1/29/2016 Docker Security Introduction
http://159.203.15.183:8080/#/ 1/59
DOCKER SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY
(https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
@fsmontenegro
ABOUT US - RICARDO
Senior IT Consultant
Network Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
@ricardogerardi
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications in a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux Kernel (3.8+)
Namespaces
cgroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers not as isolated as VMs.
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure Registry/Mirror Access
Getting trustworthy images
trusted sources - Docker Hub, private registry
building secure
Docker Content Trust (1.8) [Notary]
"only signed content in production"
Yubico Keys
DOCKER'S PROJECT NAUTILUS
Docker securing images on Docker Hub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions
Vault & Keywhiz
Embedded in orchestration (Kubernetes)
Custom solutions
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO, controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
r/o FileSystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
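
Added example (not from the original slides): a small auditor that reads `docker inspect` JSON and reports where a container misses the hardening points listed above (read-only filesystem, dropped capabilities, seccomp) or carries secret-looking ENV variables, which the secrets-management slide advises against. The finding names, the high-risk capability set and the sample data are this example's own assumptions.

```python
import json
import re

# Variable names that suggest a secret is being passed through ENV (assumed pattern).
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Docker has accepted both "seccomp=unconfined" and the older "seccomp:unconfined".
SECCOMP_OFF = re.compile(r"^seccomp[=:]unconfined$", re.I)
# Capabilities this example treats as high risk when added back (assumed list).
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                  "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed sample shaped like trimmed `docker inspect <container>` output.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-loose",
   "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only"]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                  "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "/web-tight",
   "Config": {"Env": ["PATH=/usr/bin"]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                  "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                  "SecurityOpt": null}}
]
""")


def _caps(values):
    """Normalise a CapAdd/CapDrop list (may be null) to upper case without CAP_."""
    names = []
    for value in values or []:
        name = value.upper()
        names.append(name[4:] if name.startswith("CAP_") else name)
    return names


def audit_container(container):
    """Return a list of finding strings for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        # --privileged grants all capabilities and bypasses the seccomp profile.
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs-writable")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("caps-not-dropped")
    for cap in _caps(host.get("CapAdd")):
        if cap in HIGH_RISK_CAPS:
            findings.append("cap-added:" + cap)
    if any(SECCOMP_OFF.match(opt) for opt in (host.get("SecurityOpt") or [])):
        findings.append("seccomp-unconfined")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            # Report the variable name only, never its value.
            findings.append("env-secret:" + name)
    return findings


def audit(containers):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

On a live host the same functions can be fed the parsed output of `docker inspect` for the running containers.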
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Baremetal (on Linux)
Virtual Machines
IaaS, OpenStack, etc
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION/SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host Monitoring x Container Monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative

 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Docker security - TASK Jan 2016

  • 1. DOCKER SECURITY: Fernando Montenegro, CISSP - @fsmontenegro; Ricardo Gerardi - @ricardogerardi; TASK Jan 27, 2016
  • 2. WHY ARE WE HERE? Google Trends: "Microservices"
  • 3. Google Trends: "Docker"
  • 4. Google Trends: "Kubernetes"
  • 5. MICROSERVICES? (Source: F5)
  • 6. MICROSERVICES: "Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context." Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
  • 7. SIGNIFICANT BENEFITS: Support CI/CD practices; Easier to achieve scale; Operational benefits of "DevOps"
  • 8. DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/): Two schools of thought: Containers as up&down microservices; Containers as "lightweight servers" that stay up
  • 11. WHAT WE FOUND
  • 13. ABOUT US - FERNANDO: Sales Engineer; Online Fraud; Network Security; CompSci ’94; Greying hair; Curious; Finance (DIY); Economics (EMH, Behaviour); Data Science (Coursera); @fsmontenegro
  • 14. ABOUT US - RICARDO: Senior IT Consultant; Network Management/Monitoring; IBM Netcool Certified; Uncertified father (2x); Interests: Linux/UNIX, Emerging technologies, Data Science; @ricardogerardi
  • 15. DOCKER INTRO
  • 16. WHAT IS DOCKER? DOCKER, THE PLATFORM: Docker is a container based platform used to package and run applications in a variety of systems. DOCKER, THE COMPANY: Docker Inc. (https://www.docker.com/company)
  • 17. SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE; OLD WAY - HOSTED APPLICATIONS
  • 18. VIRTUAL MACHINES
  • 19. ENTER THE CONTAINER
  • 20. WHY DOCKER? Linux containers: around for a long time (Open VZ, LXC, etc); not very "friendly". Docker streamlines the process and makes it very easy to create and use containers. Speed (Development/Scalability); Portability; Driver to DevOps and Microservices
  • 21. WHAT DO YOU NEED TO RUN DOCKER? Recent Linux Kernel (3.8+); Namespaces; cGroups; Network connection
  • 22. DOCKER ARCHITECTURE IN A NUTSHELL (Source: https://www.docker.com/what-docker)
  • 23. Source: https://docs.docker.com/engine/introduction/understanding-docker/
  • 24. DOCKER DEMO
  • 25. DOCKER SECURITY
  • 26. FIRST THINGS FIRST... Containers vs. VMs? Containers not as isolated as VMs, but much more isolated than processes... (cgroups & namespaces); Containers are OS-dependent; Containers for multi-tenancy? Not so fast...; Containers & VMs :-)
  • 27. SECURITY FOR DOCKER: How to secure the Docker "pipeline"; How to secure Docker containers themselves
  • 28. SECURITY FOR DOCKER IMAGES: Secure Registry/Mirror Access; Getting trustworthy images: trusted sources - docker hub, private registry; building secure; Docker Content Trust (1.8) [Notary]: "only signed content in production"; Yubico Keys
  • 29. DOCKER'S PROJECT NAUTILUS: Docker securing images on DockerHub; Image security; Component inventory/license management; Image optimization; Basic functional testing
  • 30. CLAIR BY COREOS: Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/; Available on Quay Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
  • 31. OTHER CONSIDERATIONS: Containers are stateless; Can mount additional volumes; How to do Secrets Management? ENV variables - not recommended; Key/Value Pair solutions (Vault & Keywhiz); Embedded in orchestration (Kubernetes); Custom solutions
  • 32. SECURITY FROM DOCKER: How to contain Docker & containers?
  • 33. NAMESPACES & CGROUPS: PID – process isolation; Network – NICs, IPs, routing tables et al.; UTS – hostnames; Mount – filesystem layouts/properties; IPC – interprocess communication; User – users ("root" != root); Control groups: resource utilization (RAM, swap, CPU, IO, controls)
  • 34. ADDITIONAL FEATURES: capabilities - add or drop capabilities; seccomp - filtering of system calls; network isolation via iptables; limit inter-container communication
  • 35. SECURITY BY DOCKER: Leveraging Docker features for security
  • 36. LEVERAGING DOCKER FOR SECURITY: microservice -> reduced attack surface; enforce content trust to protect production; r/o FileSystems; drop capabilities when possible; seccomp - filtering system calls; journaled changes
  • 37. OPERATIONS AND ECOSYSTEM
  • 38. WHERE TO DEPLOY DOCKER? ON PREMISES: Baremetal (on Linux); Virtual Machines; IaaS, OpenStack, etc
  • 39. PUBLIC CLOUD PROVIDERS
  • 40. PAAS PROVIDERS
  • 41. ORCHESTRATION/SCHEDULING
  • 42. NETWORKING: BASIC NETWORKING
  • 43. OVERLAY NETWORKING
  • 44. MONITORING CHALLENGES: Scalability (100s of containers in a single host); Host Monitoring x Container Monitoring; Container instrumentation (1 process/container philosophy); API instability
  • 45. CONTAINER MONITORING SOLUTIONS: Sysdig Cloud; Weaveworks; New Relic; Google cAdvisor
  • 46. CONTAINER LOG MANAGEMENT: ELK Stack; Splunk
  • 47. WRAPPING UP
  • 48. LOOKING AT THE FUTURE: Containers exist in a continuum of options. Unikernels: one degree further; compile kernel for application; Undebuggable? Serverless Architecture? AWS Lambda; Azure Service Fabric; potentially bad idea?
  • 50. WRAPPING UP: Docker Security "Anti-Patterns": free-for-all (unrestricted containers in Prod); treating containers as servers. Recommendations for Security: Don't try to stop it!!!; recognize massive potential for disruption; no agents on containers; watch for outbound traffic; keep up to date (news!); rethink approach ("cattle, not pets")
  • 51. DOCKER ALL OVER: Last few weeks of news: Docker buys Unikernel; Arista announces Container support in EOS; Citrix supports NetScaler as Container; Amazon announces Docker 1.9 support
  • 52. RESOURCES! Twitterfolk:
  • 53. @mattnowina - AWS architect, tons of Docker links; @diogomonica - Docker Security; @frazelledazzell - Tons of Container work; @nigelpoulton - Pluralsight course; @mierdin - KeepingItClassless, TechFieldDay; @Sirupsen - WebScale @ Shopify; @blinken_lichten - DevOps; @jaybeale - Shmoocon 2016 preso; @docker and @dockercon - Company & Conference; @kubeconio - Kubernetes confab. Websites: DockerBench - Checklist; TheNewStack - portal of all things "modern" stacks; Packet Pushers - Network-focused approach; RunC - Open Container Initiative
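
The hardening points on slides 31 and 36 (no secrets in ENV variables, read-only filesystems, dropped capabilities, seccomp filtering) can be checked against running containers. The script below is an added example, not part of the original deck: it audits records shaped like `docker inspect` output, and the sample records, container names and the secret-name pattern are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like `docker inspect` output (not captured from a real host).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web-hardened",
  "Config": {"Env": ["PATH=/usr/bin", "LOG_LEVEL=info"]},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                 "SecurityOpt": null}},
 {"Name": "/legacy-app",
  "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=constructed-example"]},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false,
                 "CapAdd": null, "CapDrop": null,
                 "SecurityOpt": ["seccomp=unconfined"]}}
]
""")

# Assumed heuristic for secret-looking variable names; tune for your environment.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def audit_container(c):
    """Return the list of findings for one `docker inspect` record."""
    host = c.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode: capability and device restrictions lifted")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    if not host.get("CapDrop"):
        findings.append("no capabilities dropped (no --cap-drop)")
    # Older engines write 'seccomp:unconfined', newer ones 'seccomp=unconfined'.
    if any(re.fullmatch(r"seccomp[:=]unconfined", o) for o in host.get("SecurityOpt") or []):
        findings.append("seccomp filtering disabled")
    for env in (c.get("Config") or {}).get("Env") or []:
        name = env.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-looking ENV variable: {name}")
    return findings

def audit(records):
    """Map container name -> findings for every inspected container."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a real host, pass the parsed JSON from `docker inspect` on the running container IDs to `audit()` in place of the sample.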