October 28 · Issue #16
Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.
Hey Docker people, I just got back from my Euro Tour of conferences, friends, and beer! I finished with a workshop at GOTO Conference in Berlin, teaching Kubernetes and Swarm. This newsletter covers various topics and tips on locking down Docker and your apps inside it.
Real-Time Docker Monitoring
This Week's Sponsor: Enhance visibility into the performance of your entire containerized environment and investigate issues quickly with Datadog. Optimize horizontal auto-scaling with high-granularity metrics and easily detect clusters over- or under-allocating available resources via the auto-generated container map. Try monitoring your Docker containers with Datadog and they'll send you a free t-shirt!
It's kind of a flawed question: no system can be truly secure unless you unplug your machine and throw it into Davy Jones' Locker at the bottom of the sea. The only thing we can do is take steps to harden and safeguard our environment so we are doing all we can to keep it safe. I have a GitHub repo called "AMA" where users can Ask Me Anything. In one issue, I go over security recommendations for Docker on Linux. I'll highlight some of those here! Topics range from general Linux security to "Rootless Docker", which I covered in a previous newsletter!
What security concerns should I have with Docker? Bret's AMA
Security recommendations for Docker on Linux servers, in order of priority.
First, check out the DockerCon talk I gave, which covered general production guidelines, OS versions, proper base images, cluster designs, etc.
DockerCon - Production Concerns
DevOps in the Real World is far from perfect, yet we all dream of that amazing auto-healing fully-automated CI/CD microservice infrastructure that we’ll have “someday.”
The next tip when starting on Docker security is the same as for any other new Docker topic: read the docs! Below you will find the docs page covering the 4 major areas to consider in Docker's security: the Linux kernel with namespaces and cgroups, the daemon's attack surface, the container's configuration profile, and the kernel hardening security features.
Docker security | Docker Docs
Review of the Docker Daemon attack surface
You can take some simple precautionary measures with your image, like adding a USER instruction to your Dockerfile that names a specific non-root user so your app does not run as root. You can also use a third-party image scanner such as Aqua Security's MicroScanner, run as a container, to analyze your image; the link is below. Another notably important best practice is to avoid running images whose source you do not explicitly trust. Docker Hub does not scan every image that is uploaded, so it is not immune to malicious images being pushed, as shown by the worm described in the last link below.
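As an added example (not from the newsletter or Docker's own tooling), here is a small POSIX shell check that reports which user a Dockerfile's final stage will run as, so a missing or root USER instruction can be caught in CI before the image ships. The two Dockerfiles it inspects are constructed inline for the demo; it reads the literal USER value, so a variable like `USER ${APP_USER}` is reported as written.

```shell
#!/bin/sh
# Added example: find the effective user of a Dockerfile's last build stage.
# No USER instruction, or USER root / USER 0, means the app runs as root.

# Prints the effective user of the final stage of the Dockerfile at $1.
# Every FROM starts a new stage and resets the user to root, so only
# USER lines after the last FROM count; the last USER wins.
effective_user() {
  awk '
    toupper($1) == "FROM" { user = "root" }   # new stage, back to root
    toupper($1) == "USER" { user = $2 }       # last USER instruction wins
    END { if (user == "") user = "root"; print user }
  ' "$1"
}

# Returns 0 (true) if the image would run as root, 1 otherwise.
# Handles "user:group" forms such as USER 0:0 or USER root:root.
runs_as_root() {
  u=$(effective_user "$1")
  case "${u%%:*}" in
    root|0) return 0 ;;
    *)      return 1 ;;
  esac
}

# Constructed sample Dockerfiles for the demo (not real project files).
tmp=$(mktemp -d)
printf 'FROM python:3.12-slim\nCOPY app.py /app/\nCMD ["python", "/app/app.py"]\n' \
  > "$tmp/Dockerfile.root"
printf 'FROM golang:1.22 AS build\nUSER root\nRUN go build -o /svc ./...\n\n' \
  > "$tmp/Dockerfile.hardened"
printf 'FROM debian:bookworm-slim\nRUN useradd --system --no-create-home svc\n' \
  >> "$tmp/Dockerfile.hardened"
printf 'COPY --from=build /svc /svc\nUSER svc\nCMD ["/svc"]\n' \
  >> "$tmp/Dockerfile.hardened"

for f in "$tmp"/Dockerfile.*; do
  if runs_as_root "$f"; then
    echo "$(basename "$f"): runs as root (add a non-root USER instruction)"
  else
    echo "$(basename "$f"): runs as $(effective_user "$f")"
  fi
done
```

Point it at a real Dockerfile with `effective_user path/to/Dockerfile`; note the build stage that uses USER root is ignored because only the final stage's user reaches the running container.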
Aqua’s MicroScanner: Free Image Vulnerability Scanner for Developers
This is Aqua’s free-to-use tool for scanning your container images for package vulnerabilities.
Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub
Unit 42 has discovered a new cryptojacking worm in Docker Hub images.
Bret Fisher, Virginia Beach, Virginia, USA