SlideShare una empresa de Scribd logo

Docker security

Janos Suto
Janos Suto

How to secure your docker installation

Software
1 de 57
Descargar para leer sin conexión
Docker security SOFTWARE FREEDOM DAY, 2019, SZEGED Janos SUTO, sj@acts.hu
Isn't docker secure? Ars Technica: Infected images mined digital coins "17 images posted by a single account over10 months may have generated $90,000." "For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it.” https://arstechnica.com/information- technology/2018/06/backdoored-images-downloaded-5-million-times- finally-removed-from-docker-hub/
CVE-2019-5736 "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveragingthe ability to execute a command as root within one of these types of containers: (1) a new container withan attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file- descriptor mishandling, related to /proc/self/exe.
Important stuff I won't talk this time Physical security Host security (patched OS, only necessary packages, OS hardening, ...) Networksecurity (open ports, firewalls, strict SSH access, …) Educating users ...
Securing images
Official images Essential base OS repositoriesas the starting point for users Lead examples of Dockerfile best practices Security updates are applied in a timely manner Scanned for vulnerabilities https://docs.docker.com/docker-hub/official_images/
Docker Content Trust (DCT) Use digital signatures for data sent to and receivedfrom remote Docker registries. These signatures allow client-sideor runtime verification of the integrity and publisher of specific image tags. Through DCT, image publishers can sign their images and image consumers can ensure that the images they use are signed.
DCT #2 export DOCKER_CONTENT_TRUST="1" docker pull user/someimage Error: remote trust data does not exist for docker.io/user/someimage: notary.docker.io does not have trust data for docker.io/user/someimage https://docs.docker.com/engine/security/trust/content_trust/
Runtime Enforcement with DCT Applies to Docker Enterprise only
Personal Access Tokens for Docker HUB
Use your own registry Docker registry Harbor Quay (automatic security scanning) JFrog Artifactory (PRO edition)
Don't use insecure registries By default it's not enabled
Build your own images Start from official images Use a reasonable distro (eg. alpine) Include only what's really required (eg. --no-install-recommends) USER someuser No sudo No sshd
Don't bake any secrets to the image ENV MYSQL_PASSWORD "aaaa"
Scan your images Microscanner: https://github.com/aquasecurity/microscanner FROM debian:jessie-slim RUN apt-get update && apt-get -y install ca-certificates ADD https://get.aquasec.com/microscanner / ARG token RUN chmod +x /microscanner && /microscanner ${token}
"vulnerabilities": [ { "name": "CVE-2017-8398", "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary …". "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "nvd_severity": "medium", "nvd_url": https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE- 2017-8398, ….. },
Other image scanner products Clair Docker Trusted Registry JFrog Xray ...
Virus scanning $ docker create --name erlang_scan erlang # Create container from image $ docker export –output "live_system.tar" erlang_scan # Push the container fs to tar file $ clamscan live_system.tar live_system.tar: OK ----------- SCAN SUMMARY ----------- Known viruses: 6590083 Engine version: 0.100.1 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Data read: 1029.54 MB (ratio 0.00:1) Time: 9.586 sec (0 m 9 s) $ docker rm erlang_scan https://medium.com/@cwgem/thoughts-about-docker-security-8e0df4b43650
Docker bench security Checking for best practices: 1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container Images and Build File 5. Container Runtime 6. Docker Security Operations 7. Docker Swarm Configuration https://github.com/docker/docker-bench-security
[INFO] 2 - Docker daemon configuration [PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge [PASS] 2.2 - Ensure the logging level is set to 'info' [PASS] 2.3 - Ensure Docker is allowed to make changes to iptables [PASS] 2.4 - Ensure insecure registries are not used [PASS] 2.5 - Ensure aufs storage driver is not used [INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured [INFO] * Docker daemon not listening on TCP [INFO] 2.7 - Ensure the default ulimit is configured appropriately [INFO] * Default ulimit doesn't appear to be set
Securing the daemon
Protect the socket srw-rw----1 root docker 0 Sep 10 21:04 /var/run/docker.sock= Don't put just anyone to the docker group
Accessing docker over the network TLS encryption (don't enable port 2375) Certificate authentication Firewall the docker host DOCKER_HOST=tcp://docker.yourdomain.com:2376 DOCKER_TLS_VERIFY=1 https://docs.docker.com/engine/security/https/ https://docs.docker.com/engine/security/certificates/
Securing containers
Resource limits --memory 2G: The maximum amount of memory the container can use --memory-swap 2G: The amount of memory the container is allowed to swap to disk --shm-size 64M: Size of /dev/shm --cpus=1.5 how much of the available CPU resources a container can use. --cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use --gpus device=0,2: nvidia gpu access --pids-limit: Limit number of processes started inside docker container --ulimit <options>, eg. --ulimit nproc=256:512 https://docs.docker.com/config/containers/resource_constraints/
Stopping a fork bomb $ docker run --rm --name aaa --pids-limit 30 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done" environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable ... bash: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: Resource temporarily unavailable bash: fork: Interrupted system call
Stopping a fork bomb #2 $ docker stats aaa NAME CPU % MEM USAGE / LIMIT MEM % PIDS aaa 0.14% 9.172MiB / 23.41GiB 0.04% 30
Make the root fs read-only $ docker run --rm -ti --read-only ubuntu bash root@4f8d760aa70b:/# touch /tmp/iii touch: cannot touch '/tmp/iii': Read-only file system root@4f8d760aa70b:/#
Use tmpfs to allow write access $ docker run --rm -ti --read-only --tmpfs /tmp ubuntu bash root@e28b09f46878:/# touch /tmp/akaka root@e28b09f46878:/#
Remove all capabilities ... $ docker run --rm --cap-drop=ALL nginx 2019/09/22 09:37:45 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) man 7 capabilities
… add only what's required $ docker run --rm --cap-add=chown --cap-drop=ALL nginx 2019/09/22 09:39:28 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied) nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
… add only what's required #2 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-drop=ALL nginx 2019/09/22 09:43:22 [emerg] 6#6: setgid(101)failed (1: Operation not permitted) 2019/09/22 09:43:22 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
… add only what's required #3 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-add=setgid --cap-drop=ALL nginx 2019/09/22 09:43:54 [emerg] 6#6: setuid(101)failed (1: Operation not permitted) 2019/09/22 09:43:54 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
… add only what's required #4 $ docker run --rm --cap-add=chown --cap-add=net_bind_service --cap-add=setgid --cap-add=setuid --cap-drop=ALL nginx
User remapping $ docker run --rm -ti -v /etc:/etc ubuntu bash root@6ac62e5eb40c:/# touch /etc/hello-world root@6ac62e5eb40c:/# exit $ ls -la /etc/hello-world -rw-r--r-- 1 root root 0 Sep 22 11:53 /etc/hello-world
User remapping #2 $ whoami john $ id -u 1000 $id -g 100
User remapping #3 /etc/docker/daemon.json: { "userns-remap": "john" } /etc/subuid: john:1000:65536 /etc/subgid: john:100:65536
User remapping #4 $ docker run --rm -ti -v /etc:/etc ubuntu bash root@deb50f4847e6:/# touch /etc/hello-world2 touch: cannot touch '/etc/hello-world2': Permission denied
User remapping #5 $ docker run --rm -ti -v /tmp:/tmp ubuntu bash root@7b66cc086eb4:/# touch /tmp/aaa root@7b66cc086eb4:/# ls -la /tmp/aaa -rw-r--r--1 root root 0 Sep 22 10:13 /tmp/aaa root@7b66cc086eb4:/# exit $ ls -la /tmp/aaa -rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
Don't use privileged mode "Privileged mode enables access to all deviceson the host as wellas set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host."
Don't use the host's namespaces $ docker run --userns=host -ti --rm -v /tmp:/tmpubuntu bash root@a78119823836:/# touch /tmp/hahaha root@a78119823836:/# ls -la /tmp/hahaha -rw-r--r--1 root root 0 Oct 3 10:08 /tmp/hahaha root@a78119823836:/# exit $ ls -la /tmp/hahaha -rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
Authorization plugin dockerd --authorization-plugin=someplugin Could run locally on a Unix domain socket, or anywhere on http(s)
Authorization plugin #2 https://docs.docker.com/engine/extend/plugins_authorization/ PoC implementation: https://pastebin.com/SFUWdP08
Secrets in container $ docker run --rm –ti –e SOME_PASSWORD=aaaa ubuntu bash root@7b66cc086eb4:/#echo $SOME_PASSWORD aaaa root@7b66cc086eb4:/# Environments are often logged! #less /proc/29487/task/29487/environ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTN AME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@H OME=/root
Secrets in config files in container docker run –v /path/to/1.cfg:/etc/yourapp/1.cfg:royourimage
Docker secrets Container orchestrationsystems offer some basic secret management Kubernetes: secrets, configmaps (Namespaces, RBAC) Docker Swarm: secrets Not for a standalone docker installation :-( Setup a single node swarm or k8s deployment:-) https://www.hashicorp.com/resources/securing-container-secrets-vault
Elevating privileges FROM ubuntu:latest RUN apt-get update && apt-get install –y sudo && echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd USER 1000
Elevating privileges #2 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash root@177cd44c70c0:/# id uid=0(root) gid=0(root) groups=0(root)
Elevating privileges #3 /etc/docker/daemon.json: { "no-new-privileges": true }
Elevating privileges #4 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
More daemon.json settings { "icc": false, // Disable inter container communication "userland-proxy": false, // Disable userland proxy for loopback traffic …. }
Activity monitoring with sysdig/falco Notify other systems or humans of abnormal behavior. https://sysdig.com/opensource/falco/
Activity monitoring with sysdig/falco #2 ***Actionchange_thread_namespace Calling setns() to change namespaces... ***Actioncreate_files_below_dev Creating /dev/created-by-event-generator-sh... ***Actiondb_program_spawn_process Becomingthe program "mysql" and then running ls ***Actionexec_ls bin dev etc … ***Actionexfiltration Reading /etc/shadow and sending to 10.5.2.6:8197...
Activity monitoring with sysdig/falco #3 2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>) 2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
Host encryption Don't use fscrypt: no support for namespaces Use LUKS
Final words Apply what makes sense in your environment At the end of the day security must not kill productivity

Recomendados

Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsBen Hall
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersBen Hall
 
Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Ben Hall
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on DockerBen Hall
 
Real World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationReal World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationBen Hall
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionBen Hall
 
Lessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersLessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersBen Hall
 

Recomendados

Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsBen Hall
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersBen Hall
 
Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Ben Hall
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on DockerBen Hall
 
Real World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationReal World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationBen Hall
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionBen Hall
 
Lessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersLessons from running potentially malicious code inside Docker containers
Lessons from running potentially malicious code inside Docker containersBen Hall
 
DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains Docker, Inc.
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containersBen Hall
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
Docker practice
Docker practiceDocker practice
Docker practicewonyong hwang
 
DCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on KubernetesDCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on KubernetesDocker, Inc.
 
Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !Alexandre Salomé
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Composeraccoony
 
Continuous delivery with docker
Continuous delivery with dockerContinuous delivery with docker
Continuous delivery with dockerJohan Janssen
 
kubernetes practice
kubernetes practicekubernetes practice
kubernetes practicewonyong hwang
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)Ruoshi Ling
 
Lab docker
Lab dockerLab docker
Lab dockerBruno Cornec
 
Hyperledger composer
Hyperledger composerHyperledger composer
Hyperledger composerwonyong hwang
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Docker, Inc.
 
DeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerDeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerSteve Smith
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017Paul Chao
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachPROIDEA
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-apiEric Ahn
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveDocker, Inc.
 

Más contenido relacionado

La actualidad más candente

DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains Docker, Inc.
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containersBen Hall
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
DCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on KubernetesDCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on KubernetesDocker, Inc.
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Composeraccoony
 
Continuous delivery with docker
Continuous delivery with dockerContinuous delivery with docker
Continuous delivery with dockerJohan Janssen
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)Ruoshi Ling
 
Hyperledger composer
Hyperledger composerHyperledger composer
Hyperledger composerwonyong hwang
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Docker, Inc.
 
DeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerDeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerSteve Smith
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017Paul Chao
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachPROIDEA
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Michele Orselli
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-apiEric Ahn
 

La actualidad más candente (20)

DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains DCSF19 Tips and Tricks of the Docker Captains
DCSF19 Tips and Tricks of the Docker Captains
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
 
Docker practice
Docker practiceDocker practice
Docker practice
 
DCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on KubernetesDCSF 19 Deploying Rootless buildkit on Kubernetes
DCSF 19 Deploying Rootless buildkit on Kubernetes
 
Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
 
Continuous delivery with docker
Continuous delivery with dockerContinuous delivery with docker
Continuous delivery with docker
 
kubernetes practice
kubernetes practicekubernetes practice
kubernetes practice
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking KubernetesVincent Ruijter - ~Securing~ Attacking Kubernetes
Vincent Ruijter - ~Securing~ Attacking Kubernetes
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
 
Lab docker
Lab dockerLab docker
Lab docker
 
Hyperledger composer
Hyperledger composerHyperledger composer
Hyperledger composer
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
 
DeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to DockerDeveloperWeek 2015: A Practical Introduction to Docker
DeveloperWeek 2015: A Practical Introduction to Docker
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-api
 

Similar a Docker security

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveDocker, Inc.
 
Docker Security Deep Dive by Ying Li and David Lawrence
Docker Security Deep Dive by Ying Li and David LawrenceDocker Security Deep Dive by Ying Li and David Lawrence
Docker Security Deep Dive by Ying Li and David LawrenceDocker, Inc.
 
Delivering Docker & K3s worloads to IoT Edge devices
Delivering Docker & K3s worloads to IoT Edge devicesDelivering Docker & K3s worloads to IoT Edge devices
Delivering Docker & K3s worloads to IoT Edge devicesAjeet Singh Raina
 
Docker workshop
Docker workshopDocker workshop
Docker workshopEvans Ye
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker皓鈞 張
 
Docker & FieldAware
Docker & FieldAwareDocker & FieldAware
Docker & FieldAwareJakub Jarosz
 
桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作Philip Zheng
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environmentSumedt Jitpukdebodin
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Bo-Yi Wu
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
Streamline your development environment with docker
Streamline your development environment with dockerStreamline your development environment with docker
Streamline your development environment with dockerGiacomo Bagnoli
 
Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作NUTC, imac
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerGuido Schmutz
 
Docker container management
Docker container managementDocker container management
Docker container managementKarol Kreft
 
Docker for Web Developers: A Sneak Peek
Docker for Web Developers: A Sneak PeekDocker for Web Developers: A Sneak Peek
Docker for Web Developers: A Sneak Peekmsyukor
 
Beyond Golden Containers: Complementing Docker with Puppet
Beyond Golden Containers: Complementing Docker with PuppetBeyond Golden Containers: Complementing Docker with Puppet
Beyond Golden Containers: Complementing Docker with Puppetlutter
 

Similar a Docker security (20)

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
 
Docker
DockerDocker
Docker
 
Docker Security Deep Dive by Ying Li and David Lawrence
Docker Security Deep Dive by Ying Li and David LawrenceDocker Security Deep Dive by Ying Li and David Lawrence
Docker Security Deep Dive by Ying Li and David Lawrence
 
Delivering Docker & K3s worloads to IoT Edge devices
Delivering Docker & K3s worloads to IoT Edge devicesDelivering Docker & K3s worloads to IoT Edge devices
Delivering Docker & K3s worloads to IoT Edge devices
 
Docker workshop
Docker workshopDocker workshop
Docker workshop
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Docker & FieldAware
Docker & FieldAwareDocker & FieldAware
Docker & FieldAware
 
桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environment
 
Docker by Example - Basics
Docker by Example - Basics Docker by Example - Basics
Docker by Example - Basics
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Streamline your development environment with docker
Streamline your development environment with dockerStreamline your development environment with docker
Streamline your development environment with docker
 
Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker Container
 
Docker container management
Docker container managementDocker container management
Docker container management
 
Docker for Web Developers: A Sneak Peek
Docker for Web Developers: A Sneak PeekDocker for Web Developers: A Sneak Peek
Docker for Web Developers: A Sneak Peek
 
Docker by Example - Basics
Docker by Example - Basics Docker by Example - Basics
Docker by Example - Basics
 
Beyond Golden Containers: Complementing Docker with Puppet
Beyond Golden Containers: Complementing Docker with PuppetBeyond Golden Containers: Complementing Docker with Puppet
Beyond Golden Containers: Complementing Docker with Puppet
 

Más de Janos Suto

Open source email archivalas
Open source email archivalasOpen source email archivalas
Open source email archivalasJanos Suto
 
Why email archiving is good for you
Why email archiving is good for youWhy email archiving is good for you
Why email archiving is good for youJanos Suto
 
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)Janos Suto
 
Spam? Már szinte el is felejtettem, mi az
Spam? Már szinte el is felejtettem, mi azSpam? Már szinte el is felejtettem, mi az
Spam? Már szinte el is felejtettem, mi azJanos Suto
 
Clapf Egy Irto Jo Spamszuro
Clapf Egy Irto Jo SpamszuroClapf Egy Irto Jo Spamszuro
Clapf Egy Irto Jo SpamszuroJanos Suto
 
Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Janos Suto
 

Más de Janos Suto (6)

Open source email archivalas
Open source email archivalasOpen source email archivalas
Open source email archivalas
 
Why email archiving is good for you
Why email archiving is good for youWhy email archiving is good for you
Why email archiving is good for you
 
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
 
Spam? Már szinte el is felejtettem, mi az
Spam? Már szinte el is felejtettem, mi azSpam? Már szinte el is felejtettem, mi az
Spam? Már szinte el is felejtettem, mi az
 
Clapf Egy Irto Jo Spamszuro
Clapf Egy Irto Jo SpamszuroClapf Egy Irto Jo Spamszuro
Clapf Egy Irto Jo Spamszuro
 
Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008Statisztikai Spamszurok 2008
Statisztikai Spamszurok 2008
 

Último

VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...software pro Development
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 

Último (20)

VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 

Docker security

  • 1. Docker security SOFTWARE FREEDOM DAY, 2019, SZEGED Janos SUTO, sj@acts.hu
  • 2. Isn't docker secure? Ars Technica: Infected images mined digital coins "17 images posted by a single account over10 months may have generated $90,000." "For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it.” https://arstechnica.com/information- technology/2018/06/backdoored-images-downloaded-5-million-times- finally-removed-from-docker-hub/
  • 3. CVE-2019-5736 "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveragingthe ability to execute a command as root within one of these types of containers: (1) a new container withan attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file- descriptor mishandling, related to /proc/self/exe.
  • 4. Important stuff I won't talk this time Physical security Host security (patched OS, only necessary packages, OS hardening, ...) Networksecurity (open ports, firewalls, strict SSH access, …) Educating users ...
  • 6. Official images Essential base OS repositoriesas the starting point for users Lead examples of Dockerfile best practices Security updates are applied in a timely manner Scanned for vulnerabilities https://docs.docker.com/docker-hub/official_images/
  • 7.
  • 8. Docker Content Trust (DCT) Use digital signatures for data sent to and receivedfrom remote Docker registries. These signatures allow client-sideor runtime verification of the integrity and publisher of specific image tags. Through DCT, image publishers can sign their images and image consumers can ensure that the images they use are signed.
  • 9. DCT #2 export DOCKER_CONTENT_TRUST="1" docker pull user/someimage Error: remote trust data does not exist for docker.io/user/someimage: notary.docker.io does not have trust data for docker.io/user/someimage https://docs.docker.com/engine/security/trust/content_trust/
  • 10. Runtime Enforcement with DCT Applies to Docker Enterprise only
  • 11. Personal Access Tokens for Docker HUB
  • 12. Use your own registry Docker registry Harbor Quay (automatic security scanning) JFrog Artifactory (PRO edition)
  • 13. Don't use insecure registries By default it's not enabled
  • 14. Build your own images Start from official images Use a reasonable distro (eg. alpine) Include only what's really required (eg. --no-install-recommends) USER someuser No sudo No sshd
  • 15. Don't bake any secrets to the image ENV MYSQL_PASSWORD "aaaa"
  • 16. Scan your images Microscanner: https://github.com/aquasecurity/microscanner FROM debian:jessie-slim RUN apt-get update && apt-get -y install ca-certificates ADD https://get.aquasec.com/microscanner / ARG token RUN chmod +x /microscanner && /microscanner ${token}
  • 17. "vulnerabilities": [ { "name": "CVE-2017-8398", "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary …". "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "nvd_severity": "medium", "nvd_url": https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE- 2017-8398, ….. },
  • 18. Other image scanner products Clair Docker Trusted Registry JFrog Xray ...
  • 19. Virus scanning $ docker create --name erlang_scan erlang # Create container from image $ docker export –output "live_system.tar" erlang_scan # Push the container fs to tar file $ clamscan live_system.tar live_system.tar: OK ----------- SCAN SUMMARY ----------- Known viruses: 6590083 Engine version: 0.100.1 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Data read: 1029.54 MB (ratio 0.00:1) Time: 9.586 sec (0 m 9 s) $ docker rm erlang_scan https://medium.com/@cwgem/thoughts-about-docker-security-8e0df4b43650
  • 20. Docker bench security Checking for best practices: 1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container Images and Build File 5. Container Runtime 6. Docker Security Operations 7. Docker Swarm Configuration https://github.com/docker/docker-bench-security
  • 21. [INFO] 2 - Docker daemon configuration [PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge [PASS] 2.2 - Ensure the logging level is set to 'info' [PASS] 2.3 - Ensure Docker is allowed to make changes to iptables [PASS] 2.4 - Ensure insecure registries are not used [PASS] 2.5 - Ensure aufs storage driver is not used [INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured [INFO] * Docker daemon not listening on TCP [INFO] 2.7 - Ensure the default ulimit is configured appropriately [INFO] * Default ulimit doesn't appear to be set
  • 23. Protect the socket srw-rw----1 root docker 0 Sep 10 21:04 /var/run/docker.sock= Don't put just anyone to the docker group
  • 24. Accessing docker over the network TLS encryption (don't enable port 2375) Certificate authentication Firewall the docker host DOCKER_HOST=tcp://docker.yourdomain.com:2376 DOCKER_TLS_VERIFY=1 https://docs.docker.com/engine/security/https/ https://docs.docker.com/engine/security/certificates/
  • 26. Resource limits --memory 2G: The maximum amount of memory the container can use --memory-swap 2G: The amount of memory the container is allowed to swap to disk --shm-size 64M: Size of /dev/shm --cpus=1.5 how much of the available CPU resources a container can use. --cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use --gpus device=0,2: nvidia gpu access --pids-limit: Limit number of processes started inside docker container --ulimit <options>, eg. --ulimit nproc=256:512 https://docs.docker.com/config/containers/resource_constraints/
  • 27. Stopping a fork bomb $ docker run --rm --name aaa --pids-limit 30 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done" environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable ... bash: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: Resource temporarily unavailable bash: fork: Interrupted system call
  • 28. Stopping a fork bomb #2 $ docker stats aaa NAME CPU % MEM USAGE / LIMIT MEM % PIDS aaa 0.14% 9.172MiB / 23.41GiB 0.04% 30
  • 29. Make the root fs read-only $ docker run --rm -ti --read-only ubuntu bash root@4f8d760aa70b:/# touch /tmp/iii touch: cannot touch '/tmp/iii': Read-only file system root@4f8d760aa70b:/#
  • 30. Use tmpfs to allow write access $ docker run --rm -ti --read-only --tmpfs /tmp ubuntu bash root@e28b09f46878:/# touch /tmp/akaka root@e28b09f46878:/#
  • 31. Remove all capabilities ... $ docker run --rm --cap-drop=ALL nginx 2019/09/22 09:37:45 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) man 7 capabilities
  • 32. … add only what's required $ docker run --rm --cap-add=chown --cap-drop=ALL nginx 2019/09/22 09:39:28 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied) nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
  • 33. … add only what's required #2 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-drop=ALL nginx 2019/09/22 09:43:22 [emerg] 6#6: setgid(101)failed (1: Operation not permitted) 2019/09/22 09:43:22 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
  • 34. … add only what's required #3 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-add=setgid --cap-drop=ALL nginx 2019/09/22 09:43:54 [emerg] 6#6: setuid(101)failed (1: Operation not permitted) 2019/09/22 09:43:54 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
  • 35. … add only what's required #4 $ docker run --rm --cap-add=chown --cap-add=net_bind_service --cap-add=setgid --cap-add=setuid --cap-drop=ALL nginx
  • 36. User remapping $ docker run --rm -ti -v /etc:/etc ubuntu bash root@6ac62e5eb40c:/# touch /etc/hello-world root@6ac62e5eb40c:/# exit $ ls -la /etc/hello-world -rw-r--r-- 1 root root 0 Sep 22 11:53 /etc/hello-world
  • 37. User remapping #2 $ whoami john $ id -u 1000 $id -g 100
  • 38. User remapping #3 /etc/docker/daemon.json: { "userns-remap": "john" } /etc/subuid: john:1000:65536 /etc/subgid: john:100:65536
  • 39. User remapping #4 $ docker run --rm -ti -v /etc:/etc ubuntu bash root@deb50f4847e6:/# touch /etc/hello-world2 touch: cannot touch '/etc/hello-world2': Permission denied
  • 40. User remapping #5 $ docker run --rm -ti -v /tmp:/tmp ubuntu bash root@7b66cc086eb4:/# touch /tmp/aaa root@7b66cc086eb4:/# ls -la /tmp/aaa -rw-r--r--1 root root 0 Sep 22 10:13 /tmp/aaa root@7b66cc086eb4:/# exit $ ls -la /tmp/aaa -rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
  • 41. Don't use privileged mode "Privileged mode enables access to all deviceson the host as wellas set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host."
  • 42. Don't use the host's namespaces $ docker run --userns=host -ti --rm -v /tmp:/tmpubuntu bash root@a78119823836:/# touch /tmp/hahaha root@a78119823836:/# ls -la /tmp/hahaha -rw-r--r--1 root root 0 Oct 3 10:08 /tmp/hahaha root@a78119823836:/# exit $ ls -la /tmp/hahaha -rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
  • 43. Authorization plugin dockerd --authorization-plugin=someplugin Could run locally on a Unix domain socket, or anywhere on http(s)
  • 45. Secrets in container $ docker run --rm –ti –e SOME_PASSWORD=aaaa ubuntu bash root@7b66cc086eb4:/#echo $SOME_PASSWORD aaaa root@7b66cc086eb4:/# Environments are often logged! #less /proc/29487/task/29487/environ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTN AME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@H OME=/root
  • 46. Secrets in config files in container docker run –v /path/to/1.cfg:/etc/yourapp/1.cfg:royourimage
  • 47. Docker secrets Container orchestrationsystems offer some basic secret management Kubernetes: secrets, configmaps (Namespaces, RBAC) Docker Swarm: secrets Not for a standalone docker installation :-( Setup a single node swarm or k8s deployment:-) https://www.hashicorp.com/resources/securing-container-secrets-vault
  • 48. Elevating privileges FROM ubuntu:latest RUN apt-get update && apt-get install –y sudo && echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd USER 1000
  • 49. Elevating privileges #2 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash root@177cd44c70c0:/# id uid=0(root) gid=0(root) groups=0(root)
  • 51. Elevating privileges #4 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
  • 52. More daemon.json settings { "icc": false, // Disable inter container communication "userland-proxy": false, // Disable userland proxy for loopback traffic …. }
  • 53. Activity monitoring with sysdig/falco Notify other systems or humans of abnormal behavior. https://sysdig.com/opensource/falco/
  • 54. Activity monitoring with sysdig/falco #2 ***Actionchange_thread_namespace Calling setns() to change namespaces... ***Actioncreate_files_below_dev Creating /dev/created-by-event-generator-sh... ***Actiondb_program_spawn_process Becomingthe program "mysql" and then running ls ***Actionexec_ls bin dev etc … ***Actionexfiltration Reading /etc/shadow and sending to 10.5.2.6:8197...
  • 55. Activity monitoring with sysdig/falco #3 2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>) 2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
  • 56. Host encryption Don't use fscrypt: no support for namespaces Use LUKS
  • 57. Final words Apply what makes sense in your environment At the end of the day security must not kill productivity