RF
Uploaded byRiyaz Faizullabhoy
222 views

Securing your Containers

The document outlines security measures for container management, emphasizing the importance of using official images, Docker Bench for Security, and Docker Content Trust. It highlights key technologies such as user namespaces, cgroups, capabilities, seccomp, and AppArmor to ensure a secure pipeline during the build, ship, and run phases. The content stresses the need for auditing, vulnerability scanning, and systematically managing resource usage for effective container security.

Embed presentation

Download to read offline
Securing your Containers Steps to becoming Seaworthy Riyaz Faizullabhoy - @riyazdf Docker Security Team
Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
Official Images • Vetted for best practices • Scanned for CVEs • Lobby upstream to fix security problems • Promptly updated
• Check for secure daemon + system configuration • Audit containers in context • Check for best practices Docker Bench for Security
Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
Docker Content Trust • Sign images at point of authorship (using Notary) • Removes implicit trust of storage service and network • Guarantee integrity of your images when pulled
Nautilus • Scan images for CVEs • Detects vulns in libraries statically compiled into binaries
Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
User Namespaces • Map users and groups to their own UID/GID range • TL;DR - Root in a container is not root outside a container Docker Host Container 1 Container 2 Container 3
Control Groups • a.k.a cgroups • Control resource usage of a container • Good for container multitenancy
Capabilities • No longer root vs. non-root • Finer grained control on what the process can do
Seccomp • SECure COMPuting mode. • Filter permitted system calls
AppArmor • Per process security profiles • Define once, apply many times • Finest grained control
Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
THANK YOU

More Related Content

PPTX
Owning aws infrastructure services
bySuraj Khetani
 
PDF
Docker Basics
byPeter Perger
 
PDF
Container Security
bySalman Baset
 
PPTX
Docker Container Security
bySuraj Khetani
 
PPTX
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
PDF
Container Security
byJie Liau
 
PDF
Networking Overview for Docker Platform
byAditya Patawari
 
Owning aws infrastructure services
bySuraj Khetani
 
Docker Basics
byPeter Perger
 
Container Security
bySalman Baset
 
Docker Container Security
bySuraj Khetani
 
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
Container Security
byJie Liau
 
Networking Overview for Docker Platform
byAditya Patawari
 

What's hot

PDF
Docker Advanced registry usage
byDocker, Inc.
 
ODP
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
PDF
Docker Security and Content Trust
byehazlett
 
PPTX
RBAC in Azure Kubernetes Service AKS
byEmad Alashi
 
PDF
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
byDocker, Inc.
 
PDF
Container Security Essentials
byDNIF
 
PPTX
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
byDocker, Inc.
 
PDF
Docker Security - Continuous Container Security
byDieter Reuter
 
PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
PPTX
Kubernetes security
bySaiyam Pathak
 
PPTX
Jenkins as a Service - Code all the way down
bySteve Mactaggart
 
PDF
Intro to docker - innovation demo 2022
byHussain Mansoor
 
PDF
Docker swarm-mike-goelzer-mv-meetup-45min-workshop 02242016 (1)
byMichelle Antebi
 
PDF
Veer's Container Security
byJim Barlow
 
PPTX
Understanding container security
byJohn Kinsella
 
PDF
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
byDocker, Inc.
 
PPTX
Docker Security Overview
bySreenivas Makam
 
PPTX
How to be successful running Docker in Production
byDocker, Inc.
 
PPTX
Oracle database on Docker Container
byJesus Guzman
 
Docker Advanced registry usage
byDocker, Inc.
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
Docker Security and Content Trust
byehazlett
 
RBAC in Azure Kubernetes Service AKS
byEmad Alashi
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
byDocker, Inc.
 
Container Security Essentials
byDNIF
 
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
byDocker, Inc.
 
Docker Security - Continuous Container Security
byDieter Reuter
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
Kubernetes security
bySaiyam Pathak
 
Jenkins as a Service - Code all the way down
bySteve Mactaggart
 
Intro to docker - innovation demo 2022
byHussain Mansoor
 
Docker swarm-mike-goelzer-mv-meetup-45min-workshop 02242016 (1)
byMichelle Antebi
 
Veer's Container Security
byJim Barlow
 
Understanding container security
byJohn Kinsella
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
byDocker, Inc.
 
Docker Security Overview
bySreenivas Makam
 
How to be successful running Docker in Production
byDocker, Inc.
 
Oracle database on Docker Container
byJesus Guzman
 

Viewers also liked

DOC
Syirkah dan Ji'alah
byayusl268
 
PDF
SlideShare 101
byAmit Ranjan
 
PDF
Habits at Work - Merci Victoria Grace, Growth, Slack - 2016 Habit Summit
byHabit Summit
 
PDF
TheFinalOdyssey.docx
byWilliam Holman
 
PDF
VMET_Document
byAnthony Lampe
 
PDF
Camping On The Water
byrory444
 
PPTX
Gomyfrut
byh3wbarsenal
 
PPTX
FP Brochure Rev 7
byTim Holbrook
 
PDF
Interview In Suedtirol 2013
byStefanie Zambelli CMP
 
PDF
Visit Orlando Case Study Competition
byStefanie Zambelli CMP
 
DOC
Young_Huang_Resume
byYoung Huang
 
PDF
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 
PDF
DockerCon SF 2015: Docker Security
byDocker, Inc.
 
Syirkah dan Ji'alah
byayusl268
 
SlideShare 101
byAmit Ranjan
 
Habits at Work - Merci Victoria Grace, Growth, Slack - 2016 Habit Summit
byHabit Summit
 
TheFinalOdyssey.docx
byWilliam Holman
 
VMET_Document
byAnthony Lampe
 
Camping On The Water
byrory444
 
Gomyfrut
byh3wbarsenal
 
FP Brochure Rev 7
byTim Holbrook
 
Interview In Suedtirol 2013
byStefanie Zambelli CMP
 
Visit Orlando Case Study Competition
byStefanie Zambelli CMP
 
Young_Huang_Resume
byYoung Huang
 
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 
DockerCon SF 2015: Docker Security
byDocker, Inc.
 

Similar to Securing your Containers

PDF
Testing Docker Security Linuxlab 2017
byJose Manuel Ortega Candel
 
PDF
Automate Your Container Deployments Securely
byDevOps.com
 
PPTX
Docker Security
byantitree
 
PDF
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
byNETWAYS
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
byDevOpsDays Riga
 
PDF
Testing Docker Images Security
byJose Manuel Ortega Candel
 
PDF
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
PPTX
Docker_Security_Complete_Guide for audit
byCseManit
 
PDF
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
byJérôme Petazzoni
 
PDF
Docker container security
byThoughtworks
 
PDF
Containers and security
bysriram_rajan
 
PDF
Securing the Container Pipeline at Salesforce by Cem Gurkok
byDocker, Inc.
 
PDF
Deep Dive into Container Security
byWhiteSource
 
PDF
Docker London: Container Security
byPhil Estes
 
PDF
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
PDF
Security on a Container Platform
byAll Things Open
 
PDF
Everything you need to know about containers security
byJose Manuel Ortega Candel
 
PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
Testing Docker Security Linuxlab 2017
byJose Manuel Ortega Candel
 
Automate Your Container Deployments Securely
byDevOps.com
 
Docker Security
byantitree
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
byNETWAYS
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
byDevOpsDays Riga
 
Testing Docker Images Security
byJose Manuel Ortega Candel
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
Docker_Security_Complete_Guide for audit
byCseManit
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
byJérôme Petazzoni
 
Docker container security
byThoughtworks
 
Containers and security
bysriram_rajan
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
byDocker, Inc.
 
Deep Dive into Container Security
byWhiteSource
 
Docker London: Container Security
byPhil Estes
 
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
Security on a Container Platform
byAll Things Open
 
Everything you need to know about containers security
byJose Manuel Ortega Candel
 
Kubernetes and container security
byVolodymyr Shynkar
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 

Recently uploaded

PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 

Securing your Containers

  • 1.
    Securing your Containers Stepsto becoming Seaworthy Riyaz Faizullabhoy - @riyazdf Docker Security Team
  • 2.
    Securing the pipeline BuildShip Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 4.
    Securing the pipeline BuildShip Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 5.
    Official Images • Vettedfor best practices • Scanned for CVEs • Lobby upstream to fix security problems • Promptly updated
  • 6.
    • Check forsecure daemon + system configuration • Audit containers in context • Check for best practices Docker Bench for Security
  • 7.
    Securing the pipeline BuildShip Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 8.
    Docker Content Trust •Sign images at point of authorship (using Notary) • Removes implicit trust of storage service and network • Guarantee integrity of your images when pulled
  • 9.
    Nautilus • Scan imagesfor CVEs • Detects vulns in libraries statically compiled into binaries
  • 10.
    Securing the pipeline BuildShip Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 11.
    User Namespaces • Mapusers and groups to their own UID/GID range • TL;DR - Root in a container is not root outside a container Docker Host Container 1 Container 2 Container 3
  • 12.
    Control Groups • a.k.acgroups • Control resource usage of a container • Good for container multitenancy
  • 13.
    Capabilities • No longerroot vs. non-root • Finer grained control on what the process can do
  • 14.
    Seccomp • SECure COMPutingmode. • Filter permitted system calls
  • 15.
    AppArmor • Per processsecurity profiles • Define once, apply many times • Finest grained control
  • 16.
    Securing the pipeline BuildShip Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 17.