Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

DevOpsDays KC 2017
September 22, 2017
Technology
0
220

Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

Containers package applications, OS, utilities, and config into one deployable unit. That adds up to a lot of hidden complexity. How can developers ensure the container performs well, are of high quality, and not a security risk? Let’s explore automated methods and tools to achieve those goals.

DevOpsDays KC 2017

September 22, 2017
Tweet

More Decks by DevOpsDays KC 2017

See All by DevOpsDays KC 2017
Dane Hammer - The First Year Working Remotely
devopsdayskc
1
220
David Hollinger III - Vox Pupuli - The Importance of Working Together
devopsdayskc
0
230
Adam Wieberg - Why Beta Users are Key
devopsdayskc
0
160
Dave Swersky, Ron MacKenzie - Cracking the Culture Code: Practical Advice on Promoting a Generative Culture
devopsdayskc
0
320
Scott Howell III - Changing culture through personal reflection
devopsdayskc
0
180
Alison Stanton - Ways DevOps Could Be More Accessible
devopsdayskc
0
220
Joshua Goldman - Help I'm a "DevOps Engineer" Now!!!!
devopsdayskc
1
280
Kyle Sexton - Secret Management with HashiCorp Vault
devopsdayskc
1
460
Todd Brees - 3 Simple Lessons from Working With Public that Help in Technology
devopsdayskc
0
200

Other Decks in Technology

See All in Technology
アプリがつくるNOT A HOTELブランド
hokuts
1
450
NgRx Signal Store
rainerhahnekamp
0
120
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
240
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
130
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
5.2k
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
3
2.5k
ChatGPT for IT Service Management (IT Pro)
dahatake
2
160
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
120
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
Databricks におけるデータエンジニアリング
databricksjapan
0
380
強みを伸ばすキャリアデザイン
yug1224
0
200

Featured

See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Documentation Writing (for coders)
carmenintech
59
3.9k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
1
3.4k
Rails Girls Zürich Keynote
gr2m
91
13k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
Happy Clients
brianwarren
91
6.4k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
Making the Leap to Tech Lead
cromwellryan
123
8.5k

Transcript

  1. WHAT GOES IN MUST COME OUT Hidden Defects in Your

    Docker Containers Matthew Barker Solution Architect, Twistlock matthewabq

  2. Security Advantages of Docker Containers Minimal © 2017 Reproducible Task

    specific Isolated Short lived Immutable

  3. 7 thousand docker pulls per minute 2 billion+ total pulls

    What could go wrong

  4. OUR INVENTORY: IMAGES

  5. OUR INVENTORY: COMPONENTS

  6. APPLICATION 1 OS Java Utilities Binary/OSS Components Plugins Docker Engine

    Host Operating System APPLICATION 2 OS Ruby on Rails Utilities Binary/OSS Components Plugins

  7. A SIMPLE CONTAINER BASED WEBAPP # Dockerfile for Simple Web

    Application FROM tomcat:8.0 MAINTAINER Matthew Barker # update and install openssh-server RUN apt-get update && apt-get install -y apt-transport-https && \\ apt-get install -y openssh-server # Build and statically deploy the application war file ADD target/web-app.war /usr/local/tomcat/webapps What can go wrong?

  8. FROM: tomcat:8.0 27 HIGH LEVEL VULNERABILITIES

  9. RUN apt-get install -y openssh-server 4 HIGH LEVEL VULNERABILITIES

  10. ADD target/web-app.war /usr/local/tomcat/webapps 6 HIGH LEVEL COMPONENT (JAR) VULNERABILITIES

  11. Other Considerations 4 HIGH/MEDIUM LEVEL COMPLIANCE ISSUES Docker Standards Compliance

  12. Securing Your Containers
 © 2017 Use a small footprint Shift

    Left - compliance - security Automate, Automate, Automate Step 1: Utilize and build secure and compliant images

  13. Securing Your Containers
 Step 2: Maintain a clean inventory of

    images © 2017 Update frequently Continuously verify - automated scans with alerts

  14. Securing Your Containers
 Step 3: Be vigilant and lock down

    deployments © 2017 Automate everything! Include Runtime Protection - host and containers Deploy Frequently Continuously monitor deployed container images

  15. SECURE VERSION OF DOCKERFILE # Dockerfile for Secure Web Application

    # Use base image free of vulnerabilities FROM tomcat:9-alpine MAINTAINER Matthew Barker # Remediate vulnerable source code and components # then Deploy App ADD package/target/WebApp-5.5.war /usr/local/tomcat/webapps

  16. REMEDIATE COMPLIANCE ISSUES # Dockerfile for Secure and Compliant Web

    Application # Put private RSA keys in a secrets vault and inject into container # remove these secrets from the image RUN rm /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key # setup and run as admin user, NEVER RUN AS ROOT COPY tomcat-users.xml /usr/local/tomcat/conf/RUN adduser -D -u 1000 admin \ && chown -R admin /usr/local/tomcatUSER admin

  17. SECURING THE APP LAYER

  18. SECURING THE APP LAYER

  19. SECURING THE APP LAYER

  20. Want more information? Email me at [email protected] for a copy

    of the slide presentation © 2017 20