Oct 28, 2019

Lock down your Docker apps

Bret Fisher

Hey Docker people, I just got back from my Euro Tour of conferences, friends, and beer! I finished with a workshop at GOTO Conference in Berlin, teaching Kubernetes and Swarm.

This newsletter covers various topics and tips on locking down Docker and your apps inside it.

Real-Time Docker Monitoring

This Weeks Sponsor: Enhance visibility into the performance of your entire containerized environment and investigate issues quickly with Datadog. Optimize horizontal auto-scaling with high-granularity metrics and easily detect clusters over or under-allocating available resources via the auto-generated container map. Try monitoring your Docker containers with Datadog and they’ll send you a free t-shirt!

www.datadoghq.com

How Do I Make Sure My App is Secure?

It’s kind of a flawed question, no system can be truly secure unless you unplug your machine and throw it in Davy Jones Locker on the bottom of the sea floor. The only thing we can do is take steps to hardening and safeguarding our environment to ensure we are doing all we can to keep it safe. I have a GitHub repo called “AMA” where users can Ask Me Anything. In one issue, I go over security recommendations for Docker on Linux. Ill highlight some of those here! Topics here range from Linux general security, to “Rootless Docker”, which I covered in a previous newsletter!

What security concerns should I have with Docker? Bret's AMA

Security recommendations for Docker on Linux servers, in order of priority.

github.com

Where Do I Start?

First, check out the DockerCon talk I gave which covered general production guidelines, Versions of OS’s, proper base images, cluster designs, etc.

DockerCon - Production Concerns

DevOps in the Real World is far from perfect, yet we all dream of that amazing auto-healing fully-automated CI/CD microservice infrastructure that we’ll have “someday.”

www.youtube.com

The next tip when starting to cover Docker security is the same as covering any other new Docker topic. Read the Docs! Below you will find the docs page which covers the 4 major areas to consider when covering Docker’s security: The Linux kernel with namespaces and cgroups, the daemon’s attack surface, the container’s configuration profile, and hardening security features.

Docker security | Docker Docs

Review of the Docker Daemon attack surface

docs.docker.com

Other Quick Tips Found in the AMA:

You can take some simple precautionary measures to your image like adding a USER stanza in your Dockerfile, specifying a specific username to avoid running apps as root. You can also use a 3rd party image scanner like Aqua Security’s Microscanner as a container to analyze your image. Their link is below. Another best practice that is notably important, is to avoid running images where you do not explicitly trust the source. Docker Hub does not run a scan on every image that is uploaded, so they are not immune to malicious images being pushed, as verified by the latest worm found in the last link below.