Situation Analysis • We are using Docker to build and deploy Web Applications • Pull images from Docker Hub • Clone and code software from Github • Install dependencies • Run
Docker Host • Keep your hosts up to date • Please schedule automatic security updates • Docker daemon runs as root • Keep it up to date • Avoid --privileged if possible this is also run as root • Avoid docker run -v /:/sysroot or the like
Docker File • Set a User • Install signed packages where possible, use apt-get or yum if possible! • Check GPG signatures of downloaded archives • Beware curl http://somewhere.com | bash • Docker Inc has some great examples of good practices, copy with gusto.
• Image contains an operating system • Typically contains a few packages • Do these packages have security issues? • Shellshock • Openssl issues Images
Images Cont. • Only use a small selection of trusted images • Build a base image with all your standard packages • Scan these images • Rebuild them regularly
Continous Integration • Build and Test our Code • Produce Docker images • Named based on service • These have a tag aka BuildNo • Short Git hash of Code • Use Buildkite
Continuous Win • CI Server controls Images • Closed System • Audit trail of what went into Docker • Web servers never talk to *Hub • When the hubs are down your app will still autoscale…