View profile

Docker Defaults Can Improve Security

Revue
 
In my series on security features and controls in Docker, this week I talk about what you get out of
 

FasterOps: Improving Your Container DevOps Skills

November 4 · Issue #17 · View online
Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.
In my series on security features and controls in Docker, this week I talk about what you get out of the box by just using Docker defaults.
How Does "Just Docker" Keep My App Safe?
By using the default out of the box settings with Docker, we gain access to a tight knit secure platform that provides many resources to keep your app safe. These resources include security tools enabled out of the box, like AppArmor, and seccomp which are tools that can help with access restrictions. Along with the general Linux features around cgroups and namespaces, we can isolate what a container can and cannot access.
Docker Security Tips: Just use Docker! Docker Security Tips: Just use Docker!
www.youtube.comShare
It’s Halloween! This week I step through the best things you can do to improve your Docker #security setup and lock down your app images and containers.
What security concerns should I have with Docker?
github.comShare
A common question I get around making sure Docker is secure.
Docker & AppArmor: 30.000 foot view - @lucjuggery - Medium
medium.comShare
When it comes to the sensitive topic of container security, several options are considered.
Docker engine security | Docker Documentation
docs.docker.comShare
Review of the Docker Daemon attack surface
How These Tools to Reduce Your Risk Profile
Kernel namespaces provide the first defense against security threats: isolation. By limiting access through individual network stacks, PIDs, and Users, containers are highly controllable as to what they are able to see. Alongside of this, are cgroups, which provide control over resources a container can have access to. This includes CPU, RAM, and network bandwidth. For instance, a properly configured cgroup will prevent a container from overloading the host CPU. Another feature in the Linux kernel is “Seccomp” or secure computing. This allows you to restrict the actions that are available from within a container. In the docs found below, you can learn how Docker enables some locked-down “sane defaults”. You can also configure your own!
Docker Namespace and Cgroups - Kasun Rathnayaka - Medium
medium.comShare
Namespaces are a fundamental aspect of containers on Linux.
Seccomp security profile- Docker Docs
docs.docker.comShare
Enabling seccomp in Docker
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Podcast: bretfisher.com/podcast
Twitter: twitter.com/bretfisher
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Bret Fisher, Virginia Beach, Virginia, USA