Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Matthew Barker - What Goes In Must Come Out, Hi...

DevOpsDays KC 2017
September 22, 2017
Technology
0
230

Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

Containers package applications, OS, utilities, and config into one deployable unit. That adds up to a lot of hidden complexity. How can developers ensure the container performs well, are of high quality, and not a security risk? Let’s explore automated methods and tools to achieve those goals.

DevOpsDays KC 2017

September 22, 2017
Tweet

More Decks by DevOpsDays KC 2017

See All by DevOpsDays KC 2017
Dane Hammer - The First Year Working Remotely
devopsdayskc
1
240
David Hollinger III - Vox Pupuli - The Importance of Working Together
devopsdayskc
0
240
Adam Wieberg - Why Beta Users are Key
devopsdayskc
0
170
Dave Swersky, Ron MacKenzie - Cracking the Culture Code: Practical Advice on Promoting a Generative Culture
devopsdayskc
0
340
Scott Howell III - Changing culture through personal reflection
devopsdayskc
0
190
Alison Stanton - Ways DevOps Could Be More Accessible
devopsdayskc
0
240
Joshua Goldman - Help I'm a "DevOps Engineer" Now!!!!
devopsdayskc
1
340
Kyle Sexton - Secret Management with HashiCorp Vault
devopsdayskc
1
490
Todd Brees - 3 Simple Lessons from Working With Public that Help in Technology
devopsdayskc
0
230

Other Decks in Technology

See All in Technology
フルカイテン株式会社 採用資料
fullkaiten
0
40k
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
28k
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
4
310
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
株式会社島津製作所_研究開発(集団協業と知的生産)の現場を支える、OSS知識基盤システムの導入
akahane92
1
180
メールサーバ管理者のみ知る話
hinono
1
100
20241108_CS_LLMMT
shigashiyama
0
250
国土交通省 データコンペ参加者向け勉強会
takehikohashimoto
0
400
RAGのためのビジネス文書解析技術
eida
3
660
AIチャットボット開発への生成AI活用
ryomrt
0
140
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
190
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
0
120

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
96
11k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
560
The World Runs on Bad Software
bkeepers
PRO
65
11k
The Language of Interfaces
destraynor
154
24k
Bash Introduction
62gerente
608
210k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
YesSQL, Process and Tooling at Scale
rocio
168
14k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
How to train your dragon (web standard)
notwaldorf
88
5.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Typedesign – Prime Four
hannesfritz
40
2.4k

Transcript

  1. WHAT GOES IN MUST COME OUT Hidden Defects in Your

    Docker Containers Matthew Barker Solution Architect, Twistlock matthewabq

  2. Security Advantages of Docker Containers Minimal © 2017 Reproducible Task

    specific Isolated Short lived Immutable

  3. 7 thousand docker pulls per minute 2 billion+ total pulls

    What could go wrong

  4. OUR INVENTORY: IMAGES

  5. OUR INVENTORY: COMPONENTS

  6. APPLICATION 1 OS Java Utilities Binary/OSS Components Plugins Docker Engine

    Host Operating System APPLICATION 2 OS Ruby on Rails Utilities Binary/OSS Components Plugins

  7. A SIMPLE CONTAINER BASED WEBAPP # Dockerfile for Simple Web

    Application FROM tomcat:8.0 MAINTAINER Matthew Barker # update and install openssh-server RUN apt-get update && apt-get install -y apt-transport-https && \\ apt-get install -y openssh-server # Build and statically deploy the application war file ADD target/web-app.war /usr/local/tomcat/webapps What can go wrong?

  8. FROM: tomcat:8.0 27 HIGH LEVEL VULNERABILITIES

  9. RUN apt-get install -y openssh-server 4 HIGH LEVEL VULNERABILITIES

  10. ADD target/web-app.war /usr/local/tomcat/webapps 6 HIGH LEVEL COMPONENT (JAR) VULNERABILITIES

  11. Other Considerations 4 HIGH/MEDIUM LEVEL COMPLIANCE ISSUES Docker Standards Compliance

  12. Securing Your Containers
 © 2017 Use a small footprint Shift

    Left - compliance - security Automate, Automate, Automate Step 1: Utilize and build secure and compliant images

  13. Securing Your Containers
 Step 2: Maintain a clean inventory of

    images © 2017 Update frequently Continuously verify - automated scans with alerts

  14. Securing Your Containers
 Step 3: Be vigilant and lock down

    deployments © 2017 Automate everything! Include Runtime Protection - host and containers Deploy Frequently Continuously monitor deployed container images

  15. SECURE VERSION OF DOCKERFILE # Dockerfile for Secure Web Application

    # Use base image free of vulnerabilities FROM tomcat:9-alpine MAINTAINER Matthew Barker # Remediate vulnerable source code and components # then Deploy App ADD package/target/WebApp-5.5.war /usr/local/tomcat/webapps

  16. REMEDIATE COMPLIANCE ISSUES # Dockerfile for Secure and Compliant Web

    Application # Put private RSA keys in a secrets vault and inject into container # remove these secrets from the image RUN rm /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key # setup and run as admin user, NEVER RUN AS ROOT COPY tomcat-users.xml /usr/local/tomcat/conf/RUN adduser -D -u 1000 admin \ && chown -R admin /usr/local/tomcatUSER admin

  17. SECURING THE APP LAYER

  18. SECURING THE APP LAYER

  19. SECURING THE APP LAYER

  20. Want more information? Email me at [email protected] for a copy

    of the slide presentation © 2017 20