Slide 1

Docker Security
Mark Wolfe, DevOps @ Versent

Slide 2

Welcome
• Who is this guy?
• @wolfeidau on twitter and Github
• Who is Versent?
• Yes we are hiring

Slide 3

Situation Analysis
• We are using Docker to build and deploy Web Applications
• Pull images from Docker Hub
• Clone and code software from Github
• Install dependencies
• Run

Slide 4

So what is the Problem?

Slide 5

Docker Host
• Keep your hosts up to date
• Please schedule automatic security updates
• Docker daemon runs as root
• Keep it up to date
• Avoid --privileged if possible; this also runs as root
• Avoid docker run -v /:/sysroot or the like

Slide 6

Docker Security Check

docker run -it --net host --pid host \
  --cap-add audit_control -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security

https://github.com/docker/docker-bench-security

Slide 7

Docker File
• Set a User
• Install signed packages where possible, use apt-get or yum if possible!
• Check GPG signatures of downloaded archives
• Beware curl http://somewhere.com | bash
• Docker Inc. has some great examples of good practices, copy with gusto.
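An added example, not from the talk, of a Dockerfile that applies the practices on this slide: packages come from apt (which verifies the repository signature), a downloaded archive is only extracted after its detached GPG signature verifies against a key pinned by fingerprint, and the final USER is unprivileged. The archive URL, signature URL and key fingerprint are placeholders, not values from the talk.

```dockerfile
# Added example (not from the talk). Placeholders below are assumptions:
# replace TOOL_URL, TOOL_SIG_URL and TOOL_KEY_FPR with the real release
# URL, its detached signature, and the publisher's published key fingerprint.
FROM debian:bookworm-slim

# Signed packages: apt checks the repository Release signature against the
# distro keyring, so only packages with a verified origin get installed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates curl gnupg dirmngr \
    && rm -rf /var/lib/apt/lists/*

ARG TOOL_URL="https://example.invalid/tool-1.0.tar.gz"
ARG TOOL_SIG_URL="https://example.invalid/tool-1.0.tar.gz.asc"
ARG TOOL_KEY_FPR="0000000000000000000000000000000000000000"

# Download the archive and its signature, then refuse to build unless the
# signature verifies with the key we pinned by full fingerprint.
# This is the replacement for "curl http://somewhere.com | bash".
RUN set -eux; \
    export GNUPGHOME="$(mktemp -d)"; \
    curl -fsSLo /tmp/tool.tar.gz "$TOOL_URL"; \
    curl -fsSLo /tmp/tool.tar.gz.asc "$TOOL_SIG_URL"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$TOOL_KEY_FPR"; \
    gpg --batch --verify /tmp/tool.tar.gz.asc /tmp/tool.tar.gz; \
    mkdir -p /opt/tool; \
    tar -xzf /tmp/tool.tar.gz -C /opt/tool --strip-components=1; \
    rm -rf "$GNUPGHOME" /tmp/tool.tar.gz /tmp/tool.tar.gz.asc

# Set a user: create an unprivileged account and switch to it so the
# application does not run as root inside the container.
RUN groupadd --system app \
    && useradd --system --gid app --home /opt/tool --shell /usr/sbin/nologin app \
    && chown -R app:app /opt/tool
USER app
WORKDIR /opt/tool
CMD ["/opt/tool/bin/tool"]
```

Because the RUN step uses set -e, a failed gpg --verify aborts the build rather than silently shipping an unverified archive.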

Slide 8

Images
• Image contains an operating system
• Typically contains a few packages
• Do these packages have security issues?
• Shellshock
• Openssl issues

Slide 9

Image Provenance
• Who even made this image?
• Are they trustworthy?
• How old are your images?
• docker inspect can help

Slide 10

Images Cont.
• Only use a small selection of trusted images
• Build a base image with all your standard packages
• Scan these images
• Rebuild them regularly

Slide 11

Continuous Integration

Slide 12

[Diagram: Docker Registry, CI Agent, ELB, Web Servers (Docker), Public Subnet]

Slide 13

Continuous Integration
• Build and Test our Code
• Produce Docker images
• Named based on service
• These have a tag aka BuildNo
• Short Git hash of Code
• Use Buildkite

Slide 14

[Diagram: Docker Registry, CI Agent, ELB, Web Servers (Docker), Public Subnet; arrows labelled PUSH IMAGE and PULL IMAGE]

Slide 15

Continuous Win
• CI Server controls Images
• Closed System
• Audit trail of what went into Docker
• Web servers never talk to *Hub
• When the hubs are down your app will still autoscale…

Slide 16

Let go of bad practices

Slide 17

Read this Book
https://www.openshift.com/promotions/docker-security.html

Slide 18

Questions
• Thanks for listening
• @wolfeidau on twitter
• github.com/wolfeidau
• [email protected]

Slide 19

References
• https://docs.docker.com/engine/security/security/
• https://zwischenzugs.wordpress.com/2016/07/08/a-checklist-for-docker-in-the-enterprise/
• https://github.com/docker/docker-bench-security

Slide 20

Images
• "Medium" by Thomas Hawk
• "Snowying" by fiddleoak
• "Snowstorm" by Beaulawrence