When you are designing a production environment, security is essential. The whole Docker ecosystem, and Docker Swarm in particular, lets us ship our containers off our laptops; how can we make this process safe? During my talk, I will share tips around the production environment and immutability, and show how to troubleshoot common attacks such as code injection with Docker, using static analysis of our images and content trust with Notary to make our journey secure.
How can we set up a cluster on the main cloud providers with a VPN and node labeling so that only a portion of our cluster is exposed? I will also show what Docker provides (Content Trust, Static Analysis) as well as open source alternatives such as Notary, CoreOS Clair and Cilium.
By the end of this talk, we will have a better idea of how to manage Docker in production.
I am Gianluca Arbezzano
Site Reliability Engineer at InfluxDB
OSS maintainer and Docker Captain
You can find me:
@gianarb on Twitter and GitHub
Play Safe - a free ebook about Container Security.
I wrote an ebook (~55 pages) about Docker and Container Security. It comes from my daily experience deploying and making containers secure.
CoreOS Clair, Apparmor, SwarmKit, Notary, Cilium and a
Get it http://scaledocker.com
Leave your email and you will receive the ebook.
easy to do
Otherwise your colleagues will be the perfect
It’s valid for Orchestration and
BPF - github.com/cilium/cilium
BPF is a highly flexible and efficient virtual machine-like construct in the Linux kernel that allows bytecode to be executed at various hook points in a safe manner. It is used in a number of Linux kernel subsystems, most prominently networking, tracing and
There are a lot of
1. At regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
2. Clients use the Clair API to index their container images; this parses the list of installed source packages and stores it in the database.
3. Clients use the Clair API to query the database; the correlation is done in real time, rather than returning a cached result that needs re-scanning.
4. When vulnerability metadata is updated, a webhook containing the affected images can be configured to page someone or block deployments.