Docker containers are a fast-growing technology that has become hugely popular in the software industry. They offer amazing benefits but also present the developer with lots of security challenges. This talk will give you an introduction to Docker as well as basic security best practices. But don’t worry, we will also do some live hacking :).
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam
1.
Docker Security
Phạm Hồng Khánh
Do you dockerize? Are your containers safe?
2. 08.04.2019 2
Graduated from DUT
Web Application Security Engineer at mgm security partners
5 years IP Networking
3 years Infrastructure Operations
whoami
Phạm Hồng Khánh
khanh.hong.pham@mgm-sp.com
3.
Slow deployment times
Huge costs
Wasted resources
Difficult to scale
Difficult to migrate
Dark Ages - One Application - One Server
4.
Benefits
One physical machine divided into multiple virtual machines
Limitations
Resources
An entire Guest OS
Hypervisor-based Virtualization
5.
Containers vs. Virtualization
A Docker container is
lightweight & flexible
minimal
task specific
isolated
reproducible
Docker Overview
16.
17 cryptomining containers on Docker Hub
Active for almost a year
Made around $90,000 = 2 Billion VND in Bitcoins
Docker Image Security
17.
Use official repositories as parent images
Scan images! (MicroBadger)
Sign images / verify signatures
Do not put secrets in images!
What can we do to have a safe image?
18.
Private Registry Security
Cheap, under your control
You have to think about everything yourself!
Hosted
AWS or Google or DockerHub
More features
Privacy! Costs!
A secure Docker Registry
21.
Best Practices
Least Privilege!
Do not use --privileged
Docker runs as root by default!
docker run --user 1001 <img>
Use security policies!
Seccomp (default profile)
AppArmor, SELinux
Limit resources!
docker run -it --memory=2G --memory-swap=3G ubuntu bash
What can we do to have a safe container?
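Added example (not part of the original slides): a small Python check that applies the container best practices from this slide to `docker inspect` JSON. The sample input is constructed, and the function names audit_container and audit are hypothetical.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "Memory": 0,
                  "SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "/api", "Config": {"User": "1001"},
   "HostConfig": {"Privileged": false, "Memory": 2147483648,
                  "SecurityOpt": null}}
]
""")


def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    host = entry.get("HostConfig", {})
    user = entry.get("Config", {}).get("User", "")

    if host.get("Privileged"):
        findings.append("runs with --privileged")
    # An empty User means neither the image (USER) nor --user set one,
    # so the process runs as root; "0" and "root" are root explicitly.
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    # SecurityOpt is null when no --security-opt was given; the engine
    # then applies its default seccomp profile.
    for opt in host.get("SecurityOpt") or []:
        name, _, value = opt.partition("=")
        if name in ("seccomp", "apparmor") and value == "unconfined":
            findings.append(f"{name} profile disabled")
    # Memory is in bytes; 0 means no limit was set.
    if not host.get("Memory"):
        findings.append("no memory limit (--memory)")
    return findings


def audit(inspect_output):
    """Map container name -> findings for every inspected container."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To check real containers, feed it the JSON array printed by docker inspect instead of the constructed sample.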
22.
Docker is only as secure as the underlying host!
Best Practices
Make sure your system is patched and monitored!
Use minimal systems designed for this purpose as base system
Docker itself should be configured securely
Docker Host Security
24.
Know your attack surface!
Docker: okay by default
Solution:
Harden your Containers!
Test and audit regularly
Keep everything up to date
Tips: “How to be safe”!
HOST, CONTAINERS, REGISTRY, IMAGES
The more VMs you run, the more resources you need
Guest OS means wasted resources
Application portability not guaranteed
Explain again
Containers virtualize at the operating system level; hypervisors virtualize at the hardware level.
Hypervisors abstract the operating system from hardware; containers abstract the application from the operating system.
Hypervisors consume storage space for each instance. Containers use a single storage space plus smaller deltas for each layer and thus are much more efficient.
Containers can boot and be application-ready in less than 500 ms, which creates new design opportunities for rapid scaling. Hypervisors boot according to the OS, typically in 20 seconds, depending on storage speed.
Interact with audience: questions? Do you dockerize? How many of you know Docker?
Image
The basis of a Docker container. The content at rest.
Container
The image when it is ‘running.’ The standard unit for app service.
Engine
The software that executes commands for containers. Networking and volumes are part of Engine. Can be clustered together.
Registry
Stores, distributes and manages Docker images