1/29/2016 Docker Security Introduction
http://159.203.15.183:8080/#/ 1/59
DOCKER SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices
architectural style to be a superior approach to a monolithic
architecture. But other teams have found them to be a
productivity-sapping burden. Like any architectural style,
microservices bring costs and benefits. To make a sensible choice
you have to understand these and apply them to your specific
context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY
(https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
@fsmontenegro
ABOUT US - RICARDO
Senior IT Consultant
Network Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
@ricardogerardi
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications in a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux Kernel (3.8+)
Namespaces
cGroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers not as isolated as VMs.
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure Registry/Mirror Access
Getting trustworthy images
trusted sources - docker hub, private registry
building secure
Docker Content Trust (1.8) [Notary]
"only signed content in production"
Yubico Keys
DOCKER'S PROJECT NAUTILUS
Docker securing images on DockerHub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions: Vault & Keywhiz
Embedded in orchestration (Kubernetes)
Custom solutions
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO, controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
r/o FileSystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
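Added example (not part of the original slides): a Python audit of `docker inspect` output for the settings this slide and the secrets slide name, i.e. read-only root filesystem, dropped capabilities, seccomp, and secrets in ENV variables. The sample JSON, the finding labels and the BROAD_CAPS policy set are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output; not real data.
SAMPLE_INSPECT = """
[
  {"Name": "/web-hardened",
   "Config": {"Env": ["PATH=/usr/bin", "LOG_LEVEL=info"]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                  "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                  "SecurityOpt": null}},
  {"Name": "/legacy-app",
   "Config": {"Env": ["DB_PASSWORD=example-only", "API_TOKEN=example-only"]},
   "HostConfig": {"Privileged": true, "ReadonlyRootfs": false,
                  "CapDrop": null, "CapAdd": ["SYS_ADMIN"],
                  "SecurityOpt": ["seccomp=unconfined"]}}
]
"""

# Assumed naming hints for secret-bearing variables (illustrative, not exhaustive).
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")
# Assumed policy: capabilities considered too broad to add back in production.
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def _caps(values):
    """Normalise capability names: upper-case, without the CAP_ prefix."""
    out = set()
    for value in values or []:
        value = value.upper()
        out.add(value[4:] if value.startswith("CAP_") else value)
    return out


def audit_container(container):
    """Return a list of finding labels for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    env = (container.get("Config") or {}).get("Env") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    if not _caps(host.get("CapDrop")):
        findings.append("no-cap-drop")
    for cap in sorted(_caps(host.get("CapAdd")) & BROAD_CAPS):
        findings.append("broad-cap-add:" + cap)
    for opt in host.get("SecurityOpt") or []:
        # Older engines wrote "seccomp:unconfined", newer ones "seccomp=unconfined".
        if opt.replace(":", "=", 1).lower() == "seccomp=unconfined":
            findings.append("seccomp-unconfined")
    for entry in env:
        name = entry.split("=", 1)[0]
        if any(hint in name.upper() for hint in SECRET_HINTS):
            # Report the variable name only, never its value.
            findings.append("secret-in-env:" + name)
    return findings


def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON document."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

On a live host the same function can be fed the JSON that `docker inspect` prints for the running containers.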
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Baremetal (on Linux)
Virtual Machines
IaaS, OpenStack, etc
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION/SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host Monitoring x Container Monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Docker security - TASK Jan 2016

  • 1. 1/29/2016 Docker Security Introduction http://159.203.15.183:8080/#/ 1/59 DOCKER SECURITY: Fernando Montenegro, CISSP - @fsmontenegro; Ricardo Gerardi - @ricardogerardi; TASK Jan 27, 2016
  • 2. WHY ARE WE HERE? Google Trends: "Microservices"
  • 3. Google Trends: "Docker"
  • 4. Google Trends: "Kubernetes"
  • 5. MICROSERVICES? (Source: F5)
  • 6. MICROSERVICES: "Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context." Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
  • 7. SIGNIFICANT BENEFITS: Support CI/CD practices; Easier to achieve scale; Operational benefits of "DevOps"
  • 8. DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/): Two schools of thought: Containers as up&down microservices; Containers as "lightweight servers" that stay up
  • 11. WHAT WE FOUND
  • 13. ABOUT US - FERNANDO: Sales Engineer; Online Fraud; Network Security; CompSci '94; Greying hair; Curious; Finance (DIY); Economics (EMH, Behaviour); Data Science (Coursera); @fsmontenegro
  • 14. ABOUT US - RICARDO: Senior IT Consultant; Network Management/Monitoring; IBM Netcool Certified; Uncertified father (2x); Interests: Linux/UNIX, Emerging technologies, Data Science; @ricardogerardi
  • 15. DOCKER INTRO
  • 16. WHAT IS DOCKER? DOCKER, THE PLATFORM: Docker is a container-based platform used to package and run applications in a variety of systems. DOCKER, THE COMPANY: Docker Inc. (https://www.docker.com/company)
  • 17. SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE: OLD WAY - HOSTED APPLICATIONS
  • 18. VIRTUAL MACHINES
  • 19. ENTER THE CONTAINER
  • 20. WHY DOCKER? Linux containers: Around for a long time (Open VZ, LXC, etc); Not very "friendly". Docker streamlines the process and makes it very easy to create and use containers; Speed (Development/Scalability); Portability; Driver to DevOps and Microservices
  • 21. WHAT DO YOU NEED TO RUN DOCKER? Recent Linux Kernel (3.8+); Namespaces; cGroups; Network connection
  • 22. DOCKER ARCHITECTURE IN A NUTSHELL. Source: https://www.docker.com/what-docker
  • 23. Source: https://docs.docker.com/engine/introduction/understanding-docker/
  • 24. DOCKER DEMO
  • 25. DOCKER SECURITY
  • 26. FIRST THINGS FIRST...: Containers vs. VMs? Containers not as isolated as VMs, but much more isolated than processes... cgroups & namespaces; Containers are OS-dependent; Containers for multi-tenancy? Not so fast...; Containers & VMs :-)
  • 27. SECURITY FOR DOCKER: How to secure the Docker "pipeline"; How to secure Docker containers themselves
  • 28. SECURITY FOR DOCKER IMAGES: Secure Registry/Mirror Access; Getting trustworthy images: trusted sources (Docker Hub, private registry), building secure; Docker Content Trust (1.8) [Notary]; "only signed content in production"; Yubico Keys
  • 29. DOCKER'S PROJECT NAUTILUS: Docker securing images on DockerHub; Image security; Component inventory/license management; Image optimization; Basic functional testing
  • 30. CLAIR BY COREOS: Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/; Available on Quay Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
  • 31. OTHER CONSIDERATIONS: Containers are stateless; Can mount additional volumes; How to do Secrets Management? ENV variables - not recommended; Key/Value Pair solutions: Vault & Keywhiz; Embedded in orchestration (Kubernetes); Custom solutions
  • 32. SECURITY FROM DOCKER: How to contain Docker & containers?
  • 33. NAMESPACES & CGROUPS: PID – process isolation; Network – NICs, IPs, routing tables et al.; UTS – hostnames; Mount – filesystem layouts/properties; IPC – interprocess communication; User – users ("root" != root); Control groups: resource utilization (RAM, swap, CPU, IO, controls)
  • 34. ADDITIONAL FEATURES: capabilities - add or drop capabilities; seccomp - filtering of system calls; network isolation via iptables; limit inter-container communication
  • 35. SECURITY BY DOCKER: Leveraging Docker features for security
  • 36. LEVERAGING DOCKER FOR SECURITY: microservice -> reduced attack surface; enforce content trust to protect production; r/o FileSystems; drop capabilities when possible; seccomp - filtering system calls; journaled changes
  • 37. OPERATIONS AND ECOSYSTEM
  • 38. WHERE TO DEPLOY DOCKER? ON PREMISES: Bare metal (on Linux); Virtual Machines; IaaS, OpenStack, etc
  • 39. PUBLIC CLOUD PROVIDERS
  • 40. PAAS PROVIDERS
  • 41. ORCHESTRATION/SCHEDULING
  • 42. NETWORKING: BASIC NETWORKING
  • 43. OVERLAY NETWORKING
  • 44. MONITORING: CHALLENGES: Scalability (100s of containers in a single host); Host Monitoring vs. Container Monitoring; Container instrumentation (1 process/container philosophy); API instability
  • 45. CONTAINER MONITORING SOLUTIONS: Sysdig Cloud; Weaveworks; New Relic; Google cAdvisor
  • 46. CONTAINER LOG MANAGEMENT: ELK Stack; Splunk
  • 47. WRAPPING UP
  • 48. LOOKING AT THE FUTURE: Containers exist in a continuum of options. Unikernels: one degree further; compile kernel for application; Undebuggable? Serverless Architecture? AWS Lambda; Azure Service Fabric; potentially bad idea?
  • 50. WRAPPING UP: Docker Security "Anti-Patterns": free-for-all (unrestricted containers in Prod); treating containers as servers. Recommendations for Security: Don't try to stop it!!!; recognize massive potential for disruption; no agents on containers; watch for outbound traffic; keep up to date (news!); rethink approach ("cattle, not pets")
  • 51. DOCKER ALL OVER: Last few weeks of news: Docker buys Unikernel; Arista announces Container support in EOS; Citrix supports NetScaler as Container; Amazon announces Docker 1.9 support
  • 52. RESOURCES! Twitterfolk:
  • 53. @mattnowina - AWS architect, tons of Docker links; @diogomonica - Docker Security; @frazelledazzell - Tons of Container work; @nigelpoulton - Pluralsight course; @mierdin - KeepingItClassless, TechFieldDay; @Sirupsen - WebScale @ Shopify; @blinken_lichten - DevOps; @jaybeale - Shmoocon 2016 preso; @docker and @dockercon - Company & Conference; @kubeconio - Kubernetes confab. Websites: DockerBench - Checklist; TheNewStack - portal of all things "modern" stacks; Packet Pushers - Network-focused approach; RunC - Open Container Initiative
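
The hardening points from the "Leveraging Docker for security" and "Other considerations" slides (read-only filesystems, dropped capabilities, seccomp, no secrets in ENV variables), turned into an audit over `docker inspect` JSON. This is an added example, not part of the original deck; the sample records, the finding names and the secret-name pattern are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: two records shaped like elements of `docker inspect` output.
SAMPLE = json.loads("""
[
  {"Name": "/web",
   "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only", "API_TOKEN="]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                  "CapAdd": ["NET_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "/worker",
   "Config": {"Env": ["PATH=/usr/bin", "VAULT_ADDR=https://vault.example.internal"]},
   "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                  "CapAdd": null, "CapDrop": ["ALL"], "SecurityOpt": null}}
]
""")

# Assumed heuristic for secret-looking variable names; tune for your environment.
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def audit(record):
    """Return finding IDs for one docker-inspect record (empty list = clean)."""
    host = record.get("HostConfig") or {}
    env = (record.get("Config") or {}).get("Env") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")            # overrides the controls below
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")       # slide: r/o filesystems
    if not host.get("CapDrop"):
        findings.append("no-cap-drop")           # slide: drop capabilities
    for cap in host.get("CapAdd") or []:
        findings.append("cap-add:" + cap)
    for opt in host.get("SecurityOpt") or []:
        # Older Docker releases wrote this option with ':' instead of '='.
        if opt.replace(":", "=", 1) == "seccomp=unconfined":
            findings.append("seccomp-unconfined")
    for item in env:
        name, _, value = item.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append("env-secret:" + name)  # report the name, never the value
    return findings


def audit_all(records):
    """Map each container name (leading '/' stripped) to its findings."""
    return {r.get("Name", "?").lstrip("/"): audit(r) for r in records}
```

To audit a live host, load the output of `docker inspect $(docker ps -q)` with `json.load` and pass the resulting list to `audit_all`.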