When you are designing a production environment security is essential. All the Docker ecosystem but in particular Docker Swarm allows us to ship our containers out of our laptop, how can we make this process safe? During my talk, I will share tips around production environment, immutability and how troubleshooting common attack as code injection with Docker. Static analysis of our images, content trust with Notary to make our journey secure.
How can we setup a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives as Notary, centos/clair and Cilium.
In the end of this talk, we had a better idea around how manage Docker in production.
2. Hello!
I am Gianluca Arbezzano
Site Reliability Engineer at InfluxDB
oss maintainer and Docker Captain
You can find me:
@gianarb on Twitter and GitHub
3. Play Safe - a free ebook about Container Security.
What?
I wrote an ebook ~55 pages
about Docker and Container
Security. It comes from my
daily experience deploying and
making containers secure.
CoreOS Clair, Apparmor,
SwarmKit, Notary, Cilium and a
lot more...
Get it http://scaledocker.com
Leave your email and you will receive the ebook.
4. Make it
easy to do
the secure
things
Otherwise your colleagues
will be the perfect
vulnerability.
25. BPF - github.com/cilium/cilium
BPF is a highly flexible and efficient virtual
machine-like construct in the Linux kernel allowing to
execute bytecode at various hook points in a safe
manner. It is used in a number of Linux kernel
subsystems, most prominently networking, tracing and
security
http://cilium.readthedocs.io/en/latest/bpf/
37. COREOS Clair
1. In regular intervals, Clair ingests vulnerability
metadata from a configured set of sources and
stores it in the database.
2. Clients use the Clair API to index their container
images; this parses a list of installed source
packages and stores them in the database.
3. Clients use the Clair API to query the database;
correlating data is done in real time, rather than a
cached result that needs re-scanning.
4. When updates to vulnerability metadata occur, a
webhook containing the affected images can be
configured to page or block deployments.
42. SHA1 - First collision
https://security.googleblog.com/2017/02/
announcing-first-sha1-collision.html
43. GPG limitation
● Is it coming from the place
where I hope?
● Between the sender and the
receiver what happen?
● Are the signatures too old?
44. TUF - The update
framework
https://theupdateframework.github.io
45. The framework is inspired by
Thandy the Tor’s secure updating
system
46. Main principles:
◎ Responsibility Separation to decrease the
scope of a specific role.
◎ Survivable key compromise and scoped
keys.
◎ Multi-Signature thresholding
47. It doesn’t manage
your packages
It only manage identity and signatures in
a separate location.