Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Docker Security

Docker Security

Talk I gave at the Docker Meetup in Melbourne on 19th of July 2016


Mark Wolfe

July 19, 2016


  1. Docker Security Mark Wolfe DevOps @ Versent

  2. Welcome • Who is this guy? • @wolfeidau on twitter

    and Github • Who is Versent? • Yes we are hiring
  3. Situation Analysis • We are using Docker to build and

    deploy Web Applications • Pull images from Docker Hub • Clone and code software from Github • Install dependencies • Run
  4. So what is the Problem?

  5. Docker Host • Keep your hosts up to date •

    Please schedule automatic security updates • Docker daemon runs as root • Keep it up to date • Avoid --privileged if possible this is also run as root • Avoid docker run -v /:/sysroot or the like
  6. Docker Security Check docker run -it --net host --pid host

    \ --cap-add audit_control -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker_bench_security \ docker/docker-bench-security https://github.com/docker/docker-bench-security
  7. Docker File • Set a User • Install signed packages

    where possible, use apt-get or yum if possible! • Check GPG signatures of downloaded archives • Beware curl http://somewhere.com | bash • Docker Inc has some great examples of good practices, copy with gusto.
  8. • Image contains an operating system • Typically contains a

    few packages • Do these packages have security issues? • Shellshock • Openssl issues Images
  9. Images Provenance • Who even made this image? • Are

    they trustworthy? • How old are your images? • docker inspect can help
  10. Images Cont. • Only use a small selection of trusted

    images • Build a base image with all your standard packages • Scan these images • Rebuild them regularly
  11. Continuous Integration

  12. Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet

  13. Continous Integration • Build and Test our Code • Produce

    Docker images • Named based on service • These have a tag aka BuildNo • Short Git hash of Code • Use Buildkite
  14. Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet

  15. Continuous Win • CI Server controls Images • Closed System

    • Audit trail of what went into Docker • Web servers never talk to *Hub • When the hubs are down your app will still autoscale…
  16. Let go of bad practices

  17. Read this Book https://www.openshift.com/promotions/docker-security.html

  18. Questions • Thanks for listening • @wolfeidau on twitter •

    github.com/wolfeidau • mark@wolfe.id.au
  19. References • https://docs.docker.com/engine/security/security/ • https://zwischenzugs.wordpress.com/2016/07/08/ a-checklist-for-docker-in-the-enterprise/ • https://github.com/docker/docker-bench-security

  20. Images • "Medium" by Thomas Hawk • "Snowying" by fiddleoak

    • "Snowstorm" by Beaulawrence