Docker Docker - Docker Security - Docker

Posted on 22-Jan-2018


@behemphi @stackengine

DOCKER DOCKER DOCKER … SECURITY … DOCKER

BOYD HEMPHILL, DIRECTOR OF EVANGELISM

GOALS

• Understand Why Docker is Such a Big Deal
• Consider Docker Security Concerns
• Ponder a Rational Docker Adoption Strategy

Love to @petecheslock

– BOYD HEMPHILL

“As an Ops director, I am personally guilty of pooping rainbows on security concerns.”

WHO AM I?

• Technologist
• Community Builder
• Extroverted Nerd
• Evangelist

– THE AUSTIN DEVOPS COMMUNITY

“Come to Docker Austin and Austin DevOps. Your participation will move the conversations towards your passion - security.”

THIS THING OF WHICH YOU SPEAK?

• Docker Docker Docker
• Orchestration, Service Discovery, Community
• Like what you hear? Come join the conversation: http://goo.gl/YyyJOx

– BOB QUILLIN - CEO

“Buy copious amounts of StackEngine goodness.”

WHO ARE YOU?

• Have heard of Docker?
• Have experimented with Docker on the job?
• Are using Docker in a production environment?

– SECURITY HOBBITS

“Unicorns nothing, Balrogs is more like it!”

COMMON GROUND

• Philosophy
• Model
• Implementation
• Tooling

“Don’t be a tools”

HTTPS://GOO.GL/RT2SWF

MICRO-SERVICES, MICRO-TEAMS

• Docker makes micro-service philosophy available to mere mortals
• Containers are infrastructure boundaries for services
• Extraordinary business for early adopters.
• Terrifying

– THE UNENLIGHTENED?

“Developer freedom is antithetical to practical security”

PROCESS DENSITY

• ~2.2% of US power is data centers. http://goo.gl/1TBdd7
• Docker adoptions are cutting infrastructure spend by 50% to 80% http://goo.gl/vB4UDF
• Density comes with its own problems

– DEVOPS

“Lessons learned from early Ops adoption will inform security efforts.”

QUICK SUMMARY

• Significant business advantages
  • Cost Savings (linux.com - https://goo.gl/CJM6ZX)
  • Increase feature velocity
  • Increase innovation
  • Reduce communication friction
• Understand the pitfalls and plan for them
• Don’t reject new, make it better

– DOCKER AND $1,000,000,000

“Docker is worthy of your consideration.”

IDENTITY MANAGEMENT

• You are root and so is anyone else who can `docker run`
• Orchestration tools such as StackEngine address this.
• Look for ACLs at the API, CLI and GUI levels.

– SOME BAD ACTOR
OR
– SOME DEVELOPER WITH A GOOD IDEA

`docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy`

HTTP://GOO.GL/UHIKPR
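The slide's point is that anyone who can issue `docker run` can hand a container the host's root: `--privileged` plus a writable bind mount of a host directory is all it takes. Until ACLs exist at the API or CLI level, the operator's fallback is to audit what is actually running. The following is an added example, not code from the deck or from StackEngine: it reads objects shaped like `docker inspect` output (the real fields `Name`, `HostConfig.Privileged`, `HostConfig.Binds` and `Config.User`) and flags the settings the slide warns about. The JSON sample is constructed by hand; the script name in the usage note is hypothetical.

```python
"""Audit containers for root-equivalent settings.

Added example, not code from the deck or from StackEngine. The input has the
shape of `docker inspect` output (a JSON array of objects with Name,
HostConfig.Privileged, HostConfig.Binds and Config.User); SAMPLE below is
constructed by hand, not captured from a real host.
"""
import json

# Host paths that, when bind-mounted writable, give the container control of the host.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock", "/proc", "/sys")


def _mount_is_sensitive(src):
    """True if host path `src` is one of the sensitive roots or lies under one."""
    src = src.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if src == p or (p != "/" and src.startswith(p + "/")):
            return True
    return False


def audit_container(obj):
    """Return a list of findings for one inspect-style container object."""
    findings = []
    host = obj.get("HostConfig") or {}
    cfg = obj.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are available")
    for bind in host.get("Binds") or []:       # Binds is null when no -v was given
        parts = bind.split(":")
        src = parts[0]
        mode = parts[2] if len(parts) > 2 else "rw"   # docker defaults binds to read-write
        if _mount_is_sensitive(src) and "ro" not in mode.split(","):
            findings.append("writable bind mount of sensitive host path: %s" % bind)
    user = cfg.get("User") or ""
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root inside the container (Config.User=%r)" % user)
    return findings


def audit_all(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON array."""
    report = {}
    for obj in json.loads(inspect_json):
        name = (obj.get("Name") or "?").lstrip("/")   # inspect reports names as "/name"
        report[name] = audit_container(obj)
    return report


# Constructed sample: one container started the way the slide shows, one started sanely.
SAMPLE = json.dumps([
    {"Name": "/rogue",
     "HostConfig": {"Privileged": True, "Binds": ["/root:/root:rw"]},
     "Config": {"User": "", "Image": "stackhub/haproxy"}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Config": {"User": "1000:1000", "Image": "nginx"}},
])

if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()   # pipe real inspect output in
    for name, findings in audit_all(data).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run it against a live host with `docker inspect $(docker ps -q) | python3 audit_containers.py`; with no piped input it reports on the constructed sample, where `rogue` collects three findings and `web` none. The read-only check matters because a `ro` bind of `/etc` is a far smaller problem than the `rw` one on the slide.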

IMAGE VERIFICATION

• This is not a new problem
• Docker Content Trust
• Caveats:
  • Not enabled by default
  • Image authors must make the effort

http://goo.gl/lU7zLk

DOCKER AS A HYPERVISOR

• Venom - http://goo.gl/4VyTKv
• Battle Hardening
• Complexity - Lines of Code
• Code Churn
• Rate of Change
• Contributors

Project   Inception   Lines of Code   Commits per month (previous 12 months)   Contributors (previous 12 months)
Docker    2013        300k            627                                      634
Xen       2003        500k            204                                      116
KVM       2005        13,500k         5894                                     3580

Lines-of-code references: Docker goo.gl/m8lIn0, Xen goo.gl/xu2uVc, KVM goo.gl/9wSPM7

[Chart: code churn for Docker, Xen, Docker lang, KVM]

– B O Y D H E M P H I L L

“If nothing else, running Docker in a Hypervisor as

a security measure should be considered more

closely. Thanks https://www.openhub.net/ !”

BLACK BOX TESTING

DEVOPS 2.0

• Ops is a bottleneck, then DevOps
• Sec is a bottleneck, now DevSec
• Black Box testing with full cheats
• Security is a form of Quality. Move it as far to the front of the SDLC as possible.
• Attack yourself, make it a game and build it into daily workflows.

– PARAPHRASING ADRIAN COCKCROFT

“Attack yourself, celebrate your breaches.”

STRANGLER PATTERN

• http://goo.gl/YkrgqE
• Replace one thing at a time and do it well

“Evolution, not revolution. Revolutions are bloody and never achieve the original goal.”

– JOHNNY APPLESEED

“Questions, comments, tomatoes?”