Docker Security

Docker Security Mark Wolfe DevOps @ Versent

Welcome • Who is this guy? • @wolfeidau on twitter
and Github • Who is Versent? • Yes we are hiring

Situation Analysis • We are using Docker to build and
deploy Web Applications • Pull images from Docker Hub • Clone and code software from Github • Install dependencies • Run

So what is the Problem?

Docker Host • Keep your hosts up to date •
Please schedule automatic security updates • Docker daemon runs as root • Keep it up to date • Avoid --privileged if possible this is also run as root • Avoid docker run -v /:/sysroot or the like

Docker Security Check docker run -it --net host --pid host
\ --cap-add audit_control -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker_bench_security \ docker/docker-bench-security https://github.com/docker/docker-bench-security

Docker File • Set a User • Install signed packages
where possible, use apt-get or yum if possible! • Check GPG signatures of downloaded archives • Beware curl http://somewhere.com | bash • Docker Inc has some great examples of good practices, copy with gusto.

• Image contains an operating system • Typically contains a
few packages • Do these packages have security issues? • Shellshock • Openssl issues Images

Images Provenance • Who even made this image? • Are
they trustworthy? • How old are your images? • docker inspect can help

Images Cont. • Only use a small selection of trusted
images • Build a base image with all your standard packages • Scan these images • Rebuild them regularly

Continuous Integration

Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet

Continous Integration • Build and Test our Code • Produce
Docker images • Named based on service • These have a tag aka BuildNo • Short Git hash of Code • Use Buildkite

Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet
PUSH PULL IMAGE IMAGE

Continuous Win • CI Server controls Images • Closed System
• Audit trail of what went into Docker • Web servers never talk to *Hub • When the hubs are down your app will still autoscale…

Let go of bad practices

Read this Book https://www.openshift.com/promotions/docker-security.html

Questions • Thanks for listening • @wolfeidau on twitter •
github.com/wolfeidau • [email protected]

References • https://docs.docker.com/engine/security/security/ • https://zwischenzugs.wordpress.com/2016/07/08/ a-checklist-for-docker-in-the-enterprise/ • https://github.com/docker/docker-bench-security

Images • "Medium" by Thomas Hawk • "Snowying" by ﬁddleoak
• "Snowstorm" by Beaulawrence

Docker Security

Docker Security

Mark Wolfe

More Decks by Mark Wolfe

Other Decks in Technology

Featured

Transcript

Docker Security Mark Wolfe DevOps @ Versent

Welcome • Who is this guy? • @wolfeidau on twitter

Situation Analysis • We are using Docker to build and

So what is the Problem?

Docker Host • Keep your hosts up to date •

Docker Security Check docker run -it --net host --pid host

Docker File • Set a User • Install signed packages

• Image contains an operating system • Typically contains a

Images Provenance • Who even made this image? • Are

Images Cont. • Only use a small selection of trusted

Continuous Integration

Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet

Continous Integration • Build and Test our Code • Produce

Docker Registry CI Agent ELB Web Servers (Docker) Public Subnet

Continuous Win • CI Server controls Images • Closed System

Let go of bad practices

Read this Book https://www.openshift.com/promotions/docker-security.html

Questions • Thanks for listening • @wolfeidau on twitter •

References • https://docs.docker.com/engine/security/security/ • https://zwischenzugs.wordpress.com/2016/07/08/ a-checklist-for-docker-in-the-enterprise/ • https://github.com/docker/docker-bench-security

Images • "Medium" by Thomas Hawk • "Snowying" by ﬁddleoak