Build new container images
     • Quay.io can notify by email, Slack, generic webhooks and more, allowing you to rebuild your image
     • Neither seems to offer an option to automatically rebuild the image for you, even though both will build automatically from Git hooks etc.
     • Easier said than done if your base layer is vulnerable and hasn't been updated

  11. Push to production
     • Hopefully you've got some automated process to do this, otherwise it could become the same pain as patching is!
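The gap the two slides above describe is the "rebuild" step: a registry can tell you a base image is vulnerable, but you have to work out which of your own images build on it, rebuild those, and rebuild anything that builds on them, in the right order. The script below is an added example, not code from the talk or from Quay.io, Docker Cloud or Clair. Its Dockerfiles, image names and build-context paths are a constructed set for a hypothetical "myorg"; it only relies on the FROM instruction, and it goes slightly beyond the talk by also handling multi-stage "FROM x AS y" lines, so an image with several stages waits for all of its updated bases.

```python
"""Added example (not from the talk): work out which images to rebuild when
a base image gets a security update, and in what order.

DOCKERFILES is a constructed set of Dockerfiles for a hypothetical
organisation "myorg"; the image names, tags and build-context paths are
assumptions for the example. Only the FROM instruction is parsed, including
multi-stage "FROM x AS y" lines, so an image with several stages depends on
every base it names.
"""
from collections import defaultdict

# Constructed inputs: image name -> (build context path, Dockerfile text).
DOCKERFILES = {
    "myorg/php-base": ("./php-base",
        "FROM debian:jessie\nRUN apt-get update && apt-get install -y php5\n"),
    "myorg/site-a": ("./site-a",
        "FROM myorg/php-base\nCOPY . /var/www/html\n"),
    "myorg/site-b": ("./site-b",
        "# comment\nFROM myorg/php-base\nCOPY . /var/www/html\n"),
    "myorg/tool": ("./tool",
        "FROM alpine:3.4\nCOPY tool /usr/local/bin/tool\n"),
    "myorg/report": ("./report",
        "FROM myorg/site-a AS site\nFROM myorg/tool\n"
        "COPY --from=site /var/www/html /srv\n"),
}


def parse_bases(dockerfile_text):
    """Images named by FROM instructions, in order, without duplicates."""
    bases = []
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        # Skip flags such as --platform=...; the first other token is the image.
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]
        if not tokens or tokens[0].lower() == "scratch":
            continue
        if tokens[0] not in bases:
            bases.append(tokens[0])
    return bases


def rebuild_order(dockerfiles, updated_image):
    """Images that (transitively) build on updated_image, parents first."""
    bases = {name: parse_bases(text) for name, (_, text) in dockerfiles.items()}
    children = defaultdict(set)
    for name, parents in bases.items():
        for parent in parents:
            children[parent].add(name)

    # Everything downstream of the updated image needs a rebuild.
    affected = set()
    stack = [updated_image]
    while stack:
        for child in children[stack.pop()]:
            if child not in affected:
                affected.add(child)
                stack.append(child)

    # Kahn's algorithm over the affected subgraph: an image is rebuilt only
    # once every affected image it builds FROM has been rebuilt. Names are
    # sorted at each step so the order is deterministic.
    pending = {name: sum(1 for p in bases[name] if p in affected)
               for name in affected}
    ready = sorted(name for name in affected if pending[name] == 0)
    order = []
    while ready:
        name = ready.pop(0)
        order.append(name)
        for child in sorted(children[name]):
            if child in affected:
                pending[child] -= 1
                if pending[child] == 0:
                    ready.append(child)
        ready.sort()
    return order


def rebuild_commands(dockerfiles, updated_image):
    """Shell commands to run, in order, after updated_image changed.

    --pull makes docker build fetch the updated base instead of reusing
    the stale one in the local image cache.
    """
    return [
        "docker build --pull -t %s %s && docker push %s"
        % (name, dockerfiles[name][0], name)
        for name in rebuild_order(dockerfiles, updated_image)
    ]


if __name__ == "__main__":
    for cmd in rebuild_commands(DOCKERFILES, "debian:jessie"):
        print(cmd)
```

Wire `rebuild_commands` to whatever the registry notification reaches (a webhook receiver, a CI job) and the "neither rebuilds for you" gap closes. The part the talk calls easier said than done still stands: if `debian:jessie` itself has not been updated upstream, `--pull` fetches the same vulnerable base and the rebuilt images will fail the scan again.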
  12. We're concerned with not just the containers!
     Container images:
     • Developer code
     • Language runtimes (Ruby, Python, PHP)
     • Services such as Apache, Nginx, MySQL
     • OS binaries and libraries
     Container host:
     • Container software itself (Docker etc.)
     • OS binaries and libraries
     Container platform:
     • Software updates
     • Networking
     • Volumes

  13. Container hosts: depends on your setup!
     • Traditional Linux distributions: you'll still need to patch your host nodes!
     • Consider Snappy Ubuntu Core, Project Atomic
     • CoreOS works around this nicely, allowing you to update the entire OS
     • RancherOS packages the whole OS in Docker containers, allowing incredibly simple updates managed by Rancher
     • Docker Cloud allows you to update Docker on its managed nodes

  14. Container platforms (Kubernetes, Mesos)
     • A bit of a pain in the backside
     • Maybe use a hosted service like Amazon Container Service or Google Container Engine