Securing your Containers
Steps to becoming Seaworthy
Riyaz Faizullabhoy - @riyazdf
Docker Security Team
Securing the pipeline
Build Ship Run
• Official Images
• Docker Bench for Security
• Docker Content Trust
• Nautilus
• User Namespaces
• Cgroups
• Capabilities
• Seccomp
• Apparmor
Official Images
• Vetted for best practices
• Scanned for CVEs
• Lobby upstream to fix security problems
• Promptly updated
Docker Bench for Security
• Check for secure daemon + system configuration
• Audit containers in context
• Check for best practices
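The kind of daemon-configuration audit the slide describes, as an added example in Python (not Docker Bench's own script): it reads a daemon.json, compares a handful of settings against their hardened values, and flags a TCP API listener that lacks TLS verification and a daemon without user namespace remapping. The check list and both sample daemon.json documents are constructed for this example.

```python
import json

# Checks in the spirit of Docker Bench for Security's daemon-configuration section.
# The list is constructed for this example; it is not the project's own check list.
# Each entry: (daemon.json key, expected value, what a passing value means).
CHECKS = [
    ("icc", False, "inter-container traffic on the default bridge is restricted"),
    ("userland-proxy", False, "userland proxy is disabled"),
    ("no-new-privileges", True, "containers cannot gain privileges via setuid/setgid binaries"),
    ("live-restore", True, "live restore keeps containers running across daemon restarts"),
    ("log-level", "info", "daemon log level is 'info'"),
]


def audit_daemon_config(config):
    """Return a list of (status, key, message) findings; status is 'PASS' or 'WARN'."""
    findings = []
    for key, expected, meaning in CHECKS:
        actual = config.get(key)
        if actual == expected:
            findings.append(("PASS", key, meaning))
        else:
            findings.append(("WARN", key,
                             f"{meaning}: found {actual!r}, expected {expected!r}"))

    # A tcp:// listener exposes the full engine API; it needs TLS client verification.
    hosts = config.get("hosts", [])
    if any(h.startswith("tcp://") for h in hosts) and not config.get("tlsverify"):
        findings.append(("WARN", "hosts", "daemon listens on TCP without tlsverify"))
    else:
        findings.append(("PASS", "hosts", "daemon API is local-only or TLS-verified"))

    # User namespace remapping: root inside a container is not root on the host.
    if config.get("userns-remap"):
        findings.append(("PASS", "userns-remap", "user namespace remapping is enabled"))
    else:
        findings.append(("WARN", "userns-remap", "user namespace remapping is not enabled"))
    return findings


def warnings(config):
    """Only the failing checks, for scripting a pass/fail gate."""
    return [f for f in audit_daemon_config(config) if f[0] == "WARN"]


# Constructed sample daemon.json contents: a weak configuration and a hardened one.
WEAK = json.loads("""{
  "icc": true,
  "log-level": "debug",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}""")

HARDENED = json.loads("""{
  "icc": false,
  "userland-proxy": false,
  "no-new-privileges": true,
  "live-restore": true,
  "log-level": "info",
  "userns-remap": "default",
  "hosts": ["unix:///var/run/docker.sock"]
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {name} daemon.json ==")
        for status, key, message in audit_daemon_config(cfg):
            print(f"[{status}] {key}: {message}")
```

To run it against a real host, replace the constructed documents with the parsed contents of /etc/docker/daemon.json; a missing key is reported against the engine's default, which is what Docker Bench does as well.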
Docker Content Trust
• Sign images at point of authorship (using Notary)
• Removes implicit trust of storage service and network
• Guarantee integrity of your images when pulled
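The trust decision those three bullets describe, as an added Python example that is not Notary's or Docker's code: the publisher records the manifest digest and length for a tag at authorship time, and the client later resolves the tag to that digest and refuses any bytes the registry returns that do not match. Signature creation and verification over the targets record is Notary's job and is not modelled; the manifest, tag and tampered copy are constructed.

```python
import hashlib
import hmac
import json

# --- Publisher side ("sign at point of authorship") ---------------------------
# Constructed stand-in for a signed Notary targets record: for each tag, the
# manifest's sha256 digest and byte length the publisher vouched for. Signing
# that record is Notary's job; this example shows the decision made from it.

GOOD_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:" + "11" * 32, "size": 1234},      # constructed
    "layers": [{"digest": "sha256:" + "22" * 32, "size": 56789}],    # constructed
}, sort_keys=True).encode()


def manifest_digest(manifest_bytes):
    """Content digest in the registry's sha256:<hex> form."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def sign_target(tag, manifest_bytes, targets=None):
    """Record what the publisher authored; returns the updated targets record."""
    targets = dict(targets or {})
    targets[tag] = {"digest": manifest_digest(manifest_bytes), "length": len(manifest_bytes)}
    return targets


TRUSTED_TARGETS = sign_target("1.0", GOOD_MANIFEST)

# --- Client side (pull) ---------------------------------------------------------

def resolve_trusted_digest(targets, tag):
    """Map a mutable tag to an immutable digest using only the signed record.
    An unsigned tag is rejected outright, so the registry cannot serve an
    arbitrary image under a tag the publisher never signed."""
    if tag not in targets:
        raise ValueError(f"tag {tag!r} has no signed target; refusing to pull")
    return targets[tag]["digest"]


def verify_pulled_manifest(targets, tag, manifest_bytes):
    """True only if what the registry returned is byte-for-byte what was signed.
    Neither registry nor network is trusted: the bytes are checked against the
    signed digest and length before anything is run."""
    expected = targets[tag]
    if len(manifest_bytes) != expected["length"]:
        return False
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected["digest"])


# Constructed tampered copy: a registry or on-path party swaps the config blob.
TAMPERED_MANIFEST = GOOD_MANIFEST.replace(("11" * 32).encode(), ("ee" * 32).encode())

if __name__ == "__main__":
    print("pulling", resolve_trusted_digest(TRUSTED_TARGETS, "1.0"))
    print("genuine manifest accepted:",
          verify_pulled_manifest(TRUSTED_TARGETS, "1.0", GOOD_MANIFEST))
    print("tampered manifest accepted:",
          verify_pulled_manifest(TRUSTED_TARGETS, "1.0", TAMPERED_MANIFEST))
```

The tampered manifest has the same length as the genuine one, so the length check alone would pass; the digest comparison is what catches it, which is why pulling by signed digest rather than by tag is the integrity guarantee the slide refers to.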
Nautilus
• Scan images for CVEs
• Detects vulns in libraries statically compiled into binaries
User Namespaces
• Map users and groups to their own UID/GID range
• TL;DR - Root in a container is not root outside a container
[Figure: Docker Host running Container 1, Container 2 and Container 3]
Control Groups
• a.k.a. cgroups
• Control resource usage of a container
• Good for container multitenancy
Capabilities
• No longer root vs. non-root
• Finer-grained control on what the process can do
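What "no longer root vs. non-root" looks like in practice, as an added Python example (not Docker's code): it decodes the CapEff bitmask the kernel reports in /proc/<pid>/status into capability names, and computes the set a container ends up with for a given --cap-add/--cap-drop combination. The bit numbers are the kernel's; the 14-capability default set is Docker's as I know it; the add/drop precedence follows the engine's behaviour as I understand it, and the /proc/1/status excerpt is constructed.

```python
# Linux capability bit numbers (from <linux/capability.h>).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
}

# Capabilities Docker grants an unprivileged container by default.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})


def normalize(name):
    """Accept 'cap_net_admin', 'NET_ADMIN' or 'ALL', as the CLI does."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def effective_caps(cap_add=(), cap_drop=()):
    """Capability set produced by --cap-add/--cap-drop. Precedence (assumed to match
    the engine): add=ALL minus drops; else drop=ALL keeps only the adds; else default."""
    adds = {normalize(c) for c in cap_add}
    drops = {normalize(c) for c in cap_drop}
    if "ALL" in adds:
        return set(CAP_BITS) - drops
    if "ALL" in drops:
        return adds
    return (set(DOCKER_DEFAULT_CAPS) - drops) | adds


def cap_mask(caps):
    """Bitmask in the form the kernel shows as CapEff."""
    return sum(1 << CAP_BITS[c] for c in caps)


def decode_cap_mask(mask):
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def cap_eff_from_proc_status(status_text):
    """Read the effective capability set out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(int(line.split()[1], 16))
    raise ValueError("no CapEff line in status text")


# Constructed excerpt of /proc/1/status as seen inside a default container.
STATUS_EXCERPT = "Name:\tnginx\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print("default container:", sorted(cap_eff_from_proc_status(STATUS_EXCERPT)))
    hardened = effective_caps(cap_add=["NET_BIND_SERVICE"], cap_drop=["ALL"])
    print("--cap-drop=ALL --cap-add=NET_BIND_SERVICE:", sorted(hardened), hex(cap_mask(hardened)))
```

Reading CapEff from inside a running container (cat /proc/1/status) and decoding it this way is a quick check that a --cap-drop=ALL policy actually reached the process, since a uid-0 process with an empty effective set can bind a low port only if NET_BIND_SERVICE was added back.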
Seccomp
• SECure COMPuting mode.
• Filter permitted system calls
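"Filter permitted system calls" made concrete, as an added Python example that is not Docker's or libseccomp's code: it builds a deny-by-default profile in the JSON layout Docker accepts for --security-opt seccomp=<file>, including argument-conditional rules of the kind Docker's default profile uses for clone and personality, and a small evaluator that reports which action the profile assigns to a given call. The syscall allowlist is constructed for a simple network service; the evaluator's first-match rule ordering is a simplification, since libseccomp resolves rule precedence itself.

```python
import json


def _arg_matches(cond, args):
    """Evaluate one argument condition from a Docker/libseccomp profile rule."""
    idx = cond["index"]
    if idx >= len(args):
        return False
    actual, value, op = args[idx], cond["value"], cond["op"]
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_LT":
        return actual < value
    if op == "SCMP_CMP_LE":
        return actual <= value
    if op == "SCMP_CMP_GT":
        return actual > value
    if op == "SCMP_CMP_GE":
        return actual >= value
    if op == "SCMP_CMP_MASKED_EQ":          # (arg & value) == valueTwo
        return (actual & value) == cond["valueTwo"]
    raise ValueError(f"unknown comparison op {op!r}")


def decide(profile, syscall, args=()):
    """Action the profile assigns to one syscall invocation.
    Simplification: first matching rule wins; libseccomp orders rules by specificity."""
    for rule in profile["syscalls"]:
        names = rule.get("names") or [rule.get("name")]   # newer and older key spellings
        if syscall not in names:
            continue
        if all(_arg_matches(c, args) for c in rule.get("args") or []):
            return rule["action"]
    return profile["defaultAction"]


def build_profile(allowed, conditional_rules=()):
    """Deny-by-default profile in Docker's seccomp JSON layout."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": list(conditional_rules) + [
            {"names": sorted(allowed), "action": "SCMP_ACT_ALLOW", "args": []}
        ],
    }


CLONE_NEWUSER = 0x10000000

# Constructed allowlist for a simple network service. Real profiles are built by
# tracing the workload, starting from Docker's default profile.
PROFILE = build_profile(
    allowed={"read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
             "socket", "bind", "listen", "accept4", "epoll_wait", "exit_group",
             "rt_sigaction", "rt_sigreturn", "futex", "getpid", "nanosleep"},
    conditional_rules=[
        # clone() allowed only when it does not create a new user namespace
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": CLONE_NEWUSER, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        # personality() allowed only for the default persona (arg0 == 0)
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
)


def profile_json(profile):
    """Serialize for `docker run --security-opt seccomp=<file>`."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    for call, args in [("read", ()), ("ptrace", ()), ("mount", ()),
                       ("clone", (0x11,)), ("clone", (CLONE_NEWUSER,)),
                       ("personality", (0,)), ("personality", (0x0020000,))]:
        print(f"{call}{args}: {decide(PROFILE, call, args)}")
```

With SCMP_ACT_ERRNO as the default action a blocked call returns an error to the process instead of killing it, which makes a too-tight allowlist show up as EPERM in the application's logs rather than as a silent crash; that is the behaviour to look for when tuning a profile.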
AppArmor
• Per-process security profiles
• Define once, apply many times
• Finest-grained control
THANK YOU
