SlideShare a Scribd company logo

Docker Security Overview

Download as PPTX, PDF
Sreenivas Makam
Sreenivas Makam

Overview of Docker Security features(till release 1.12)

Technology
1 of 18
DOCKER SECURITY OVERVIEW (AS OF RELEASE 1.12) Presenter Name: Sreenivas Makam Presented at: Docker Meetup Bangalore Presentation Date: July 9, 2016
About me • Senior Engineering Manager at Cisco Systems Data Center group • Author of “Mastering CoreOS” https://www.packtpub.com/networki ng-and-servers/mastering-coreos/ ) • Docker Captain(https://www.docker.com/co mmunity/docker-captains ) • Blog: https://sreeninet.wordpress.com/ • Code: https://github.com/smakam • Linkedin: https://in.linkedin.com/in/sreenivas makam • Twitter: @srmakam
Docker Security modules Docker Engine Docker Client Authorization Registry SELinux AppArmor Seccomp Capabilities Namespaces Cgroups Multitenant Security Scan Image Signing TLS Request/ Response Container image TLS RBAC
Linux kernel - Container Security support • Namespaces – PID, Mount, Network, IPC, UTC, User. • Cgroups – Limit CPU, Memory, IO • Capabilities – Reduced root access. 36 capabilities to control as of kernel 3.19.0.21. • Seccomp profiles – Control kernel system calls. 300+ system calls available that can be controlled using these profiles. • Special kernel modules like AppArmor, SELinux – Provides granular control over Kernel resources.
Namespaces – PID, Mount docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash PID namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 15 ? 00:00:00 ps Ubuntu2 Container: root@8beb85abe6a5:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 14 ? 00:00:00 ps Host: $ ps -eaf|grep root | grep bash root 5413 1697 0 05:54 pts/28 00:00:00 bash root 5516 1697 0 05:54 pts/31 00:00:00 bash Mount namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu1 var Ubuntu2 Container: root@8beb85abe6a5:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu2 var • With PID namespace, each Container gets its own process ID namespace. • With Mount namespace, each Container gets its own copy of filesystem.
Namespaces – Network, UTS • With Network namespace, each Container gets its own interfaces along with IP address. Ubuntu1 Container: root@3a1bf12161c9:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:02 inet addr:172.21.0.2 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:2/64 Ubuntu2 Container: root@8beb85abe6a5:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:03 inet addr:172.21.0.3 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:3/64 • With UTS namespace, each Container gets its own hostname and domainname. Ubuntu1 Container: root@3a1bf12161c9:/# hostname 3a1bf12161c9 Ubuntu2 Container: root@8beb85abe6a5:/# hostname 8beb85abe6a5
Namespaces - IPC • IPC namespace isolates Message queues, Semaphores, Shared memory Ubuntu 1 Container: Create shared memory: root@3a1bf12161c9:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@3a1bf12161c9:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x2fba9021 0 root 644 100 0 Ubuntu 2 Container: Create shared memory: root@8beb85abe6a5:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@8beb85abe6a5:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x1f91e62c 0 root 644 100 0
Namespaces - User • With User namespace, userid and groupid in a namespace is different from host machine’s userid and groupid for the same user and group. • User namespaces are available from Linux kernel versions > 3.8. • For example, root user inside Container is not root inside host machine. This provides greater security. • Docker introduced support for user namespace in version 1.10. • To use user namespace, Docker daemon needs to be started with “–userns-remap=username/uid:groupname/gid”. Using “default” for username will create “dockremap” user. Ubuntu1 Container: root@3a1bf12161c9:/# id uid=0(root) gid=0(root) groups=0(root) Host: $ ps -eaf|grep bash 231072 4080 4040 0 22:45 pts/13 00:00:00 bash $ cat /proc/4080/uid_map 0 231072 65536 (userid 0 in Container is mapped to 231072 in host)
cgroups • cgroups is a Linux kernel feature that provides capability to restrict resources like cpu, memory, io, network bandwidth among a set of processes. • Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container. • Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. (cpu share and blkioweight are ratios) docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 -- name ubuntu1 ubuntu bash
Capabilities • In Linux, root user typically has all privileges enabled. Capabilities allow finer control for the capabilities that can be allowed for root user. • In Linux 3.19.0.21, there are 36 capabilities. All capabilities can be seen in “/usr/include/linux/capability.h”. • Examples of capabilities are setuid, setgid, socket access, set time. • Docker turns on only 14 capabilities by default for Containers started with default options. • Capabilities like insert/remove kernel modules, system clock manipulation are blocked. Container with raw net capability turned off: docker run -ti --name ubuntu1 --cap- drop=net_raw ubuntu bash Network access blocked: # ping google.com ping: icmp open socket: Operation not permitted
Seccomp • Linux kernel feature that limits the system calls that a process can make based on the specified profile. • Docker uses Seccomp to control the system calls that Container can make. • Examples of system calls – bind, accept, fork. • Docker disables around 44 of 300+ system calls for Containers started with default options. Example of disabled system calls include mount, settimeofday. • Default Docker Seccomp profile is available here. Profile disabling chmod system call: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } Seccomp illustration: $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profil e.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted
Linux kernel Security modules – AppArmor, SELinux • Both AppArmor and SELinux are kernel modules that gives fine grained control to restrict access to system resources. • When AppArmor is active for an application, the operating system allows the application to access only those files and folders that are mentioned in its security profile. • SElinux is a labeling system. Every process, file, directory, network ports, devices has a label assigned to it. We write rules to control the access of a process label to an a object label like a file. The kernel enforces the rules specified in the policy. • In Redhat distributions, SELinux is supported. Ubuntu distributions supports AppArmor. • AppArmor profiles are easy to create, SELinux is difficult. SELinux profiles are more comprehensive compared to AppArmor.
Docker Engine Secure access • Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/run/docker.sock”. • For accessing Docker engine remotely, “http” or “https” using TLS can be used. • “http” is not advised to be used for security reasons. • “https” with TLS provides confidentiality, authentication as well as integrity. • Certificates can be used to establish identity of client and server. • For testing purposes, Certificates can be generated using Openssl. For commercial purposes, certificates can be purchased from sources like CA.
Authorization plugin • Authorization plugin can provide granular access to the Docker daemon based on userid, groupid, command executed, command arguments, time of day etc. • Authorization plugin informs Docker daemon if the specific command can be allowed or not based on the policy and the command executed. • Twistlock authz broker is one of the first plugins that is currently available. • In Twistlock case, policy is created as a JSON file and is given as argument to Docker daemon. • User identity support is not yet available in Docker engine. • Docker Data Center and Docker cloud provides RBAC and Multi-tenant support. Policy.json: {"name":"policy_1","users":[""],"actions":["contain er"] , "readonly":true} – Read-only Container policy Starting Docker daemon with auth policy.json: docker run -d --restart=always -v /var/lib/authz- broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
Container image signing • Container images needs to be signed so that the client knows that image is coming from a trusted source and that it is not tampered with. • Content publisher takes care of signing Container image and pushing it into the registry. • The Docker content trust is an implementation of the Notary open source project. The Notary open source project is based on The Update Framework (TUF) project. • When content trust is enabled, we can pull only signed images. • When content trust is not enabled, both signed and unsigned images can be pulled. • Docker content trust is enabled with “export DOCKER_CONTENT_TRUST=1”. • When the publisher pushes the image for the first time using docker push, there is a need to enter a passphrase for the root key . • When pushing new image or new image version, publisher needs to enter passphrase for repository key. • Docker has also added support for hardware keys using Yubikey • Keys should be saved safely and backups should be taken.
Container Image scanning • Docker Security Scan scans Container images and reports vulnerabilities. • Scanning is done by comparing each Container layer component with CVE databases. • Additional binary scan is done to make sure that the package is not tampered with. • Pro-active notification is given to both the publisher and user of Container images. • Available currently in Docker hub and Docker cloud. Will be added soon to Docker data center.
Docker Security - Best Practices Docker enables Security by default and the default options suffice most of the needs. Following are few best practices: • Have separate containers for each micro-service keeping Container image size small. • Don’t put ssh inside container, “docker exec” can be used to ssh to Container. • Use only signed Container images. • Mount devices and volumes as read-only. • Run application as non-root. If root access is needed, run as root only for limited operations using features like Capabilities, Seccomp, SELinux/AppArmor. • Keep OS secure with regular updates. Using Container optimized OS is an option here since they provide automatic pushed update. • Store root keys, passphrase in a safe place and not expose in Dockerfile. Docker has plans to manage keys with Docker datacenter. • Use Docker official images. These images are curated by Docker so that the highest quality and security is maintained for the official images. • Use Container security scanning to check for vulnerabilities. • Use TLS for remote Docker daemon access.
References • Docker Security documentation(https://docs.docker.com/engine/security/security/ ) • Container namespaces (http://crosbymichael.com/creating- containers-part-1.html) • Docker Security article series (https://opensource.com/business/15/3/docker-security-tuning) • Docker Security blog series (https://sreeninet.wordpress.com/2016/03/06/docker-security- part-1overview/) • Docker Security scan(https://blog.docker.com/2016/05/docker- security-scanning/) • Authorization plugin (https://www.twistlock.com/2016/02/18/docker-authz-plugins- twistlocks-contribution-to-the-docker-community/)

Recommended

Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerLuong Vo
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with DockerRavindu Fernando
 
Monitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMonitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMartin Etmajer
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionPeng Xiao
 

Recommended

Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerLuong Vo
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with DockerRavindu Fernando
 
Monitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMonitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMartin Etmajer
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionPeng Xiao
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
Docker Tutorial.pdf
Docker Tutorial.pdfDocker Tutorial.pdf
Docker Tutorial.pdfMuhammadYusuf767705
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersYajushi Srivastava
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesabhishek chawla
 
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...Simplilearn
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Getting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | EdurekaGetting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | EdurekaEdureka!
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking OverviewSreenivas Makam
 
Docker Basics
Docker BasicsDocker Basics
Docker BasicsDuckDuckGo
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX ContainerAraf Karsh Hamid
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfEdith Puclla
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerJohn Willis
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageejlp12
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumSreenivas Makam
 

More Related Content

What's hot

Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersYajushi Srivastava
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesabhishek chawla
 
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...Simplilearn
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Getting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | EdurekaGetting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | EdurekaEdureka!
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking OverviewSreenivas Makam
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfEdith Puclla
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerJohn Willis
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageejlp12
 

What's hot (20)

Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefits
 
Docker Tutorial.pdf
Docker Tutorial.pdfDocker Tutorial.pdf
Docker Tutorial.pdf
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Container security
Container securityContainer security
Container security
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and Containers
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker Compose
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
 
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
Docker Compose | Docker Compose Tutorial | Docker Tutorial For Beginners | De...
 
Container Security
Container SecurityContainer Security
Container Security
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
Getting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | EdurekaGetting Started With Docker | Docker Tutorial | Docker Training | Edureka
Getting Started With Docker | Docker Tutorial | Docker Training | Edureka
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and image
 

Viewers also liked

Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumSreenivas Makam
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 PresentationSreenivas Makam
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current StatusSreenivas Makam
 
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverSreenivas Makam
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesSreenivas Makam
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudSreenivas Makam
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsSreenivas Makam
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill'Detola Amure
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container SecurityFlawCheck
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 

Viewers also liked (20)

Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and Tutum
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in Networking
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
 
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloud
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing options
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container Security
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 

Similar to Docker Security Overview

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPivotalOpenSourceHub
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux ContainersJignesh Shah
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Patrick Chanezon
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container SecurityAll Things Open
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionBen Hall
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetesDongwon Kim
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesYigal Elefant
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recapehazlett
 

Similar to Docker Security Overview (20)

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh Shah
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux Containers
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
Container security
Container securityContainer security
Container security
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container Security
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recap
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 

More from Sreenivas Makam

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringSreenivas Makam
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run Sreenivas Makam
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemSreenivas Makam
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps DevopsSreenivas Makam
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingSreenivas Makam
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesSreenivas Makam
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesSreenivas Makam
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature OverviewSreenivas Makam
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingSreenivas Makam
 

More from Sreenivas Makam (11)

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage Metering
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystem
 
My kubernetes toolkit
My kubernetes toolkitMy kubernetes toolkit
My kubernetes toolkit
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps Devops
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notes
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature Overview
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
 

Recently uploaded

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Docker Security Overview

  • 1. DOCKER SECURITY OVERVIEW (AS OF RELEASE 1.12) Presenter Name: Sreenivas Makam Presented at: Docker Meetup Bangalore Presentation Date: July 9, 2016
  • 2. About me • Senior Engineering Manager at Cisco Systems Data Center group • Author of “Mastering CoreOS” https://www.packtpub.com/networki ng-and-servers/mastering-coreos/ ) • Docker Captain(https://www.docker.com/co mmunity/docker-captains ) • Blog: https://sreeninet.wordpress.com/ • Code: https://github.com/smakam • Linkedin: https://in.linkedin.com/in/sreenivas makam • Twitter: @srmakam
  • 3. Docker Security modules Docker Engine Docker Client Authorization Registry SELinux AppArmor Seccomp Capabilities Namespaces Cgroups Multitenant Security Scan Image Signing TLS Request/ Response Container image TLS RBAC
  • 4. Linux kernel - Container Security support • Namespaces – PID, Mount, Network, IPC, UTC, User. • Cgroups – Limit CPU, Memory, IO • Capabilities – Reduced root access. 36 capabilities to control as of kernel 3.19.0.21. • Seccomp profiles – Control kernel system calls. 300+ system calls available that can be controlled using these profiles. • Special kernel modules like AppArmor, SELinux – Provides granular control over Kernel resources.
  • 5. Namespaces – PID, Mount docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash PID namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 15 ? 00:00:00 ps Ubuntu2 Container: root@8beb85abe6a5:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 14 ? 00:00:00 ps Host: $ ps -eaf|grep root | grep bash root 5413 1697 0 05:54 pts/28 00:00:00 bash root 5516 1697 0 05:54 pts/31 00:00:00 bash Mount namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu1 var Ubuntu2 Container: root@8beb85abe6a5:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu2 var • With PID namespace, each Container gets its own process ID namespace. • With Mount namespace, each Container gets its own copy of filesystem.
  • 6. Namespaces – Network, UTS • With Network namespace, each Container gets its own interfaces along with IP address. Ubuntu1 Container: root@3a1bf12161c9:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:02 inet addr:172.21.0.2 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:2/64 Ubuntu2 Container: root@8beb85abe6a5:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:03 inet addr:172.21.0.3 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:3/64 • With UTS namespace, each Container gets its own hostname and domainname. Ubuntu1 Container: root@3a1bf12161c9:/# hostname 3a1bf12161c9 Ubuntu2 Container: root@8beb85abe6a5:/# hostname 8beb85abe6a5
  • 7. Namespaces - IPC • IPC namespace isolates Message queues, Semaphores, Shared memory Ubuntu 1 Container: Create shared memory: root@3a1bf12161c9:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@3a1bf12161c9:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x2fba9021 0 root 644 100 0 Ubuntu 2 Container: Create shared memory: root@8beb85abe6a5:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@8beb85abe6a5:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x1f91e62c 0 root 644 100 0
  • 8. Namespaces - User • With User namespace, userid and groupid in a namespace is different from host machine’s userid and groupid for the same user and group. • User namespaces are available from Linux kernel versions > 3.8. • For example, root user inside Container is not root inside host machine. This provides greater security. • Docker introduced support for user namespace in version 1.10. • To use user namespace, Docker daemon needs to be started with “–userns-remap=username/uid:groupname/gid”. Using “default” for username will create “dockremap” user. Ubuntu1 Container: root@3a1bf12161c9:/# id uid=0(root) gid=0(root) groups=0(root) Host: $ ps -eaf|grep bash 231072 4080 4040 0 22:45 pts/13 00:00:00 bash $ cat /proc/4080/uid_map 0 231072 65536 (userid 0 in Container is mapped to 231072 in host)
  • 9. cgroups • cgroups is a Linux kernel feature that provides capability to restrict resources like cpu, memory, io, network bandwidth among a set of processes. • Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container. • Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. (cpu share and blkioweight are ratios) docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 -- name ubuntu1 ubuntu bash
  • 10. Capabilities • In Linux, root user typically has all privileges enabled. Capabilities allow finer control for the capabilities that can be allowed for root user. • In Linux 3.19.0.21, there are 36 capabilities. All capabilities can be seen in “/usr/include/linux/capability.h”. • Examples of capabilities are setuid, setgid, socket access, set time. • Docker turns on only 14 capabilities by default for Containers started with default options. • Capabilities like insert/remove kernel modules, system clock manipulation are blocked. Container with raw net capability turned off: docker run -ti --name ubuntu1 --cap- drop=net_raw ubuntu bash Network access blocked: # ping google.com ping: icmp open socket: Operation not permitted
  • 11. Seccomp • Linux kernel feature that limits the system calls that a process can make based on the specified profile. • Docker uses Seccomp to control the system calls that Container can make. • Examples of system calls – bind, accept, fork. • Docker disables around 44 of 300+ system calls for Containers started with default options. Example of disabled system calls include mount, settimeofday. • Default Docker Seccomp profile is available here. Profile disabling chmod system call: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } Seccomp illustration: $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profil e.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted
  • 12. Linux kernel Security modules – AppArmor, SELinux • Both AppArmor and SELinux are kernel modules that gives fine grained control to restrict access to system resources. • When AppArmor is active for an application, the operating system allows the application to access only those files and folders that are mentioned in its security profile. • SElinux is a labeling system. Every process, file, directory, network ports, devices has a label assigned to it. We write rules to control the access of a process label to an a object label like a file. The kernel enforces the rules specified in the policy. • In Redhat distributions, SELinux is supported. Ubuntu distributions supports AppArmor. • AppArmor profiles are easy to create, SELinux is difficult. SELinux profiles are more comprehensive compared to AppArmor.
  • 13. Docker Engine Secure access • Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/run/docker.sock”. • For accessing Docker engine remotely, “http” or “https” using TLS can be used. • “http” is not advised to be used for security reasons. • “https” with TLS provides confidentiality, authentication as well as integrity. • Certificates can be used to establish identity of client and server. • For testing purposes, Certificates can be generated using Openssl. For commercial purposes, certificates can be purchased from sources like CA.
  • 14. Authorization plugin • Authorization plugin can provide granular access to the Docker daemon based on userid, groupid, command executed, command arguments, time of day etc. • Authorization plugin informs Docker daemon if the specific command can be allowed or not based on the policy and the command executed. • Twistlock authz broker is one of the first plugins that is currently available. • In Twistlock case, policy is created as a JSON file and is given as argument to Docker daemon. • User identity support is not yet available in Docker engine. • Docker Data Center and Docker cloud provides RBAC and Multi-tenant support. Policy.json: {"name":"policy_1","users":[""],"actions":["contain er"] , "readonly":true} – Read-only Container policy Starting Docker daemon with auth policy.json: docker run -d --restart=always -v /var/lib/authz- broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
  • 15. Container image signing • Container images needs to be signed so that the client knows that image is coming from a trusted source and that it is not tampered with. • Content publisher takes care of signing Container image and pushing it into the registry. • The Docker content trust is an implementation of the Notary open source project. The Notary open source project is based on The Update Framework (TUF) project. • When content trust is enabled, we can pull only signed images. • When content trust is not enabled, both signed and unsigned images can be pulled. • Docker content trust is enabled with “export DOCKER_CONTENT_TRUST=1”. • When the publisher pushes the image for the first time using docker push, there is a need to enter a passphrase for the root key . • When pushing new image or new image version, publisher needs to enter passphrase for repository key. • Docker has also added support for hardware keys using Yubikey • Keys should be saved safely and backups should be taken.
  • 16. Container Image scanning • Docker Security Scan scans Container images and reports vulnerabilities. • Scanning is done by comparing each Container layer component with CVE databases. • Additional binary scan is done to make sure that the package is not tampered with. • Pro-active notification is given to both the publisher and user of Container images. • Available currently in Docker hub and Docker cloud. Will be added soon to Docker data center.
  • 17. Docker Security - Best Practices Docker enables Security by default and the default options suffice most of the needs. Following are few best practices: • Have separate containers for each micro-service keeping Container image size small. • Don’t put ssh inside container, “docker exec” can be used to ssh to Container. • Use only signed Container images. • Mount devices and volumes as read-only. • Run application as non-root. If root access is needed, run as root only for limited operations using features like Capabilities, Seccomp, SELinux/AppArmor. • Keep OS secure with regular updates. Using Container optimized OS is an option here since they provide automatic pushed update. • Store root keys, passphrase in a safe place and not expose in Dockerfile. Docker has plans to manage keys with Docker datacenter. • Use Docker official images. These images are curated by Docker so that the highest quality and security is maintained for the official images. • Use Container security scanning to check for vulnerabilities. • Use TLS for remote Docker daemon access.
  • 18. References • Docker Security documentation(https://docs.docker.com/engine/security/security/ ) • Container namespaces (http://crosbymichael.com/creating- containers-part-1.html) • Docker Security article series (https://opensource.com/business/15/3/docker-security-tuning) • Docker Security blog series (https://sreeninet.wordpress.com/2016/03/06/docker-security- part-1overview/) • Docker Security scan(https://blog.docker.com/2016/05/docker- security-scanning/) • Authorization plugin (https://www.twistlock.com/2016/02/18/docker-authz-plugins- twistlocks-contribution-to-the-docker-community/)

Editor's Notes

  1. Microsoft Confidential