Securing Containers from Day One
Kumar Ashwin
0xcardinal.com
null Ahmedabad
Container Security
About Me
Kumar Ashwin
• Security Consultant @ Payatu
• Manages null Study Groups for six different Security Domains and also
contributes to other communities
• 0xcardinal.com
• 0xCardinal on social platforms
Agenda
• What are containers?
• Why do we need containers?
• VMs vs. Containers
• Cgroups & Namespaces
• Docker Primer
• Build Optimization
• Security
• Resources
• QnA
https://giphy.com/gifs/rockstargames-usz0fqhUiVxSs6IUKB
What are containers?
A container is nothing but another Linux process, isolated from the other
processes running on the same host.
Why do we need containers?
Virtual Machines vs. Containers
https://www.docker.com/blog/containers-replacing-virtual-machines/
cgroups & namespaces
namespaces
• A namespace defines what a container can see; namespaces are created and entered
through syscalls such as unshare.
https://wizardzines.com/comics/namespaces/
Demo: namespaces
Shows how namespaces work using unshare: creating user and network namespaces and
demonstrating the difference in what the process can see.
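An added example, not part of the original slides, that does what the demo describes through the unshare(2) syscall instead of the unshare command: a child process enters fresh user and network namespaces and compares its view (namespace inodes, effective uid, visible interfaces) with the parent's. The function names and the return-code convention are this example's own; where the kernel or the container runtime forbids unprivileged user namespaces it reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Identity of the calling process's namespace of the given kind ("user",
 * "net", ...): the inode number behind /proc/self/ns/<kind>. Two processes
 * are in the same namespace exactly when these inodes match. 0 if unknown. */
static ino_t ns_inode(const char *kind) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/ns/%s", kind);
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

/* Number of network interfaces visible from the calling process. */
static size_t interface_count(void) {
    struct if_nameindex *ifs = if_nameindex();
    size_t n = 0;
    if (ifs == NULL) return 0;
    for (struct if_nameindex *p = ifs; p->if_index != 0; p++) n++;
    if_freenameindex(ifs);
    return n;
}

/* Snapshot of the parent's view, taken before fork() so the child inherits it. */
static ino_t parent_user_ns, parent_net_ns;
static uid_t parent_uid;
static size_t parent_ifaces;

/* Runs in the child after unshare(CLONE_NEWUSER | CLONE_NEWNET).
 * Returns 0 when every expected difference is observed, 1 otherwise. */
static int check_isolated_view(void) {
    int ok = 1;
    ok &= ns_inode("user") != parent_user_ns;  /* fresh user namespace    */
    ok &= ns_inode("net") != parent_net_ns;    /* fresh network namespace */
    /* no uid_map written yet, so the child sees the overflow uid (65534 by
     * default) instead of the parent's uid */
    ok &= geteuid() != parent_uid || parent_uid == 65534;
    ok &= interface_count() == 1;              /* only a (down) loopback  */
    return ok ? 0 : 1;
}

/* Fork a child, move it into new user + network namespaces and compare its
 * view with the parent's. Returns 0 when the isolation was observed, 2 when
 * the kernel or container runtime forbids unprivileged user namespaces
 * (e.g. kernel.unprivileged_userns_clone=0, or a seccomp profile that denies
 * unshare), 1 on an unexpected view and -1 on a fork/wait or /proc error. */
int namespace_demo(void) {
    parent_user_ns = ns_inode("user");
    parent_net_ns = ns_inode("net");
    parent_uid = geteuid();
    parent_ifaces = interface_count();
    if (parent_user_ns == 0 || parent_net_ns == 0) return -1; /* no /proc */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSPC ? 2 : 3);
        _exit(check_isolated_view());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int rc = WEXITSTATUS(status);
    printf("parent: user ns %lu, net ns %lu, uid %u, %zu interface(s)\n",
           (unsigned long)parent_user_ns, (unsigned long)parent_net_ns,
           (unsigned)parent_uid, parent_ifaces);
    printf("child : %s\n",
           rc == 0 ? "new user+net namespaces, overflow uid, loopback only"
         : rc == 2 ? "unprivileged user namespaces not permitted here"
                   : "unexpected view");
    return rc;
}

int main(void) { return namespace_demo() == 0 ? 0 : 1; }
```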
cgroups
• A cgroup defines what resources a container can use or access; like namespaces,
cgroups are driven through syscalls.
https://wizardzines.com/comics/cgroups/
Docker Primer 🐳
Myth busting: Docker itself is not a container.
What is Docker?
• Docker is a container engine: a piece of software that accepts user requests,
including command line options, pulls images, and from the end user's perspective
runs the container.
• Besides Docker there are other container engines as well, such as rkt, CRI-O
and LXD.
Docker Architecture
https://docs.docker.com/get-started/overview/
Docker Basics
• Images are stored in a registry; Docker pulls an image from the registry to
create one or more containers from it.
• Generally, a Dockerfile (a list of commands/instructions) is used to build a
container image.
• If you want to run a multi-container Docker application, Docker Compose is
your go-to tool.
• Common docker / docker compose commands that are generally used:
• docker pull <image-name> - pulls an image from the registry
• docker run [args] <image-name> - runs a container from the given image
• docker build [args] - builds a container image from a Dockerfile
• docker-compose up - brings up a multi-container setup from docker-compose.yml
• docker ps - lists the running containers
• For every RUN, COPY and ADD instruction in a Dockerfile, a layer is created.
Dockerfile (* insecure)
Build Optimization
• Minimize the number of layers; this improves performance.
• Use multi-stage builds.
• Do not install unnecessary packages.
• Decouple the application.
• Slim down the image using docker-slim.
• It promises to slim down the image by 30x - https://github.com/docker-slim/docker-slim
Why Dockerfile Security?
• Here we talk about securing images before they are built and the practices
we can follow to do so.
• A great starting point to look for security issues is the Dockerfile.
• Dockerfiles?
• They are the blueprints of the system/container that is to be created.
• Infrastructure as Code (IaC)
• One of the main components of supply chain security as a whole.
Security Best-Practices
• Prefer minimal base images
• Use a .dockerignore file to exclude files from the build context
• Create Golden Images
• Golden Images are hardened base images that can be used for further development
• Do not run containers as root
• Adding this to the Dockerfile switches the user (Alpine ships BusyBox adduser rather than useradd):
    FROM alpine:latest
    # -D: create the account without a password; -u: fixed, non-zero uid
    RUN adduser -D -u 1234 non-root-user
    USER non-root-user
• Do not commit secrets in Dockerfiles or containers
• Use BuildKit secret mounts to pass secrets to a build securely, without writing them into an image layer
• Use COPY instead of ADD, wherever possible
More Security Stuff
• Use linters like hadolint, which help build Docker images that follow best practices.
More Security Stuff
• Use dockle to scan images against CIS benchmarks.
• CIS Benchmark security comparison
Seccomp
• Seccomp is a security feature of the Linux kernel. It can be used to restrict
which system calls a Docker container is allowed to make.
• E.g.,
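An added example, not from the slides, showing what a seccomp rule does underneath Docker's --security-opt seccomp=profile.json: a BPF filter installed with prctl(2) that fails the mkdir/mkdirat syscalls with EPERM while allowing everything else, and the libc mkdir() call then failing under it. The function names and the scratch path are this example's own; it maps only the x86_64 and aarch64 syscall ABIs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* seccomp filters check the syscall ABI first; anything else is killed so a
 * syscall made through a foreign ABI (e.g. 32-bit on x86_64) cannot bypass
 * the number-based rules below. Only two architectures are mapped here. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_DENIED 16

/* Install a filter that fails every syscall number in `denied` with EPERM and
 * allows everything else: the same shape as a deny rule in a Docker seccomp
 * profile ({"names": [...], "action": "SCMP_ACT_ERRNO"}). Irreversible for
 * this process and inherited by its children. Returns 0 on success. */
int install_deny_filter(const int *denied, size_t n) {
    struct sock_filter prog[4 + 2 * MAX_DENIED + 1];
    size_t k = 0;
    if (n > MAX_DENIED) return -1;

    /* A = seccomp_data.arch; if it is not ours, kill the process */
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* A = seccomp_data.nr; one "if nr == X return EPERM" pair per denied call */
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)denied[i], 0, 1);
        prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    /* no_new_privs is required so an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Attempt mkdir(path) and report the errno it produced (0 = success). */
int mkdir_errno(const char *path) {
    if (mkdir(path, 0700) == 0) {
        rmdir(path);
        return 0;
    }
    return errno;
}

/* Deny directory creation for this process and show that the libc call now
 * fails with EPERM. Both syscall numbers are listed because libc may use
 * either (x86_64 glibc: mkdir; aarch64: mkdirat). Returns the errno seen
 * after the filter, or -1 if the filter could not be installed. */
int seccomp_demo(void) {
    int denied[2];
    size_t n = 0;
#ifdef SYS_mkdir
    denied[n++] = SYS_mkdir;
#endif
#ifdef SYS_mkdirat
    denied[n++] = SYS_mkdirat;
#endif
    const char *path = "/tmp/seccomp-demo.d"; /* constructed scratch path */
    printf("before filter: mkdir -> errno %d\n", mkdir_errno(path));
    if (install_deny_filter(denied, n) != 0) return -1;
    int after = mkdir_errno(path);
    printf("after filter : mkdir -> errno %d (%s)\n", after,
           after == EPERM ? "EPERM" : "?");
    return after;
}

int main(void) { return seccomp_demo() == EPERM ? 0 : 1; }
```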
Some Resources
• Containers from Scratch [YouTube]
• Dockerfile Best Practices
• Multi-stage builds
• dockle checkpoint comparison
• Tips for optimizing builds
• Dockerfile Tutorial
• Practical guide to write Dockerfile
QnA
Securing Containers from Day One
Thank You!
twitter.com/0xcardinal
Kumar Ashwin