[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam
Docker containers are a fast-growing technology that has become hugely popular in the software industry. They offer amazing benefits but also present the developer with lots of security challenges. This talk will give you an introduction to Docker as well as basic security best practices. But don’t worry, we will also do some live hacking :).
The more VMs you run, the more resources you need.
A guest OS per VM means wasted resources.
Application portability is not guaranteed.
Containers virtualize at the operating system level; hypervisors virtualize at the hardware level. Hypervisors abstract the operating system from the hardware; containers abstract the application from the operating system. Hypervisors consume storage space for each instance. Containers use a single storage space plus smaller deltas for each layer and are thus much more efficient. Containers can boot and be application-ready in less than 500 ms, which creates new design opportunities for rapid scaling. Hypervisors boot according to the OS, typically 20 seconds, depending on storage speed.
Interact with audience: questions?
Do you dockerize?
How many of you know Docker?
Image: the basis of a Docker container; the content at rest.
Container: the image when it is ‘running’; the standard unit for an app service.
Engine: the software that executes commands for containers. Networking and volumes are part of the Engine. Engines can be clustered together.
Registry: stores, distributes and manages Docker images.
17 cryptomining containers on Docker Hub
Active for almost a year
Made around $90,000 (about 2 billion VND) in Bitcoin
Docker Image Security
Use official repositories as parent images
Scan images! (e.g. MicroBadger)
Sign images / verify signatures
Do not put secrets in images!
What can we do to have a safe image?
Private Registry Security
Cheap, under your control
You have to think about everything yourself!
AWS or Google or DockerHub
A secure Docker Registry
Docker Container Security
Can be more robust
Do not use --privileged
Docker runs as root by default! Run as an unprivileged user instead:
docker run --user 1001 <img>
Use security policies!
Seccomp (default profile)
What can we do to have a safe container?
docker run -it --memory=2G --memory-swap=3G ubuntu bash
# --memory-swap is the total of memory plus swap and must be at least as large as --memory
# (Docker rejects a smaller value); 2G of RAM plus 1G of swap is therefore --memory-swap=3G.
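As an added example (not from the talk), a small Python audit that reads `docker inspect` output and flags the settings this slide warns about: --privileged, running as root, a disabled seccomp profile, no memory limit, and extra capabilities. The sample JSON is constructed and trimmed to the fields the checks use.

```python
"""Audit `docker inspect` output against the container hardening tips above."""
import json

# Constructed sample of what `docker inspect <container>` returns for two
# containers, trimmed to the fields the checks need (not real output).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/weak",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined"],
                       "Memory": 0, "CapAdd": ["SYS_ADMIN"]},
    },
    {
        "Name": "/hardened",
        "Config": {"User": "1001"},
        "HostConfig": {"Privileged": False, "SecurityOpt": None,
                       "Memory": 2147483648, "CapAdd": None},
    },
])


def audit_container(c):
    """Return a list of findings for one container record."""
    findings = []
    host = c.get("HostConfig", {})
    cfg = c.get("Config", {})
    if host.get("Privileged"):
        findings.append("runs with --privileged")
    user = (cfg.get("User") or "").strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root (no --user set)")
    # A null SecurityOpt means Docker applies its default seccomp profile;
    # "seccomp=unconfined" explicitly turns it off.
    for opt in host.get("SecurityOpt") or []:
        if opt == "seccomp=unconfined":
            findings.append("default seccomp profile disabled")
    if not host.get("Memory"):          # 0 means no --memory limit
        findings.append("no --memory limit")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability added: {cap}")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in the inspect output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pipe real output in with `docker inspect $(docker ps -q)` and pass it to `audit()` to check every running container on a host.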
Docker is only as secure as the underlying host!
Make sure your system is patched and monitored!
Use minimal systems designed for this purpose as base system
Docker itself should be configured securely
Docker Host Security
Know your attack surface!
Docker: okay by default
Harden your Containers!
Test and audit regularly
Keep everything up to date
Tips: “How to be safe”!