Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Matthew Barker - What Goes In Must Come Out, Hi...

Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

Containers package applications, OS, utilities, and config into one deployable unit. That adds up to a lot of hidden complexity. How can developers ensure the container performs well, are of high quality, and not a security risk? Let’s explore automated methods and tools to achieve those goals.

DevOpsDays KC 2017

September 22, 2017
Tweet

More Decks by DevOpsDays KC 2017

Other Decks in Technology

Transcript

  1. WHAT GOES IN MUST COME OUT Hidden Defects in Your

    Docker Containers Matthew Barker Solution Architect, Twistlock matthewabq
  2. APPLICATION 1 OS Java Utilities Binary/OSS Components Plugins Docker Engine

    Host Operating System APPLICATION 2 OS Ruby on Rails Utilities Binary/OSS Components Plugins
  3. A SIMPLE CONTAINER BASED WEBAPP # Dockerfile for Simple Web

    Application FROM tomcat:8.0 MAINTAINER Matthew Barker # update and install openssh-server RUN apt-get update && apt-get install -y apt-transport-https && \\ apt-get install -y openssh-server # Build and statically deploy the application war file ADD target/web-app.war /usr/local/tomcat/webapps What can go wrong?
  4. Securing Your Containers
 © 2017 Use a small footprint Shift

    Left - compliance - security Automate, Automate, Automate Step 1: Utilize and build secure and compliant images
  5. Securing Your Containers
 Step 2: Maintain a clean inventory of

    images © 2017 Update frequently Continuously verify - automated scans with alerts
  6. Securing Your Containers
 Step 3: Be vigilant and lock down

    deployments © 2017 Automate everything! Include Runtime Protection - host and containers Deploy Frequently Continuously monitor deployed container images
  7. SECURE VERSION OF DOCKERFILE # Dockerfile for Secure Web Application

    # Use base image free of vulnerabilities FROM tomcat:9-alpine MAINTAINER Matthew Barker # Remediate vulnerable source code and components # then Deploy App ADD package/target/WebApp-5.5.war /usr/local/tomcat/webapps
  8. REMEDIATE COMPLIANCE ISSUES # Dockerfile for Secure and Compliant Web

    Application # Put private RSA keys in a secrets vault and inject into container # remove these secrets from the image RUN rm /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key # setup and run as admin user, NEVER RUN AS ROOT COPY tomcat-users.xml /usr/local/tomcat/conf/RUN adduser -D -u 1000 admin \ && chown -R admin /usr/local/tomcatUSER admin