Docker Docker - Docker Security - Docker
Download as PPTX, PDF4 likes2,749 views
The document discusses the significance of Docker technology, emphasizing its role in microservices, cost savings, and the importance of security in its adoption. It addresses common security concerns while promoting community participation and sharing insights on orchestrating Docker environments. The document also highlights the challenges and considerations of Docker's adoption, urging organizations to get involved and optimize their approach to security and implementation.
Docker Docker - Docker Security - Docker
- 1. @behemphi @stackengin e D O C K E R D O C K E R D O C K E R … S E C U R I T Y … D O C K E R B O Y D H E M P H I L L , D I R E C T O R O F E V A N G E L I S M
- 3. @behemphi @stackengin G O A L S • Understand Why Docker is Such a Big Deal Love to @petecheslock
- 4. @behemphi @stackengin G O A L S • Understand Why Docker is Such a Big Deal • Consider Docker Security Concerns Love to @petecheslock
- 5. @behemphi @stackengin G O A L S • Understand Why Docker is Such a Big Deal • Consider Docker Security Concerns • Ponder a Rational Docker Adoption Strategy Love to @petecheslock
- 6. @behemphi @stackengin – B O Y D H E M P H I L L “As and Ops director, I am personally guilty of pooping rainbows on security concerns.”
- 8. @behemphi @stackengin W H O A M I ? • Technologist
- 9. @behemphi @stackengin W H O A M I ? • Technologist • Community Builder
- 10. @behemphi @stackengin W H O A M I ? • Technologist • Community Builder • Extroverted Nerd
- 11. @behemphi @stackengin W H O A M I ? • Technologist • Community Builder • Extroverted Nerd • Evangelist
- 12. @behemphi @stackengin - T H E A U S T I N D E V O P S C O M M U N I T Y “Come to Docker Austin and Austin DevOps. Your participation will move the conversations towards your passion - security.”
- 14. @behemphi @stackengin T H I S T H I N G O F W H I C H Y O U S P E A K ? • Docker Docker Docker
- 15. @behemphi @stackengin T H I S T H I N G O F W H I C H Y O U S P E A K ? • Docker Docker Docker • Orchestration, Service Discovery, Community
- 16. @behemphi @stackengin T H I S T H I N G O F W H I C H Y O U S P E A K ? • Docker Docker Docker • Orchestration, Service Discovery, Community • Like what you hear? Come join the conversation: http://goo.gl/YyyJOx
- 17. @behemphi @stackengin - B O B Q U I L L I N - C E O “Buy copious amounts of StackEngine goodness.”
- 19. @behemphi @stackengin W H O A R E Y O U ? • Have heard of Docker
- 20. @behemphi @stackengin W H O A R E Y O U ? • Have heard of Docker? • Have experimented with Docker on the job?
- 21. @behemphi @stackengin W H O A R E Y O U ? • Have heard of Docker? • Have experimented with Docker on the job? • Are using Docker in a production environment?
- 22. @behemphi @stackengin - S E C U R I T Y H O B B I T S “Unicorns nothing, Balrogs is more like it!”
- 24. @behemphi @stackengin C O M M O N G R O U N D • Philosophy
- 25. @behemphi @stackengin C O M M O N G R O U N D • Philosophy • Model
- 26. @behemphi @stackengin C O M M O N G R O U N D • Philosophy • Model • Implementation
- 27. @behemphi @stackengin C O M M O N G R O U N D • Philosophy • Model • Implementation • Tooling
- 28. @behemphi @stackengin “Don’t be a tools”
- 29. H T T P S : / / G O O . G L / R T 2 S W F
- 30. @behemphi @stackengin M I C R O - S E R V I C E S M I C R O - T E A M S • Docker makes micro- service philosophy available to mere mortals
- 31. @behemphi @stackengin M I C R O - S E R V I C E S M I C R O - T E A M S • Docker makes micro- service philosophy available to mere mortals • Containers are infrastructure boundaries for services
- 32. @behemphi @stackengin M I C R O - S E R V I C E S M I C R O - T E A M S • Docker makes micro- service philosophy available to mere mortals • Containers are infrastructure boundaries for services • Extraordinary business for early adopters.
- 33. @behemphi @stackengin M I C R O - S E R V I C E S M I C R O - T E A M S • Docker makes micro- service philosophy available to mere mortals • Containers are infrastructure boundaries for services • Extraordinary business for early adopters. • Terrifying
- 34. @behemphi @stackengin - T H E U N E N L I G H T E N E D ? “Developer freedom is antithetical to practical security”
- 36. @behemphi @stackengin P R O C E S S D E N S I T Y • ~2.2% of US power is data centers. http://goo.gl/1TBdd7
- 37. @behemphi @stackengin P R O C E S S D E N S I T Y • ~2.2% of US power is data centers. • Docker adoptions are cutting infrastructure spend by 50% to 80% http://goo.gl/vB4UDF
- 38. @behemphi @stackengin P R O C E S S D E N S I T Y • ~2.2% of US power is data centers. • Docker adoptions are cutting infrastructure spend by 50% to 80% • Density comes with its own problems
- 39. @behemphi @stackengin – D E V O P S “Lessons learned from early Ops adoption will inform security efforts.”
- 41. @behemphi @stackengin Q U I C K S U M M A R Y • Significant business advantages • Cost Savings • linux.com - https://goo.gl/CJM6ZX • Increase feature velocity • Increase innovation • Reduce communication friction • Understand the pitfalls and plan for them • Don’t reject new, make it better
- 42. @behemphi @stackengin – D O C K E R A N D $ 1 , 0 0 0 , 0 0 0 , 0 0 0 “Docker is worthy of your consideration.”
- 44. @behemphi @stackengin I D E N T I T Y M A N A G E M E N T • You are root and so is anyone else who can `docker run`
- 45. @behemphi @stackengin I D E N T I T Y M A N A G E M E N T • You are root and so is anyone else who can `docker run` • Orchestration tools such a StackEngine address this.
- 46. @behemphi @stackengin I D E N T I T Y M A N A G E M E N T • You are root and so is anyone else who can `docker run` • Orchestration tools such a StackEngine address this. • Look for ACLs at the API, CLI and GUI levels.
- 47. @behemphi @stackengin – S O M E B A D A C T O R O R - S O M E D E V E L O P E R W I T H A G O O D I D E A `docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy`
- 48. H T T P : / / G O O . G L / U H I K P R
- 49. @behemphi @stackengin I M A G E V E R I F I C A T I O N • This is not a new problem
- 50. @behemphi @stackengin I M A G E V E R I F I C A T I O N • This is not a new problem • Docker Content Trust
- 51. @behemphi @stackengin I M A G E V E R I F I C A T I O N • This is not a new problem • Docker Content Trust • Caveats: • Not enabled by default • Image authors must make the effort
- 53. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom http://goo.gl/4VyTKv
- 54. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom • Battle Hardening Project Inception Date Docker 2013 Xen 2003 KVM 2005
- 55. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom • Battle Hardening • Complexity - Lines of Code Project Lines of Code Reference Docker 300k goo.gl/m8lIn0 Xen 500k goo.gl/xu2uVc KVM 13,500k goo.gl/9wSPM7
- 56. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom • Battle Hardening • Complexity - Lines of Code • Code Churn D O C K E R X E N D O C K E R L A N G K V M
- 57. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom • Battle Hardening • Complexity - Lines of Code • Code Churn • Rate of Change Project Commits per month - previous 12 months Docker 627 Xen 204 KVM 5894
- 58. @behemphi @stackengin D O C K E R A S A H Y P E R V I S O R • Venom • Battle Hardening • Complexity - Lines of Code • Code Churn • Rate of Change • Contributors Project Contributors - previous 12 months Docker 634 Xen 116 KVM 3580
- 59. Project Incep- tion Lines of Code churn Commits per month Contri- buters Docker 2013 300k 627 634 Xen 2003 500k 204 116 KVM 2005 13,500k 5894 3580
- 60. @behemphi @stackengin – B O Y D H E M P H I L L “If nothing else, running Docker in a Hypervisor as a security measure should be considered more closely. Thanks https://www.openhub.net/ !”
- 61. @behemphi @stackengin B L A C K B O X T E S T I N G
- 62. @behemphi @stackengin D E V O P S 2 . 0 • Ops is a bottleneck, then DevOps
- 63. @behemphi @stackengin D E V O P S 2 . 0 • Ops is a bottleneck, then DevOps • Sec is a bottleneck, now DevSec
- 64. @behemphi @stackengin D E V O P S 2 . 0 • Ops is a bottleneck, then DevOps • Sec is a bottleneck, now DevSec • Black Box testing with full cheats
- 65. @behemphi @stackengin D E V O P S 2 . 0 • Ops is a bottleneck, then DevOps • Sec is a bottleneck, now DevSec • Black Box testing with full cheats • Security is a form of Quailty. Move it as far to the front of the SDLC as possible.
- 66. @behemphi @stackengin D E V O P S 2 . 0 • Ops is a bottleneck, then DevOps • Sec is a bottleneck, now DevSec • Black Box testing with full cheats • Security is a form of Quailty. Move it as far to the front of the SDLC as possible. • Attack yourself, make it a game and build it in to daily workflows.
- 67. @behemphi @stackengin – P A R A P H R A S I N G A D R I A N C O C K C R O F T “Attack yourself, celebrate your breaches. ”
- 69. @behemphi @stackengin S T R A N G L E R P A T T E R N • http://goo.gl/YkrgqE • Replace one thing at a time and do it well
- 70. @behemphi @stackengin “Evolution, not revolution. Revolutions are bloody and never achieve the original goal. ”
- 71. @stackengin e @behemphi– J O H N N Y A P P L E S E E D “Questions, comments, tomatoes?”