SlideShare a Scribd company logo

Docker Security Overview

Download as PPTX, PDF
Sreenivas Makam
Sreenivas Makam

Overview of Docker Security features(till release 1.12)

Technology
1 of 18
DOCKER SECURITY OVERVIEW (AS OF RELEASE 1.12) Presenter Name: Sreenivas Makam Presented at: Docker Meetup Bangalore Presentation Date: July 9, 2016
About me • Senior Engineering Manager at Cisco Systems Data Center group • Author of “Mastering CoreOS” https://www.packtpub.com/networki ng-and-servers/mastering-coreos/ ) • Docker Captain(https://www.docker.com/co mmunity/docker-captains ) • Blog: https://sreeninet.wordpress.com/ • Code: https://github.com/smakam • Linkedin: https://in.linkedin.com/in/sreenivas makam • Twitter: @srmakam
Docker Security modules Docker Engine Docker Client Authorization Registry SELinux AppArmor Seccomp Capabilities Namespaces Cgroups Multitenant Security Scan Image Signing TLS Request/ Response Container image TLS RBAC
Linux kernel - Container Security support • Namespaces – PID, Mount, Network, IPC, UTC, User. • Cgroups – Limit CPU, Memory, IO • Capabilities – Reduced root access. 36 capabilities to control as of kernel 3.19.0.21. • Seccomp profiles – Control kernel system calls. 300+ system calls available that can be controlled using these profiles. • Special kernel modules like AppArmor, SELinux – Provides granular control over Kernel resources.
Namespaces – PID, Mount docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash PID namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 15 ? 00:00:00 ps Ubuntu2 Container: root@8beb85abe6a5:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 14 ? 00:00:00 ps Host: $ ps -eaf|grep root | grep bash root 5413 1697 0 05:54 pts/28 00:00:00 bash root 5516 1697 0 05:54 pts/31 00:00:00 bash Mount namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu1 var Ubuntu2 Container: root@8beb85abe6a5:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu2 var • With PID namespace, each Container gets its own process ID namespace. • With Mount namespace, each Container gets its own copy of filesystem.
Namespaces – Network, UTS • With Network namespace, each Container gets its own interfaces along with IP address. Ubuntu1 Container: root@3a1bf12161c9:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:02 inet addr:172.21.0.2 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:2/64 Ubuntu2 Container: root@8beb85abe6a5:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:03 inet addr:172.21.0.3 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:3/64 • With UTS namespace, each Container gets its own hostname and domainname. Ubuntu1 Container: root@3a1bf12161c9:/# hostname 3a1bf12161c9 Ubuntu2 Container: root@8beb85abe6a5:/# hostname 8beb85abe6a5
Namespaces - IPC • IPC namespace isolates Message queues, Semaphores, Shared memory Ubuntu 1 Container: Create shared memory: root@3a1bf12161c9:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@3a1bf12161c9:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x2fba9021 0 root 644 100 0 Ubuntu 2 Container: Create shared memory: root@8beb85abe6a5:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@8beb85abe6a5:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x1f91e62c 0 root 644 100 0
Namespaces - User • With User namespace, userid and groupid in a namespace is different from host machine’s userid and groupid for the same user and group. • User namespaces are available from Linux kernel versions > 3.8. • For example, root user inside Container is not root inside host machine. This provides greater security. • Docker introduced support for user namespace in version 1.10. • To use user namespace, Docker daemon needs to be started with “–userns-remap=username/uid:groupname/gid”. Using “default” for username will create “dockremap” user. Ubuntu1 Container: root@3a1bf12161c9:/# id uid=0(root) gid=0(root) groups=0(root) Host: $ ps -eaf|grep bash 231072 4080 4040 0 22:45 pts/13 00:00:00 bash $ cat /proc/4080/uid_map 0 231072 65536 (userid 0 in Container is mapped to 231072 in host)
cgroups • cgroups is a Linux kernel feature that provides capability to restrict resources like cpu, memory, io, network bandwidth among a set of processes. • Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container. • Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. (cpu share and blkioweight are ratios) docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 -- name ubuntu1 ubuntu bash
Capabilities • In Linux, root user typically has all privileges enabled. Capabilities allow finer control for the capabilities that can be allowed for root user. • In Linux 3.19.0.21, there are 36 capabilities. All capabilities can be seen in “/usr/include/linux/capability.h”. • Examples of capabilities are setuid, setgid, socket access, set time. • Docker turns on only 14 capabilities by default for Containers started with default options. • Capabilities like insert/remove kernel modules, system clock manipulation are blocked. Container with raw net capability turned off: docker run -ti --name ubuntu1 --cap- drop=net_raw ubuntu bash Network access blocked: # ping google.com ping: icmp open socket: Operation not permitted
Seccomp • Linux kernel feature that limits the system calls that a process can make based on the specified profile. • Docker uses Seccomp to control the system calls that Container can make. • Examples of system calls – bind, accept, fork. • Docker disables around 44 of 300+ system calls for Containers started with default options. Example of disabled system calls include mount, settimeofday. • Default Docker Seccomp profile is available here. Profile disabling chmod system call: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } Seccomp illustration: $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profil e.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted
Linux kernel Security modules – AppArmor, SELinux • Both AppArmor and SELinux are kernel modules that gives fine grained control to restrict access to system resources. • When AppArmor is active for an application, the operating system allows the application to access only those files and folders that are mentioned in its security profile. • SElinux is a labeling system. Every process, file, directory, network ports, devices has a label assigned to it. We write rules to control the access of a process label to an a object label like a file. The kernel enforces the rules specified in the policy. • In Redhat distributions, SELinux is supported. Ubuntu distributions supports AppArmor. • AppArmor profiles are easy to create, SELinux is difficult. SELinux profiles are more comprehensive compared to AppArmor.
Docker Engine Secure access • Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/run/docker.sock”. • For accessing Docker engine remotely, “http” or “https” using TLS can be used. • “http” is not advised to be used for security reasons. • “https” with TLS provides confidentiality, authentication as well as integrity. • Certificates can be used to establish identity of client and server. • For testing purposes, Certificates can be generated using Openssl. For commercial purposes, certificates can be purchased from sources like CA.
Authorization plugin • Authorization plugin can provide granular access to the Docker daemon based on userid, groupid, command executed, command arguments, time of day etc. • Authorization plugin informs Docker daemon if the specific command can be allowed or not based on the policy and the command executed. • Twistlock authz broker is one of the first plugins that is currently available. • In Twistlock case, policy is created as a JSON file and is given as argument to Docker daemon. • User identity support is not yet available in Docker engine. • Docker Data Center and Docker cloud provides RBAC and Multi-tenant support. Policy.json: {"name":"policy_1","users":[""],"actions":["contain er"] , "readonly":true} – Read-only Container policy Starting Docker daemon with auth policy.json: docker run -d --restart=always -v /var/lib/authz- broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
Container image signing • Container images needs to be signed so that the client knows that image is coming from a trusted source and that it is not tampered with. • Content publisher takes care of signing Container image and pushing it into the registry. • The Docker content trust is an implementation of the Notary open source project. The Notary open source project is based on The Update Framework (TUF) project. • When content trust is enabled, we can pull only signed images. • When content trust is not enabled, both signed and unsigned images can be pulled. • Docker content trust is enabled with “export DOCKER_CONTENT_TRUST=1”. • When the publisher pushes the image for the first time using docker push, there is a need to enter a passphrase for the root key . • When pushing new image or new image version, publisher needs to enter passphrase for repository key. • Docker has also added support for hardware keys using Yubikey • Keys should be saved safely and backups should be taken.
Container Image scanning • Docker Security Scan scans Container images and reports vulnerabilities. • Scanning is done by comparing each Container layer component with CVE databases. • Additional binary scan is done to make sure that the package is not tampered with. • Pro-active notification is given to both the publisher and user of Container images. • Available currently in Docker hub and Docker cloud. Will be added soon to Docker data center.
Docker Security - Best Practices Docker enables Security by default and the default options suffice most of the needs. Following are few best practices: • Have separate containers for each micro-service keeping Container image size small. • Don’t put ssh inside container, “docker exec” can be used to ssh to Container. • Use only signed Container images. • Mount devices and volumes as read-only. • Run application as non-root. If root access is needed, run as root only for limited operations using features like Capabilities, Seccomp, SELinux/AppArmor. • Keep OS secure with regular updates. Using Container optimized OS is an option here since they provide automatic pushed update. • Store root keys, passphrase in a safe place and not expose in Dockerfile. Docker has plans to manage keys with Docker datacenter. • Use Docker official images. These images are curated by Docker so that the highest quality and security is maintained for the official images. • Use Container security scanning to check for vulnerabilities. • Use TLS for remote Docker daemon access.
References • Docker Security documentation(https://docs.docker.com/engine/security/security/ ) • Container namespaces (http://crosbymichael.com/creating- containers-part-1.html) • Docker Security article series (https://opensource.com/business/15/3/docker-security-tuning) • Docker Security blog series (https://sreeninet.wordpress.com/2016/03/06/docker-security- part-1overview/) • Docker Security scan(https://blog.docker.com/2016/05/docker- security-scanning/) • Authorization plugin (https://www.twistlock.com/2016/02/18/docker-authz-plugins- twistlocks-contribution-to-the-docker-community/)

Recommended

Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Docker Basics
Docker BasicsDocker Basics
Docker BasicsDuckDuckGo
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersYajushi Srivastava
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with DockerRavindu Fernando
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerInstruqt
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
Docker introduction for the beginners
Docker introduction for the beginnersDocker introduction for the beginners
Docker introduction for the beginnersJuneyoung Oh
 

Recommended

Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Docker Basics
Docker BasicsDocker Basics
Docker BasicsDuckDuckGo
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersYajushi Srivastava
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with DockerRavindu Fernando
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerInstruqt
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
Docker introduction for the beginners
Docker introduction for the beginnersDocker introduction for the beginners
Docker introduction for the beginnersJuneyoung Oh
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in DockerDocker, Inc.
 
Docker Swarm for Beginner
Docker Swarm for BeginnerDocker Swarm for Beginner
Docker Swarm for BeginnerShahzad Masud
 
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...Edureka!
 
Docker introduction
Docker introductionDocker introduction
Docker introductiondotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionPeng Xiao
 
Vault
VaultVault
Vaultdawnlua
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
From Zero to Docker
From Zero to DockerFrom Zero to Docker
From Zero to DockerAbhishek Verma
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker swarm
Docker swarmDocker swarm
Docker swarmAlberto Guimarães Viana
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT CampusAjeet Singh Raina
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainAjeet Singh Raina
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerPubudu Jayawardana
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumSreenivas Makam
 

More Related Content

What's hot

Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in DockerDocker, Inc.
 
Docker Swarm for Beginner
Docker Swarm for BeginnerDocker Swarm for Beginner
Docker Swarm for BeginnerShahzad Masud
 
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...Edureka!
 
Docker introduction
Docker introductionDocker introduction
Docker introductiondotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionPeng Xiao
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT CampusAjeet Singh Raina
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainAjeet Singh Raina
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 

What's hot (20)

Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in Docker
 
Docker Swarm for Beginner
Docker Swarm for BeginnerDocker Swarm for Beginner
Docker Swarm for Beginner
 
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
Docker Explained | What Is A Docker Container? | Docker Simplified | Docker T...
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Vault
VaultVault
Vault
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefits
 
From Zero to Docker
From Zero to DockerFrom Zero to Docker
From Zero to Docker
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Docker swarm
Docker swarmDocker swarm
Docker swarm
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker Compose
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker Captain
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 

Viewers also liked

Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumSreenivas Makam
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 PresentationSreenivas Makam
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current StatusSreenivas Makam
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking OverviewSreenivas Makam
 
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverSreenivas Makam
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesSreenivas Makam
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudSreenivas Makam
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsSreenivas Makam
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill'Detola Amure
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container SecurityFlawCheck
 

Viewers also liked (20)

Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and Tutum
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in Networking
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloud
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing options
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container Security
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 

Similar to Docker Security Overview

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPivotalOpenSourceHub
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux ContainersJignesh Shah
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Patrick Chanezon
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container SecurityAll Things Open
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionBen Hall
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetesDongwon Kim
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesYigal Elefant
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recapehazlett
 

Similar to Docker Security Overview (20)

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh Shah
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux Containers
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
Container security
Container securityContainer security
Container security
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container Security
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recap
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 

More from Sreenivas Makam

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringSreenivas Makam
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run Sreenivas Makam
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemSreenivas Makam
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps DevopsSreenivas Makam
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingSreenivas Makam
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesSreenivas Makam
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesSreenivas Makam
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature OverviewSreenivas Makam
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingSreenivas Makam
 

More from Sreenivas Makam (11)

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage Metering
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystem
 
My kubernetes toolkit
My kubernetes toolkitMy kubernetes toolkit
My kubernetes toolkit
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps Devops
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notes
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature Overview
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
 

Recently uploaded

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Docker Security Overview

  • 1. DOCKER SECURITY OVERVIEW (AS OF RELEASE 1.12) Presenter Name: Sreenivas Makam Presented at: Docker Meetup Bangalore Presentation Date: July 9, 2016
  • 2. About me • Senior Engineering Manager at Cisco Systems Data Center group • Author of “Mastering CoreOS” https://www.packtpub.com/networki ng-and-servers/mastering-coreos/ ) • Docker Captain(https://www.docker.com/co mmunity/docker-captains ) • Blog: https://sreeninet.wordpress.com/ • Code: https://github.com/smakam • Linkedin: https://in.linkedin.com/in/sreenivas makam • Twitter: @srmakam
  • 3. Docker Security modules Docker Engine Docker Client Authorization Registry SELinux AppArmor Seccomp Capabilities Namespaces Cgroups Multitenant Security Scan Image Signing TLS Request/ Response Container image TLS RBAC
  • 4. Linux kernel - Container Security support • Namespaces – PID, Mount, Network, IPC, UTC, User. • Cgroups – Limit CPU, Memory, IO • Capabilities – Reduced root access. 36 capabilities to control as of kernel 3.19.0.21. • Seccomp profiles – Control kernel system calls. 300+ system calls available that can be controlled using these profiles. • Special kernel modules like AppArmor, SELinux – Provides granular control over Kernel resources.
  • 5. Namespaces – PID, Mount docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash PID namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 15 ? 00:00:00 ps Ubuntu2 Container: root@8beb85abe6a5:/# ps PID TTY TIME CMD 1 ? 00:00:00 bash 14 ? 00:00:00 ps Host: $ ps -eaf|grep root | grep bash root 5413 1697 0 05:54 pts/28 00:00:00 bash root 5516 1697 0 05:54 pts/31 00:00:00 bash Mount namespace: Ubuntu1 Container: root@3a1bf12161c9:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu1 var Ubuntu2 Container: root@8beb85abe6a5:/# ls / bin dev home lib64 mnt proc run srv tmp usr boot etc lib media opt root sbin sys ubuntu2 var • With PID namespace, each Container gets its own process ID namespace. • With Mount namespace, each Container gets its own copy of filesystem.
  • 6. Namespaces – Network, UTS • With Network namespace, each Container gets its own interfaces along with IP address. Ubuntu1 Container: root@3a1bf12161c9:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:02 inet addr:172.21.0.2 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:2/64 Ubuntu2 Container: root@8beb85abe6a5:/# ifconfig eth0 Link encap:Ethernet HWaddr 02:42:ac:15:00:03 inet addr:172.21.0.3 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:acff:fe15:3/64 • With UTS namespace, each Container gets its own hostname and domainname. Ubuntu1 Container: root@3a1bf12161c9:/# hostname 3a1bf12161c9 Ubuntu2 Container: root@8beb85abe6a5:/# hostname 8beb85abe6a5
  • 7. Namespaces - IPC • IPC namespace isolates Message queues, Semaphores, Shared memory Ubuntu 1 Container: Create shared memory: root@3a1bf12161c9:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@3a1bf12161c9:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x2fba9021 0 root 644 100 0 Ubuntu 2 Container: Create shared memory: root@8beb85abe6a5:/# ipcmk -M 100 Shared memory id: 0 Display shared memory: root@8beb85abe6a5:/# ipcs -m ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x1f91e62c 0 root 644 100 0
  • 8. Namespaces - User • With User namespace, userid and groupid in a namespace is different from host machine’s userid and groupid for the same user and group. • User namespaces are available from Linux kernel versions > 3.8. • For example, root user inside Container is not root inside host machine. This provides greater security. • Docker introduced support for user namespace in version 1.10. • To use user namespace, Docker daemon needs to be started with “–userns-remap=username/uid:groupname/gid”. Using “default” for username will create “dockremap” user. Ubuntu1 Container: root@3a1bf12161c9:/# id uid=0(root) gid=0(root) groups=0(root) Host: $ ps -eaf|grep bash 231072 4080 4040 0 22:45 pts/13 00:00:00 bash $ cat /proc/4080/uid_map 0 231072 65536 (userid 0 in Container is mapped to 231072 in host)
  • 9. cgroups • cgroups is a Linux kernel feature that provides capability to restrict resources like cpu, memory, io, network bandwidth among a set of processes. • Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container. • Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. (cpu share and blkioweight are ratios) docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 -- name ubuntu1 ubuntu bash
  • 10. Capabilities • In Linux, root user typically has all privileges enabled. Capabilities allow finer control for the capabilities that can be allowed for root user. • In Linux 3.19.0.21, there are 36 capabilities. All capabilities can be seen in “/usr/include/linux/capability.h”. • Examples of capabilities are setuid, setgid, socket access, set time. • Docker turns on only 14 capabilities by default for Containers started with default options. • Capabilities like insert/remove kernel modules, system clock manipulation are blocked. Container with raw net capability turned off: docker run -ti --name ubuntu1 --cap- drop=net_raw ubuntu bash Network access blocked: # ping google.com ping: icmp open socket: Operation not permitted
  • 11. Seccomp • Linux kernel feature that limits the system calls that a process can make based on the specified profile. • Docker uses Seccomp to control the system calls that Container can make. • Examples of system calls – bind, accept, fork. • Docker disables around 44 of 300+ system calls for Containers started with default options. Example of disabled system calls include mount, settimeofday. • Default Docker Seccomp profile is available here. Profile disabling chmod system call: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } Seccomp illustration: $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profil e.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted
  • 12. Linux kernel Security modules – AppArmor, SELinux • Both AppArmor and SELinux are kernel modules that gives fine grained control to restrict access to system resources. • When AppArmor is active for an application, the operating system allows the application to access only those files and folders that are mentioned in its security profile. • SElinux is a labeling system. Every process, file, directory, network ports, devices has a label assigned to it. We write rules to control the access of a process label to an a object label like a file. The kernel enforces the rules specified in the policy. • In Redhat distributions, SELinux is supported. Ubuntu distributions supports AppArmor. • AppArmor profiles are easy to create, SELinux is difficult. SELinux profiles are more comprehensive compared to AppArmor.
  • 13. Docker Engine Secure access • Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/run/docker.sock”. • For accessing Docker engine remotely, “http” or “https” using TLS can be used. • “http” is not advised to be used for security reasons. • “https” with TLS provides confidentiality, authentication as well as integrity. • Certificates can be used to establish identity of client and server. • For testing purposes, Certificates can be generated using Openssl. For commercial purposes, certificates can be purchased from sources like CA.
  • 14. Authorization plugin • Authorization plugin can provide granular access to the Docker daemon based on userid, groupid, command executed, command arguments, time of day etc. • Authorization plugin informs Docker daemon if the specific command can be allowed or not based on the policy and the command executed. • Twistlock authz broker is one of the first plugins that is currently available. • In Twistlock case, policy is created as a JSON file and is given as argument to Docker daemon. • User identity support is not yet available in Docker engine. • Docker Data Center and Docker cloud provides RBAC and Multi-tenant support. Policy.json: {"name":"policy_1","users":[""],"actions":["contain er"] , "readonly":true} – Read-only Container policy Starting Docker daemon with auth policy.json: docker run -d --restart=always -v /var/lib/authz- broker/policy.json:/var/lib/authz-broker/policy.json -v /run/docker/plugins/:/run/docker/plugins twistlock/authz-broker
  • 15. Container image signing • Container images needs to be signed so that the client knows that image is coming from a trusted source and that it is not tampered with. • Content publisher takes care of signing Container image and pushing it into the registry. • The Docker content trust is an implementation of the Notary open source project. The Notary open source project is based on The Update Framework (TUF) project. • When content trust is enabled, we can pull only signed images. • When content trust is not enabled, both signed and unsigned images can be pulled. • Docker content trust is enabled with “export DOCKER_CONTENT_TRUST=1”. • When the publisher pushes the image for the first time using docker push, there is a need to enter a passphrase for the root key . • When pushing new image or new image version, publisher needs to enter passphrase for repository key. • Docker has also added support for hardware keys using Yubikey • Keys should be saved safely and backups should be taken.
  • 16. Container Image scanning • Docker Security Scan scans Container images and reports vulnerabilities. • Scanning is done by comparing each Container layer component with CVE databases. • Additional binary scan is done to make sure that the package is not tampered with. • Pro-active notification is given to both the publisher and user of Container images. • Available currently in Docker hub and Docker cloud. Will be added soon to Docker data center.
  • 17. Docker Security - Best Practices Docker enables Security by default and the default options suffice most of the needs. Following are few best practices: • Have separate containers for each micro-service keeping Container image size small. • Don’t put ssh inside container, “docker exec” can be used to ssh to Container. • Use only signed Container images. • Mount devices and volumes as read-only. • Run application as non-root. If root access is needed, run as root only for limited operations using features like Capabilities, Seccomp, SELinux/AppArmor. • Keep OS secure with regular updates. Using Container optimized OS is an option here since they provide automatic pushed update. • Store root keys, passphrase in a safe place and not expose in Dockerfile. Docker has plans to manage keys with Docker datacenter. • Use Docker official images. These images are curated by Docker so that the highest quality and security is maintained for the official images. • Use Container security scanning to check for vulnerabilities. • Use TLS for remote Docker daemon access.
  • 18. References • Docker Security documentation(https://docs.docker.com/engine/security/security/ ) • Container namespaces (http://crosbymichael.com/creating- containers-part-1.html) • Docker Security article series (https://opensource.com/business/15/3/docker-security-tuning) • Docker Security blog series (https://sreeninet.wordpress.com/2016/03/06/docker-security- part-1overview/) • Docker Security scan(https://blog.docker.com/2016/05/docker- security-scanning/) • Authorization plugin (https://www.twistlock.com/2016/02/18/docker-authz-plugins- twistlocks-contribution-to-the-docker-community/)

Editor's Notes

  1. Microsoft Confidential