docker docker - docker security - docker

@behemphi@stackengin

e

D O C K E R D O C K E R

D O C K E R … S E C U R I T Y … D O C K

E R

B O Y D H E M P H I L L , D I R E C T O R O F E V A N G E L I S M


e

G O A L S

• Understand Why Docker is

Such a Big Deal

Love to @petecheslock


e

G O A L S


Such a Big Deal

• Consider Docker Security

Concerns

Love to @petecheslock


e

G O A L S


Such a Big Deal

• Consider Docker Security

Concerns

• Ponder a Rational Docker

Adoption Strategy Love to @petecheslock


e

– B O Y D H E M P H I L L

“As and Ops director, I am personally guilty of

pooping rainbows on security concerns.”


e

W H O A M I ?

• Technologist


e

W H O A M I ?

• Technologist

• Community Builder


e

W H O A M I ?

• Technologist


• Extroverted Nerd


e

W H O A M I ?

• Technologist


• Extroverted Nerd

• Evangelist


e

- T H E A U S T I N D E V O P S C O M M U N I T Y

“Come to Docker Austin and Austin DevOps. Your

participation will move the conversations towards

your passion - security.”


e

T H I S T H I N G O F

W H I C H Y O U

S P E A K ?

• Docker Docker Docker


e


W H I C H Y O U

S P E A K ?


• Orchestration, Service

Discovery, Community


e


W H I C H Y O U

S P E A K ?


• Orchestration, Service

Discovery, Community

• Like what you hear? Come

join the conversation:

http://goo.gl/YyyJOx

http://goo.gl/YyyJOx


e

- B O B Q U I L L I N - C E O

“Buy copious amounts of StackEngine goodness.”


e

W H O A R E

Y O U ?

• Have heard of Docker


e

W H O A R E

Y O U ?

• Have heard of Docker?

• Have experimented with

Docker on the job?


e

W H O A R E

Y O U ?

• Have heard of Docker?

• Have experimented with

Docker on the job?

• Are using Docker in a

production environment?


e

- S E C U R I T Y H O B B I T S

“Unicorns nothing, Balrogs is more like it!”


e

C O M M O N

G R O U N D

• Philosophy


e

C O M M O N

G R O U N D

• Philosophy

• Model


e

C O M M O N

G R O U N D

• Philosophy

• Model

• Implementation


e

C O M M O N

G R O U N D

• Philosophy

• Model

• Implementation

• Tooling


e

“Don’t be a tools”

H T T P S : / / G O O . G L / R T 2 S W F

https://goo.gl/RT2Swf


e

M I C R O -

S E R V I C E S

M I C R O - T E A M S

• Docker makes micro-

service philosophy

available to mere mortals


e

M I C R O -

S E R V I C E S



service philosophy


• Containers are

infrastructure boundaries

for services


e

M I C R O -

S E R V I C E S



service philosophy


• Containers are


for services

• Extraordinary business for

early adopters.


e

M I C R O -

S E R V I C E S



service philosophy


• Containers are


for services

• Extraordinary business for

early adopters.

• Terrifying


e

- T H E U N E N L I G H T E N E D ?

“Developer freedom is antithetical to practical

security”


e

P R O C E S S

D E N S I T Y

• ~2.2% of US power is data

centers.

http://goo.gl/1TBdd7

http://goo.gl/1TBdd7


e

P R O C E S S

D E N S I T Y


centers.

• Docker adoptions are

cutting infrastructure

spend by 50% to 80%

http://goo.gl/vB4UDF

http://goo.gl/vB4UDF


e

P R O C E S S

D E N S I T Y


centers.

• Docker adoptions are

cutting infrastructure

spend by 50% to 80%

• Density comes with its own

problems


e

– D E V O P S

“Lessons learned from early Ops adoption will

inform security efforts.”


e

Q U I C K S U M M A R Y

• Significant business advantages

• Cost Savings

• linux.com - https://goo.gl/CJM6ZX

• Increase feature velocity

• Increase innovation

• Reduce communication friction

• Understand the pitfalls and plan for them

• Don’t reject new, make it better

http://linux.com

https://goo.gl/CJM6ZX


e

– D O C K E R A N D $ 1 , 0 0 0 , 0 0 0 , 0 0 0

“Docker is worthy of your consideration.”


e

I D E N T I T Y

M A N A G E M E N

T

• You are root and so is

anyone else who can

`docker run`


e

I D E N T I T Y

M A N A G E M E N

T


anyone else who can

`docker run`

• Orchestration tools such a

StackEngine address this.


e

I D E N T I T Y

M A N A G E M E N

T


anyone else who can

`docker run`

• Orchestration tools such a

StackEngine address this.

• Look for ACLs at the API,

CLI and GUI levels.


e

– S O M E B A D A C T O R

O R

- S O M E D E V E L O P E R W I T H A G O O D I D E A

`docker run --privileged --entrypoint "rm -rf /root" -v

/root:/root:rw stackhub/haproxy`

H T T P : / / G O O . G L / U H I K P R

http://goo.gl/uHIkpr


e

I M A G E

V E R I F I C A T I O

N

• This is not a new problem


e

I M A G E


N


• Docker Content Trust


e

I M A G E


N


• Docker Content Trust

• Caveats:

• Not enabled by default

• Image authors must

make the effort

http://goo.gl/lU7zLk

http://goo.gl/lU7zLk


e

D O C K E R A S A

H Y P E R V I S O R

• Venom

http://goo.gl/4VyTKv

http://goo.gl/4VyTKv


e

D O C K E R A S A

H Y P E R V I S O R

• Venom

• Battle Hardening

Project Inception Date

Docker 2013

Xen 2003

KVM 2005


e

D O C K E R A S A

H Y P E R V I S O R

• Venom


• Complexity - Lines of Code

ProjectLines of

CodeReference

Docker 300k goo.gl/m8lIn0

Xen 500k goo.gl/xu2uVc

KVM 13,500k goo.gl/9wSPM7


e

D O C K E R A S A

H Y P E R V I S O R

• Venom



• Code Churn

D O C K E R

X E N

D O C K E R L A N G

K V M


e

D O C K E R A S A

H Y P E R V I S O R

• Venom



• Code Churn

• Rate of Change

ProjectCommits per month - previous

12 months

Docker 627

Xen 204

KVM 5894


e

D O C K E R A S A

H Y P E R V I S O R

• Venom



• Code Churn

• Rate of Change

• Contributors

ProjectContributors - previous 12

months

Docker 634

Xen 116

KVM 3580

ProjectIncep-

tion

Lines of

Codechurn

Commits

per

month

Contri-

buters

Docker 2013 300k 627 634

Xen 2003 500k 204 116

KVM 2005 13,500k 5894 3580


e

– B O Y D H E M P H I L L

“If nothing else, running Docker in a Hypervisor as

a security measure should be considered more

closely. Thanks https://www.openhub.net/ !”

https://www.openhub.net/


e

B L A C K B O X T E S T I N G


e

D E V O P S 2 . 0

• Ops is a bottleneck, then

DevOps


e

D E V O P S 2 . 0


DevOps

• Sec is a bottleneck, now

DevSec


e

D E V O P S 2 . 0


DevOps


DevSec

• Black Box testing with full

cheats


e

D E V O P S 2 . 0


DevOps


DevSec

• Black Box testing with full

cheats

• Security is a form of

Quailty. Move it as far to

the front of the SDLC as

possible.


e

D E V O P S 2 . 0


DevOps


DevSec

• Black Box testing with full cheats

• Security is a form of Quailty.

Move it as far to the front of the

SDLC as possible.

• Attack yourself, make it a game

and build it in to daily workflows.


e

– P A R A P H R A S I N G A D R I A N C O C K C R O F T

“Attack yourself, celebrate your breaches. ”


e

S T R A N G L E R

P A T T E R N

• http://goo.gl/YkrgqE

• Replace one thing at a

time and do it well

http://goo.gl/YkrgqE


e

“Evolution, not revolution. Revolutions are bloody

and never achieve the original goal. ”

@stackengin

e@behemphi– J O H N N Y A P P L E S E E D

“Questions, comments, tomatoes?”

docker docker - docker security - docker

Technology