[meetup] Docker Brasov #2: Securing the Software Supply Chain with Docker

Post on 20-May-2020

June 2016

Track #1: Review the Docker Birthday material + Extra: Swarm HACK

https://dockerize.it/

Review the Docker Birthday material

• https://github.com/docker/docker-birthday-3/blob/master/tutorial.md
• Docker Tools: client, machine, compose, docker hub
• Docker commands: docker run, docker pull; docker images; docker ps, docker build, docker port, docker stop, docker rm
• Docker Hub: https://hub.docker.com/
• Learn the basics for a node or python app by looking inside the Dockerfile
• Docker Image vs Docker Container
  Dockerfile --- is BUILT into --> Docker Image
  - The Dockerfile is the physical storage (like your source before compiling) that is used for provisioning a container
  - A Docker Container (a running image) is an instance of the image
  - We can start more Containers using the same image

What is the term associated with building an image? Dockerfile
(It is actually a file called Dockerfile)

How do I get the images? 2 ways:
• docker pull <image name>: downloads the image
• docker build: compiles the Dockerfile from the current directory

Docker Compose

• Docker Compose is a tool for defining and running multi-container Docker applications
• With Compose, you define a .yml file that describes all the containers and volumes that you want, and the networks between them. In the example-voting-app directory, you'll see a docker-compose.yml file

NEW RESOURCES!!!!! Docker for Java developers. It is very well explained for any developer: https://github.com/docker/labs/tree/master/java

Extra: Swarm HACK

- Not using Docker Machine
- This cluster is deployed using Vagrant
- Still the Voting app

Extra: Swarm HACK

- Millions of people can vote nearly simultaneously without your website becoming unavailable.
- You don't need exact real time results because you will announce them the next day, but you do need confidence that every vote will eventually get counted.
- https://github.com/rav121/swarm-microservice-demo-v1.git (forked)

Extra: Swarm HACK

- Install Vagrant
- Install VirtualBox
- From the cloned repo run: vagrant up
- 5 VMs will be provisioned
- The cluster setup (with swarm), aka the swarm manager, will be done from the master machine

master:     192.168.33.11
interlock:  192.168.33.12
frontend01: 192.168.33.20
frontend02: 192.168.33.21
*worker01:  192.168.33.200
store:      192.168.33.250

To enter the master VM:
vagrant ssh master

Extra: Swarm HACK

- docker -H=tcp://192.168.33.11:2375 run --restart=unless-stopped -d -p 8500:8500 -h consul progrium/consul -server -bootstrap

vagrant ssh master

- docker -H=tcp://192.168.33.20:2375 run --restart=unless-stopped -d swarm join --advertise=192.168.33.20:2375 consul://192.168.33.11:8500/
- docker -H=tcp://192.168.33.200:2375 run --restart=unless-stopped -d swarm join --advertise=192.168.33.200:2375 consul://192.168.33.11:8500/
- export DOCKER_HOST="tcp://192.168.33.11:3375"
- docker network create --driver overlay mynet

Commands to test the cluster:
- docker info

Extra: Swarm HACK

# build web-vote-app (if you have more nodes):
- cd web-vote-app
- docker -H tcp://192.168.33.20:2375 build -t web-vote-app .
- docker -H tcp://192.168.33.21:2375 build -t web-vote-app .

!!!!!
Build on each web node, because `docker build` on the swarm master won't put the image on every machine

Extra: Swarm HACK

# put the redis image on the web nodes:
docker -H tcp://192.168.33.20:2375 pull redis


docker -H tcp://192.168.33.21:2375 pull redis
docker -H tcp://192.168.33.22:2375 pull redis

where …20, …21, …22 are the nodes (VMs) running the vote app

Track #3:
Docker Bench
Docker Content Trust
Security Scanning

Docker secures your software supply chain

Secure Platform + Secure Content + Secure Access

Secure Platform:
• All available isolation and containment
• Default security settings and profiles
• Docker Bench

Secure Access:
• Role based access control (RBAC)
• AD/LDAP integration
• Auth plugins

Containers as a Service for the modern software supply chain

Developers: BUILD (Development Environments)
SHIP (Secure Content & Collaboration)
IT Operations: RUN (Deploy, Manage, Scale)

What's New: Secure Content: Image scanning and vulnerability detection

Deep visibility with binary level scanning
• Detailed BOM of included components and vulnerability profile
• Checks packages against CVE database AND the code inside to protect against tampering
• Covers wide range of languages, binaries, OS

Proactive risk management
• Continuous monitoring of CVE/NVD databases with notifications pointing to repos and tags that contain new vulnerabilities

Secure the software supply chain
• Integrated workflow with Docker Content Trust
• Available for Official Repos since Nov 2015

Sample Bill of Materials (BOM)

Secure Content: Image scanning and vulnerability detection

Architecture diagram components: Push image; Docker Cloud w/ Private Repo; Scan Trigger (APIs); Docker Security Scanning (Plugin Framework: Scanner, CVE Scanning validation service); CVE/NVD Database; BOM Database; BOM; Notifications

Common questions on content security

• What is inside my container?
• How do I know where this code came from?
• How do I keep our team safe from bad components?
• How do I stay on top of patches for compliance and governance?
• How do I NOT make this a giant pain for everyone? (including myself)

Secure platform

All Linux isolation capabilities:
pid namespace, mnt namespace, net namespace, uts namespace, user namespace, pivot_root, uid/gid drop, cap drop, all cgroups, selinux, apparmor, seccomp

Secure by default
1. Out of the box default settings and profiles
2. Granular controls to customize settings

Best Practices: Docker Bench update

Ensure secure host configurations
• Aligned to recommendations in Center for Internet Security's Benchmark for Docker Engine 1.11
• Automates checking your host configs against the benchmark recommendations

Easy to use
• Available to run as a container or using a Compose file

www.dockerbench.com
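Two host-configuration checks in the spirit of what Docker Bench automates, written here as an added example (not Docker Bench's own code or CIS item numbering). The first check flags the kind of daemon exposure the Swarm HACK track relies on (plain tcp on port 2375 reached via -H), the second the absence of user namespace remapping from the isolation list above; the dockerd command lines and certificate paths are constructed placeholders.

```python
"""Host checks in the spirit of Docker Bench (added example; not Docker Bench's own code
or its CIS item numbering). Inputs are a dockerd command line and a daemon.json string."""
import json
import shlex


def daemon_tcp_hosts(args):
    """Return the tcp:// listen addresses passed to dockerd via -H/--host."""
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://")]


def check_dockerd(cmdline, daemon_json="{}"):
    """Return a list of findings (an empty list means both checks passed)."""
    args = shlex.split(cmdline)
    cfg = json.loads(daemon_json)
    findings = []
    # Check 1: a TCP socket without --tlsverify is an unauthenticated, root-equivalent API
    tcp = daemon_tcp_hosts(args) + [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls = "--tlsverify" in args or cfg.get("tlsverify") is True
    if tcp and not tls:
        findings.append("TCP socket(s) exposed without TLS verification: " + ", ".join(tcp))
    # Check 2: user namespace remapping (one of the isolation features the deck lists) is off
    userns = any(a.startswith("--userns-remap") for a in args) or "userns-remap" in cfg
    if not userns:
        findings.append("user namespace remapping (--userns-remap) not enabled")
    return findings


# Constructed daemon command lines: the first matches how the Swarm HACK hosts are reached
# (plain tcp on 2375 via -H); the second is a hardened equivalent (cert paths are placeholders).
SWARM_HACK_DAEMON = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_DAEMON = ("dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 "
                   "--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem "
                   "--tlskey=/etc/docker/server-key.pem --userns-remap=default")

if __name__ == "__main__":
    for name, cmd in (("swarm-hack", SWARM_HACK_DAEMON), ("hardened", HARDENED_DAEMON)):
        print(name, check_dockerd(cmd) or ["PASS"])
```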

Secure access

Who? Can execute what action? Against what resources?
Authentication, Authorization, Access Control, Auditing

Key highlights:
• Role based access control (RBAC)
• Support for LDAP/AD integration
• Plugin framework

@Betty

Secure Content: Across the content lifecycle

Before Docker:
• Cumbersome tools with high failure rates of patches
• Reactive and slow process
• Software and dependency matrix with patches create more dependencies and clashes
• Security is a silo from dev and app ops

After Docker:
• Faster, more successful software updates
• Simplify software compliance process
• Trusted delivery with self contained, secure and signed containers
• Unified workflow enabling both dev and ops

1. Start with a secure base

SHIP: Secure Content & Collaboration

Set up a central repository
• IT creates and scans base images
• Images are digitally signed
• Images are pushed to central registry

Diagram components: IT, BOM, Root Key, Scanning, Registry

2. Build secure apps

Developers: BUILD (Development Environments)
SHIP: Secure Content & Collaboration

Enable developer workflows
• Pull from library of secure images
• Local Docker host establishes trust with repo and registry
• Build apps, add image layers and CI test
• Scan updated image and generate new BOM
• Remediate issues or deploy

Diagram components: BOM, Scanning
View history of BOMs for all scanned tags per repo

3. Deploy apps

Developers: BUILD (Development Environments)
SHIP: Secure Content & Collaboration
IT Operations: RUN (Deploy, Manage, Scale)

Deploy your apps
• Deploy apps to next environment
• Secure host configurations with Docker Bench
• Hosts establish trust with repo

Diagram components: Docker hosts

4. Proactively manage vulnerabilities and updates

Developers: BUILD (Development Environments)
SHIP: Secure Content & Collaboration
IT Operations: RUN (Deploy, Manage, Scale)

Proactively manage new vulnerabilities
• New VULN added to database regarding a package
• Docker checks all BOMs that have this package
• Notification is sent re: affected repos and tags

Diagram components: BOM, Docker hosts, CVE Database, New VULN added, Email Notification
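The three steps above (new VULN record, check every stored BOM for the package, notify per affected repo and tag), as an added example that is not Docker Security Scanning's code: the BOMs, tags and the CVE identifier are constructed placeholders, and the version comparison is deliberately numeric so that 1.0.10 is not reported as older than 1.0.2.

```python
"""Added example: the BOM-matching step behind the slide's notification flow. Not Docker's
Security Scanning code; BOMs, tags and the CVE id are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE
    package: str
    fixed_in: tuple   # first version that is no longer affected, as a comparable tuple


def parse_version(v):
    """'1.0.10' -> (1, 0, 10), so versions compare numerically (as strings '1.0.10' < '1.0.2').
    Simplification: real package version schemes (epochs, suffixes) need a proper comparator."""
    return tuple(int(part) for part in v.split("."))


def affected_tags(boms, vuln):
    """Map repo:tag -> installed version for every BOM that holds a vulnerable version."""
    hits = {}
    for tag, packages in boms.items():
        version = packages.get(vuln.package)
        if version is not None and parse_version(version) < vuln.fixed_in:
            hits[tag] = version
    return hits


def notifications(boms, vuln):
    """One message per affected repo, listing its affected tags (the email on the slide)."""
    by_repo = {}
    for tag, version in sorted(affected_tags(boms, vuln).items()):
        repo, _, name = tag.partition(":")
        by_repo.setdefault(repo, []).append(f"{name} ({vuln.package} {version})")
    return [f"{vuln.cve}: {repo} tags {', '.join(tags)}" for repo, tags in by_repo.items()]


# Constructed BOMs keyed by repo:tag, each mapping package -> version found by the scan
BOMS = {
    "acme/web-vote-app:1.0": {"openssl": "1.0.1", "redis": "3.0.7"},
    "acme/web-vote-app:1.1": {"openssl": "1.0.2", "redis": "3.0.7"},
    "acme/worker:latest": {"openssl": "1.0.1"},
    "acme/store:latest": {"openssl": "1.0.10"},  # newer than 1.0.2 despite sorting lower as text
}
# Constructed "new VULN added to database" record
NEW_VULN = Vuln(cve="CVE-0000-0001", package="openssl", fixed_in=parse_version("1.0.2"))

if __name__ == "__main__":
    for line in notifications(BOMS, NEW_VULN):
        print(line)
```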

4. Proactively manage vulnerabilities and updates

Developers: BUILD (Development Environments)
SHIP: Secure Content & Collaboration
IT Operations: RUN (Deploy, Manage, Scale)

Manage software compliance and governance
• Update image, re-scan for new BOM, re-sign, re-push to registry
• Remove compromised containers
• Deploy new containers
• Image freshness guarantee ensures that only the latest runs

Diagram components: Docker hosts, New BOM, Scanning

THANK YOU