a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
control groups, orchestrating the namespaces, and so on, so that Docker images can be run and secured.
• Because of the need to manage kernel functions, Docker runs with root privileges.
• Limit the users who have control of the Docker Daemon
the first step in a wider effort toward privilege separation.
• From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.
Docker Content Trust
on every managed host
• Signature verification transparent to users
• Guarantees the integrity of your images when pulled
• Provides trust from publisher to consumer
• export DOCKER_CONTENT_TRUST=1
• ~/.docker/trust/trusted-certificates/
scanning of all components in the image
• Performs a binary scan to pick up statically linked binaries
• Analyses libraries statically compiled into the image
• Generates a report that shows whether there are CVEs in the libraries inside the image
want to determine if it's safe enough for you to use in production.
• You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
• https://github.com/docker/docker-bench-security
• Open-source tool for running automated tests
• Inspired by the CIS Docker 1.11 benchmark
• Runs against containers currently running on the same host
• Checks for AppArmor, read-only volumes, etc.
traffic between containers
• [WARN] 4.1 - Create a user for the container
• [WARN] * Running as root:
• [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
• [WARN] * Capabilities added: CapAdd=[audit_control]
• [WARN] 5.13 - Mount container's root filesystem as readonly
• [WARN] * Container running with root FS mounted R/W:
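Output like the above is what an "alert or block deployments" step would consume. The shell script below is an added example, not part of docker-bench-security or of this deck: it extracts the WARN check IDs, fails when any check from a blocking list is in WARN, and prints the usual remediation for the three checks shown. The sample output and the container name web-1 are constructed.

```shell
#!/bin/sh
# Constructed sample of docker-bench-security output; the container name "web-1"
# and the exact line layout are assumptions, not copied from a real run.
sample_bench_output() {
    cat <<'EOF'
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Create a user for the container
[WARN]      * Running as root: web-1
[PASS] 4.2 - Use trusted base images for containers
[INFO] 5 - Container Runtime
[WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] web-1
[PASS] 5.5 - Do not mount sensitive host system directories on containers
[WARN] 5.13 - Mount container's root filesystem as readonly
[WARN]      * Container running with root FS mounted R/W: web-1
EOF
}

# Print the check ID of every top-level [WARN] finding ("4.1", "5.4", ...), one per
# line. Indented "* ..." detail lines belong to the check above them and are skipped.
bench_warn_ids() {
    sed -n 's/^\[WARN\] \([0-9][0-9]*\.[0-9][0-9]*\) - .*/\1/p'
}

# Standard remediation for the three checks shown in the deck; generic hint otherwise.
bench_remediation() {
    case $1 in
        4.1)  echo "add a USER instruction to the Dockerfile" ;;
        5.4)  echo "run with --cap-drop=all and add back only the capabilities needed" ;;
        5.13) echo "run with --read-only (plus tmpfs or volumes for writable paths)" ;;
        *)    echo "see CIS Docker benchmark section $1" ;;
    esac
}

# Read bench output on stdin. Exit 1 if any WARN check ID is in the space-separated
# blocking list $1 (so a CI step can fail the deployment); other WARNs only alert.
bench_gate() {
    blocking=$1
    status=0
    for id in $(bench_warn_ids); do
        case " $blocking " in
            *" $id "*) echo "BLOCK $id: $(bench_remediation "$id")"; status=1 ;;
            *)         echo "ALERT $id: $(bench_remediation "$id")" ;;
        esac
    done
    return $status
}

# Block on root user and writable root FS; only alert on added capabilities.
if sample_bench_output | bench_gate "4.1 5.13"; then echo "deploy OK"; else echo "deploy blocked"; fi
```

In a pipeline, replace `sample_bench_output` with the real run (`sudo sh docker-bench-security.sh | bench_gate "4.1 5.13"`) and let the non-zero exit status fail the job.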