Ricardo Gerardi and I had the privilege of delivering an introductory talk on Docker & Docker Security to the Toronto Area Security Klatch (TASK) this week. Here are the slides.
6. 1/29/2016 Docker Security Introduction
http://159.203.15.183:8080/#/ 7/59
MICROSERVICES
"Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up & down microservices
Containers as "lightweight servers" that stay up
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications in a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
FIRST THINGS FIRST...
Containers vs. VMs?
Containers are not as isolated as VMs,
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions (Vault & Keywhiz)
Embedded in orchestration (Kubernetes)
Custom solutions
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO, controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
read-only (r/o) filesystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
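As an added example (not part of the deck), the checks above and the "ENV variables for secrets" point from the earlier slide can be turned into a small audit of `docker inspect` output: it flags privileged mode, capabilities that were added or not dropped, a writable root filesystem, a disabled seccomp profile, a root user, and secret-looking environment variables. The inspect record is constructed for the example; the field names are the ones Docker emits.

```python
"""Audit one container's `docker inspect` JSON for the hardening gaps the
deck lists. Added example; the sample record below is constructed."""
import json
import re

# Constructed sample: one entry of `docker inspect <container>` output,
# trimmed to the fields the checks read. Deliberately runs "free-for-all".
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                   "CapDrop": [], "ReadonlyRootfs": False,
                   "SecurityOpt": ["seccomp=unconfined"]},
}])

# Heuristic: variable names that usually carry a credential.
SECRET_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)=", re.I)


def audit_container(entry: dict) -> list[str]:
    """Return findings for a single inspect entry (empty list = clean)."""
    host = entry.get("HostConfig") or {}
    cfg = entry.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices")
    if host.get("CapAdd"):
        findings.append("cap-add: " + ",".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (no --cap-drop ALL)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    if any(o.startswith("seccomp=unconfined") for o in host.get("SecurityOpt") or []):
        findings.append("seccomp syscall filtering disabled")
    if cfg.get("User") in ("", "root", "0", None):
        findings.append("runs as root inside the container")
    for var in cfg.get("Env") or []:
        if SECRET_RE.search(var):
            findings.append("secret-looking ENV variable: " + var.split("=", 1)[0])
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for the whole inspect array."""
    return {e["Name"]: audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_INSPECT).items():
        print(name, *hits, sep="\n  ")
```

Run it against real output with `docker inspect $(docker ps -q) > inspect.json` and pass the file contents to `audit()`; a clean result is an empty list per container.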
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host monitoring vs. container monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support