1/29/2016 Docker Security Introduction
http://159.203.15.183:8080/#/ 1/59
DOCKER SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
@fsmontenegro
ABOUT US - RICARDO
Senior IT Consultant
Network Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
@ricardogerardi
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications on a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux kernel (3.8+)
Namespaces
cgroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers not as isolated as VMs.
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent (they share the host kernel).
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure registry/mirror access
Getting trustworthy images
trusted sources - Docker Hub, private registry
building securely
Docker Content Trust (1.8) [Notary]
"only signed content in production"
YubiKey hardware keys for signing
DOCKER'S PROJECT NAUTILUS
Docker securing images on Docker Hub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are (ideally) stateless
Persistent data goes in mounted volumes
How to do Secrets Management?
ENV variables - not recommended (shown by docker inspect, inherited by every child process)
Key/Value pair solutions (Vault & Keywhiz)
Embedded in orchestration (Kubernetes)
Custom solutions
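Why the "ENV variables - not recommended" point holds, and what the file-based alternative looks like, as an added example (my code, not from the talk). It demonstrates two things: a variable placed in a process's environment is inherited by every child it spawns (and `docker inspect` prints `Config.Env` to anyone who can reach the daemon socket), whereas a secret delivered as a file (a tmpfs or volume mount in practice; a temporary file here) can be permission-checked and read only by the code that needs it. The variable name DB_PASSWORD, the file names and the value "hunter2" are constructed for the demonstration.

```python
"""Secrets in environment variables vs. secrets in a permission-checked file.

Added example, not from the talk. Names and values below are made up.
"""
import os
import stat
import subprocess
import sys
import tempfile


def secret_leaks_to_child(name, value):
    """Set `name` in an environment, spawn a child that was never told the
    value explicitly, and return what the child sees (the leak)."""
    env = dict(os.environ, **{name: value})
    # The child is a fresh interpreter; it inherits the whole environment.
    out = subprocess.run(
        [sys.executable, "-c",
         f"import os; print(os.environ.get({name!r}, ''))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def read_secret_file(path):
    """Read a secret from a file, refusing it if group/other could access it.

    In a container this path would be a mounted tmpfs/volume file owned by
    the service user with mode 0400 or 0600.
    """
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is group/world accessible (mode {stat.filemode(st.st_mode)})")
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def demo():
    """Constructed walkthrough; returns (leaked_value, value_from_file, rejected).

    leaked_value     : what an unrelated child process sees via the environment
    value_from_file  : the secret read from a 0600 file
    rejected         : True if the 0644 copy was refused by read_secret_file
    """
    leaked = secret_leaks_to_child("DB_PASSWORD", "hunter2")
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db_password")
        with open(good, "w", encoding="utf-8") as f:
            f.write("hunter2\n")
        os.chmod(good, 0o600)
        from_file = read_secret_file(good)

        bad = os.path.join(d, "db_password_world_readable")
        with open(bad, "w", encoding="utf-8") as f:
            f.write("hunter2\n")
        os.chmod(bad, 0o644)
        try:
            read_secret_file(bad)
            rejected = False
        except PermissionError:
            rejected = True
    return leaked, from_file, rejected


if __name__ == "__main__":
    leaked, from_file, rejected = demo()
    print("child process saw DB_PASSWORD =", repr(leaked))
    print("read from 0600 file          =", repr(from_file))
    print("0644 file rejected           =", rejected)
```

The file check is the minimum; a real deployment would also mount the secret read-only, avoid baking it into an image layer, and rotate it through one of the stores listed above rather than a hand-placed file.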
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, I/O controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities (--cap-add / --cap-drop)
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication (--icc=false on the daemon)
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
read-only filesystems (--read-only)
drop capabilities when possible
seccomp - filtering system calls
journaled changes (image layers are immutable; runtime writes land in the container layer and can be listed with docker diff)
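An added example (my code, not from the talk and not Docker's own tooling) that turns the two lists above, the isolation features and the hardening recommendations, into a check a practitioner can run: it audits `docker inspect` output for the anti-patterns the deck warns about (privileged containers, dangerous added capabilities, shared host network or PID namespace, writable root filesystem, seccomp/AppArmor switched off, the Docker socket bind-mounted in). The field names (`HostConfig.Privileged`, `CapAdd`, `ReadonlyRootfs`, `SecurityOpt`, `NetworkMode`, `PidMode`, `Binds`) are the real `docker inspect` keys; the two sample containers and their settings are constructed for the demonstration.

```python
"""Audit container runtime settings for the hardening points above.

Added example (not from the talk). Runs over constructed JSON shaped like
`docker inspect` output; the sample containers are made up.
"""
import json

# Capabilities that hand over most of the host when granted to a container.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry (empty = clean)."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices, no isolation")
    bad_caps = DANGEROUS_CAPS.intersection(hc.get("CapAdd") or [])
    if bad_caps:
        findings.append("cap-add of dangerous capabilities: " + ", ".join(sorted(bad_caps)))
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace shared: no network isolation")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace shared: host processes visible")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: consider --read-only")
    sec_opts = hc.get("SecurityOpt") or []
    if "seccomp=unconfined" in sec_opts:
        findings.append("seccomp disabled: no syscall filtering")
    if "apparmor=unconfined" in sec_opts:
        findings.append("AppArmor disabled")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src == "/var/run/docker.sock":
            findings.append("docker socket mounted: container can drive the daemon (root on host)")
        elif src == "/":
            findings.append("host root filesystem bind-mounted")
    return findings


def audit_inspect_json(text):
    """Parse `docker inspect` JSON (a list of entries) -> {container name: findings}."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(text)}


# Constructed sample: one container run with the hardening flags, one "free-for-all".
SAMPLE_INSPECT = json.dumps([
    {"Name": "/webapp-hardened",
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
                    "NetworkMode": "bridge", "PidMode": "", "Binds": None}},
    {"Name": "/ci-runner-sloppy",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "ReadonlyRootfs": False, "SecurityOpt": None,
                    "NetworkMode": "host", "PidMode": "",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a real host the input would be `docker inspect $(docker ps -q)`; Docker Bench (listed under the resources at the end) runs a much fuller set of checks against the daemon and host as well as the containers.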
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Bare metal (on Linux)
Virtual Machines
IaaS, OpenStack, etc
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION/SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host monitoring vs. container monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile the application together with only the kernel services it needs into a single image
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel Systems
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative
