Talk I gave at the Docker Meetup in Melbourne on 19th of July 2016
Mark Wolfe DevOps @ Versent
• Who is this guy?
• @wolfeidau on twitter and Github
• Who is Versent?
• Yes we are hiring
• We are using Docker to build and deploy Web
• Pull images from Docker Hub
• Clone and code software from Github
• Install dependencies
So what is the Problem?
• Keep your hosts up to date
• Please schedule automatic security updates
• Docker daemon runs as root
• Keep it up to date
• Avoid --privileged if possible; a privileged container also runs as root
• Avoid docker run -v /:/sysroot or the like
Docker Security Check
docker run -it --net host --pid host \
--cap-add audit_control -v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker_bench_security \
• Set a User
• Install signed packages where possible, use apt-get or yum if possible!
• Check GPG signatures of downloaded archives
• Beware curl http://somewhere.com | bash
• Docker Inc has some great examples of good practices, copy with gusto.
• Image contains an operating system
• Typically contains a few packages
• Do these packages have security issues?
• Openssl issues
• Who even made this image?
• Are they trustworthy?
• How old are your images?
• docker inspect can help
• Only use a small selection of trusted images
• Build a base image with all your standard packages
• Scan these images
• Rebuild them regularly
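As an added example (not from the talk): a script that reads `docker inspect` output and flags images that are older than a cut-off, or that have no USER set and so run their processes as root. The image names and timestamps in the embedded sample are constructed.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape of `docker inspect <image>` output, trimmed to
# the fields this check uses (names and dates are made up for the example).
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["internal/base-web:a1b2c3d"],
     "Created": "2016-07-01T10:15:00.123456789Z",
     "Config": {"User": "app"}},
    {"RepoTags": ["somebody/mystery:latest"],
     "Created": "2015-11-20T08:00:00Z",
     "Config": {"User": ""}},
])


def parse_created(created: str) -> datetime:
    """Parse Docker's RFC 3339 'Created' timestamp as UTC. Docker emits
    nanoseconds; Python's fromisoformat only accepts microseconds, so the
    extra fractional digits are dropped."""
    ts = created.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def audit_images(inspect_json: str, now: str, max_age_days: int = 30) -> list:
    """Return one finding per problem: a stale image (older than max_age_days
    relative to `now`, an RFC 3339 timestamp) or an image with no USER set."""
    findings = []
    reference = parse_created(now)
    for image in json.loads(inspect_json):
        name = (image.get("RepoTags") or ["<untagged>"])[0]
        age = reference - parse_created(image["Created"])
        if age > timedelta(days=max_age_days):
            findings.append(f"{name}: built {age.days} days ago, rebuild and rescan")
        if not image.get("Config", {}).get("User"):
            findings.append(f"{name}: no USER set, processes run as root")
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker images -q) | python audit_images.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for finding in audit_images(data, today):
        print(finding)
```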
• Build and Test our Code
• Produce Docker images
• Named based on service
• These have a tag aka BuildNo
• Short Git hash of Code
• Use Buildkite
• CI Server controls Images
• Closed System
• Audit trail of what went into Docker
• Web servers never talk to *Hub
• When the hubs are down your app will still
Let go of bad practices
Read this Book
• Thanks for listening
• @wolfeidau on twitter
• "Medium" by Thomas Hawk
• "Snowying" by fiddleoak
• "Snowstorm" by Beaulawrence