Docker Security

Talk I gave at the Docker Meetup in Melbourne on 19th of July 2016

Mark Wolfe

July 19, 2016
Transcript

  1. Docker Security
     Mark Wolfe, DevOps @ Versent

  2. Welcome
     • Who is this guy?
     • @wolfeidau on twitter and Github
     • Who is Versent?
     • Yes we are hiring

  3. Situation Analysis
     • We are using Docker to build and deploy Web Applications
     • Pull images from Docker Hub
     • Clone and code software from Github
     • Install dependencies
     • Run

  4. So what is the Problem?

  5. Docker Host
     • Keep your hosts up to date
     • Please schedule automatic security updates
     • Docker daemon runs as root
     • Keep it up to date
     • Avoid --privileged if possible; this also runs as root
     • Avoid docker run -v /:/sysroot or the like

  6. Docker Security Check
     docker run -it --net host --pid host \
       --cap-add audit_control -v /var/lib:/var/lib \
       -v /var/run/docker.sock:/var/run/docker.sock \
       -v /usr/lib/systemd:/usr/lib/systemd \
       -v /etc:/etc --label docker_bench_security \
       docker/docker-bench-security
     https://github.com/docker/docker-bench-security

  7. Docker File
     • Set a User
     • Install signed packages where possible; use apt-get or yum if possible!
     • Check GPG signatures of downloaded archives
     • Beware curl http://somewhere.com | bash
     • Docker Inc. has some great examples of good practices; copy with gusto.
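Putting the points on this slide into practice, as an added example that is not from the talk: a Dockerfile that installs only through apt, verifies a downloaded archive's GPG signature against a pinned key fingerprint, and drops to an unprivileged user. The archive URL, key fingerprint, keyserver and the extracted app layout are placeholders.

```dockerfile
# Added example, not from the talk. Placeholders: ARCHIVE_URL, KEY_FINGERPRINT,
# the keyserver, and the extracted layout (bin/app) stand in for a real project.
FROM debian:stable-slim

# Install what we need through apt only: the package manager checks the
# distribution's release signatures, so these packages are signed for us.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
 && rm -rf /var/lib/apt/lists/*

# Third-party archive: fetch it with its detached signature, import the
# upstream signing key pinned by its full fingerprint (placeholder value;
# take the real one from the project's release notes, not from the same
# download that ships the archive), confirm the imported key really has
# that fingerprint, and verify the signature before extracting anything.
# Nothing here is piped from the network into a shell.
ARG ARCHIVE_URL=https://example.invalid/app-1.2.3.tar.gz
ARG KEY_FINGERPRINT=0000000000000000000000000000000000000000
RUN set -eux; \
    curl -fsSLo /tmp/app.tar.gz "$ARCHIVE_URL"; \
    curl -fsSLo /tmp/app.tar.gz.asc "$ARCHIVE_URL.asc"; \
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$KEY_FINGERPRINT"; \
    gpg --batch --with-colons --list-keys | grep -q "^fpr:::::::::${KEY_FINGERPRINT}:"; \
    gpg --batch --verify /tmp/app.tar.gz.asc /tmp/app.tar.gz; \
    mkdir -p /opt/app; \
    tar -xzf /tmp/app.tar.gz -C /opt/app --strip-components=1; \
    rm -rf "$GNUPGHOME" /tmp/app.tar.gz /tmp/app.tar.gz.asc

# Run the service as an unprivileged user, not as root.
RUN groupadd -r app \
 && useradd -r -g app -d /opt/app -s /usr/sbin/nologin app \
 && chown -R app:app /opt/app
USER app
WORKDIR /opt/app
CMD ["bin/app"]
```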
  8. Images
     • Image contains an operating system
     • Typically contains a few packages
     • Do these packages have security issues?
     • Shellshock
     • OpenSSL issues

  9. Images Provenance
     • Who even made this image?
     • Are they trustworthy?
     • How old are your images?
     • docker inspect can help

  10. Images Cont.
     • Only use a small selection of trusted images
     • Build a base image with all your standard packages
     • Scan these images
     • Rebuild them regularly

  11. Continuous Integration

  12. (diagram: Docker Registry, CI Agent, ELB, Web Servers (Docker), Public Subnet)

  13. Continuous Integration
     • Build and Test our Code
     • Produce Docker images
     • Named based on service
     • These have a tag aka BuildNo
     • Short Git hash of Code
     • Use Buildkite

  14. (diagram: same components as slide 12, with PUSH IMAGE and PULL IMAGE arrows)

  15. Continuous Win
     • CI Server controls Images
     • Closed System
     • Audit trail of what went into Docker
     • Web servers never talk to *Hub
     • When the hubs are down your app will still autoscale…

  16. Let go of bad practices

  17. Read this Book
     https://www.openshift.com/promotions/docker-security.html

  18. Questions
     • Thanks for listening
     • @wolfeidau on twitter
     • github.com/wolfeidau
     • [email protected]

  19. References
     • https://docs.docker.com/engine/security/security/
     • https://zwischenzugs.wordpress.com/2016/07/08/a-checklist-for-docker-in-the-enterprise/
     • https://github.com/docker/docker-bench-security

  20. Images
     • "Medium" by Thomas Hawk
     • "Snowying" by fiddleoak
     • "Snowstorm" by Beaulawrence