Slide 1

Slide 1 text

Container Security
Andy Gale

Slide 2

Slide 2 text

What do you do?
Andy Gale
• @techandygale on Twitter
• Bristol Rovers fan #UTG
• Bristol DevOps Organiser
• Owner and DevOps Consultant at Hello Future

Slide 3

Slide 3 text

What do we do?
Hello Future
• @hellofutur3 on Twitter
• DevOps, Continuous Delivery, Chef, Docker and cloud automation consultancy
• Web application development
• We now have availability for DevOps Consultancy if you’re after some
• We’re hiring https://hellofutu.re/jobs/

Slide 4

Slide 4 text

Containers themselves / Container Hosts / Container Platform
Considerations
• Containers package both your code and other software for redistribution
• Software such as Apache, PHP and Nginx often requires regular updates for security issues
• If you have automated deployments, Continuous Delivery etc., this is not so much of a problem
• But what about sites or applications that are deployed less frequently?

Slide 5

Slide 5 text

Containers themselves
Identify problem container images
Build new container images
Push to production

Slide 6

Slide 6 text

Identify problem container images
• Built into some online Docker Registries
• Docker Cloud: “free preview for private repository subscriber”
• Quay.io: in beta but free
• Free tool from CoreOS called Clair (powers Quay.io)

Slide 7

Slide 7 text

Docker Cloud
Image from https://docs.docker.com/docker-cloud/builds/image-scan/

Slide 8

Slide 8 text

Quay.io
Image from https://blog.quay.io/security-scanning-beta/

Slide 9

Slide 9 text

Clair: DIY!
https://github.com/coreos/clair
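Running Clair yourself gives you raw scan data rather than a red/green badge, so you need a policy for what counts as a "problem image". The following is an added example, not code from the talk or from the Clair project: it takes the JSON that Clair's v1 API returns for a layer (GET /v1/layers/<name>?vulnerabilities, the Layer → Features[] → Vulnerabilities[] shape with Severity and FixedBy fields) and decides whether the image should be blocked. The response embedded below is constructed for the example and its CVE identifiers are placeholders, not real vulnerabilities.

```python
"""Gate a container image on Clair scan results (added example, not Clair's own code)."""

# Clair v1 severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def severity_rank(severity):
    """Numeric rank for a Clair severity string; unknown strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def collect_vulnerabilities(layer_response):
    """Flatten Layer.Features[].Vulnerabilities[] into one list of findings."""
    findings = []
    layer = layer_response.get("Layer", {})
    for feature in layer.get("Features") or []:
        for vuln in feature.get("Vulnerabilities") or []:
            findings.append({
                "package": feature.get("Name"),
                "version": feature.get("Version"),
                "name": vuln.get("Name"),
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_by": vuln.get("FixedBy") or "",
                "link": vuln.get("Link"),
            })
    return findings


def gate_image(layer_response, threshold="High", require_fix=True):
    """Return (should_block, offending_findings).

    A finding counts when its severity is at or above `threshold`. With
    `require_fix` set, findings with no FixedBy version are ignored: a rebuild
    cannot remove a vulnerability the distribution has not fixed yet, so they
    belong in a report, not in a build gate.
    """
    offending = []
    for finding in collect_vulnerabilities(layer_response):
        if severity_rank(finding["severity"]) < severity_rank(threshold):
            continue
        if require_fix and not finding["fixed_by"]:
            continue
        offending.append(finding)
    offending.sort(key=lambda f: severity_rank(f["severity"]), reverse=True)
    return bool(offending), offending


# Constructed sample in the shape of a Clair v1 layer response; the CVE ids,
# package versions and links are placeholders, not real advisories.
SAMPLE_CLAIR_RESPONSE = {
    "Layer": {
        "Name": "sha256:0000000000000000000000000000000000000000000000000000000000000001",
        "NamespaceName": "debian:8",
        "IndexedByVersion": 1,
        "Features": [
            {"Name": "openssl", "NamespaceName": "debian:8", "Version": "1.0.1t-1+deb8u2",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0001", "Severity": "High",
                  "FixedBy": "1.0.1t-1+deb8u3", "Link": "https://example.invalid/CVE-0000-0001"}]},
            {"Name": "bash", "NamespaceName": "debian:8", "Version": "4.3-11+deb8u1",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0002", "Severity": "Medium",
                  "FixedBy": "4.3-11+deb8u2", "Link": "https://example.invalid/CVE-0000-0002"}]},
            {"Name": "libc6", "NamespaceName": "debian:8", "Version": "2.19-18+deb8u4",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0003", "Severity": "Critical",
                  "FixedBy": "", "Link": "https://example.invalid/CVE-0000-0003"}]},
        ],
    }
}


if __name__ == "__main__":
    blocked, findings = gate_image(SAMPLE_CLAIR_RESPONSE)
    print("BLOCK" if blocked else "PASS")
    for f in findings:
        print(f"  {f['severity']:<9} {f['name']}  {f['package']} {f['version']} -> {f['fixed_by']}")
```

With the defaults the sample image is blocked on the fixable High finding only: the Critical one has no fix yet and the Medium one is below the threshold. Pass `require_fix=False` to see unfixed findings too, or lower `threshold` to "Medium" to catch the bash finding; exit non-zero from the `BLOCK` branch if this runs inside a build pipeline.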

Slide 10

Slide 10 text

Build new container images
• Quay.io can notify email, Slack, generic webhooks and more, allowing you to rebuild your image
• Neither seems to offer an option to automatically rebuild the image for you, even though both will build automatically from Git hooks etc.
• Easier said than done if your base layer is vulnerable and hasn’t been updated
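Because the registries will notify you but not rebuild for you, the missing piece is a small receiver that turns the notification into a build. Below is an added example, not code from the talk or from Quay: a webhook endpoint that accepts a Quay "Vulnerability Detected" notification and decides whether to kick off a rebuild. Assumptions not taken from the slides: the payload shape follows Quay's documented event (repository, tags[] and a vulnerability object with id, priority and has_fix); the endpoint is protected by a shared secret sent in an X-Webhook-Token header because the notification is not signed; and `trigger_rebuild` stands in for whatever starts your CI job. The sample payloads are constructed and their CVE ids are placeholders.

```python
"""Quay.io vulnerability webhook -> rebuild request (added example, not Quay's code)."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Quay reports vulnerability priority on the same scale Clair uses.
PRIORITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def priority_rank(priority):
    return PRIORITY_ORDER.index(priority) if priority in PRIORITY_ORDER else 0


class RebuildDecider:
    """Decide whether one notification should start a rebuild.

    Quay sends one notification per vulnerability, so an image with ten findings
    produces ten webhooks. `_queued` collapses them into one build per
    (repository, tag) until `clear` is called, e.g. by the CI job on completion.
    """

    def __init__(self, trigger_rebuild, threshold="High", deploy_tags=("latest",), require_fix=True):
        self.trigger_rebuild = trigger_rebuild  # callable(repository, tag, vulnerability_id)
        self.threshold = threshold
        self.deploy_tags = set(deploy_tags)      # only tags you actually run in production
        self.require_fix = require_fix
        self._queued = set()

    def handle(self, payload):
        vuln = payload.get("vulnerability", {})
        repo = payload.get("repository", "")
        tags = sorted(self.deploy_tags & set(payload.get("tags", [])))
        if not tags:
            return {"action": "ignore", "reason": "no deployed tag affected"}
        if priority_rank(vuln.get("priority", "Unknown")) < priority_rank(self.threshold):
            return {"action": "ignore", "reason": "below threshold"}
        if self.require_fix and not vuln.get("has_fix", False):
            # Rebuilding pulls the same vulnerable package again; report instead.
            return {"action": "ignore", "reason": "no fix available"}
        to_build = [t for t in tags if (repo, t) not in self._queued]
        if not to_build:
            return {"action": "ignore", "reason": "rebuild already queued"}
        for tag in to_build:
            self._queued.add((repo, tag))
            self.trigger_rebuild(repo, tag, vuln.get("id"))
        return {"action": "rebuild", "repository": repo, "tags": to_build, "vulnerability": vuln.get("id")}

    def clear(self, repo, tag):
        self._queued.discard((repo, tag))


def make_handler(decider, token):
    """HTTP handler factory; `token` is the shared secret configured in the Quay notification URL."""

    class QuayWebhook(BaseHTTPRequestHandler):
        def do_POST(self):
            supplied = self.headers.get("X-Webhook-Token", "")
            if not hmac.compare_digest(supplied.encode(), token.encode()):
                self.send_response(403)
                self.end_headers()
                return
            length = int(self.headers.get("Content-Length", "0"))
            try:
                payload = json.loads(self.rfile.read(length))
            except ValueError:
                self.send_response(400)
                self.end_headers()
                return
            body = json.dumps(decider.handle(payload)).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return QuayWebhook


# Constructed sample notifications; repository name and CVE ids are placeholders.
SAMPLE_NOTIFICATION = {
    "repository": "example/web", "namespace": "example", "name": "web",
    "docker_url": "quay.io/example/web", "tags": ["latest", "prod", "feature-x"],
    "vulnerability": {"id": "CVE-0000-0001", "priority": "Critical", "has_fix": True,
                      "description": "placeholder", "link": "https://example.invalid/CVE-0000-0001"},
}
SAMPLE_LOW_NOTIFICATION = {
    "repository": "example/web", "tags": ["prod"],
    "vulnerability": {"id": "CVE-0000-0002", "priority": "Low", "has_fix": True},
}


if __name__ == "__main__":
    decider = RebuildDecider(lambda r, t, v: print(f"rebuild {r}:{t} because of {v}"),
                             deploy_tags=("latest", "prod"))
    HTTPServer(("127.0.0.1", 8080), make_handler(decider, "change-me")).serve_forever()
```

Point the Quay notification at this endpoint with the token in the header and have the CI job call `clear` when the build finishes, otherwise the next real finding on that tag is swallowed by the dedup.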

Slide 11

Slide 11 text

Push to production
• Hopefully you’ve got some automated process to do this, otherwise it could become the same pain as patching is!

Slide 12

Slide 12 text

We’re concerned with not just the containers!

Container images
• Developer code
• Language runtimes (Ruby, Python, PHP)
• Services such as Apache, Nginx, MySQL
• OS binaries and libraries

Container host
• Container software itself, Docker etc.
• OS binaries and libraries

Container platform
• Software updates
• Networking
• Volumes

Slide 13

Slide 13 text

Container hosts
• Traditional Linux distributions: you’ll still need to patch your host nodes!
• Consider Snappy Ubuntu Core, Project Atomic
• CoreOS works around this nicely, allowing you to update the entire OS
• RancherOS packages the whole OS in Docker containers, allowing incredibly simple updates managed by Rancher
• Docker Cloud allows you to update Docker on its managed nodes
Depends on your setup!

Slide 14

Slide 14 text

Container platforms
Kubernetes, Mesos
• A bit of a pain in the backside
• Maybe use a hosted service like Amazon EC2 Container Service (ECS) or Google Container Engine (GKE)