DCSF19 Tips and Tricks of the Docker Captains - Docker, Inc.
Brandon Mitchell, BoxBoat
Docker Captain Brandon Mitchell will help you accelerate your adoption of Docker containers by delivering tips and tricks on getting the most out of Docker. Topics include managing disk usage, preventing subnet collisions, debugging container networking, understanding image layers, getting more value out of the default volume driver, and solving the UID/GID permission issues with volumes in a way that allows images to be portable from any developer laptop and to production.
Docker Practice for beginner.
- docker install on ubuntu 18.04 LTS
- docker pull/push
- making docker-compose file which serving spring-boot+ mySql application
DCSF 19 Deploying Rootless BuildKit on Kubernetes - Docker, Inc.
DockerCon Open Source Summit: BuildKit
Akihiro Suda, NTT Corporation
Building images on Kubernetes is attractive for distributing workload across multiple nodes, typically in a CI/CD pipeline. However, it had been considered dangerous because of the dependency on `securityContext.privileged`.
In this talk, Akihiro will show how to use Rootless BuildKit in Kubernetes, which can be executed as a non-root user without extra `securityContext` configuration.
This presentation will show you how to use and quickly benefit from Docker, which commands to use and which features are available.
sfPot de Lille - 15 January 2015
Slides for my talk at the Blue4IT meeting in Utrecht. It shows you how to run everything in a Docker container. You can run the DTAP environment, the build environment and the development environment (including IDE) in Docker.
kubernetes install and practice
* Environment (bare metal installation, not using cloud service)
- VM 1 : Master node, 30GB, 2 vCPU, 4GB Mem
- VM 2 : Worker node, 30GB, 2 vCPU, 4GB Mem
* Practice
- deploying pod, make a deployment and service
- expose service using ingress(nginx-ingress)
Vincent Ruijter - ~Securing~ Attacking Kubernetes - hacktivity
This talk's focus lies on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
While there have been many improvements around securing containers, there is still a large gap in monitoring the behaviour of containers in production. Sysdig Falco is an open source behavioural activity monitor for containerized environments.
Sysdig Falco can detect and alert on anomalous behaviour at the application, file, system, and network level. In this session get a deep dive into Falco: How does behavioural security differ from existing security solutions like image scanning, seccomp, SELinux or AppArmor? What can Sysdig Falco detect? Building and customizing rules for your Docker and Kubernetes apps. Forensics analysis with Sysdig Inspect even when the container doesn't exist anymore!
Read more on:
https://sysdig.com/blog/docker-runtime-security/
https://sysdig.com/blog/runtime-security-kubernetes-sysdig-falco/
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T... - Docker, Inc.
At Docker, we are striving to enable the extensibility of Docker via "Plugins" and make them available for developers and enterprises alike. Come attend this talk to understand what it takes to build, ship, store and run plugins. We will deep dive into plugin lifecycle management on a single engine and across a swarm cluster. We will also demonstrate how you can integrate plugins from other enterprises or developers into your ecosystem. There will be fun demos accompanying this talk! This session will be beneficial to you if you: 1) are an ops team member trying to integrate Docker with your favorite storage or network vendor; 2) are interested in extending or customizing Docker; or 3) want to become a Docker partner and want to make the technology integration seamless.
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach - PROIDEA
This session covers a bunch of tips and tricks for getting the most out of Docker. The tips were inspired by suggestions, blogs, and presentations and everyday challenges encountered by other Docker Captains but also the members of the Docker community. Come and see the unobvious and unexpected in terms of orchestration, image creation and management, also networking and volumes!
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted it in our organization we have experienced several benefits: lower project setup times, better shared knowledge among team members, fewer wtf moments ;-)
In this session I'd like to share our experience, including but not limited to:
- advanced vagrantfile configuration
- vm configuration tips for dev environment: performance, debug, tuning
- our wtf moments
- PuPHPet/Phansible: hot or not?
- tips for sharing a box
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended; participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove - Docker, Inc.
Dockerfiles are great. They provide a zero-barrier-to-entry format for describing a single Docker image which is immediately clear to anyone reading them. But with that simplicity come problems that become apparent as your adoption of Docker gathers pace.
* Dockerfiles can inherit from other Docker images, but images are not Dockerfiles
* Dockerfile provides no built-in mechanism for creating abstractions, so as usage grows identical or similar instructions can be duplicated across many files
* The Docker API exposes a build endpoint, but the API is very coarse, taking the Dockerfile as the transport rather than exposing the individual instructions
* Dockerfiles are just that, files. So they can come from anywhere
The one-layer-per-line limitation of a Dockerfile can lead to an explosion of layers, which fail to take advantage of the promised space and performance benefits.
Bartosz Tkaczewski - Adventures with Docker, continued
http://www.tsh.io
Docker is noticeable almost everywhere by now. In this presentation you will see a working development environment, learn a few tricks for handling it well and working with it efficiently, and see how quickly a simple project can be extended with advanced application stacks (using ELK as the example). I will also try to describe how to deal with this little monster in production.
Presentation from Uszanowanko Programowanko #16 - http://www.meetup.com/Uszanowanko-Programowanko/events/234826115/
About 94% of AI adopters are planning to use containers in the next year. What's driving this exponential growth? Faster time to deployment and faster AI workload processing are the two major reasons. You can use GPUs in big data applications such as machine learning, data analytics, and genome sequencing. Docker containerization makes it easier for you to package and distribute applications. You can enable GPU support when using YARN on Docker containers. In this talk, I will demonstrate how Docker accelerates AI workload development and deployment on IoT edge devices in an efficient manner.
In addition to authorization policies that control what a user can do, OpenShift Container Platform gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting pods and securing their cluster.
The default security context may be too restrictive for containers pulled down from Docker Hub; through this talk we'll explore the various steps to execute for enabling the required permissions on selected OpenShift pods.
Streamline your development environment with Docker - Giacomo Bagnoli
These days applications are getting more and more complex. It's becoming quite difficult to keep track of all the different components an application needs in order to function (a database, a message queueing system, a web server, a document store, a search engine, you name it). How many times have we heard 'it worked on my machine'? In this talk we are going to explore Docker, what it is, how it works and how much it can help in keeping the development environment consistent. We are going to talk about Dockerfiles, best practices, tools like fig and vagrant, and finally show an example of how it applies to a Ruby on Rails application.
Running the Oracle SOA Suite Environment in a Docker Container - Guido Schmutz
Docker is all about making it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. Docker helps creating, moving and duplicating environments.
This presentation will give an introduction to Docker, the ideas behind containerization and explain why there is so much hype around Docker and why you should be taking notice. I will show how Docker containers can be used to setup different environments, such as SOA Suite, Service Bus, Business Activity Monitoring and Event Processing and Stream Explorer. The talk will also include various short live demos.
Docker has created enormous buzz in the last few years. Docker is an open-source software containerization platform. It provides the ability to package software into standardised units for software development. In this hands-on introductory session, I introduce the concept of containers, provide an overview of Docker, and take the participants through the steps for installing Docker. The main session involves using the Docker CLI (Command Line Interface): all the concepts such as images, managing containers, and getting useful work done are illustrated step-by-step by running commands.
Beyond Golden Containers: Complementing Docker with Puppet - lutter
Often, Docker or more generally containers and immutable infrastructure are viewed as a replacement for configuration management. This talk explains why that is not the case, and that they are in fact complementary.
Containers move the challenges that configuration management solves to different places in the application lifecycle. The talk explains where Puppet fits into this changed lifecycle, and what tools Puppet provides there.
Slides for a talk I gave at the Linux Foundation Collaboration Summit 2015
OpenMetadata Community Meeting - 5th June 2024 - OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
Navigating the Metaverse: A Journey into Virtual Evolution - Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms.
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
May Marketo Masterclass, London MUG May 22 2024.pdf - Adele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Artificial Intelligence and XPath Extension Functions - Octavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code - Aftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Quarkus Hidden and Forbidden Extensions - Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
GraphSummit Paris - The art of the possible with Graph Technology - Neo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
2. Isn't docker secure?
Ars Technica: Infected images mined digital coins
"17 images posted by a single account over 10 months may have generated $90,000."
"For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what's in it."
https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
3. CVE-2019-5736
"runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe."
4. Important stuff I won't talk this time
Physical security
Host security (patched OS, only necessary packages, OS hardening, ...)
Network security (open ports, firewalls, strict SSH access, ...)
Educating users
...
6. Official images
Essential base OS repositories as the starting point for users
Lead examples of Dockerfile best practices
Security updates are applied in a timely manner
Scanned for vulnerabilities
https://docs.docker.com/docker-hub/official_images/
8. Docker Content Trust (DCT)
Use digital signatures for data sent to and received from remote Docker registries.
These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
Through DCT, image publishers can sign their images and image
consumers can ensure that the images they use are signed.
9. DCT #2
export DOCKER_CONTENT_TRUST="1"
docker pull user/someimage
Error: remote trust data does not exist for docker.io/user/someimage:
notary.docker.io does not have trust data for
docker.io/user/someimage
https://docs.docker.com/engine/security/trust/content_trust/
14. Build your own images
Start from official images
Use a reasonable distro (e.g. alpine)
Include only what's really required (e.g. --no-install-recommends)
USER someuser
No sudo
No sshd
15. Don't bake any secrets to the image
ENV MYSQL_PASSWORD "aaaa"
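The rules on slides 14 and 15 (non-root USER, no sudo, no sshd, nothing beyond what is required, no secrets in ENV) are easy to state and easy to forget under deadline pressure, so the check below turns them into a small Dockerfile policy scan that can run in CI before `docker build`. It is an added example, not code from the talk or from any Docker project; the two Dockerfiles are constructed for the demonstration and the pattern lists (secret-looking variable names, sudo and openssh-server) are the author's assumptions about what to flag.

```python
import re

# Constructed Dockerfiles for the check below; neither is from the slides' author or
# any real project. The first collects the anti-patterns slides 14 and 15 warn about.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
ENV MYSQL_PASSWORD "aaaa"
RUN apt-get update && \\
    apt-get install -y sudo openssh-server
"""

GOOD_DOCKERFILE = """\
FROM alpine:3.10
RUN apk add --no-cache ca-certificates
RUN addgroup -S app && adduser -S -G app app
USER app
"""

# Variable names that usually carry credentials (assumed list, extend as needed).
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY", re.IGNORECASE)


def logical_lines(text):
    """Join backslash-continued lines so each instruction is one string."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf.strip())
    return joined


def check_dockerfile(text):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    findings = []
    last_user = None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            image = args.split()[0]
            # ":latest" or no tag at all means the base can silently change under you
            if image.endswith(":latest") or (":" not in image and "@" not in image):
                findings.append(f"unpinned base image: {image}")
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(args):
            findings.append(f"secret baked into the image: {line}")
        elif instr == "RUN":
            if re.search(r"\bsudo\b", args):
                findings.append("sudo installed or used in RUN")
            if re.search(r"\b(openssh-server|sshd)\b", args):
                findings.append("sshd installed in the image")
            if "apt-get install" in args and "--no-install-recommends" not in args:
                findings.append("apt-get install without --no-install-recommends")
        elif instr == "USER":
            last_user = args.strip()
    # The last USER instruction decides who the entrypoint runs as.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("final USER is root (no non-root USER instruction)")
    return findings


if __name__ == "__main__":
    for name, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, check_dockerfile(df) or "OK")
```

ARG values do not end up in the final image's config the way ENV values do, but they are still visible in the image history, which is why the check treats both the same.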
16. Scan your images
Microscanner: https://github.com/aquasecurity/microscanner
FROM debian:jessie-slim
RUN apt-get update && apt-get -y install ca-certificates
ADD https://get.aquasec.com/microscanner /
ARG token
RUN chmod +x /microscanner && /microscanner ${token}
17. "vulnerabilities": [
  {
    "name": "CVE-2017-8398",
    "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary ...",
    "nvd_score": 5,
    "nvd_score_version": "CVSS v2",
    "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "nvd_severity": "medium",
    "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8398",
    ...
  },
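A scanner report is only useful if something acts on it, so the added example below reads a report in the shape shown on slide 17 and decides whether a build should fail. It is not the scanner's own code; the first record is the slide's CVE-2017-8398 entry, the second is a constructed high-severity entry with a placeholder name, and the severity ranking and default thresholds are the author's choices.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output in the shape shown on the slide. The first entry is the
# slide's own CVE-2017-8398 record; the second is a made-up high-severity entry whose
# name is a placeholder, not a real advisory reference.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {
            "name": "CVE-2017-8398",
            "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read ...",
            "nvd_score": 5,
            "nvd_score_version": "CVSS v2",
            "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "nvd_severity": "medium",
            "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8398",
        },
        {
            "name": "CVE-XXXX-PLACEHOLDER",
            "description": "constructed high-severity finding for the example",
            "nvd_score": 7.5,
            "nvd_score_version": "CVSS v2",
            "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "nvd_severity": "high",
            "nvd_url": "https://example.invalid/placeholder",
        },
    ]
})


def summarize(report_json):
    """Count findings per NVD severity label, e.g. {'medium': 1, 'high': 1}."""
    counts = {}
    for v in json.loads(report_json).get("vulnerabilities", []):
        sev = str(v.get("nvd_severity", "unknown")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report_json, max_severity="medium", max_score=6.9):
    """Return the findings that would fail the build: anything rated above
    `max_severity`, or scored above `max_score` regardless of its label
    (labels and scores do not always agree, so both are checked)."""
    limit = SEVERITY_RANK.get(max_severity, 0)
    failing = []
    for v in json.loads(report_json).get("vulnerabilities", []):
        sev = SEVERITY_RANK.get(str(v.get("nvd_severity", "")).lower(), 0)
        score = float(v.get("nvd_score") or 0)
        if sev > limit or score > max_score:
            failing.append((v["name"], v.get("nvd_severity"), score))
    return failing


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for name, sev, score in gate(SAMPLE_REPORT):
        print(f"FAIL {name} ({sev}, {score})")
```

In a pipeline the exit status of the gate is what matters: a non-empty result should fail the build step, and the thresholds belong in version control next to the Dockerfile so that loosening them is a reviewed change.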
21. [INFO] 2 - Docker daemon configuration
[PASS] 2.1 - Ensure network traffic is restricted between containers on the
default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
26. Resource limits
--memory 2G: The maximum amount of memory the container can use
--memory-swap 2G: The amount of memory the container is allowed to swap to disk
--shm-size 64M: Size of /dev/shm
--cpus=1.5: How much of the available CPU resources a container can use
--cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use
--gpus device=0,2: NVIDIA GPU access
--pids-limit: Limit the number of processes started inside the container
--ulimit <options>, eg. --ulimit nproc=256:512
https://docs.docker.com/config/containers/resource_constraints/
40. User remapping #5
$ docker run --rm -ti -v /tmp:/tmp ubuntu bash
root@7b66cc086eb4:/# touch /tmp/aaa
root@7b66cc086eb4:/# ls -la /tmp/aaa
-rw-r--r-- 1 root root 0 Sep 22 10:13 /tmp/aaa
root@7b66cc086eb4:/# exit
$ ls -la /tmp/aaa
-rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa
https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
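The transcript above shows the effect of user namespace remapping but not the arithmetic behind it: with `userns-remap` set, dockerd maps container uid 0 onto the first subordinate uid granted to the remap user in /etc/subuid, uid 1 onto the next, and so on, which is why a file that is root's inside the container belongs to an ordinary host account outside. The added example below implements that mapping so you can predict host ownership before mounting a volume; it is not code from the talk or from Docker, and the /etc/subuid content is constructed.

```python
# Constructed /etc/subuid content; "dockremap" is the user dockerd creates when
# userns-remap is "default". The ranges and the john entry are made up for the example.
SUBUID = """\
dockremap:100000:65536
john:165536:65536
"""


def parse_subid(text, user):
    """Return the (start, count) ranges granted to `user` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def container_to_host_uid(container_uid, ranges):
    """Map a uid seen inside the container to the host uid it really is.
    Ranges are laid out back to back in order, as in /proc/<pid>/uid_map;
    returns None when the uid is not mapped at all (it shows up as 'nobody')."""
    offset = 0
    for start, count in ranges:
        if offset <= container_uid < offset + count:
            return start + (container_uid - offset)
        offset += count
    return None


def host_to_container_uid(host_uid, ranges):
    """Inverse mapping: which uid inside the container owns a host file, if any."""
    offset = 0
    for start, count in ranges:
        if start <= host_uid < start + count:
            return offset + (host_uid - start)
        offset += count
    return None


if __name__ == "__main__":
    ranges = parse_subid(SUBUID, "dockremap")
    for uid in (0, 1000, 65535, 65536):
        print(f"container uid {uid} -> host uid {container_to_host_uid(uid, ranges)}")
```

Files a remapped container writes to a bind mount are therefore owned by a uid in the 100000+ range on the host, and a host-owned file mounted in appears as nobody inside unless its owner falls inside the range; plan volume ownership with that in mind.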
41. Don't use privileged mode
"Privileged mode enables access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host."
42. Don't use the host's namespaces
$ docker run --userns=host -ti --rm -v /tmp:/tmp ubuntu bash
root@a78119823836:/# touch /tmp/hahaha
root@a78119823836:/# ls -la /tmp/hahaha
-rw-r--r-- 1 root root 0 Oct 3 10:08 /tmp/hahaha
root@a78119823836:/# exit
$ ls -la /tmp/hahaha
-rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
45. Secrets in container
$ docker run --rm -ti -e SOME_PASSWORD=aaaa ubuntu bash
root@7b66cc086eb4:/# echo $SOME_PASSWORD
aaaa
root@7b66cc086eb4:/#
Environments are often logged!
# less /proc/29487/task/29487/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTNAME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@HOME=/root
46. Secrets in config files in container
docker run -v /path/to/1.cfg:/etc/yourapp/1.cfg:ro yourimage
47. Docker secrets
Container orchestration systems offer some basic secret management
Kubernetes: secrets, configmaps (Namespaces, RBAC)
Docker Swarm: secrets
Not for a standalone docker installation :-(
Set up a single-node swarm or k8s deployment :-)
https://www.hashicorp.com/resources/securing-container-secrets-vault
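Slides 45 to 47 make two points: anything passed with -e is readable from /proc/<pid>/environ by anyone who can read the process, and orchestrators deliver secrets as files instead (Swarm and Kubernetes mount them under /run/secrets or a path of your choosing). The added example below shows both sides from the application's perspective: a parser for the NUL-separated environ format that flags credential-looking names, and a loader that reads a secret from a mounted file or a `<NAME>_FILE` path and never from a plain variable. It is not code from the talk or from any orchestrator; the environ bytes copy the slide's output and the secret file is written to a temporary directory for the demonstration.

```python
import os
import re
import tempfile

# Variable names that usually carry credentials (assumed list).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|KEY)$", re.IGNORECASE)

# Constructed copy of what slide 45 shows in /proc/<pid>/environ: NUL-separated
# KEY=value pairs, including the password that was passed with -e.
ENVIRON_BYTES = (
    b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\x00"
    b"HOSTNAME=7b66cc086eb4\x00TERM=xterm\x00SOME_PASSWORD=aaaa\x00HOME=/root\x00"
)


def parse_environ(data):
    """Decode the /proc/<pid>/environ format (NUL-separated KEY=value) into a dict."""
    env = {}
    for item in data.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode()] = value.decode(errors="replace")
    return env


def exposed_secrets(data):
    """Names of environment variables whose name suggests a credential."""
    return sorted(k for k in parse_environ(data) if SECRET_NAME.search(k))


def load_secret(name, secrets_dir="/run/secrets", environ=None):
    """Read a secret the way an orchestrator delivers it: from <secrets_dir>/<name>
    first, then from the file named by <NAME>_FILE. There is deliberately no
    fallback to a plain environment variable, so the value never sits in the
    process environment where slide 45 shows it being read."""
    environ = os.environ if environ is None else environ
    candidates = [os.path.join(secrets_dir, name)]
    file_var = environ.get(name.upper() + "_FILE")
    if file_var:
        candidates.append(file_var)
    for path in candidates:
        try:
            with open(path, "r", encoding="utf-8") as fh:
                return fh.read().rstrip("\n")
        except OSError:
            continue
    return None


def demo_secret_file():
    """Write a constructed secret to a temp directory and load it both ways."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("s3cr3t\n")
        mounted = load_secret("db_password", secrets_dir=d, environ={})
        via_file_var = load_secret("db_password", secrets_dir="/nonexistent",
                                   environ={"DB_PASSWORD_FILE": path})
        return mounted, via_file_var


if __name__ == "__main__":
    print("exposed in environ:", exposed_secrets(ENVIRON_BYTES))
    print("loaded from file:", demo_secret_file())
```

The `<NAME>_FILE` convention is the one many official images already honour (MYSQL_PASSWORD_FILE, POSTGRES_PASSWORD_FILE), so an application that supports it drops into a Swarm or Kubernetes secret mount without changes.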
48. Elevating privileges
FROM ubuntu:latest
RUN apt-get update && \
    apt-get install -y sudo && \
    echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && \
    echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd
USER 1000
49. Elevating privileges #2
$ docker run --rm -ti aaa bash
sj@177cd44c70c0:/$ id
uid=1000(sj) gid=100(users) groups=100(users)
sj@177cd44c70c0:/$ sudo bash
root@177cd44c70c0:/# id
uid=0(root) gid=0(root) groups=0(root)
51. Elevating privileges #4
$ docker run --rm -ti aaa bash
sj@177cd44c70c0:/$ id
uid=1000(sj) gid=100(users) groups=100(users)
sj@177cd44c70c0:/$ sudo bash
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
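The sudo failure on slide 51 is what a setuid binary reports when the kernel refuses to raise its effective uid, which is exactly what `--security-opt no-new-privileges` enforces; together with the limits from slide 26 and the warnings on slides 41 and 42, that gives a short list of run-time settings worth checking on every running container. The added example below audits `docker inspect` output for them. It is not code from the talk or from Docker; the HostConfig field names are Docker's real ones, but the two containers, their IDs and values, and the list of sensitive host paths are constructed by the author.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below. The
# field names are the real ones; the names and values are made up. /risky is started
# the way slides 41 and 42 warn against; /limited has slide 26's limits and the
# no-new-privileges option behind slide 51.
INSPECT_OUTPUT = json.dumps([
    {
        "Name": "/risky",
        "HostConfig": {
            "Privileged": True,
            "UsernsMode": "host",
            "PidMode": "",
            "NetworkMode": "host",
            "IpcMode": "private",
            "Memory": 0,
            "PidsLimit": None,
            "SecurityOpt": None,
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/:/host"],
        },
    },
    {
        "Name": "/limited",
        "HostConfig": {
            "Privileged": False,
            "UsernsMode": "",
            "PidMode": "",
            "NetworkMode": "bridge",
            "IpcMode": "private",
            "Memory": 2147483648,
            "PidsLimit": 256,
            "SecurityOpt": ["no-new-privileges"],
            "CapAdd": None,
            "Binds": ["/path/to/1.cfg:/etc/yourapp/1.cfg:ro"],
        },
    },
])

# Host paths that should never be bind-mounted writable into a container (assumed list).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/var/run/docker.sock"}


def no_new_privileges_set(security_opt):
    """docker inspect shows the option as "no-new-privileges" or "no-new-privileges:true"."""
    for opt in security_opt or []:
        key, _, value = opt.partition(":")
        if key == "no-new-privileges" and value != "false":
            return True
    return False


def audit_container(container):
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode (all host devices, relaxed LSM profile)")
    for key in ("UsernsMode", "PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host shares the host namespace")
    if not hc.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not hc.get("PidsLimit"):
        findings.append("no process limit (--pids-limit)")
    if not no_new_privileges_set(hc.get("SecurityOpt")):
        findings.append("no-new-privileges not set; setuid binaries such as sudo still elevate")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"extra capability {cap}")
    for bind in hc.get("Binds") or []:
        src, _, rest = bind.partition(":")
        mode = rest.split(":", 1)[1] if ":" in rest else "rw"
        if src in SENSITIVE_HOST_PATHS and "ro" not in mode.split(","):
            findings.append(f"sensitive host path {src} mounted writable")
    return findings


def audit_inspect(inspect_json):
    """Map container name -> findings for the JSON printed by `docker inspect`."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect(INSPECT_OUTPUT).items():
        print(name, findings or "OK")
```

Feed it `docker inspect $(docker ps -q)` and the output is a per-container list of what to fix; an empty list for every container is the state the slides are steering you toward.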
52. More daemon.json settings
{
  "icc": false, // Disable inter container communication
  "userland-proxy": false, // Disable userland proxy for loopback traffic
  ...
}
53. Activity monitoring with sysdig/falco
Notify other systems or humans of abnormal behavior.
https://sysdig.com/opensource/falco/
54. Activity monitoring with sysdig/falco #2
***Action change_thread_namespace
Calling setns() to change namespaces...
***Action create_files_below_dev
Creating /dev/created-by-event-generator-sh...
***Action db_program_spawn_process
Becoming the program "mysql" and then running ls
***Action exec_ls
bin dev etc ...
***Action exfiltration
Reading /etc/shadow and sending to 10.5.2.6:8197...
55. Activity monitoring with sysdig/falco #3
2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>)
2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator)
2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator)
2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
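Slide 53 says Falco should "notify other systems or humans", and slide 55 shows the text lines it emits; the added example below is the parser you need in between, turning each line into a timestamp, a priority, the rule's message and its key=value fields, then filtering by priority and grouping by container. It is not Falco's code or the talk's; the four input lines are the slide's own alerts re-joined onto single lines, and the priority order follows Falco's syslog-style levels from Emergency down to Debug.

```python
import re

# Falco priorities, most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# The four alerts from slide 55, each re-joined onto a single line (the deck wraps them).
FALCO_LINES = [
    "2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>)",
    "2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
    "2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
    "2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
]

# "<timestamp>: <Priority> <rule text> (<key>=<value> ...)". The rule text may itself
# contain parentheses, so the field block is recognised by starting with "key=".
LINE_RE = re.compile(r"^(\S+): (\w+) (.+?) \((\w+=.*)\)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_falco_line(line):
    """Return {'time', 'priority', 'rule', 'fields'} or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, prio, rule_text, field_blob = m.groups()
    # Nested groups such as "(id=...)" leave a trailing ")" on a value; strip it.
    fields = {k: v.rstrip(")") for k, v in FIELD_RE.findall(field_blob)}
    return {"time": ts, "priority": prio, "rule": rule_text, "fields": fields}


def alerts_at_or_above(lines, min_priority="Warning"):
    """Keep alerts whose priority is at least `min_priority` (e.g. for paging)."""
    cutoff = PRIORITIES.index(min_priority)
    kept = []
    for line in lines:
        rec = parse_falco_line(line)
        if rec and rec["priority"] in PRIORITIES and PRIORITIES.index(rec["priority"]) <= cutoff:
            kept.append(rec)
    return kept


def by_container(lines):
    """Group parsed alerts by container_id so a noisy container stands out."""
    groups = {}
    for line in lines:
        rec = parse_falco_line(line)
        if rec:
            groups.setdefault(rec["fields"].get("container_id", "?"), []).append(rec)
    return groups


if __name__ == "__main__":
    for rec in alerts_at_or_above(FALCO_LINES, "Warning"):
        print(rec["priority"], rec["rule"], rec["fields"].get("file"))
    for cid, recs in by_container(FALCO_LINES).items():
        print(cid, len(recs), "alerts")
```

Falco can also emit JSON directly (json_output in its configuration), which is the better choice for a new deployment; the text parser is for the default output format the slide shows and for logs already collected that way.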