Securing your Containers (Meetup at Docker HQ 4/7)
2 likes914 views
This document outlines steps for securing containers, including using official images, running Docker Bench for Security scans, enabling Docker Content Trust for signed images, scanning with Nautilus for CVEs, and configuring user namespaces, cgroups, capabilities, seccomp, and apparmor to restrict container access and resources. It discusses these security measures in the context of securing the "Build Ship Run" pipeline.
Securing your Containers (Meetup at Docker HQ 4/7)
- 1. Securing your Containers Steps to becoming Seaworthy Riyaz Faizullabhoy - @riyazdf Docker Security Team
- 2. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
- 4. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
- 5. Official Images • Vetted for best practices • Scanned for CVEs • Lobby upstream to fix security problems • Promptly updated
- 6. • Check for secure daemon + system configuration • Audit containers in context • Check for best practices Docker Bench for Security
- 7. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
- 8. Docker Content Trust • Sign images at point of authorship (using Notary) • Removes implicit trust of storage service and network • Guarantee integrity of your images when pulled
- 9. Nautilus • Scan images for CVEs • Detects vulns in libraries statically compiled into binaries
- 10. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
- 11. User Namespaces • Map users and groups to their own UID/GID range • TL;DR - Root in a container is not root outside a container Docker Host Container 1 Container 2 Container 3
- 12. Control Groups • a.k.a cgroups • Control resource usage of a container • Good for container multitenancy
- 13. Capabilities • No longer root vs. non-root • Finer grained control on what the process can do
- 14. Seccomp • SECure COMPuting mode. • Filter permitted system calls
- 15. AppArmor • Per process security profiles • Define once, apply many times • Finest grained control
- 16. Securing the pipeline Build Ship Run • Official Images • Docker Bench for Security • Docker Content Trust • Nautilus • User Namespaces • Cgroups • Capabilities • Seccomp • Apparmor
- 17. THANK YOU