September 28, 2017
VASCAN
Michael Irwin
● 2011 - Graduated (CS@VT); started full-time at VT
● Sept 2015 - Started using Docker for QA
● June 2016 - Attended first DockerCon
● August 2016 - Deployed Summit (research admin app)
○ First production IT project using Docker
○ First IT project deployed on AWS
● Sept 2016 - Started Blacksburg Docker Meetup
○ Have met monthly since then
● March 2017 - Recognized as Docker Captain
“Any sufficiently advanced technology is equivalent to magic.” - Arthur C. Clarke
“In order to truly utilize any technology, you must first understand how it works and its motivations.” - Someone, somewhere (me, now)
VASCAN - Docker and Security
● NOT a VM, but simply an isolated process
● Isolation is provided by kernel namespaces
○ Process - PID 1 in container may be PID 3753 on host
○ Network - container can have its own network interfaces/IP address/sockets
○ Mount - container can have its own root filesystem/mountpoints
○ User - root/user ID 1 in container may actually be user ID 10976 on host
○ UTS - container gets its own hostname
[Diagram: virtual machines vs. containers]
VMs: Infrastructure → Host Operating System → Hypervisor → three stacks of Guest OS → Bins/Libs → App 1 / App 2 / App 3
Containers: Infrastructure → Operating System → three stacks of Bins/Libs → App 1 / App 2 / App 3 (no hypervisor and no guest OS per app)
● A root filesystem
● Networking setup...
○ To let the container talk to the world
○ To let one container talk to others
○ To expose ports from container to host
● Various namespaces
● Launch the initial command
● Clean things up afterwards
Docker provides an integrated technology suite that enables development and IT operations teams to build, ship, and run applications anywhere.
● Build - package an application with its dependencies and environment
● Ship - share the package with all deployment environments
● Run - run, scale, and monitor your application
● Every image contains a manifest and a collection of layers
● Each layer consists of...
○ Metadata (json) - container config, reference to parent layer, etc
○ A tarball of filesystem diffs
[Diagram: shared layer tree]
Alpine Base Image → OpenJDK 9 → {Tomcat, Wildfly} → {App 1, App 2, App 3}
Alpine Base Image → Apache httpd 2.4 → {PHP 7.1, PHP 5.6} → {App 4, App 5}
● Layers can be reused by multiple children
○ Provides ability to have common base layers
● Since each layer is immutable, only one copy is needed
○ Reduces both registry and local storage requirements
● Preferred method is to create a Dockerfile
● Text-based script with commands to configure/create filesystem layers
○ Allows it to be version controlled with a project
● Each command in the Dockerfile ends up being another layer in the image
● Multi-stage builds allow final images to contain only runtime dependencies
# Stage 1: build the WAR with Maven; the JDK and Maven toolchain stay in this stage only
FROM maven:3.5-jdk-8 AS build
WORKDIR /app
COPY . .
RUN mvn package
# Stage 2: the final image carries only a JRE, Tomcat, and the built artifact
FROM tomcat:7-jre8-alpine
COPY --from=build /app/target/*.war /usr/local/tomcat/webapps/
http://lotrminecraftmod.wikia.com/wiki/File:The-one-ring.jpg
● Development
○ Developer pulls environment images and code
○ Performs development in environment
○ Pushes code
● Staging/Production
○ Images pulled on to various infrastructure (on-prem/cloud/hybrid)
● CI/CD Server
○ Builds code and runs automated test suites
○ Produces image using same environment base, but with build artifact added
○ Push to image registry
● Forces earlier collaboration with sysadmins
○ Do you actually trust your devs to come up with safe base images?
● Gives confidence that the app will work the same everywhere
○ Has allowed Summit to be deployed 49 times in the last year
● Images in registries can then be scanned for vulnerabilities!
https://www.youtube.com/watch?v=K37G2j0K8BA
[Diagram: rebasing images onto a patched parent]
Before: Alpine Base Image → OpenJDK 9 (VULNERABLE!!) → {Tomcat, Wildfly} → {App 1, App 2, App 3}
● No longer need to go to each individual machine and patch
● Simply update images to point to patched parent
After: Alpine Base Image → OpenJDK 9 (PATCHED) → {Tomcat, Wildfly} → {App 1, App 2, App 3}
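The layer-sharing and patched-parent slides above, as an added example that is not part of the talk: a small Python model of immutable layers that computes OCI DiffIDs and ChainIDs (ChainID_n = sha256(ChainID_{n-1} + " " + DiffID_n), per the OCI image spec) over constructed stand-in layer contents, counts how many layers are actually stored, and shows which images change when only the OpenJDK parent is patched.

```python
"""Model of how Docker/OCI images share immutable layers, and what happens to the
slide's tree (Alpine -> OpenJDK 9 -> Tomcat/Wildfly -> apps) when a parent is patched.

Added example, not from the original talk. Layer contents are constructed stand-ins
for real filesystem-diff tarballs; the DiffID/ChainID arithmetic follows the OCI spec.
"""
import hashlib


def sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


class Layer:
    def __init__(self, name: str, content: bytes, parent: "Layer | None" = None):
        self.name = name
        self.content = content      # constructed stand-in for the layer's diff tarball
        self.parent = parent

    @property
    def diff_id(self) -> str:
        # A layer's identity is the digest of its (uncompressed) filesystem diff.
        return sha256(self.content)

    @property
    def chain_id(self) -> str:
        # The chain ID pins this layer *and* everything beneath it, so a changed parent
        # yields a different chain ID even when this layer's own diff is unchanged.
        if self.parent is None:
            return self.diff_id
        return sha256(f"{self.parent.chain_id} {self.diff_id}".encode())

    def chain(self) -> list["Layer"]:
        """Layers from the base up to and including this one."""
        layers, cur = [], self
        while cur is not None:
            layers.append(cur)
            cur = cur.parent
        return list(reversed(layers))


def build_tree(openjdk_content: bytes) -> dict[str, Layer]:
    """Constructed version of the slide's layer tree. The OpenJDK layer body is a
    parameter so a 'patched' rebuild can be compared against the vulnerable one."""
    alpine = Layer("Alpine Base Image", b"alpine-3.6-rootfs")
    openjdk = Layer("OpenJDK 9", openjdk_content, alpine)
    tomcat = Layer("Tomcat", b"tomcat-8.5", openjdk)
    wildfly = Layer("Wildfly", b"wildfly-10", openjdk)
    httpd = Layer("Apache httpd 2.4", b"httpd-2.4", alpine)
    php71 = Layer("PHP 7.1", b"php-7.1", httpd)
    php56 = Layer("PHP 5.6", b"php-5.6", httpd)
    return {
        "App 1": Layer("App 1", b"app1.war", tomcat),
        "App 2": Layer("App 2", b"app2.war", tomcat),
        "App 3": Layer("App 3", b"app3.war", wildfly),
        "App 4": Layer("App 4", b"app4-src", php71),
        "App 5": Layer("App 5", b"app5-src", php56),
    }


def unique_layer_count(images: dict[str, Layer]) -> tuple[int, int]:
    """(layers if every image were stored whole, layers actually stored once each)."""
    total = sum(len(img.chain()) for img in images.values())
    unique = {layer.diff_id for img in images.values() for layer in img.chain()}
    return total, len(unique)


def images_needing_rebuild(before: dict[str, Layer], after: dict[str, Layer]) -> list[str]:
    """Images whose top-level chain ID changed because a parent layer was replaced."""
    return sorted(name for name in before if before[name].chain_id != after[name].chain_id)


if __name__ == "__main__":
    vulnerable = build_tree(b"openjdk-9-b181")       # constructed: the "VULNERABLE!!" parent
    patched = build_tree(b"openjdk-9-b181-patched")  # constructed: the "PATCHED" parent
    print("layers (naive, deduplicated):", unique_layer_count(vulnerable))
    print("images to rebuild after patching OpenJDK:", images_needing_rebuild(vulnerable, patched))
```

The App 4/App 5 images keep their chain IDs because they never descend from OpenJDK, which is exactly why only the Java images need to be rebuilt and redeployed.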
● Hosts only need to run containers
○ Reduces potential attack vectors
○ Reduces number of things that need to be patched
● Makes host machines easily replaceable
○ No need to have direct access to the machine to "make tweaks"
○ Lock yourself out of production
"Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces. When using a container-specific host OS, attack surfaces are typically much smaller than they would be with a general-purpose host OS, so there are fewer opportunities to attack and compromise a container-specific host OS. Accordingly, whenever possible, organizations should use container-specific host OSs to reduce their risk. However, it is important to note that container-specific host OSs will still have vulnerabilities over time that require remediation."
- NIST draft Application Container Security Guide
● Deployment (and patching) becomes…
○ Spin up new hosts
○ Start containers on new hosts
○ Transfer traffic to new containers
○ Burn down old machines
● Base from official images as much as possible
● Keep images as minimal as possible
○ Install only what you need
○ Use multi-stage builds to keep final images focused
● Use --privileged very, very sparingly
○ Treat such a container as any other process running as root
● Run containers in read-only mode (if possible)
● Limit user capabilities by using AppArmor, seccomp, SELinux
● Sign images when pushing to repos using
● Use Docker Bench benchmark to evaluate container host security
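The checklist above, turned into a Docker Bench-style audit as an added example (not from the talk and not Docker Bench itself): it reads the shape of `docker inspect` output (Config.User, HostConfig.Privileged, HostConfig.ReadonlyRootfs, HostConfig.CapAdd/CapDrop, HostConfig.SecurityOpt) and flags --privileged, writable root filesystems, disabled seccomp/AppArmor/SELinux profiles and root users. The two container records are constructed sample data; the capability-drop and no-new-privileges checks go a step beyond the slide's list.

```python
"""Audit running containers against the hardening checklist from the slides.

Added example, not part of the original talk. It consumes `docker inspect`-style
JSON; the two records below are constructed samples, not real hosts.
"""
import json

# Constructed `docker inspect` output: one container run with --privileged and the
# defaults, one run with the slide's recommendations applied.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/legacy-app",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "ReadonlyRootfs": False,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "SecurityOpt": ["seccomp=unconfined"],
        },
    },
    {
        "Name": "/summit-web",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "ReadonlyRootfs": True,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges"],
        },
    },
])

# SecurityOpt values that switch off the kernel-enforced profiles the slide lists.
UNCONFINED_OPTS = {"seccomp=unconfined", "apparmor=unconfined", "label=disable"}


def audit_container(record: dict) -> list[str]:
    """Return the checklist items a single `docker inspect` record violates."""
    findings = []
    host = record.get("HostConfig", {})
    user = record.get("Config", {}).get("User", "") or ""
    sec_opts = host.get("SecurityOpt") or []

    if host.get("Privileged"):
        # --privileged grants every capability and all host devices: treat it as root on the host.
        findings.append("runs with --privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    if host.get("CapAdd"):
        findings.append("adds capabilities: " + ",".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("keeps the default capability set (no --cap-drop ALL)")
    if UNCONFINED_OPTS.intersection(sec_opts):
        findings.append("disables seccomp/AppArmor/SELinux confinement")
    if "no-new-privileges" not in sec_opts:
        findings.append("allows setuid privilege escalation (no no-new-privileges)")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root inside the container")
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for every record in `docker inspect` output."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # Against a live host: docker inspect $(docker ps -q) | python3 this_script.py
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("   - " + finding)
```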
● Start experimenting… you’re already doing most of the work
● You don’t need to do everything Day One
○ Still deploy on the hosts you’re using, but move artifacts using Docker
● Twitter - @mikesir87
● Email - mikesir@vt.edu
● Docker Blacksburg Meetup (or another one near your location)
● Docker Community Slack