DevSecOps Orchestration of Text Analytics with Containers

  1. DevSecOps Orchestration of Text Analytics with Containers. Container Best Practices. Gil Irizarry, VP Engineering
  2. Objectives ● What: Analysis of containers vs. VMs and how to run containers securely ● Why: Containers offer efficiencies in installing and running software, but those efficiencies come with risks ● How: Patches, settings and orchestration can help mitigate the risks of containerization
  3. Containers are useful
  4. Inspired by the cargo ship
  5. Containers vs. VMs
  6. VMs are more secure, right? ● Common Vulnerabilities and Exposures: https://cve.mitre.org/ ○ CVE-2018-8219: An elevation of privilege vulnerability exists when Windows Hyper-V instruction emulation fails to properly enforce privilege levels. ○ CVE-2018-18021: ... An attacker can arbitrarily redirect the hypervisor flow of control (with full register control) [in Linux]. An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return...
  7. Vulnerabilities
  8. Container Vulnerabilities ● Unpatched OSes ● Relative freedom of images: anyone can build and publish one ● Docker Hub ○ For example: https://hub.docker.com/u/rosetteapi/
  9. Mitigation
  10. Mitigation of Container Vulnerabilities ● Patch the OS ● Know the source of your image ● Scan your image, and audit the Docker host and daemon configuration with, for example, https://github.com/docker/docker-bench-security.git (it checks the host against the CIS Docker Benchmark rather than the contents of an image) ● Do not run as root
  11. Mitigation of Container Vulnerabilities ● Use namespaces in Docker to isolate containers somewhat ● Unset SUID flags on your container images ● Use Docker Content Trust to pull only signed images ● Put limits on the system resources that individual containers can consume, either through Docker settings or Kubernetes
  12. Kubernetes
  13. Demo
  14. Finally...
  15. Questions https://www.linkedin.com/in/gilirizarry/ https://www.slideshare.net/conoagil
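The hardening points on slides 10 and 11 (do not run as root, unset SUID, content trust, resource limits) as a small POSIX shell script. This is an added example, not code from the talk or from Rosette. It assumes the image filesystem has already been exported to a directory (for example with `docker create --name tmp IMAGE && docker export tmp | tar -x -C ./rootfs`), and the UID, memory and CPU values passed to hardened_run_cmd are illustrative, not values from the slides.

```shell
#!/bin/sh
# Added example (not from the slides). Assumed inputs: an exported image
# rootfs directory for strip_suid, and illustrative limits for hardened_run_cmd.

# strip_suid ROOTFS
# Clear the setuid and setgid bits on every regular file under ROOTFS and
# print each path changed. -perm -4000 / -2000 (rather than /6000) keeps it
# working with GNU, BSD and busybox find; -xdev stays inside the rootfs.
strip_suid() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "strip_suid: not a directory: $root" >&2
        return 2
    fi
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -print -exec chmod u-s,g-s {} +
}

# count_suid ROOTFS
# Number of setuid/setgid files remaining; 0 is what a hardened image should report.
count_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# hardened_run_cmd IMAGE UID MEMORY CPUS
# Print the `docker run` command that applies slide 11's settings:
#   DOCKER_CONTENT_TRUST=1                 only pull a signed image
#   --user UID:UID                         non-root even if the image's USER is root
#   --cap-drop=ALL                         no Linux capabilities
#   --security-opt=no-new-privileges:true  setuid binaries cannot raise privileges
#   --read-only + --tmpfs                  image layers are not writable; scratch space is noexec,nosuid
#   --memory/--memory-swap/--cpus/--pids-limit   hard limits; memory-swap == memory disables swap
# It refuses UID 0 / "root" so a typo cannot quietly undo the whole point.
hardened_run_cmd() {
    image="$1"; uid="$2"; mem="$3"; cpus="$4"
    case "$uid" in
        ''|0|root)
            echo "hardened_run_cmd: refusing to run $image as root" >&2
            return 1 ;;
    esac
    printf '%s' \
        "DOCKER_CONTENT_TRUST=1 docker run --rm" \
        " --user $uid:$uid --cap-drop=ALL --security-opt=no-new-privileges:true" \
        " --read-only --tmpfs /tmp:rw,noexec,nosuid" \
        " --memory=$mem --memory-swap=$mem --cpus=$cpus --pids-limit=256" \
        " $image"
    echo
}
```

Usage: `strip_suid ./rootfs` on the exported tree, then `hardened_run_cmd hello-world 1000 512m 1.5 | sh` to run with the hardened flags (the command is printed rather than executed so it can be reviewed first). If the application genuinely needs one capability, add a single `--cap-add` after `--cap-drop=ALL` instead of dropping the latter.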

Editor's Notes

  • Layout of what this talk aims to achieve.
  • Containers are “smaller” than VMs. The picture of the cargo ship is not a bad analogy since all the containers take advantage of the same hull and engine.
  • The Docker logo echoes the design of the cargo ship.
  • VMs require a full OS per VM plus a hypervisor to manage them. VMs are separate and distinct from each other: a process attacking its own OS does not affect the other VMs or their OSs. Containers share the host kernel, which makes them more efficient, lightweight and quicker to start.
  • A partial list of hypervisor vulnerabilities. VMs are isolated from each other, but every VM on the host depends on the same hypervisor, so a hypervisor vulnerability is common to all of them.
  • I wanted to find a feel-good aphorism about vulnerability, but there’s a truth here that can apply to containers -- or IT in general. We have to accept some risk to gain the advantage of functionality or features. We need to understand the vulnerabilities in order to mitigate their impact.
  • Examples of container vulnerabilities
  • This image is a bit too good. We can’t fully cover the risk with mitigation, but we can work to reduce it
  • SUID (set owner user ID upon execution) is a special file permission. Normally on Linux/Unix a program runs with the access permissions of the user who launched it; a SUID binary instead runs with the permissions of the file's owner (often root) for the duration of its execution. You should either unset these bits on the files in your image or delete those files completely.
  • Kubernetes is Greek for helmsman (also governor). It is a system for running and coordinating containerized applications across a cluster of machines, designed to manage the complete life cycle of containerized applications and services with predictability, scalability and high availability. The master server talks to the kubelets to control the nodes. The outside world talks to kube-proxy, which forwards traffic to the pods. The containers in a pod are managed as a unit and share their environment, volumes and IP address. When a change is seen, the controller manager reads the new information and carries out the procedure that fulfills the desired state. This can involve scaling an application up or down, adjusting endpoints, etc.
  • Demo commands, in order:
    docker image ls                    (list the local images)
    docker run hello-world             (pull the image if needed and run a container that prints a message and exits)
    docker container ls                (won't show stopped containers)
    docker container ls --all          (also lists the stopped hello-world container)
    docker image ls                    (list the images again)
    docker rmi 4ab4c602aa5e            (try to remove the image: it fails while a container still references it)
    docker rm fcab5d2638f2             (remove the stopped container)
    docker rmi 4ab4c602aa5e            (now the image can be removed)
    ROSAPI_LICENSE_PATH=/Users/gil/Downloads/rosette-license.xml docker-compose -p rosette-stack up
      (bring up the rosette-stack project with docker-compose; the license file path is passed through the environment)

  • Don’t fear containers!
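Slide 11 says the resource limits can also be set through Kubernetes, and the Kubernetes note above describes pods as the unit that is managed. The manifest below is an added example, not part of the talk or of any Rosette deployment, showing the same controls as the hardened `docker run` (non-root user, no privilege escalation, dropped capabilities, read-only root filesystem, hard CPU and memory limits) expressed in a Pod spec. The pod and image names are assumed placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: text-analytics-hardened      # assumed name
spec:
  securityContext:
    runAsNonRoot: true               # kubelet refuses to start a container whose image would run as UID 0
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault           # the container runtime's default syscall filter
  containers:
  - name: app
    image: example/text-analytics:1.0   # assumed image; pin a digest in production
    securityContext:
      allowPrivilegeEscalation: false # counterpart of docker's no-new-privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests:
        cpu: "500m"
        memory: "512Mi"
      limits:
        cpu: "1"
        memory: "512Mi"              # request == limit: the pod is killed, not swapped, when it exceeds this
    volumeMounts:
    - name: scratch
      mountPath: /tmp                # writable scratch space, since the root filesystem is read-only
  volumes:
  - name: scratch
    emptyDir: {}
```

Apply it with `kubectl apply -f pod.yaml`; a container that tries to start as root under this spec is rejected by the kubelet with a CreateContainerConfigError rather than silently running with elevated privileges.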