Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Docker Security

Docker Security

Talk I gave at the Docker Meetup in Melbourne on 19th of July 2016

Mark Wolfe

July 19, 2016

More Decks by Mark Wolfe

Other Decks in Technology


  1. Welcome • Who is this guy? • @wolfeidau on twitter

    and Github • Who is Versent? • Yes we are hiring
  2. Situation Analysis • We are using Docker to build and

    deploy Web Applications • Pull images from Docker Hub • Clone and code software from Github • Install dependencies • Run
  3. Docker Host • Keep your hosts up to date •

    Please schedule automatic security updates • Docker daemon runs as root • Keep it up to date • Avoid --privileged if possible this is also run as root • Avoid docker run -v /:/sysroot or the like
  4. Docker Security Check docker run -it --net host --pid host

    \ --cap-add audit_control -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker_bench_security \ docker/docker-bench-security https://github.com/docker/docker-bench-security
  5. Docker File • Set a User • Install signed packages

    where possible, use apt-get or yum if possible! • Check GPG signatures of downloaded archives • Beware curl http://somewhere.com | bash • Docker Inc has some great examples of good practices, copy with gusto.
  6. • Image contains an operating system • Typically contains a

    few packages • Do these packages have security issues? • Shellshock • Openssl issues Images
  7. Images Provenance • Who even made this image? • Are

    they trustworthy? • How old are your images? • docker inspect can help
  8. Images Cont. • Only use a small selection of trusted

    images • Build a base image with all your standard packages • Scan these images • Rebuild them regularly
  9. Continous Integration • Build and Test our Code • Produce

    Docker images • Named based on service • These have a tag aka BuildNo • Short Git hash of Code • Use Buildkite
  10. Continuous Win • CI Server controls Images • Closed System

    • Audit trail of what went into Docker • Web servers never talk to *Hub • When the hubs are down your app will still autoscale…