a complete ﬁlesystem that contains everything it needs to run: code, runPme, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
model? 2. How do I ensure I can trust the code running in my containers? 3. How do I know if I’ve conﬁgured my Docker host + containers in a way that minimizes my risk? 4. How do containers change my security pracPces, e.g. monitoring? questions for the security professional
locally, and download and verify images manually before imporPng them into Docker using docker load.” • hcps:/ /Ptanous.com/posts/docker-‐insecurity#fn:4 • Use a private docker registry • hcps:/ /www.digitalocean.com/community/tutorials/how-‐to-‐set-‐up-‐a-‐private-‐docker-‐registry-‐ on-‐ubuntu-‐14-‐04 , hcps:/ /quay.io • Use RedHat cerPﬁed containers • hcp:/ /www.redhat.com/en/about/press-‐releases/red-‐hat-‐announces-‐cerPﬁcaPon-‐for-‐ containerized-‐applicaPons-‐extends-‐customer-‐conﬁdence-‐and-‐trust-‐to-‐the-‐cloud
for Docker images! • e.g., scan images, validate installed libraries and binaries do not have criPcal security issues and align with signed package manifests. • hcps:/ /github.com/banyanops/collector +`cruM’ but for containers? • hcps:/ /github.com/OpenSCAP/container-‐compliance -‐ RHEL only • contribute to the packaging/distribuPon trust conversaPon! • hcps:/ /github.com/docker/distribuPon/pull/179 • references: hcp:/ /theupdateframework.com/
prevent one container from sucking all of the resources (DoS) another container on the same host • $ docker run -it --rm -m 128m fedora bash • hcps:/ /goldmann.pl/blog/2014/09/11/resource-‐management-‐in-‐docker/
(and turned oﬀ when you docker run — privileged=true) • be careful: when you supply your own apparmor proﬁle, your are essenPally resetng the capabiliPes. • copy or inherit these when you create a new proﬁle for your containers. this looks familiar…
your go-‐to trusted distribuPon source for applicaPons.… • Why not • Have a registry for apparmor and SELinux proﬁles geared for oﬃcial dockerized app containers? • …Include seccomp ﬁlters and other security conﬁgs? • Share your polices & reduce the burden of having to harden your own apps/containers.
docker security-‐profile fetch wordpress:latest # you can even fetch by image / tag docker security-‐profile fetch 0cc6ffbf1a0cd78ab244c4b3b5cef13618bf4c8bcd229ec2673 1a951c33df72e # allow users to submit/push their own app armor profiles docker security-‐profile push —-‐profile=“apparmor:/ etc/apparmor/wordpress.profile” jandre/ wordpress:custom