DOCKER
SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices
architectural style to be a superior approach to a
monolithic architecture. But other teams have found them
to be a productivity-sapping burden. Like any architectural
style, microservices bring costs and benefits. To make a
sensible choice you have to understand these and apply
them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY
(https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO
@fsmontenegro
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
ABOUT US - RICARDO
@ricardogerardi
Senior IT Consultant
Network
Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package
and run applications on a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy
to create and use containers
Speed (development/scalability)
Portability
Driver for DevOps and microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux kernel (3.8+ originally; the Docker install docs of the time require 3.10+)
Namespaces
cgroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER
SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers are not as isolated as VMs,
but much more isolated than plain processes...
cgroups & namespaces
Containers are OS-dependent (they share the host kernel).
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure registry/mirror access
Getting trustworthy images
trusted sources - Docker Hub, private registry
building securely
Docker Content Trust (1.8) [Notary]
"only signed content in production" (DOCKER_CONTENT_TRUST=1 makes pull/run refuse unsigned tags)
Yubico keys (YubiKey hardware storage for the Content Trust root key, since 1.9)
DOCKER'S PROJECT NAUTILUS
Docker securing images on DockerHub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay: Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are (ideally) stateless
Can mount additional volumes for persistent data
How to do Secrets Management?
ENV variables - not recommended (shown by docker inspect, inherited by child processes, end up in logs)
Key/Value pair solutions: Vault & Keywhiz
Embedded in orchestration: Kubernetes (Secrets)
Custom solutions
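The image-trust points above (trusted, pinned sources; building securely) and the warning about secrets in ENV can both be checked before an image is ever built. The linter below is an example added for this write-up, not code from the talk, from Docker, or from any project; the Dockerfile it checks is constructed for the example, and the rule set (base image pinned by digest rather than a floating tag, no secret-looking ENV/ARG names, no ADD from a URL, an explicit USER) is a minimal starting set chosen here, not a standard.

```python
"""Static checks for a Dockerfile: image provenance and secrets handling.
Example code added to this write-up; the Dockerfile below is constructed."""
import re

# Constructed Dockerfile exhibiting the problems we want to catch.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2 \\
    APP_ENV=prod
RUN apt-get update && apt-get install -y curl
ADD https://example.invalid/app.tar.gz /opt/
COPY . /app
EXPOSE 80
CMD ["/app/run.sh"]
"""

# Variable names that usually carry secrets (heuristic, chosen for this example).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def _instructions(text):
    """Join backslash-continued lines; yield (line_no, KEYWORD, args)."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        full = " ".join(s.strip() for s in buf)
        buf = []
        kw, _, args = full.partition(" ")
        yield start, kw.upper(), args.strip()


def lint_dockerfile(text):
    """Return findings as (line_no, message) in file order; line 0 = whole file."""
    findings = []
    has_user = False
    for n, kw, args in _instructions(text):
        if kw == "FROM":
            image = args.split()[0]  # ignore a trailing "AS stage"
            if "@sha256:" not in image:
                ref = image.rsplit("/", 1)[-1]  # drop registry host (may contain ':port')
                tag = ref.partition(":")[2] or "latest"
                if tag == "latest":
                    findings.append((n, "base image not pinned: '%s' resolves to :latest" % image))
                else:
                    findings.append((n, "base image pinned by tag only; prefer a digest (@sha256:...) or Content Trust"))
        elif kw in ("ENV", "ARG"):
            # Accept both "ENV K=V K2=V2" and the older "ENV K V" form.
            for name, _value in re.findall(r"([A-Za-z_][A-Za-z0-9_]*)(?:=|\s+)(\S+)", args):
                if SECRET_NAME.search(name):
                    findings.append((n, "secret baked into image via %s %s (visible in docker history / docker inspect)" % (kw, name)))
        elif kw == "ADD":
            if re.match(r"https?://", args.split()[0]):
                findings.append((n, "ADD from a URL is unverified; fetch with RUN and check a hash, or COPY a vetted file"))
        elif kw == "USER":
            has_user = True
    if not has_user:
        findings.append((0, "no USER instruction: container processes run as root"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_dockerfile(SAMPLE_DOCKERFILE):
        print("line %d: %s" % (line_no, msg))
```

On the constructed Dockerfile the checker reports the floating `:latest` base image, the `DB_PASSWORD` variable, the unverified `ADD` from a URL, and the missing `USER`; a file that pins by digest and sets a user passes clean. A real pipeline would run this alongside an image scanner (Clair, Nautilus) rather than instead of one: this only sees the build recipe, not what the packages inside contain.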
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root: UID 0 in the container maps to an unprivileged host UID)
Control groups: resource utilization (RAM, swap, CPU, IO, device access)
ADDITIONAL FEATURES
capabilities - add or drop capabilities (--cap-add / --cap-drop)
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication (daemon flag --icc=false)
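To see what "drop capabilities" actually changes, it helps to decode the capability bitmask the kernel reports in /proc/<pid>/status (CapEff/CapBnd). The script below is an example added for this write-up, not code from the talk or from Docker. It decodes a mask into capability names using the numbering from linux/capability.h, and compares it with Docker's default set for an unprivileged container (the familiar 0xa80425fb bounding set). The three sample masks are constructed: a default container, one started with --cap-drop=ALL --cap-add=NET_BIND_SERVICE, and a --privileged one; the live read of the current process is only attempted when /proc exists.

```python
"""Decode Linux capability masks and diff them against Docker's default set.
Example code added to this write-up; sample masks are constructed."""

# Capability numbers from linux/capability.h: list index == capability number.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# Docker's default capability set for a non-privileged container (14 caps).
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Constructed sample masks (what CapEff would show in each case).
DEFAULT_MASK = 0xa80425fb                     # plain `docker run`
MINIMAL_MASK = 1 << CAP_NAMES.index("NET_BIND_SERVICE")  # --cap-drop=ALL --cap-add=NET_BIND_SERVICE
PRIVILEGED_MASK = (1 << len(CAP_NAMES)) - 1   # --privileged: every capability


def decode_caps(mask):
    """Set of capability names whose bit is set in `mask`."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def encode_caps(names):
    """Inverse of decode_caps for the named capabilities."""
    return sum(1 << CAP_NAMES.index(n) for n in names)


def read_capeff(pid="self"):
    """Effective mask from /proc/<pid>/status, or None where /proc is unavailable."""
    try:
        with open("/proc/%s/status" % pid) as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    return int(line.split()[1], 16)
    except OSError:
        return None
    return None


def audit(mask):
    """What a container with this mask holds beyond Docker's default, and
    what --cap-drop removed from the default."""
    have = decode_caps(mask)
    return {
        "beyond_default": sorted(have - DOCKER_DEFAULT_CAPS),
        "dropped_from_default": sorted(DOCKER_DEFAULT_CAPS - have),
    }


if __name__ == "__main__":
    for label, m in (("default", DEFAULT_MASK), ("minimal", MINIMAL_MASK), ("privileged", PRIVILEGED_MASK)):
        print(label, hex(m), audit(m))
    live = read_capeff()
    if live is not None:
        print("this process", hex(live), audit(live))
```

Running it inside a container (`docker run --rm -v $PWD:/x python:3 python /x/caps.py`) shows the live mask next to the three references; a process whose audit reports `SYS_ADMIN` or `NET_ADMIN` under `beyond_default` was started with `--cap-add` or `--privileged`, which is exactly what the "free-for-all" anti-pattern later in the deck looks like from the inside.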
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface per container
enforce Content Trust to protect production (DOCKER_CONTENT_TRUST=1)
read-only filesystems (docker run --read-only)
drop capabilities when possible (--cap-drop=ALL, then --cap-add only what is needed)
seccomp - filtering of system calls
journaled changes (image layers are immutable; a container's writes land in a separate layer, visible with docker diff)
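The items in this list, and the "free-for-all" anti-pattern in the wrap-up, are all visible on the `docker run` command line, so they can be audited before a container reaches production. The checker below is an example added for this write-up, not code from the talk or from Docker. It parses a `docker run` argument list and reports settings that undo the isolation just described (privileged mode, host namespaces, the daemon socket mounted in, seccomp/AppArmor switched off, no read-only rootfs, the default capability set retained, no user, no cgroup limits, an unpinned image). Both command lines are constructed and the image names are placeholders; a few of the hardening flags it looks for (--tmpfs, --pids-limit, no-new-privileges) arrived in Docker releases shortly after this talk.

```python
"""Audit a `docker run` argument list for isolation-weakening settings.
Example code added to this write-up; both command lines are constructed."""
import shlex

LOOSE_CMD = ("docker run -d --privileged --net=host --pid=host "
             "-v /var/run/docker.sock:/var/run/docker.sock "
             "--security-opt seccomp=unconfined example/web:1.0")

TIGHT_CMD = ("docker run -d --read-only --cap-drop=ALL --cap-add=NET_BIND_SERVICE "
             "--tmpfs /tmp --security-opt no-new-privileges "
             "--memory 256m --pids-limit 100 --user 1000:1000 "
             "-p 8080:8080 example/web@sha256:0123")

# Flags that take a separate value when not written as --flag=value.
VALUE_FLAGS = {"-v", "--volume", "--net", "--network", "--pid", "--ipc",
               "--security-opt", "--cap-add", "--cap-drop", "--tmpfs",
               "--user", "-u", "-p", "--publish", "--memory", "-m",
               "--pids-limit", "--name", "-e", "--env", "--device"}


def parse_run_args(cmd):
    """Return ([(flag, value_or_None), ...], image_ref) for a `docker run` line."""
    argv = shlex.split(cmd)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command")
    opts, image, i = [], None, 2
    while i < len(argv):
        a = argv[i]
        if not a.startswith("-"):
            image = a            # first positional is the image; the rest is its command
            break
        if a.startswith("--") and "=" in a:
            flag, val = a.split("=", 1)
        elif a in VALUE_FLAGS:
            flag, val = a, argv[i + 1]
            i += 1
        else:
            flag, val = a, None
        opts.append((flag, val))
        i += 1
    return opts, image


def audit_run(cmd):
    """List of findings; empty means every check passed."""
    opts, image = parse_run_args(cmd)
    flags = {f for f, _ in opts}

    def vals(*names):
        return [v for k, v in opts if k in names]

    findings = []
    if "--privileged" in flags:
        findings.append("--privileged: every capability, host devices, seccomp/AppArmor off")
    for spec in vals("-v", "--volume"):
        src = spec.split(":")[0]
        if src.endswith("docker.sock"):
            findings.append("docker.sock mounted: container can drive the daemon (root on the host)")
        elif src == "/":
            findings.append("host root filesystem mounted")
    for ns, names in (("network", ("--net", "--network")), ("pid", ("--pid",)), ("ipc", ("--ipc",))):
        if "host" in vals(*names):
            findings.append("%s namespace shared with the host (%s=host)" % (ns, names[0]))
    for opt in vals("--security-opt"):
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append("%s: syscall/MAC filtering disabled" % opt)
    if "--read-only" not in flags:
        findings.append("root filesystem writable: add --read-only (plus --tmpfs for scratch dirs)")
    if "ALL" not in [v.upper() for v in vals("--cap-drop")]:
        findings.append("default capability set retained: use --cap-drop=ALL and add back only what is needed")
    if "SYS_ADMIN" in [v.upper() for v in vals("--cap-add")]:
        findings.append("--cap-add=SYS_ADMIN is close to root on the host")
    if not vals("--user", "-u"):
        findings.append("no --user: process runs as the image's default user, usually root")
    if not vals("--memory", "-m"):
        findings.append("no --memory limit: cgroups not used to bound RAM")
    if not vals("--pids-limit"):
        findings.append("no --pids-limit: a fork bomb can exhaust the host")
    if image is None or "@sha256:" not in image:
        findings.append("image %r not pinned by digest; rely on Content Trust or a digest" % image)
    return findings


if __name__ == "__main__":
    for label, cmd in (("loose", LOOSE_CMD), ("tight", TIGHT_CMD)):
        print(label, audit_run(cmd) or ["no findings"])
```

The loose command trips every check except `--cap-add=SYS_ADMIN`; the tight one passes clean. Note the order of the capability checks: `--cap-drop=ALL` followed by a single `--cap-add` is the pattern the slide recommends, and it is what the tight command encodes.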
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Baremetal (on Linux)
Virtual Machines
IaaS, OpenStack, etc
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION / SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers on a single host)
Host monitoring vs. container monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel Systems
Arista announces container support in EOS
Citrix supports NetScaler as a container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative
