ironing out docker
play

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami - PowerPoint PPT Presentation

Oct 24, 2023 •29 likes •189 views

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be

  1. ironing out Docker at ironPeak services ironpeak.be

  2. 1. $ whoami Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be github github.com/HazCod 1 - whoami ironpeak.be

  3. 2. $ tree user host image Runtime 2 - tree ironpeak.be

  4. 3. $ client The Client (you!) - Hidden attack surface - Several attack vectors - Phishing - Hardware - Software - Open-Source - Social Networks - Reused/shared Passwords 3 - client ironpeak.be

  5. 3. $ client The Client (you!) - Awareness - Phishing - Common Sense - E-mail headers, content, DMARC - Hardware - Disk encryption - Lock-down BIOS/SMC - Trustless with 2FA - Lock your session 3 - client ironpeak.be

  6. 3. $ client The Client (you!) - Software - OS Hardening - Non-privileged User - Firewall - Patching - Verify & Tag Open-Source - Additional - Information leakage: e.g. LinkedIn, Github - Password manager with 2FA 3 - client ironpeak.be

  7. 4. $ host Host hardening - CIS Benchmarks - Firewall Daemon hardening - CIS Benchmarks, docker-bench-security, kube-bench - User Namespace Remapping - Live Restore - No experimental features - Swarm autolock - Kernel hardening: github.com/google/gvisor - Enable SELinux/AppArmor + seccomp 4 - host ironpeak.be

  8. 4. $ host Daemon Access - UNIX Socket over SSH - HTTP+TLS auth Host Auditing - Off-site log server over TLS/SSH - Log forging / Denial of Service - Audit tracing e.g. sysdig.org + falco.org, github.com/netdata/netdata Private Registry - client: DOCKER_CONTENT_TRUST=1 - daemon: content_trust: enforced 4 - host ironpeak.be

  9. 5. $ image - DIY & Commercial - Base images: alpine (!), minideb, centos github.com/GoogleContainerTools/distroless - docker-slim - Image Signing - Leakage - .dockerignore - docker secrets/vault - Remove defaults - Network: bridge - Storage: AUFS 5 - image ironpeak.be

  10. 5. $ image Dockerfile - Linters; hadolint, … - Pin os/package versions - FROM & Multi-stage builds - Least Privilege - $user & root without shells - tighten permissions - remove unnecessary tooling - USER - COPY --chown=x:x instead of ADD - Scan for package vulnerabilities 5 - image ironpeak.be

  11. 5. $ image.findWally() 5 - image ironpeak.be

  12. 5. $ image.findWally() USER? 5 - image ironpeak.be

  13. 5. $ image.getFixed() 5 - image ironpeak.be

  14. 6. $ runtime: container Container Runtime Properties - Read-Only filesystem - mounts: noexec, nodev, nosuid, mode, size, uid/gid - pids-limit=1 - cgroup limits: cpu, memory/swap, network, size, disk i/o, ... - restart: on-failure:5 - cap_drop: ALL - security_opt: - no_new_privileges - SELinux/AppArmor + seccomp - Environment variables vs. Secrets 6 - runtime ironpeak.be

  15. 6. $ runtime: app Application Security - OWASP ASVS: Level 1 - Level 3 - web: github.com/OWASP/ASVS - mobile: github.com/OWASP/owasp-masvs - Static Application Security Testing (SAST) - linters - OSS + commercial - Dynamic Application Security Testing (DAST) - OpenVAS, OWASP ZAP, … - Training & Awareness! 6 - runtime ironpeak.be

  16. 7. $ exit https://ironpeak.be/slides/190319-ironing-out-docker.pdf 7 - exit ironpeak.be

Recommend

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate Mechanism Design in Single-Parameter Bayesian Settings Instructor: Shaddin Dughmi Outline Recap 1 Non-regular Distributions: Ironing 2 Implications

569 views • 33 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing

Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing

Welcome to La Paudze Apartment Hotel Paudex, Lausanne Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing board available) Living room with 65" HD TV Fully fitted kitchenette with tea-

303 views • 13 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc. @michael_hrivnak Docker is Popular Deployment gets most of the attention. 1 Developer 1 Laptop 3 Skills Exit Codes $ sudo docker run -it --rm centos:centos7

347 views • 17 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

502 views • 48 slides
Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer Devops / Golang artist The Docker ecosystem Docker Engine : run containerized processes (aka: containers) Docker Compose : run multi-container

381 views • 13 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer & Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

599 views • 39 slides
Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016

Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016

Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016 Agenda Who is Smartsheet + why we started using Docker Docker fundamentals Demo - creating a service Demo - building service + Docker container Demo

510 views • 29 slides
Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1 About Docker at OVH 2014-2015: Home-made container orchestrator, Sailabove, based on LXC 2016: Switch to Docker & Mesos/Marathon 6

487 views • 19 slides
Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn Agenda Preliminaries Container Security Considerations Containment

585 views • 20 slides
Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java

Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java

Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java Developer (especially Spring) Agile and Devops infected Docker enthusiast berndfischer63@gmail.com @berndfischer63 JUG Saxony, Docker Meetup Dresden

521 views • 41 slides
Chapter 15 Turns One: Ironing Out the Details November/December 2006 Mark G. Douglas October

Chapter 15 Turns One: Ironing Out the Details November/December 2006 Mark G. Douglas October

Chapter 15 Turns One: Ironing Out the Details November/December 2006 Mark G. Douglas October 17, 2006 marked the first anniversary of the effectiveness of chapter 15 of the Bankruptcy Code as part of the comprehensive bankruptcy reforms

832 views • 14 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides

More recommend