
Lock down your Docker apps

Bret Fisher
Hey Docker people, I just got back from my Euro Tour of conferences, friends, and beer! I finished with a workshop at GOTO Conference in Berlin, teaching Kubernetes and Swarm.
This newsletter covers various topics and tips on locking down Docker and your apps inside it.

How Do I Make Sure My App is Secure?
It’s kind of a flawed question: no system can be truly secure unless you unplug your machine and throw it into Davy Jones’ Locker at the bottom of the sea. The only thing we can do is take steps toward hardening and safeguarding our environment, to ensure we are doing all we can to keep it safe. I have a GitHub repo called “AMA” where users can Ask Me Anything. In one issue, I go over security recommendations for Docker on Linux. I’ll highlight some of those here! Topics range from general Linux security to “Rootless Docker”, which I covered in a previous newsletter!
What security concerns should I have with Docker? Bret's AMA
Where Do I Start?
First, check out the DockerCon talk I gave, which covered general production guidelines, OS versions, proper base images, cluster designs, etc.
DockerCon - Production Concerns
The next tip when starting on Docker security is the same as for any other new Docker topic: read the docs! Below you will find the docs page that covers the four major areas to consider for Docker’s security: the Linux kernel with namespaces and cgroups, the daemon’s attack surface, the container’s configuration profile, and hardening security features.
Docker security | Docker Docs
Other Quick Tips Found in the AMA:
You can take some simple precautionary measures in your image, like adding a USER stanza to your Dockerfile that specifies a username, so your app does not run as root. You can also run a third-party image scanner like Aqua Security’s MicroScanner as a container to analyze your image; their link is below. Another notably important best practice is to avoid running images whose source you do not explicitly trust. Docker Hub does not scan every image that is uploaded, so it is not immune to malicious images being pushed, as the worm covered in the last link below shows.
Aqua’s MicroScanner: Free Image Vulnerability Scanner for Developers
Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub
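The USER advice above, as an added example that is not from the newsletter or from any project it links: a constructed Dockerfile that creates an unprivileged account and switches to it before ENTRYPOINT, plus a small POSIX sh check a CI job can run to refuse Dockerfiles whose last USER is root (or which have none). The image, account name and script path are made up.

```shell
#!/bin/sh
# Added example, not the newsletter's own code. Constructed Dockerfile plus a
# check that the final stage does not run as root. All names are made up.

write_sample_dockerfile() {
    # Constructed Dockerfile: create a system account, hand it the app
    # directory with --chown, and switch to it before ENTRYPOINT.
    cat > "$1" <<'EOF'
FROM node:18-slim
RUN groupadd --system app && useradd --system --gid app --no-create-home app
WORKDIR /app
COPY --chown=app:app . /app
USER app
ENTRYPOINT ["node", "server.js"]
EOF
}

check_dockerfile_user() {
    # Looks at the last USER instruction in the file. In a multi-stage build
    # USER does not carry over between stages, so a USER set only in an earlier
    # stage would wrongly pass here; a full Dockerfile linter handles that case.
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*USER[[:space:]]+//; s/:.*$//; s/[[:space:]]+$//')
    if [ -z "$last_user" ]; then
        echo "FAIL: $1 has no USER instruction, so the app runs as root" >&2
        return 1
    fi
    case "$last_user" in
        root|0) echo "FAIL: $1 final USER is root ($last_user)" >&2; return 1 ;;
        *)      echo "OK: $1 final USER is $last_user"; return 0 ;;
    esac
}

# Stand-alone demo: write the constructed Dockerfile and check it.
demo=${TMPDIR:-/tmp}/Dockerfile.example.$$
write_sample_dockerfile "$demo"
check_dockerfile_user "$demo"
rm -f "$demo"
```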
Thanks for reading,
Bret Fisher @bretfisher

Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.

Bret Fisher, Virginia Beach, Virginia, USA