Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Matthew Barker - What Goes In Must Come Out, Hi...

DevOpsDays KC 2017
September 22, 2017
Technology
0
230

Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

Containers package applications, OS, utilities, and config into one deployable unit. That adds up to a lot of hidden complexity. How can developers ensure the container performs well, are of high quality, and not a security risk? Let’s explore automated methods and tools to achieve those goals.

DevOpsDays KC 2017

September 22, 2017
Tweet

More Decks by DevOpsDays KC 2017

See All by DevOpsDays KC 2017
Dane Hammer - The First Year Working Remotely
devopsdayskc
1
240
David Hollinger III - Vox Pupuli - The Importance of Working Together
devopsdayskc
0
240
Adam Wieberg - Why Beta Users are Key
devopsdayskc
0
170
Dave Swersky, Ron MacKenzie - Cracking the Culture Code: Practical Advice on Promoting a Generative Culture
devopsdayskc
0
340
Scott Howell III - Changing culture through personal reflection
devopsdayskc
0
190
Alison Stanton - Ways DevOps Could Be More Accessible
devopsdayskc
0
240
Joshua Goldman - Help I'm a "DevOps Engineer" Now!!!!
devopsdayskc
1
340
Kyle Sexton - Secret Management with HashiCorp Vault
devopsdayskc
1
490
Todd Brees - 3 Simple Lessons from Working With Public that Help in Technology
devopsdayskc
0
230

Other Decks in Technology

See All in Technology
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
170
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
強いチームと開発生産性
onk
PRO
34
11k
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
300
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
190
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
580

Featured

See All Featured
The Invisible Side of Design
smashingmag
298
50k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
4 Signs Your Business is Dying
shpigford
180
21k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Done Done
chrislema
181
16k
We Have a Design System, Now What?
morganepeng
50
7.2k
The Pragmatic Product Professional
lauravandoore
31
6.3k
How to Ace a Technical Interview
jacobian
276
23k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Into the Great Unknown - MozCon
thekraken
32
1.5k

Transcript

  1. WHAT GOES IN MUST COME OUT Hidden Defects in Your

    Docker Containers Matthew Barker Solution Architect, Twistlock matthewabq

  2. Security Advantages of Docker Containers Minimal © 2017 Reproducible Task

    specific Isolated Short lived Immutable

  3. 7 thousand docker pulls per minute 2 billion+ total pulls

    What could go wrong

  4. OUR INVENTORY: IMAGES

  5. OUR INVENTORY: COMPONENTS

  6. APPLICATION 1 OS Java Utilities Binary/OSS Components Plugins Docker Engine

    Host Operating System APPLICATION 2 OS Ruby on Rails Utilities Binary/OSS Components Plugins

  7. A SIMPLE CONTAINER BASED WEBAPP # Dockerfile for Simple Web

    Application FROM tomcat:8.0 MAINTAINER Matthew Barker # update and install openssh-server RUN apt-get update && apt-get install -y apt-transport-https && \\ apt-get install -y openssh-server # Build and statically deploy the application war file ADD target/web-app.war /usr/local/tomcat/webapps What can go wrong?

  8. FROM: tomcat:8.0 27 HIGH LEVEL VULNERABILITIES

  9. RUN apt-get install -y openssh-server 4 HIGH LEVEL VULNERABILITIES

  10. ADD target/web-app.war /usr/local/tomcat/webapps 6 HIGH LEVEL COMPONENT (JAR) VULNERABILITIES

  11. Other Considerations 4 HIGH/MEDIUM LEVEL COMPLIANCE ISSUES Docker Standards Compliance

  12. Securing Your Containers
 © 2017 Use a small footprint Shift

    Left - compliance - security Automate, Automate, Automate Step 1: Utilize and build secure and compliant images

  13. Securing Your Containers
 Step 2: Maintain a clean inventory of

    images © 2017 Update frequently Continuously verify - automated scans with alerts

  14. Securing Your Containers
 Step 3: Be vigilant and lock down

    deployments © 2017 Automate everything! Include Runtime Protection - host and containers Deploy Frequently Continuously monitor deployed container images

  15. SECURE VERSION OF DOCKERFILE # Dockerfile for Secure Web Application

    # Use base image free of vulnerabilities FROM tomcat:9-alpine MAINTAINER Matthew Barker # Remediate vulnerable source code and components # then Deploy App ADD package/target/WebApp-5.5.war /usr/local/tomcat/webapps

  16. REMEDIATE COMPLIANCE ISSUES # Dockerfile for Secure and Compliant Web

    Application # Put private RSA keys in a secrets vault and inject into container # remove these secrets from the image RUN rm /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key # setup and run as admin user, NEVER RUN AS ROOT COPY tomcat-users.xml /usr/local/tomcat/conf/RUN adduser -D -u 1000 admin \ && chown -R admin /usr/local/tomcatUSER admin

  17. SECURING THE APP LAYER

  18. SECURING THE APP LAYER

  19. SECURING THE APP LAYER

  20. Want more information? Email me at [email protected] for a copy

    of the slide presentation © 2017 20