
Docker Security

Talk I gave at the Docker Meetup in Melbourne on 19th of July 2016

Mark Wolfe

July 19, 2016

Transcript

  1. Docker Security
    Mark Wolfe DevOps @ Versent

  2. Welcome
    • Who is this guy?
    • @wolfeidau on twitter and Github
    • Who is Versent?
    • Yes we are hiring

  3. Situation Analysis
    • We are using Docker to build and deploy Web Applications
    • Pull images from Docker Hub
    • Clone and code software from Github
    • Install dependencies
    • Run

  4. So what is the Problem?

  5. Docker Host
    • Keep your hosts up to date
    • Please schedule automatic security updates
    • Docker daemon runs as root
    • Keep it up to date
    • Avoid --privileged if possible; this also runs as root
    • Avoid docker run -v /:/sysroot or the like

  6. Docker Security Check
    docker run -it --net host --pid host \
    --cap-add audit_control -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security
    https://github.com/docker/docker-bench-security

  7. Docker File
    • Set a User
    • Install signed packages where possible; use apt-get or yum if possible!
    • Check GPG signatures of downloaded archives
    • Beware curl http://somewhere.com | bash
    • Docker Inc. has some great examples of good practices; copy with gusto.
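As an added example (not from the talk, and not one of Docker Inc.'s own), a Dockerfile that applies this slide's points: packages from the distribution's signed apt repositories, a downloaded archive verified against a detached GPG signature and a pinned key fingerprint instead of being piped into bash, and an unprivileged USER. The tool URL, the checked-in key file, the fingerprint and the `tool` binary name are placeholders.

```dockerfile
# Added example for the "Docker File" slide (not from the talk); the tool
# URL, key file, fingerprint and binary name are placeholders.
FROM debian:stable-slim

# Packages come from the distribution's signed apt repositories; apt
# refuses repositories whose signature does not verify.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
 && rm -rf /var/lib/apt/lists/*

# Publisher's public key checked into the repo next to this Dockerfile,
# plus the fingerprint we expect that key to have (placeholder value).
COPY publisher-key.asc /tmp/publisher-key.asc
ARG TOOL_KEY_FPR=0000000000000000000000000000000000000000
ARG TOOL_URL=https://example.invalid/tool-1.0.tar.gz

# Import the key, confirm it is the key we expect, download the archive
# and its detached signature, verify, and only then unpack.
# This replaces "curl ... | bash".
RUN export GNUPGHOME="$(mktemp -d)" \
 && gpg --batch --import /tmp/publisher-key.asc \
 && gpg --batch --with-colons --fingerprint \
      | grep -q "^fpr:::::::::${TOOL_KEY_FPR}:" \
 && curl -fsSLo /tmp/tool.tar.gz     "$TOOL_URL" \
 && curl -fsSLo /tmp/tool.tar.gz.asc "$TOOL_URL.asc" \
 && gpg --batch --verify /tmp/tool.tar.gz.asc /tmp/tool.tar.gz \
 && tar -xzf /tmp/tool.tar.gz -C /usr/local/bin \
 && rm -rf "$GNUPGHOME" /tmp/tool.tar.gz /tmp/tool.tar.gz.asc /tmp/publisher-key.asc

# Run as an unprivileged user rather than root.
RUN groupadd -r app \
 && useradd -r -g app -d /app -s /usr/sbin/nologin app \
 && mkdir -p /app && chown app:app /app
USER app
WORKDIR /app
CMD ["tool"]
```

The build fails if the key's fingerprint does not match the pinned value or the signature does not verify, which is the behaviour you want when an upstream download has been tampered with.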

  8. Images
    • Image contains an operating system
    • Typically contains a few packages
    • Do these packages have security issues?
    • Shellshock
    • Openssl issues

  9. Images Provenance
    • Who even made this image?
    • Are they trustworthy?
    • How old are your images?
    • docker inspect can help

  10. Images Cont.
    • Only use a small selection of trusted images
    • Build a base image with all your standard packages
    • Scan these images
    • Rebuild them regularly

  11. Continuous Integration

  12. [Diagram: Docker Registry, CI Agent, ELB and Web Servers (Docker) in a Public Subnet]

  13. Continuous Integration
    • Build and Test our Code
    • Produce Docker images
    • Named based on service
    • These have a tag aka BuildNo
    • Short Git hash of Code
    • Use Buildkite

  14. [Diagram: the same Docker Registry, CI Agent, ELB and Web Servers (Docker) in a Public Subnet, with PUSH IMAGE and PULL IMAGE arrows between them]

  15. Continuous Win
    • CI Server controls Images
    • Closed System
    • Audit trail of what went into Docker
    • Web servers never talk to *Hub
    • When the hubs are down your app will still autoscale…

  16. Let go of bad practices

  17. Read this Book
    https://www.openshift.com/promotions/docker-security.html

  18. Questions
    • Thanks for listening
    • @wolfeidau on twitter
    • github.com/wolfeidau

  19. References
    • https://docs.docker.com/engine/security/security/
    • https://zwischenzugs.wordpress.com/2016/07/08/a-checklist-for-docker-in-the-enterprise/
    • https://github.com/docker/docker-bench-security

  20. Images
    • "Medium" by Thomas Hawk
    • "Snowying" by fiddleoak
    • "Snowstorm" by Beaulawrence
