Lock down your Docker apps
By Bret Fisher • Issue #16 • View online
Hey Docker people, I just got back from my Euro Tour of conferences, friends, and beer! I finished with a workshop at GOTO Conference in Berlin, teaching Kubernetes and Swarm.
This newsletter covers various topics and tips on locking down Docker and your apps inside it.

Real-Time Docker Monitoring
How Do I Make Sure My App is Secure?
It’s kind of a flawed question: no system can be truly secure unless you unplug your machine and throw it into Davy Jones’ Locker at the bottom of the sea. The only thing we can do is take steps to harden and safeguard our environment so that we are doing all we can to keep it safe. I have a GitHub repo called “AMA” where users can Ask Me Anything. In one issue, I go over security recommendations for Docker on Linux. I’ll highlight some of those here! Topics range from general Linux security to “Rootless Docker”, which I covered in a previous newsletter!
What security concerns should I have with Docker? Bret's AMA
Where Do I Start?
First, check out the DockerCon talk I gave, which covered general production guidelines, OS versions, proper base images, cluster designs, etc.
DockerCon - Production Concerns
The next tip when starting on Docker security is the same as for any other new Docker topic: read the docs! Below you will find the docs page covering the four major areas to consider for Docker’s security: the Linux kernel with namespaces and cgroups, the daemon’s attack surface, the container’s configuration profile, and hardening security features.
Docker security | Docker Docs
Other Quick Tips Found in the AMA:
You can take some simple precautionary measures with your image, like adding a USER stanza in your Dockerfile that names a specific user, to avoid running apps as root. You can also use a 3rd-party image scanner like Aqua Security’s MicroScanner, run as a container, to analyze your image. Their link is below. Another notably important best practice is to avoid running images whose source you do not explicitly trust. Docker Hub does not scan every image that is uploaded, so it is not immune to malicious images being pushed, as the recent worm in the last link below shows.
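Here is what the USER tip looks like in practice. This is a constructed example added to this issue, not a Dockerfile from the newsletter or from Bret’s AMA repo; the Node.js app, the user/group name “app” and the uid/gid 10001 are assumptions chosen for illustration. The commented-out block shows the common starting point (every instruction and the app itself run as uid 0), and the live block shows the hardened version.

```dockerfile
# Constructed example (not from the newsletter or the AMA repo): a Node.js
# image that runs as root by default, followed by the hardened version.

# --- Before: no USER stanza, so the app process runs as uid 0 inside the container ---
# FROM node:12-alpine
# WORKDIR /app
# COPY package*.json ./
# RUN npm ci --only=production
# COPY . .
# CMD ["node", "server.js"]

# --- After: create a dedicated unprivileged user and switch to it ---
FROM node:12-alpine

# Create a system group and a system user (no password, no login shell).
# The name "app" and uid/gid 10001 are arbitrary choices for this example;
# a fixed, high uid keeps it from colliding with host accounts.
RUN addgroup -g 10001 -S app && adduser -u 10001 -S -G app app

WORKDIR /app

# Install dependencies while still root, before dropping privileges, so the
# installed files end up owned by root and read-only for the app user.
COPY package*.json ./
RUN npm ci --only=production

# Copy the application source and hand ownership to the app user
# (COPY --chown needs Docker 17.09 or newer).
COPY --chown=app:app . .

# Every instruction from here on, and the CMD at runtime, executes as "app".
USER app

EXPOSE 8080
CMD ["node", "server.js"]
```

After building, you can confirm the image no longer defaults to root with `docker inspect --format '{{.Config.User}}' <image>` (it should print `app`) or `docker run --rm <image> id -u` (it should print `10001`). Note that USER only changes the default account; a `docker run --user 0` or a setuid binary in the image can still bring root back, so pair this with the daemon and kernel hardening from the docs page above.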
Aqua’s MicroScanner: Free Image Vulnerability Scanner for Developers
Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Bret Fisher

Frequent updates on my projects, videos, and opinions focused on the container ecosystem, including Docker, Kubernetes, Docker Swarm, CI/CD, and container DevOps.

Bret Fisher, Virginia Beach, Virginia, USA