1/29/2016 Docker Security Introduction
http://159.203.15.183:8080/#/ 1/59
DOCKER SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY
(https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
@fsmontenegro
ABOUT US - RICARDO
Senior IT Consultant
Network Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
@ricardogerardi
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications on a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux kernel (3.8+)
Namespaces
cgroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers not as isolated as VMs.
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure Registry/Mirror Access
Getting trustworthy images
trusted sources - docker hub, private registry
building secure
Docker Content Trust (1.8) [Notary]
"only signed content in production"
Yubico Keys
DOCKER'S PROJECT NAUTILUS
Docker securing images on DockerHub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions
Embedded in orchestration ( )
Vault & Keywhiz
Kubernetes
Custom solutions
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO, controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
r/o FileSystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
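The controls named on the slides above (read-only filesystems, dropped capabilities, seccomp, cgroup limits, no secrets in ENV variables) can be checked on running containers by auditing `docker inspect` output. The following is an added example, not code from the original deck: the two inspect records are constructed samples, and the finding codes, risky-capability list and secret-name pattern are assumptions chosen for illustration.

```python
import json
import re

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-hardened",
   "Config": {"User": "10001", "Env": ["PATH=/usr/bin", "LOG_LEVEL=info"]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                  "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                  "SecurityOpt": ["seccomp=/etc/docker/web-seccomp.json"],
                  "Memory": 268435456}},
  {"Name": "/legacy-app",
   "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only"]},
   "HostConfig": {"Privileged": true, "ReadonlyRootfs": false,
                  "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp:unconfined"],
                  "Memory": 0}}
]
""")

# Assumption: variable names that usually mean a secret was passed via ENV.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Assumption: an illustrative (not exhaustive) set of capabilities worth flagging.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}


def _caps(values):
    """Normalise CapAdd/CapDrop: the field may be null and may carry a CAP_ prefix."""
    caps = set()
    for value in values or []:
        name = value.upper()
        caps.add(name[4:] if name.startswith("CAP_") else name)
    return caps


def audit_container(record):
    """Return a list of finding codes for one `docker inspect` record."""
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged")            # bypasses capability and seccomp limits
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")       # container not started with --read-only
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("caps-not-dropped")      # strict policy: expect --cap-drop ALL
    for cap in sorted(_caps(host.get("CapAdd")) & RISKY_CAPS):
        findings.append("risky-cap:" + cap)
    for opt in host.get("SecurityOpt") or []:
        # Both "seccomp=unconfined" and the older "seccomp:unconfined" are seen.
        parts = re.split(r"[=:]", opt, maxsplit=1)
        if parts[0] == "seccomp" and parts[1:] == ["unconfined"]:
            findings.append("seccomp-unconfined")
    if not host.get("Memory"):
        findings.append("no-memory-limit")       # 0 means no cgroup memory cap
    user = (cfg.get("User") or "").split(":", 1)[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")          # empty User defaults to uid 0
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append("secret-in-env:" + name)
    return findings


def audit_all(records):
    """Map container name -> findings for a full `docker inspect` array."""
    return {r.get("Name", "").lstrip("/"): audit_container(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(findings) or "no findings")
```

On a Docker host the same functions can be fed the parsed output of `docker inspect` for the running containers instead of the constructed sample.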
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Bare metal (on Linux)
Virtual Machines
IaaS, OpenStack, etc
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION/SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host Monitoring x Container Monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative

A Beginners Guide to Building a RAG App Using Open Source Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Docker security - TASK Jan 2016

  • 1. 1/29/2016 Docker Security Introduction http://159.203.15.183:8080/#/ 1/59 DOCKER SECURITY: Fernando Montenegro, CISSP (@fsmontenegro); Ricardo Gerardi (@ricardogerardi); TASK Jan 27, 2016
  • 2. WHY ARE WE HERE? Google Trends: "Microservices"
  • 3. Google Trends: "Docker"
  • 4. Google Trends: "Kubernetes"
  • 5. MICROSERVICES? (Source: F5)
  • 6. MICROSERVICES: "Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context." Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
  • 7. SIGNIFICANT BENEFITS: Support CI/CD practices; Easier to achieve scale; Operational benefits of "DevOps"
  • 8. DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/): Two schools of thought: Containers as up&down microservices; Containers as "lightweight servers" that stay up
  • 11. WHAT WE FOUND
  • 13. ABOUT US - FERNANDO: Sales Engineer; Online Fraud; Network Security; CompSci '94; Greying hair; Curious; Finance (DIY); Economics (EMH, Behaviour); Data Science (Coursera); @fsmontenegro
  • 14. ABOUT US - RICARDO: Senior IT Consultant; Network Management/Monitoring; IBM Netcool Certified; Uncertified father (2x); Interests: Linux/UNIX, Emerging technologies, Data Science; @ricardogerardi
  • 15. DOCKER INTRO
  • 16. WHAT IS DOCKER? DOCKER, THE PLATFORM: Docker is a container-based platform used to package and run applications in a variety of systems. DOCKER, THE COMPANY: Docker Inc. (https://www.docker.com/company)
  • 17. SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE. OLD WAY - HOSTED APPLICATIONS
  • 18. VIRTUAL MACHINES
  • 19. ENTER THE CONTAINER
  • 20. WHY DOCKER? Linux containers: around for a long time (OpenVZ, LXC, etc); not very "friendly". Docker streamlines the process and makes it very easy to create and use containers; Speed (Development/Scalability); Portability; Driver to DevOps and Microservices
  • 21. WHAT DO YOU NEED TO RUN DOCKER? Recent Linux Kernel (3.8+); Namespaces; cgroups; Network connection
  • 22. DOCKER ARCHITECTURE IN A NUTSHELL. Source: https://www.docker.com/what-docker
  • 23. Source: https://docs.docker.com/engine/introduction/understanding-docker/
  • 24. DOCKER DEMO
  • 25. DOCKER SECURITY
  • 26. FIRST THINGS FIRST... Containers vs. VMs? Containers not as isolated as VMs, but much more isolated than processes... (cgroups & namespaces); Containers are OS-dependent; Containers for multi-tenancy? Not so fast...; Containers & VMs :-)
  • 27. SECURITY FOR DOCKER: How to secure the Docker "pipeline"; How to secure Docker containers themselves
  • 28. SECURITY FOR DOCKER IMAGES: Secure Registry/Mirror Access; Getting trustworthy images; trusted sources - docker hub, private registry; building secure; Docker Content Trust (1.8) [Notary]; "only signed content in production"; Yubico Keys
  • 29. DOCKER'S PROJECT NAUTILUS: Docker securing images on DockerHub; Image security; Component inventory/license management; Image optimization; Basic functional testing
  • 30. CLAIR BY COREOS: Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/; Available on Quay Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
  • 31. OTHER CONSIDERATIONS: Containers are stateless; Can mount additional volumes; How to do Secrets Management? ENV variables - not recommended; Key/Value Pair solutions (Vault & Keywhiz); Embedded in orchestration (Kubernetes); Custom solutions
  • 32. SECURITY FROM DOCKER: How to contain Docker & containers?
  • 33. NAMESPACES & CGROUPS: PID – process isolation; Network – NICs, IPs, routing tables et al.; UTS – hostnames; Mount – filesystem layouts/properties; IPC – interprocess communication; User – users ("root" != root); Control groups: resource utilization (RAM, swap, CPU, IO, controls)
  • 34. ADDITIONAL FEATURES: capabilities - add or drop capabilities; seccomp - filtering of system calls; network isolation via iptables; limit inter-container communication
  • 35. SECURITY BY DOCKER: Leveraging Docker features for security
  • 36. LEVERAGING DOCKER FOR SECURITY: microservice -> reduced attack surface; enforce content trust to protect production; r/o FileSystems; drop capabilities when possible; seccomp - filtering system calls; journaled changes
  • 37. OPERATIONS AND ECOSYSTEM
  • 38. WHERE TO DEPLOY DOCKER? ON PREMISES: Baremetal (on Linux); Virtual Machines; IaaS, OpenStack, etc
  • 39. PUBLIC CLOUD PROVIDERS
  • 40. PAAS PROVIDERS
  • 41. ORCHESTRATION/SCHEDULING
  • 42. NETWORKING: BASIC NETWORKING
  • 43. OVERLAY NETWORKING
  • 44. MONITORING CHALLENGES: Scalability (100s of containers in a single host); Host Monitoring x Container Monitoring; Container instrumentation (1 process/container philosophy); API instability
  • 45. CONTAINER MONITORING SOLUTIONS: Sysdig Cloud; Weaveworks; New Relic; Google cAdvisor
  • 46. CONTAINER LOG MANAGEMENT: ELK Stack; Splunk
  • 47. WRAPPING UP
  • 48. LOOKING AT THE FUTURE: Containers exist in a continuum of options. Unikernels: one degree further; compile kernel for application; Undebuggable? Serverless Architecture? AWS Lambda; Azure Service Fabric; potentially bad idea?
  • 50. WRAPPING UP. Docker Security "Anti-Patterns": free-for-all (unrestricted containers in Prod); treating containers as servers. Recommendations for Security: Don't try to stop it!!!; recognize massive potential for disruption; no agents on containers; watch for outbound traffic; keep up to date (news!); rethink approach ("cattle, not pets")
  • 51. DOCKER ALL OVER. Last few weeks of news: Docker buys Unikernel; Arista announces Container support in EOS; Citrix supports NetScaler as Container; Amazon announces Docker 1.9 support
  • 52. RESOURCES! Twitterfolk:
  • 53. @mattnowina - AWS architect, tons of Docker links; @diogomonica - Docker Security; @frazelledazzell - Tons of Container work; @nigelpoulton - Pluralsight course; @mierdin - KeepingItClassless, TechFieldDay; @Sirupsen - WebScale @ Shopify; @blinken_lichten - DevOps; @jaybeale - Shmoocon 2016 preso; @docker and @dockercon - Company & Conference; @kubeconio - Kubernetes confab. Websites: DockerBench - Checklist; TheNewStack - portal of all things "modern" stacks; Packet Pushers - Network-focused approach; RunC - Open Container Initiative