Docker, Inc., profile picture
Uploaded byDocker, Inc.
PDF, PPTX16,107 views

Docker Security Deep Dive by Ying Li and David Lawrence

Securing software supply chains and deployed systems is important. The document discusses using Docker Content Trust (DCT) to ensure authenticity, integrity, and freshness of container images. It also recommends validating dependencies, signing applications, scanning for vulnerabilities, and using features in Docker 1.12 like mutual TLS and certificate rotation to securely manage Docker clusters.

Embed presentation

Download as PDF, PPTX
Securing your software supply chain David Lawrence Ying Li Security Engineers
Cat Laser/Cam™ Supply Chain
Software Supply Chain source/ dependencies build systems/ engineers network application repository deployed systems
Identity
IMAGE name: alpine:3.4 sha256: ea08...950 ID: f70c828098f5 expires: 2019-06-20 USER name: user org: organization DOCKER HOST name: node-1 ID: 9j1kxp7cd1z...22c *manager expires: 2016-06-21 ID: 58slx2ra5qiee92n4uf56ocvf
$ docker login docker.io Username (user): user Password: Login Succeeded $ notary -d ~/.docker/trust key list ROLE GUN KEY ID LOCATION ---------------------------------------------------------------------------------- root 5f8ec4acd0a9ca301ef84ac...587 file (...) targets user/myrepo 71662d563fc1dfd0a83c5b3...9ce file (...) user d73b1075076e39a0c3ed638...05e file (...)
$ swarmctl node ls ID Name Membership Status Availability Manager Status -- ---- ---------- ------ ------------ -------------- 3w8pfmhn6janhhzg7pu7ktxd2 node-3 ACCEPTED READY ACTIVE 9dva02k3khzbrgyok9dqwvv2m node-2 ACCEPTED READY ACTIVE 9j1kxp7cd1zs7a2njgyz6q22c node-1 ACCEPTED READY ACTIVE REACHABLE *
$ openssl x509 -in node-3/certificates/swarm-node.crt -text Certificate: ... Issuer: CN=swarm-ca Validity Not Before: Jun 17 20:30:00 2016 GMT Not After : Sep 15 20:30:00 2016 GMT Subject: O=58slx2ra5qiee92n4uf..., OU=swarm-worker, CN=3w8pfmhn6janhhzg7pu7ktxd2 ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:swarm-worker ... -----BEGIN CERTIFICATE----- ...
$ docker images --digests REPOSITORY TAG DIGEST IMAGE ID CREATED... debian latest sha256:e7d38b3517548a1c...0aa f50f9524513f 8 weeks... busybox latest sha256:4a731fb46adc5cef...a92 47bcc53f74dc 11 days... user/myrepo latest sha256:ea0d1389812f43e4...950 f9858dea7747 6 hours... $ notary -d ~/.docker/trust list docker.io/user/myrepo NAME DIGEST SIZE (BYTES) ROLE --------------------------------------------------------------------------------- latest ea0d1389812f43e474c50155ec4914e1b48792...950 1360 targets
source/ dependencies Consistent Builds build systems/ engineers
Good Input → Good Output
$ cat dependency_checklist.txt * quality * authenticity * integrity * freshness * consistency
1 FROM ubuntu:16.04 | Use official images * TLS/DCT → authenticity * TLS/DCT → integrity * DCT → freshness Pin image version
1 FROM ubuntu:16.04 2 RUN wget https://<mysite.io>/apt.key && echo “<checksum> apt.key” | shasum -a 256 -c | Use HTTPS * TLS → authenticity * TLS → integrity Validate content
3 RUN apt-key add apt.key && add-apt-repository ppa:<mysite.io> && apt-get update && apt-get install mypackage | Validate signatures GPG → integrity GPG → authenticity
Application Signing network
Developer or CI
$ # enable docker content trust $ export DOCKER_CONTENT_TRUST=1
$ # protects against untrusted images $ head -n 1 Dockerfile FROM user/repo:unsigned $ docker build -t user/myrailsbase . No trust data for unsigned
$ # protects against maliciously signed images $ head -n 1 Dockerfile FROM user/repo:fakesigned $ docker build -t user/myrailsbase . Warning: potential malicious behavior - trust data has insufficient signatures for remote repository docker.io/ user/repo: valid signatures did not meet threshold
$ # protects against stale images $ head -n 1 Dockerfile FROM user/repo:reallyold $ docker build -t user/myrailsbase . Error: remote repository docker.io/user/repo out-of-date: targets expired at Thu Jun 16 10:47:43 PDT 2016
Developer or CI
321 Trusted Image Chaining
debian:jessie ruby 2.3.1 ruby:2.3 rails 4.2.6 rails:4.2.6 extra libraries mycompany/ railsbase:1.0
Security Scanning + Gating application repository
Scanner CVE Scanning validation service Docker Security Scanning Scan Trigger (APIs) Plugin Framework CVE/NVD Database BOM DatabaseBOM Notifications Push image Docker Cloud
Auto-Chained Remediation
$ docker ps --format “table {{.ID}}t{{.Image}}t{{.Created}}” -f ancestor=user/pypy:3-5.2 -f ancestor=user/pypy:2-5.3 CONTAINER ID IMAGE CREATED COMMAND bf8966f2dc59 user/django:pypy 2 weeks "python manage.py run" 263158cab9f0 twisted_web 2 hours "twistd -n web --path" 005c98e79459 user/pypy:3-5.2 1 hours “scrapy crawl dmoz" 005c98e79459 user/pypy:2-5.3 1 hours “youtube-dl ‘http://w"
Orchestration deployed systems
$ docker run -it --net host --pid host --cap-add audit_control ... docker/docker-bench-security [INFO] 1 - Host Configuration [WARN] 1.1 - Create a separate partition for containers [PASS] 1.2 - Use an updated Linux Kernel [PASS] 1.4 - Remove all non-essential services from the host - Network [PASS] 1.5 - Keep Docker up to date [INFO] * Using 1.11.2 which is current as of 2016-06-02 [INFO] * Check with your operating system vendor for support and security maintenance for docker [INFO] 1.6 - Only allow trusted users to control Docker daemon [INFO] * docker:x:999:docker [WARN] 1.7 - Failed to inspect: auditctl command not found. [WARN] 1.8 - Failed to inspect: auditctl command not found. [WARN] 1.9 - Failed to inspect: auditctl command not found. [INFO] 1.10 - Audit Docker files and directories - docker.service [INFO] * File not found [INFO] 1.11 - Audit Docker files and directories - docker.socket [INFO] * File not found ...
Secure Cluster Management • Docker 1.12 integrates swarm. • Strong default swarm security.
Mutual TLS by default • Leader acts as CA. • Any Manager can be promoted to leader. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS.
Support for External CAs • Managers support BYO CA. • Forwards CSRs to external CA.
Automatic Certificate Rotation • Customizable certificate rotation periods. • Occurs automatically. • Ensures potentially compromised or leaked certificates are rotated out of use. • Whitelist of currently valid certificates.
Secure Addition of Nodes Three ways to approve addition of a node to the cluster: • Automatic acceptance. • Secret token. • Manual approval.
DEMO
Thank you!

More Related Content

PDF
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
byDocker, Inc.
 
PPTX
Orchestration? You Don't Need Orchestration. What You Want Is Choreography by...
byDocker, Inc.
 
PDF
Docker for Developers - Part 1 by David Gageot
byDocker, Inc.
 
PDF
Dockercon 16 Wrap-up (Docker for Mac and Win, Docker 1.12, Swarm Mode, etc.)
byNils De Moor
 
PPTX
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
byDocker, Inc.
 
PDF
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
byDocker, Inc.
 
PDF
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
byMike Goelzer
 
PDF
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
byDocker, Inc.
 
Orchestration? You Don't Need Orchestration. What You Want Is Choreography by...
byDocker, Inc.
 
Docker for Developers - Part 1 by David Gageot
byDocker, Inc.
 
Dockercon 16 Wrap-up (Docker for Mac and Win, Docker 1.12, Swarm Mode, etc.)
byNils De Moor
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
byDocker, Inc.
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
byDocker, Inc.
 
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
byMike Goelzer
 
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 

What's hot

PPTX
Docker Security workshop slides
byDocker, Inc.
 
PDF
What’s New in Docker - Victor Vieux, Docker
byDocker, Inc.
 
PDF
DockerDay2015: Docker orchestration for developers
byDocker-Hanoi
 
PDF
runC: The little engine that could (run Docker containers) by Docker Captain ...
byDocker, Inc.
 
PPTX
Integration with Docker and .NET Core
bySriram Hariharan
 
PDF
Docker serverless v1.0
byThomas Chacko
 
PPT
Amazon Web Services and Docker
byPaolo latella
 
PDF
Docker security introduction-task-2016
byRicardo Gerardi
 
PPTX
Docker orchestration
byOpen Source Consulting
 
PDF
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
byDocker, Inc.
 
PPTX
Comprehensive Monitoring for Docker
byChristian Beedgen
 
PPTX
Docker Mentorweek beginner workshop notes
bySreenivas Makam
 
PDF
Online Meetup: Why should container system / platform builders care about con...
byDocker, Inc.
 
PDF
DockerCon EU 2015: Trading Bitcoin with Docker
byDocker, Inc.
 
PDF
Docker Orchestration at Production Scale
byDocker, Inc.
 
PPTX
Docker 1.9 Feature Overview
bySreenivas Makam
 
PDF
Docker Basics & Alfresco Content Services
bySujay Pillai
 
PDF
Docker on Google App Engine
byDocker, Inc.
 
PDF
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
byDocker, Inc.
 
PDF
DockerCon US 2016 - Extending Docker With APIs, Drivers, and Plugins
byArnaud Porterie
 
Docker Security workshop slides
byDocker, Inc.
 
What’s New in Docker - Victor Vieux, Docker
byDocker, Inc.
 
DockerDay2015: Docker orchestration for developers
byDocker-Hanoi
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
byDocker, Inc.
 
Integration with Docker and .NET Core
bySriram Hariharan
 
Docker serverless v1.0
byThomas Chacko
 
Amazon Web Services and Docker
byPaolo latella
 
Docker security introduction-task-2016
byRicardo Gerardi
 
Docker orchestration
byOpen Source Consulting
 
On-Demand Image Resizing from Part of the monolith to Containerized Microserv...
byDocker, Inc.
 
Comprehensive Monitoring for Docker
byChristian Beedgen
 
Docker Mentorweek beginner workshop notes
bySreenivas Makam
 
Online Meetup: Why should container system / platform builders care about con...
byDocker, Inc.
 
DockerCon EU 2015: Trading Bitcoin with Docker
byDocker, Inc.
 
Docker Orchestration at Production Scale
byDocker, Inc.
 
Docker 1.9 Feature Overview
bySreenivas Makam
 
Docker Basics & Alfresco Content Services
bySujay Pillai
 
Docker on Google App Engine
byDocker, Inc.
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
byDocker, Inc.
 
DockerCon US 2016 - Extending Docker With APIs, Drivers, and Plugins
byArnaud Porterie
 

Viewers also liked

PPTX
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
byDocker, Inc.
 
PDF
Containerd: Building a Container Supervisor by Michael Crosby
byDocker, Inc.
 
PDF
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
byDocker, Inc.
 
PDF
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
byDocker, Inc.
 
PDF
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
byDocker, Inc.
 
PDF
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
byDocker, Inc.
 
PPTX
DockerCon 16 General Session Day 1
byDocker, Inc.
 
PPTX
DockerCon 16 General Session Day 2
byDocker, Inc.
 
PDF
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
byDocker, Inc.
 
PDF
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
byDocker, Inc.
 
PPTX
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
byDocker, Inc.
 
PPTX
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
byDocker, Inc.
 
PDF
Docker Networking Deep Dive
byDocker, Inc.
 
PPTX
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
byDocker, Inc.
 
PPTX
Docker for the Enterprise with Containers as a Service by Banjot Chanana
byDocker, Inc.
 
PDF
DockerCon SF 2015: Docker Security
byDocker, Inc.
 
PDF
What's New in Docker 1.12 by Mike Goelzer and Andrea Luzzardi
byDocker, Inc.
 
PDF
Kernel load-balancing for Docker containers using IPVS
byDocker, Inc.
 
PDF
Managing Persistent Storage with Docker Containers by John Griffith and Garre...
byDocker, Inc.
 
PPTX
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
byDocker, Inc.
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
byDocker, Inc.
 
Containerd: Building a Container Supervisor by Michael Crosby
byDocker, Inc.
 
Docker for Ops: Extending Docker with APIs, Drivers and Plugins by Arnaud Por...
byDocker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
byDocker, Inc.
 
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
byDocker, Inc.
 
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
byDocker, Inc.
 
DockerCon 16 General Session Day 1
byDocker, Inc.
 
DockerCon 16 General Session Day 2
byDocker, Inc.
 
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
byDocker, Inc.
 
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
byDocker, Inc.
 
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
byDocker, Inc.
 
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
byDocker, Inc.
 
Docker Networking Deep Dive
byDocker, Inc.
 
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
byDocker, Inc.
 
Docker for the Enterprise with Containers as a Service by Banjot Chanana
byDocker, Inc.
 
DockerCon SF 2015: Docker Security
byDocker, Inc.
 
What's New in Docker 1.12 by Mike Goelzer and Andrea Luzzardi
byDocker, Inc.
 
Kernel load-balancing for Docker containers using IPVS
byDocker, Inc.
 
Managing Persistent Storage with Docker Containers by John Griffith and Garre...
byDocker, Inc.
 
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
byDocker, Inc.
 

Similar to Docker Security Deep Dive by Ying Li and David Lawrence

PPTX
Start tracking your ruby infrastructure
bySergiy Kukunin
 
PDF
Docker security
byJanos Suto
 
PDF
Testing Docker Images Security -All day dev ops 2017
byJose Manuel Ortega Candel
 
PDF
Containerizing your Security Operations Center
byJimmy Mesta
 
PDF
Securité des container
byRachid Zarouali
 
PDF
Docker for developers
byandrzejsydor
 
PPTX
Docker Roadshow 2016
byDocker, Inc.
 
PDF
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
byDocker, Inc.
 
PPTX
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
byDataArt
 
PDF
DCEU 18: Tips and Tricks of the Docker Captains
byDocker, Inc.
 
PDF
DCEU 18: Docker Container Security
byDocker, Inc.
 
PDF
Production sec ops with kubernetes in docker
byDocker, Inc.
 
PDF
Real-World Docker: 10 Things We've Learned
byRightScale
 
PPTX
Devoxx 2016 - Docker Nuts and Bolts
byPatrick Chanezon
 
PPTX
Docker Networking - Common Issues and Troubleshooting Techniques
bySreenivas Makam
 
PPTX
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
PDF
Docker, the Future of DevOps
byandersjanmyr
 
PDF
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
PDF
Kubernetes security
byThomas Fricke
 
PDF
Testing Docker Images Security
byJose Manuel Ortega Candel
 
Start tracking your ruby infrastructure
bySergiy Kukunin
 
Docker security
byJanos Suto
 
Testing Docker Images Security -All day dev ops 2017
byJose Manuel Ortega Candel
 
Containerizing your Security Operations Center
byJimmy Mesta
 
Securité des container
byRachid Zarouali
 
Docker for developers
byandrzejsydor
 
Docker Roadshow 2016
byDocker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
byDocker, Inc.
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
byDataArt
 
DCEU 18: Tips and Tricks of the Docker Captains
byDocker, Inc.
 
DCEU 18: Docker Container Security
byDocker, Inc.
 
Production sec ops with kubernetes in docker
byDocker, Inc.
 
Real-World Docker: 10 Things We've Learned
byRightScale
 
Devoxx 2016 - Docker Nuts and Bolts
byPatrick Chanezon
 
Docker Networking - Common Issues and Troubleshooting Techniques
bySreenivas Makam
 
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
Docker, the Future of DevOps
byandersjanmyr
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
Kubernetes security
byThomas Fricke
 
Testing Docker Images Security
byJose Manuel Ortega Candel
 

More from Docker, Inc.

PDF
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
PDF
Monitoring in a Microservices World
byDocker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
PDF
Predicting Space Weather with Docker
byDocker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
PDF
Kubernetes at Datadog Scale
byDocker, Inc.
 
PDF
Labels, Labels, Labels
byDocker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
byDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
Hands-on Helm
byDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
Monitoring in a Microservices World
byDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
Predicting Space Weather with Docker
byDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
Kubernetes at Datadog Scale
byDocker, Inc.
 
Labels, Labels, Labels
byDocker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
Developing with Docker for the Arm Architecture
byDocker, Inc.
 

Recently uploaded

PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
AI assisted Software Development - Agentic and Vibe Coding
byAndrei Oros
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
AI assisted Software Development - Agentic and Vibe Coding
byAndrei Oros
 

Docker Security Deep Dive by Ying Li and David Lawrence

  • 1.
    Securing your software supply chain DavidLawrence Ying Li Security Engineers
  • 2.
  • 3.
    Software Supply Chain source/ dependencies buildsystems/ engineers network application repository deployed systems
  • 4.
  • 5.
    IMAGE name: alpine:3.4 sha256: ea08...950 ID:f70c828098f5 expires: 2019-06-20 USER name: user org: organization DOCKER HOST name: node-1 ID: 9j1kxp7cd1z...22c *manager expires: 2016-06-21 ID: 58slx2ra5qiee92n4uf56ocvf
  • 6.
    $ docker logindocker.io Username (user): user Password: Login Succeeded $ notary -d ~/.docker/trust key list ROLE GUN KEY ID LOCATION ---------------------------------------------------------------------------------- root 5f8ec4acd0a9ca301ef84ac...587 file (...) targets user/myrepo 71662d563fc1dfd0a83c5b3...9ce file (...) user d73b1075076e39a0c3ed638...05e file (...)
  • 7.
    $ swarmctl nodels ID Name Membership Status Availability Manager Status -- ---- ---------- ------ ------------ -------------- 3w8pfmhn6janhhzg7pu7ktxd2 node-3 ACCEPTED READY ACTIVE 9dva02k3khzbrgyok9dqwvv2m node-2 ACCEPTED READY ACTIVE 9j1kxp7cd1zs7a2njgyz6q22c node-1 ACCEPTED READY ACTIVE REACHABLE *
  • 8.
    $ openssl x509-in node-3/certificates/swarm-node.crt -text Certificate: ... Issuer: CN=swarm-ca Validity Not Before: Jun 17 20:30:00 2016 GMT Not After : Sep 15 20:30:00 2016 GMT Subject: O=58slx2ra5qiee92n4uf..., OU=swarm-worker, CN=3w8pfmhn6janhhzg7pu7ktxd2 ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:swarm-worker ... -----BEGIN CERTIFICATE----- ...
  • 9.
    $ docker images--digests REPOSITORY TAG DIGEST IMAGE ID CREATED... debian latest sha256:e7d38b3517548a1c...0aa f50f9524513f 8 weeks... busybox latest sha256:4a731fb46adc5cef...a92 47bcc53f74dc 11 days... user/myrepo latest sha256:ea0d1389812f43e4...950 f9858dea7747 6 hours... $ notary -d ~/.docker/trust list docker.io/user/myrepo NAME DIGEST SIZE (BYTES) ROLE --------------------------------------------------------------------------------- latest ea0d1389812f43e474c50155ec4914e1b48792...950 1360 targets
  • 10.
  • 11.
    Good Input →Good Output
  • 12.
    $ cat dependency_checklist.txt *quality * authenticity * integrity * freshness * consistency
  • 13.
    1 FROM ubuntu:16.04| Use official images * TLS/DCT → authenticity * TLS/DCT → integrity * DCT → freshness Pin image version
  • 14.
    1 FROM ubuntu:16.04 2RUN wget https://<mysite.io>/apt.key && echo “<checksum> apt.key” | shasum -a 256 -c | Use HTTPS * TLS → authenticity * TLS → integrity Validate content
  • 15.
    3 RUN apt-keyadd apt.key && add-apt-repository ppa:<mysite.io> && apt-get update && apt-get install mypackage | Validate signatures GPG → integrity GPG → authenticity
  • 16.
  • 17.
  • 18.
    $ # enabledocker content trust $ export DOCKER_CONTENT_TRUST=1
  • 19.
    $ # protectsagainst untrusted images $ head -n 1 Dockerfile FROM user/repo:unsigned $ docker build -t user/myrailsbase . No trust data for unsigned
  • 20.
    $ # protectsagainst maliciously signed images $ head -n 1 Dockerfile FROM user/repo:fakesigned $ docker build -t user/myrailsbase . Warning: potential malicious behavior - trust data has insufficient signatures for remote repository docker.io/ user/repo: valid signatures did not meet threshold
  • 21.
    $ # protectsagainst stale images $ head -n 1 Dockerfile FROM user/repo:reallyold $ docker build -t user/myrailsbase . Error: remote repository docker.io/user/repo out-of-date: targets expired at Thu Jun 16 10:47:43 PDT 2016
  • 22.
  • 23.
  • 24.
  • 25.
    Security Scanning +Gating application repository
  • 27.
    Scanner CVE Scanning validation service Docker SecurityScanning Scan Trigger (APIs) Plugin Framework CVE/NVD Database BOM DatabaseBOM Notifications Push image Docker Cloud
  • 29.
  • 32.
    $ docker ps--format “table {{.ID}}t{{.Image}}t{{.Created}}” -f ancestor=user/pypy:3-5.2 -f ancestor=user/pypy:2-5.3 CONTAINER ID IMAGE CREATED COMMAND bf8966f2dc59 user/django:pypy 2 weeks "python manage.py run" 263158cab9f0 twisted_web 2 hours "twistd -n web --path" 005c98e79459 user/pypy:3-5.2 1 hours “scrapy crawl dmoz" 005c98e79459 user/pypy:2-5.3 1 hours “youtube-dl ‘http://w"
  • 33.
  • 35.
    $ docker run-it --net host --pid host --cap-add audit_control ... docker/docker-bench-security [INFO] 1 - Host Configuration [WARN] 1.1 - Create a separate partition for containers [PASS] 1.2 - Use an updated Linux Kernel [PASS] 1.4 - Remove all non-essential services from the host - Network [PASS] 1.5 - Keep Docker up to date [INFO] * Using 1.11.2 which is current as of 2016-06-02 [INFO] * Check with your operating system vendor for support and security maintenance for docker [INFO] 1.6 - Only allow trusted users to control Docker daemon [INFO] * docker:x:999:docker [WARN] 1.7 - Failed to inspect: auditctl command not found. [WARN] 1.8 - Failed to inspect: auditctl command not found. [WARN] 1.9 - Failed to inspect: auditctl command not found. [INFO] 1.10 - Audit Docker files and directories - docker.service [INFO] * File not found [INFO] 1.11 - Audit Docker files and directories - docker.socket [INFO] * File not found ...
  • 36.
    Secure Cluster Management •Docker 1.12 integrates swarm. • Strong default swarm security.
  • 37.
    Mutual TLS bydefault • Leader acts as CA. • Any Manager can be promoted to leader. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS.
  • 38.
    Support for ExternalCAs • Managers support BYO CA. • Forwards CSRs to external CA.
  • 39.
    Automatic Certificate Rotation •Customizable certificate rotation periods. • Occurs automatically. • Ensures potentially compromised or leaked certificates are rotated out of use. • Whitelist of currently valid certificates.
  • 40.
    Secure Addition ofNodes Three ways to approve addition of a node to the cluster: • Automatic acceptance. • Secret token. • Manual approval.
  • 41.
  • 44.