SlideShare une entreprise Scribd logo
1  sur  17
Télécharger pour lire hors ligne
Securing your Containers
Steps to becoming Seaworthy
Riyaz Faizullabhoy - @riyazdf
Docker Security Team
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
Securing your Containers (Meetup at Docker HQ 4/7)
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
Official Images
• Vetted for best practices
• Scanned for CVEs
• Lobby upstream to fix security problems
• Promptly updated
• Check for secure daemon + system
configuration
• Audit containers in context
• Check for best practices
Docker Bench for Security
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
Docker Content Trust
• Sign images at point of authorship (using
Notary)
• Removes implicit trust of storage service and
network
• Guarantee integrity of your images when
pulled
Nautilus
• Scan images for CVEs
• Detects vulns in libraries statically compiled into
binaries
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
User Namespaces
• Map users and groups to their own UID/GID range
• TL;DR - Root in a container is not root
outside a container
Docker Host
Container 1 Container 2 Container 3
Control Groups
• a.k.a cgroups
• Control resource usage of a container
• Good for container multitenancy
Capabilities
• No longer root vs. non-root
• Finer grained control on what the process can do
Seccomp
• SECure COMPuting mode.
• Filter permitted system calls
AppArmor
• Per process security profiles
• Define once, apply many times
• Finest grained control
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
THANK YOU

Contenu connexe

Tendances

Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerDocker, Inc.
 
Monitoring Dell Infrastructure using Docker & Microservices
Monitoring Dell Infrastructure using Docker & MicroservicesMonitoring Dell Infrastructure using Docker & Microservices
Monitoring Dell Infrastructure using Docker & MicroservicesAjeet Singh Raina
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresDocker, Inc.
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017Docker, Inc.
 
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Docker, Inc.
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016Docker, Inc.
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDocker, Inc.
 
Global Persistence for Docker
Global Persistence for DockerGlobal Persistence for Docker
Global Persistence for DockerDocker, Inc.
 
How to be successful running Docker in Production
How to be successful running Docker in ProductionHow to be successful running Docker in Production
How to be successful running Docker in ProductionDocker, Inc.
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Docker, Inc.
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDocker, Inc.
 
Docker Online Meetup #30: Docker Trusted Registry 1.4.1
Docker Online Meetup #30: Docker Trusted Registry 1.4.1Docker Online Meetup #30: Docker Trusted Registry 1.4.1
Docker Online Meetup #30: Docker Trusted Registry 1.4.1Docker, Inc.
 
DockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker EngineDockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker EngineDocker, Inc.
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker, Inc.
 
DockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDocker, Inc.
 
Docker Platform 1.9
Docker Platform 1.9Docker Platform 1.9
Docker Platform 1.9Docker, Inc.
 
Containers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. KubernetesContainers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. KubernetesDmitry Lazarenko
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Docker, Inc.
 
Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Hussain Mansoor
 

Tendances (20)

Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
 
Monitoring Dell Infrastructure using Docker & Microservices
Monitoring Dell Infrastructure using Docker & MicroservicesMonitoring Dell Infrastructure using Docker & Microservices
Monitoring Dell Infrastructure using Docker & Microservices
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
 
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life Observations
 
Global Persistence for Docker
Global Persistence for DockerGlobal Persistence for Docker
Global Persistence for Docker
 
How to be successful running Docker in Production
How to be successful running Docker in ProductionHow to be successful running Docker in Production
How to be successful running Docker in Production
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General Session
 
Docker Online Meetup #30: Docker Trusted Registry 1.4.1
Docker Online Meetup #30: Docker Trusted Registry 1.4.1Docker Online Meetup #30: Docker Trusted Registry 1.4.1
Docker Online Meetup #30: Docker Trusted Registry 1.4.1
 
DockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker EngineDockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker Engine
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to DockerDocker Bday #5, SF Edition: Introduction to Docker
Docker Bday #5, SF Edition: Introduction to Docker
 
DockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTR
 
Docker Platform 1.9
Docker Platform 1.9Docker Platform 1.9
Docker Platform 1.9
 
Containers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. KubernetesContainers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. Kubernetes
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
 
Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022
 

En vedette

Building Images from dockerfiles
Building Images from dockerfilesBuilding Images from dockerfiles
Building Images from dockerfilesDocker, Inc.
 
DockerCon SF 2015: From Months to Minutes
DockerCon SF 2015: From Months to MinutesDockerCon SF 2015: From Months to Minutes
DockerCon SF 2015: From Months to MinutesDocker, Inc.
 
Distributed, Real-time Web Apps
Distributed, Real-time Web AppsDistributed, Real-time Web Apps
Distributed, Real-time Web AppsDocker, Inc.
 
DockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital worldDockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital worldDocker, Inc.
 
Dockerizing Stashboard
Dockerizing StashboardDockerizing Stashboard
Dockerizing StashboardDocker, Inc.
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm UpdatedDocker, Inc.
 
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDocker, Inc.
 
Dockerizing WordPress
Dockerizing WordPressDockerizing WordPress
Dockerizing WordPressDocker, Inc.
 
DockerCon SF 2015: How to Build a Secure DevOps Environment for the Government
DockerCon SF 2015: How to Build a Secure DevOps Environment for the GovernmentDockerCon SF 2015: How to Build a Secure DevOps Environment for the Government
DockerCon SF 2015: How to Build a Secure DevOps Environment for the GovernmentDocker, Inc.
 
Deploying Containers and Managing Them
Deploying Containers and Managing ThemDeploying Containers and Managing Them
Deploying Containers and Managing ThemDocker, Inc.
 
DockerCon 14 Keynote Day 2
DockerCon 14 Keynote Day 2DockerCon 14 Keynote Day 2
DockerCon 14 Keynote Day 2Docker, Inc.
 
Victor Vieux at Docker Paris Meetup #1
Victor Vieux at Docker Paris Meetup #1Victor Vieux at Docker Paris Meetup #1
Victor Vieux at Docker Paris Meetup #1Docker, Inc.
 
LXC to Docker Via Continuous Delivery
LXC to Docker Via Continuous DeliveryLXC to Docker Via Continuous Delivery
LXC to Docker Via Continuous DeliveryDocker, Inc.
 
Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Docker, Inc.
 
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar TogetherDockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar TogetherDocker, Inc.
 
DockerCon14 Automated Chef Cookbook Testing
DockerCon14 Automated Chef Cookbook TestingDockerCon14 Automated Chef Cookbook Testing
DockerCon14 Automated Chef Cookbook TestingDocker, Inc.
 
Introduction to Docker I Docker Workshop @ Twitter
Introduction to Docker I Docker Workshop @ TwitterIntroduction to Docker I Docker Workshop @ Twitter
Introduction to Docker I Docker Workshop @ TwitterDocker, Inc.
 
DockerCon SF 2015: Orchestration for Devs (machine + compose)
DockerCon SF 2015:  Orchestration for Devs (machine + compose)DockerCon SF 2015:  Orchestration for Devs (machine + compose)
DockerCon SF 2015: Orchestration for Devs (machine + compose)Docker, Inc.
 
DockerCon SF 2015: Beyond CI to Production Scale PaaS with Docker
DockerCon SF 2015: Beyond CI to Production Scale PaaS with DockerDockerCon SF 2015: Beyond CI to Production Scale PaaS with Docker
DockerCon SF 2015: Beyond CI to Production Scale PaaS with DockerDocker, Inc.
 
Understanding Containers through Gaming by Brendan Fosberry
Understanding Containers through Gaming by Brendan Fosberry Understanding Containers through Gaming by Brendan Fosberry
Understanding Containers through Gaming by Brendan Fosberry Docker, Inc.
 

En vedette (20)

Building Images from dockerfiles
Building Images from dockerfilesBuilding Images from dockerfiles
Building Images from dockerfiles
 
DockerCon SF 2015: From Months to Minutes
DockerCon SF 2015: From Months to MinutesDockerCon SF 2015: From Months to Minutes
DockerCon SF 2015: From Months to Minutes
 
Distributed, Real-time Web Apps
Distributed, Real-time Web AppsDistributed, Real-time Web Apps
Distributed, Real-time Web Apps
 
DockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital worldDockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital world
 
Dockerizing Stashboard
Dockerizing StashboardDockerizing Stashboard
Dockerizing Stashboard
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm Updated
 
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaSDockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
DockerCon EU 2015: The Glue is the Hard Part: Making a Production-Ready PaaS
 
Dockerizing WordPress
Dockerizing WordPressDockerizing WordPress
Dockerizing WordPress
 
DockerCon SF 2015: How to Build a Secure DevOps Environment for the Government
DockerCon SF 2015: How to Build a Secure DevOps Environment for the GovernmentDockerCon SF 2015: How to Build a Secure DevOps Environment for the Government
DockerCon SF 2015: How to Build a Secure DevOps Environment for the Government
 
Deploying Containers and Managing Them
Deploying Containers and Managing ThemDeploying Containers and Managing Them
Deploying Containers and Managing Them
 
DockerCon 14 Keynote Day 2
DockerCon 14 Keynote Day 2DockerCon 14 Keynote Day 2
DockerCon 14 Keynote Day 2
 
Victor Vieux at Docker Paris Meetup #1
Victor Vieux at Docker Paris Meetup #1Victor Vieux at Docker Paris Meetup #1
Victor Vieux at Docker Paris Meetup #1
 
LXC to Docker Via Continuous Delivery
LXC to Docker Via Continuous DeliveryLXC to Docker Via Continuous Delivery
LXC to Docker Via Continuous Delivery
 
Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...Making it Easier to Contribute to Open Source Projects Using Docker Container...
Making it Easier to Contribute to Open Source Projects Using Docker Container...
 
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar TogetherDockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
 
DockerCon14 Automated Chef Cookbook Testing
DockerCon14 Automated Chef Cookbook TestingDockerCon14 Automated Chef Cookbook Testing
DockerCon14 Automated Chef Cookbook Testing
 
Introduction to Docker I Docker Workshop @ Twitter
Introduction to Docker I Docker Workshop @ TwitterIntroduction to Docker I Docker Workshop @ Twitter
Introduction to Docker I Docker Workshop @ Twitter
 
DockerCon SF 2015: Orchestration for Devs (machine + compose)
DockerCon SF 2015:  Orchestration for Devs (machine + compose)DockerCon SF 2015:  Orchestration for Devs (machine + compose)
DockerCon SF 2015: Orchestration for Devs (machine + compose)
 
DockerCon SF 2015: Beyond CI to Production Scale PaaS with Docker
DockerCon SF 2015: Beyond CI to Production Scale PaaS with DockerDockerCon SF 2015: Beyond CI to Production Scale PaaS with Docker
DockerCon SF 2015: Beyond CI to Production Scale PaaS with Docker
 
Understanding Containers through Gaming by Brendan Fosberry
Understanding Containers through Gaming by Brendan Fosberry Understanding Containers through Gaming by Brendan Fosberry
Understanding Containers through Gaming by Brendan Fosberry
 

Similaire à Securing your Containers (Meetup at Docker HQ 4/7)

IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerDavid Currie
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsRamit Surana
 
DockerCon SF 2015: Getting Started w/ Docker
DockerCon SF 2015: Getting Started w/ DockerDockerCon SF 2015: Getting Started w/ Docker
DockerCon SF 2015: Getting Started w/ DockerDocker, Inc.
 
GlobalAzureBootCamp 2018
GlobalAzureBootCamp 2018GlobalAzureBootCamp 2018
GlobalAzureBootCamp 2018girish goudar
 
Oracle database on Docker Container
Oracle database on Docker ContainerOracle database on Docker Container
Oracle database on Docker ContainerJesus Guzman
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 
Docker Registry V2
Docker Registry V2Docker Registry V2
Docker Registry V2Docker, Inc.
 
DockerCon SF 2015: A New Model for Image Distribution
DockerCon SF 2015: A New Model for Image DistributionDockerCon SF 2015: A New Model for Image Distribution
DockerCon SF 2015: A New Model for Image DistributionDocker, Inc.
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciRajesh Kolla
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesabhishek chawla
 
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18CodeOps Technologies LLP
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerJohn Willis
 

Similaire à Securing your Containers (Meetup at Docker HQ 4/7) (20)

IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and Docker
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
 
DockerCon SF 2015: Getting Started w/ Docker
DockerCon SF 2015: Getting Started w/ DockerDockerCon SF 2015: Getting Started w/ Docker
DockerCon SF 2015: Getting Started w/ Docker
 
GlobalAzureBootCamp 2018
GlobalAzureBootCamp 2018GlobalAzureBootCamp 2018
GlobalAzureBootCamp 2018
 
Containers 101
Containers 101Containers 101
Containers 101
 
Oracle database on Docker Container
Oracle database on Docker ContainerOracle database on Docker Container
Oracle database on Docker Container
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
 
Docker Registry V2
Docker Registry V2Docker Registry V2
Docker Registry V2
 
DockerCon SF 2015: A New Model for Image Distribution
DockerCon SF 2015: A New Model for Image DistributionDockerCon SF 2015: A New Model for Image Distribution
DockerCon SF 2015: A New Model for Image Distribution
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
Docker lxc win
Docker lxc winDocker lxc win
Docker lxc win
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
 
Virtualized containers
Virtualized containersVirtualized containers
Virtualized containers
 
ExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CIExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CI
 
Docker & ci
Docker & ciDocker & ci
Docker & ci
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 

Plus de Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices WorldDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with DockerDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDocker, Inc.
 

Plus de Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

Dernier

Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 

Dernier (20)

Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 

Securing your Containers (Meetup at Docker HQ 4/7)

  • 1. Securing your Containers Steps to becoming Seaworthy Riyaz Faizullabhoy - @riyazdf Docker Security Team
  • 2. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 4. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 5. Official Images • Vetted for best practices • Scanned for CVEs • Lobby upstream to fix security problems • Promptly updated
  • 6. • Check for secure daemon + system configuration • Audit containers in context • Check for best practices Docker Bench for Security
  • 7. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 8. Docker Content Trust • Sign images at point of authorship (using Notary) • Removes implicit trust of storage service and network • Guarantee integrity of your images when pulled
  • 9. Nautilus • Scan images for CVEs • Detects vulns in libraries statically compiled into binaries
  • 10. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
  • 11. User Namespaces • Map users and groups to their own UID/GID range • TL;DR - Root in a container is not root outside a container Docker Host Container 1 Container 2 Container 3
  • 12. Control Groups • a.k.a cgroups • Control resource usage of a container • Good for container multitenancy
  • 13. Capabilities • No longer root vs. non-root • Finer grained control on what the process can do
  • 14. Seccomp • SECure COMPuting mode. • Filter permitted system calls
  • 15. AppArmor • Per process security profiles • Define once, apply many times • Finest grained control
  • 16. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor