docker security introduction-task-2016
TRANSCRIPT
DOCKER SECURITY
Fernando Montenegro, CISSP - @fsmontenegro
Ricardo Gerardi - @ricardogerardi
TASK Jan 27, 2016
WHY ARE WE HERE?
Google Trends: "Microservices"
Google Trends: "Docker"
Google Trends: "Kubernetes"
MICROSERVICES?
(Source: F5)
MICROSERVICES
"Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
SIGNIFICANT BENEFITS
Support CI/CD practices
Easier to achieve scale
Operational benefits of "DevOps"
DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/)
Two schools of thought:
Containers as up&down microservices
Containers as "lightweight servers" that stay up
WHAT WE FOUND
ABOUT US - FERNANDO @fsmontenegro
Sales Engineer
Online Fraud
Network Security
CompSci ’94
Greying hair
Curious
Finance (DIY)
Economics (EMH, Behaviour)
Data Science (Coursera)
ABOUT US - RICARDO @ricardogerardi
Senior IT Consultant
Network Management/Monitoring
IBM Netcool Certified
Uncertified father (2x)
Interests
Linux/UNIX
Emerging technologies
Data Science
DOCKER INTRO
WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package and run applications on a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE
OLD WAY - HOSTED APPLICATIONS
VIRTUAL MACHINES
ENTER THE CONTAINER
WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
WHAT DO YOU NEED TO RUN DOCKER?
Recent Linux Kernel (3.8+)
Namespaces
cgroups
Network connection
DOCKER ARCHITECTURE IN A NUTSHELL
Source: https://www.docker.com/what-docker
Source: https://docs.docker.com/engine/introduction/understanding-docker/
DOCKER DEMO
DOCKER SECURITY
FIRST THINGS FIRST...
Containers vs. VMs?
Containers are not as isolated as VMs, but much more isolated than plain processes (cgroups & namespaces).
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
SECURITY FOR DOCKER
How to secure the Docker "pipeline"
How to secure Docker containers themselves
SECURITY FOR DOCKER IMAGES
Secure Registry/Mirror Access
Getting trustworthy images
trusted sources - Docker Hub, private registry
building secure
Docker Content Trust (1.8) [Notary]
"only signed content in production"
Yubico Keys
DOCKER'S PROJECT NAUTILUS
Docker securing images on Docker Hub
Image security
Component inventory/license management
Image optimization
Basic functional testing
CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay
Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions
Embedded in orchestration (Kubernetes)
Vault & Keywhiz
Custom solutions
SECURITY FROM DOCKER
How to contain Docker & containers?
NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO, controls)
ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
SECURITY BY DOCKER
Leveraging Docker features for security
LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
r/o filesystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
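The controls listed in the last two slides (capabilities, seccomp, namespaces, r/o filesystems) and the earlier warning about secrets in ENV variables can all be checked after the fact from `docker inspect` output. The following audit is an added example, not code from the talk: it runs over a constructed sample of `docker inspect` JSON (the field names are Docker's, the container name and values are made up) and flags each hardening gap; `SECRET_HINTS` is an assumed naming convention, not a Docker feature.

```python
import json

# Constructed sample of `docker inspect <container>` output, trimmed to the
# fields this check reads; it was not captured from a real host.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web-prod",
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2", "APP_MODE=prod"]},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "ReadonlyRootfs": False,
        "SecurityOpt": ["seccomp=unconfined"],
        "NetworkMode": "host",
        "PidMode": "",
    },
}])
# Assumed env var name fragments that usually carry a secret; inspect shows Env in clear.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def audit_container(inspect_json):
    """Return (container, finding) pairs for every hardening gap found."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append((name, "privileged: all capabilities, default seccomp profile not applied"))
        for cap in hc.get("CapAdd") or []:
            findings.append((name, f"extra capability {cap} added"))
        if not hc.get("CapDrop"):
            findings.append((name, "no capabilities dropped (default set kept)"))
        if not hc.get("ReadonlyRootfs"):
            findings.append((name, "root filesystem writable (no --read-only)"))
        if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
            findings.append((name, "seccomp disabled"))
        for mode in ("NetworkMode", "PidMode", "IpcMode"):
            if hc.get(mode) == "host":
                findings.append((name, f"{mode}=host shares the host namespace"))
        for entry in (c.get("Config") or {}).get("Env") or []:
            key = entry.split("=", 1)[0]
            if any(h in key.upper() for h in SECRET_HINTS):
                findings.append((name, f"secret-looking env var {key} readable via inspect"))
    return findings


if __name__ == "__main__":
    for name, msg in audit_container(SAMPLE_INSPECT):
        print(f"{name}: {msg}")
```

On a real host, pipe `docker inspect <container>` into `audit_container`; an empty result means none of the checks above fired.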
OPERATIONS AND ECOSYSTEM
WHERE TO DEPLOY DOCKER?
ON PREMISES
Bare metal (on Linux)
Virtual Machines
IaaS, OpenStack, etc.
PUBLIC CLOUD PROVIDERS
PAAS PROVIDERS
ORCHESTRATION / SCHEDULING
NETWORKING
BASIC NETWORKING
OVERLAY NETWORKING
MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host Monitoring x Container Monitoring
Container instrumentation (1 process/container philosophy)
API instability
CONTAINER MONITORING SOLUTIONS
Sysdig Cloud
Weaveworks
New Relic
Google cAdvisor
CONTAINER LOG MANAGEMENT
ELK Stack
Splunk
WRAPPING UP
LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative