Situation Analysis • We are using Docker to build and deploy Web Applications • Pull images from Docker Hub • Clone and code software from Github • Install dependencies • Run
Docker Host • Keep your hosts up to date • Please schedule automatic security updates • Docker daemon runs as root • Keep it up to date • Avoid --privileged if possible this is also run as root • Avoid docker run -v /:/sysroot or the like
Docker File • Set a User • Install signed packages where possible, use apt-get or yum if possible! • Check GPG signatures of downloaded archives • Beware curl http://somewhere.com | bash • Docker Inc has some great examples of good practices, copy with gusto.
• Image contains an operating system • Typically contains a few packages • Do these packages have security issues? • Shellshock • Openssl issues Images
Images Cont. • Only use a small selection of trusted images • Build a base image with all your standard packages • Scan these images • Rebuild them regularly
Continous Integration • Build and Test our Code • Produce Docker images • Named based on service • These have a tag aka BuildNo • Short Git hash of Code • Use Buildkite
Continuous Win • CI Server controls Images • Closed System • Audit trail of what went into Docker • Web servers never talk to *Hub • When the hubs are down your app will still autoscale…
wolfeidau
oldbigbuddha
utam0k
tkhresk
shkitayama
fedepaol
shomaekawa
sansantech
palark
bun913
chiroito
lemiorhan
oracle4engineer
hursman
lara
chriscoyier
matthewcrist
paigeccino
holman
gr2m
cromwellryan
ammeep
mojombo
lauravandoore
samanthasiow