[meetup] Docker Brasov #2 (files.meetup.com/19590550/BRASOV - Up Securing the...)
Securing the Software Supply Chain with Docker
June 2016

Transcript of the slide deck (27 pages)

Page 1:

[meetup] Docker Brasov #2
Securing the Software Supply Chain with Docker

June 2016

Page 2:

Track #1: Review the Docker Birthday material + Extra: Swarm HACK

https://dockerize.it/

Page 3:

Review the Docker Birthday material

• https://github.com/docker/docker-birthday-3/blob/master/tutorial.md
• Docker Tools: client, machine, compose, Docker Hub
• Docker commands: docker run, docker pull; docker images; docker ps, docker build, docker port, docker stop, docker rm
• Docker Hub: https://hub.docker.com/
• Learn the basics for a node or python app by looking inside its Dockerfile
• Docker Image vs Docker Container
  Dockerfile --- is BUILT into --> Docker Image
  - The Dockerfile is the recipe (like your source before compiling); the image built from it is the stored artifact that is used to provision a container
  - A Docker Container is a running instance of the image
  - We can start more containers from the same image

Page 4:

What is the term associated with building an image? Dockerfile
(It is actually a file called Dockerfile)

How do I get images? 2 ways:
• docker pull <image name>: downloads the image from a registry
• docker build .: builds an image from the Dockerfile in the current directory

Page 5:

Docker Compose

• Docker Compose is a tool for defining and running multi-container Docker applications
• With Compose, you define a .yml file that describes all the containers and volumes that you want, and the networks between them. In the example-voting-app directory, you'll see a docker-compose.yml file

NEW RESOURCES: Docker for Java developers, a very well explained walkthrough for any developer: https://github.com/docker/labs/tree/master/java

Page 6:

Extra: Swarm HACK

- Not using Docker Machine
- This cluster is deployed using Vagrant
- Still the Voting app

Page 7:

Extra: Swarm HACK

- Millions of people can vote nearly simultaneously without your website becoming unavailable.
- You don't need exact real-time results because you will announce them the next day, but you do need confidence that every vote will eventually get counted.
- https://github.com/rav121/swarm-microservice-demo-v1.git (forked)

Page 8:

Extra: Swarm HACK

- Install Vagrant
- Install VirtualBox
- From the cloned repo run: vagrant up
- 5 VMs will be provisioned
- The cluster setup (with swarm), aka the swarm manager, will be done from the master machine

master:     192.168.33.11
interlock:  192.168.33.12
frontend01: 192.168.33.20
frontend02: 192.168.33.21
worker01:   192.168.33.200
store:      192.168.33.250

To enter the master VM:

vagrant ssh master

Page 9:

Extra: Swarm HACK

vagrant ssh master

- docker -H=tcp://192.168.33.11:2375 run --restart=unless-stopped -d -p 8500:8500 -h consul progrium/consul -server -bootstrap
- docker -H=tcp://192.168.33.20:2375 run --restart=unless-stopped -d swarm join --advertise=192.168.33.20:2375 consul://192.168.33.11:8500/
- docker -H=tcp://192.168.33.200:2375 run --restart=unless-stopped -d swarm join --advertise=192.168.33.200:2375 consul://192.168.33.11:8500/
- export DOCKER_HOST="tcp://192.168.33.11:3375"
- docker network create --driver overlay mynet

## Commands to test the cluster
- docker info

Caveat: -H=tcp://<node>:2375 is the daemon's plain, unauthenticated TCP socket; whoever can reach it can start a privileged container and owns the host. That is acceptable only on this private Vagrant host-only network. Real deployments listen on 2376 with --tlsverify and client certificates.

Page 10:

Extra: Swarm HACK

# build web-vote-app (if you have more nodes):
- cd web-vote-app
- docker -H tcp://192.168.33.20:2375 build -t web-vote-app .
- docker -H tcp://192.168.33.21:2375 build -t web-vote-app .

!!!!! Build on each web node, because `docker build` against the swarm master won't put the image on every machine.

Page 11:

Extra: Swarm HACK

# put the redis image on the web nodes (same reason as the build: do it per node):
- docker -H tcp://192.168.33.20:2375 pull redis
- docker -H tcp://192.168.33.21:2375 pull redis
- docker -H tcp://192.168.33.22:2375 pull redis

where …20, …21, …22 are the nodes (VMs) running the vote app

Page 12:

Track #3: Docker Bench

Page 13:

Docker secures your software supply chain

Secure Platform + Secure Content + Secure Access

Secure Platform:
- All available isolation and containment
- Default security settings and profiles
- Docker Bench

Secure Content:
- Docker Content Trust
- Security Scanning

Secure Access:
- Role based access control (RBAC)
- AD/LDAP integration
- Auth plugins

Page 14:

Containers as a Service for the modern software supply chain

Developers -> BUILD (Development Environments) -> SHIP (Secure Content & Collaboration) -> RUN (Deploy, Manage, Scale) -> IT Operations

Page 15:

What's New
Secure Content: Image scanning and vulnerability detection

Deep visibility with binary level scanning
• Detailed BOM of included components and vulnerability profile
• Checks packages against the CVE database AND the code inside, to protect against tampering
• Covers a wide range of languages, binaries, OS

Proactive risk management
• Continuous monitoring of CVE/NVD databases, with notifications pointing to the repos and tags that contain new vulnerabilities

Secure the software supply chain
• Integrated workflow with Docker Content Trust
• Available for Official Repos since Nov 2015

(Figure: Sample Bill of Materials (BOM))

Page 16:

Secure Content: Image scanning and vulnerability detection

(Architecture diagram of Docker Security Scanning. Labels: Push image from Docker Cloud w/ Private Repo; Scan Trigger (APIs); Plugin Framework; Scanner; CVE Scanning validation service; CVE/NVD Database; BOM Database; BOM; Notifications)

Page 17:

Common questions on content security

• What is inside my container?

• How do I know where this code came from?

• How do I keep our team safe from bad components?

• How do I stay on top of patches for compliance and governance?

• How do I NOT make this a giant pain for everyone? (including myself)


Page 18:

Secure platform

All Linux isolation capabilities:
- pid namespace
- mnt namespace
- net namespace
- uts namespace
- user namespace
- pivot_root
- uid/gid drop
- cap drop
- all cgroups
- selinux
- apparmor
- seccomp

Secure by default:
1. Out of the box default settings and profiles
2. Granular controls to customize settings

Page 19:

Best Practices: Docker Bench update

Ensure secure host configurations
• Aligned to the recommendations in the Center for Internet Security's Benchmark for Docker Engine 1.11
• Automates checking your host configs against the benchmark recommendations

Easy to use
• Available to run as a container or using a Compose file

www.dockerbench.com
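The daemon socket used throughout the Swarm HACK slides (`-H=tcp://<node>:2375`, no TLS) and the isolation controls listed on the Secure platform slide are exactly the kind of thing a Docker Bench run looks for. The Python script below is an added example, not code from this deck or from docker-bench-security: it performs a handful of CIS-style checks over constructed `docker inspect` output and constructed dockerd command lines. The container names, addresses and findings are sample data, and the checks are a small subset of the benchmark.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the HostConfig
# fields the checks read. Not captured from a real host.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "a1b2", "Name": "/consul",
   "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": null,
                  "SecurityOpt": null, "Binds": null,
                  "NetworkMode": "default", "PidMode": ""}},
  {"Id": "c3d4", "Name": "/swarm-agent",
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp=unconfined"],
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                  "NetworkMode": "host", "PidMode": ""}},
  {"Id": "e5f6", "Name": "/web-vote-app",
   "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": ["ALL"],
                  "SecurityOpt": null, "Binds": ["/data:/data:ro"],
                  "NetworkMode": "mynet", "PidMode": "host"}}
]
""")

# Constructed dockerd command lines as `ps` would show them on the Vagrant VMs.
# "master" mirrors the Swarm HACK setup: plain TCP on 2375, no TLS.
SAMPLE_DAEMONS = {
    "master": "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock",
    "worker01": "dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem"
                " --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem",
    "store": "dockerd -H unix:///var/run/docker.sock",
}


def check_daemon(cmdline):
    """CIS 2.x style: a TCP listener without --tlsverify is root for anyone on the network."""
    args = cmdline.split()
    listeners = []
    for arg in args:
        for prefix in ("-H=", "--host="):      # both spellings appear on the slides
            if arg.startswith(prefix):
                arg = arg[len(prefix):]
        if arg.startswith("tcp://"):
            listeners.append(arg)
    if listeners and "--tlsverify" not in args:
        return ["daemon listens on %s without --tlsverify" % ", ".join(listeners)]
    return []


def check_container(info):
    """CIS 5.x style checks on one container's HostConfig; returns finding strings."""
    hc = info.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: every capability and all host devices, isolation is off")
    for cap in hc.get("CapAdd") or []:
        findings.append("adds capability %s beyond the default set" % cap)
    if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append("seccomp disabled: the whole kernel syscall surface is reachable")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("mounts the Docker socket: the container controls the daemon")
    if hc.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    return findings


def audit(inspect_output, daemons):
    """Map each host or container name to its findings; clean targets are omitted."""
    report = {}
    for host, cmdline in daemons.items():
        for finding in check_daemon(cmdline):
            report.setdefault(host, []).append(finding)
    for info in inspect_output:
        name = info.get("Name", "").lstrip("/")
        for finding in check_container(info):
            report.setdefault(name, []).append(finding)
    return report


if __name__ == "__main__":
    for target, findings in audit(SAMPLE_INSPECT, SAMPLE_DAEMONS).items():
        for finding in findings:
            print("[WARN] %s: %s" % (target, finding))
```

On real hosts you would feed `audit()` the output of `docker inspect $(docker ps -q)` and the dockerd line from `ps`; the point of the sample is that the Swarm HACK master fails the daemon check while the TLS-enabled worker passes, and that one container can fail several isolation checks at once.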

Page 20:

Secure access

Who? Can execute what action? Against what resources?

Authentication, Authorization, Access Control, Auditing

Key highlights:
• Role based access control (RBAC)
• Support for LDAP/AD integration
• Plugin framework
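The three questions on this slide (who, which action, which resource) are what a Docker authorization plugin answers for every daemon API call: the daemon hands the plugin the caller, HTTP method, URI and request body and gets an allow or deny back. The policy below is an added example in Python, not the deck's material and not a real plugin; the users, the roles and the idea that roles come from LDAP/AD groups are constructed for illustration. It shows the decision a practitioner cares about most: a developer may create containers, but not ones that escape isolation.

```python
# Roles as an authorization plugin would derive them from LDAP/AD group
# membership. Constructed sample users, not a real directory.
USER_ROLES = {
    "alice": {"admin"},
    "bob": {"developer"},
    "carol": {"viewer"},
}

READ_ONLY_METHODS = {"GET", "HEAD"}


def escape_risks(body):
    """HostConfig settings in a POST /containers/create body that hand the
    container the host; the same things Docker Bench flags after the fact."""
    hc = (body or {}).get("HostConfig") or {}
    risks = []
    if hc.get("Privileged"):
        risks.append("Privileged")
    if any(b.split(":")[0] == "/var/run/docker.sock" for b in hc.get("Binds") or []):
        risks.append("docker.sock bind mount")
    if hc.get("NetworkMode") == "host" or hc.get("PidMode") == "host":
        risks.append("host namespace sharing")
    if hc.get("CapAdd"):
        risks.append("CapAdd " + ",".join(hc["CapAdd"]))
    return risks


def authorize(user, method, uri, body=None):
    """Decide one daemon API request from the (user, method, URI, body) an
    authorization plugin receives in AuthZReq. Returns (allowed, reason)."""
    roles = USER_ROLES.get(user, set())
    if "admin" in roles:
        return True, "admin"
    if method in READ_ONLY_METHODS:
        if roles & {"viewer", "developer"}:
            return True, "read-only request"
        return False, "unknown user"
    if "developer" not in roles:
        return False, "role %s may not change daemon state" % (",".join(sorted(roles)) or "none")
    path = uri.split("?", 1)[0]
    if path.startswith("/v1."):                 # drop the API version prefix, e.g. /v1.24/...
        parts = path.split("/", 2)
        path = "/" + (parts[2] if len(parts) > 2 else "")
    if path == "/containers/create":
        risks = escape_risks(body)
        if risks:
            return False, "developer may not create a container with: " + "; ".join(risks)
        return True, "developer create"
    if path.startswith(("/containers/", "/images/", "/build")):
        return True, "developer workload operation"
    return False, "developer may not touch " + path


if __name__ == "__main__":
    requests = [
        ("carol", "GET", "/v1.24/containers/json", None),
        ("bob", "POST", "/v1.24/containers/create", {"HostConfig": {"Binds": ["/data:/data"]}}),
        ("bob", "POST", "/v1.24/containers/create", {"HostConfig": {"Privileged": True}}),
        ("bob", "DELETE", "/v1.24/plugins/foo", None),
        ("mallory", "GET", "/v1.24/info", None),
    ]
    for user, method, uri, body in requests:
        allowed, reason = authorize(user, method, uri, body)
        print("%-5s %-7s %-6s %s (%s)" % ("ALLOW" if allowed else "DENY", user, method, uri, reason))
```

The deny reasons are what you would log for the auditing box on the slide; a real plugin returns them in the AuthZRes message, and the daemon refuses the call before it reaches the engine.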

Page 21:

Secure Content: Across the content lifecycle

Before Docker:
• Cumbersome tools with high failure rates of patches
• Reactive and slow process
• Software and dependency matrix with patches creates more dependencies and clashes
• Security is a silo from dev and app ops

After Docker:
• Faster, more successful software updates
• Simplified software compliance process
• Trusted delivery with self-contained, secure and signed containers
• Unified workflow enabling both dev and ops

Page 22:

1. Start with a secure base

Set up a central repository
• IT creates and scans base images
• Images are digitally signed
• Images are pushed to the central registry

(Diagram labels: SHIP: Secure Content & Collaboration, IT, BOM, Root Key, Scanning, Registry)

Page 23:

2. Build secure apps

Enable developer workflows
• Pull from the library of secure images
• Local Docker host establishes trust with repo and registry
• Build apps, add image layers and CI test
• Scan the updated image and generate a new BOM
• Remediate issues or deploy

View the history of BOMs for all scanned tags per repo

(Diagram labels: Developers, BUILD: Development Environments, SHIP: Secure Content & Collaboration, BOM, Scanning)

Page 24:

3. Deploy apps

Deploy your apps
• Deploy apps to the next environment
• Secure host configurations with Docker Bench
• Hosts establish trust with the repo

(Diagram labels: Developers, BUILD: Development Environments, SHIP: Secure Content & Collaboration, RUN: Deploy, Manage, Scale, IT Operations, Docker hosts)

Page 25:

4. Proactively manage vulnerabilities and updates

Proactively manage new vulnerabilities
• New VULN added to the database regarding a package
• Docker checks all BOMs that have this package
• Notification is sent re: affected repos and tags

(Diagram labels: Developers, BUILD: Development Environments, SHIP: Secure Content & Collaboration, RUN: Deploy, Manage, Scale, IT Operations, Docker hosts, BOM, CVE Database, New VULN added, Email Notification)
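The matching step described on this slide and on the "Proactive risk management" slide (a new vulnerability arrives, every BOM containing the package is checked, the owners of the affected repos and tags are notified), written out in Python. This is an added example rather than Docker Security Scanning's own code; the BOMs, the CVE identifiers (CVE-0000-000x placeholders) and the simple version comparison are constructed for illustration.

```python
import re

# Constructed BOMs, one per pushed tag (package -> version), as the scanner
# would store them after each push. Not real scan output.
BOMS = {
    "acme/web-vote-app:1.0": {"openssl": "1.0.1e", "python": "2.7.9", "flask": "0.10.1"},
    "acme/web-vote-app:1.1": {"openssl": "1.0.1t", "python": "2.7.11", "flask": "0.10.1"},
    "acme/worker:latest": {"openssl": "1.0.2h", "redis": "3.0.7"},
    "acme/store:latest": {"redis": "2.8.4"},
}

# Constructed feed entries; the identifiers are placeholders, not real CVEs.
NEW_VULNS = [
    {"id": "CVE-0000-0001", "package": "openssl", "affected_below": "1.0.1t", "fixed_in": "1.0.1t"},
    {"id": "CVE-0000-0002", "package": "redis", "affected_below": "3.0.0", "fixed_in": "3.0.0"},
    {"id": "CVE-0000-0003", "package": "nginx", "affected_below": "1.10.0", "fixed_in": "1.10.0"},
]


def version_key(version):
    """Sort key for dotted versions with an optional letter suffix (1.0.1e < 1.0.1t < 1.0.2h).
    Assumption: enough for this sample; a real scanner uses the package manager's
    own comparison (dpkg, rpm) for each distribution."""
    key = []
    for piece in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(key)


def is_affected(version, vuln):
    return version_key(version) < version_key(vuln["affected_below"])


def match_new_vulns(boms, vulns):
    """The check on the slide: for every new entry, every BOM that carries the
    package at an affected version. Returns {cve_id: [(repo:tag, version), ...]}."""
    hits = {}
    for vuln in vulns:
        for repo_tag, packages in boms.items():
            version = packages.get(vuln["package"])
            if version is not None and is_affected(version, vuln):
                hits.setdefault(vuln["id"], []).append((repo_tag, version))
    return hits


def notifications(hits, vulns):
    """One notification per repo, pointing at the tags and the version to rebuild with."""
    by_id = {v["id"]: v for v in vulns}
    per_repo = {}
    for cve_id, targets in hits.items():
        for repo_tag, version in targets:
            repo, tag = repo_tag.rsplit(":", 1)
            per_repo.setdefault(repo, []).append(
                "%s: tag %s ships %s %s, rebuild with %s" % (
                    cve_id, tag, by_id[cve_id]["package"], version, by_id[cve_id]["fixed_in"]))
    return per_repo


if __name__ == "__main__":
    for repo, lines in notifications(match_new_vulns(BOMS, NEW_VULNS), NEW_VULNS).items():
        print("To the owners of %s:" % repo)
        for line in lines:
            print("  " + line)
```

Because the BOM is recorded at push time, the lookup runs against stored inventories and never needs to re-pull or re-scan an image; the tag that already carries the fixed version (1.1 here) is left alone, which is the "points to repos and tags" behaviour the earlier slide promises.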

Page 26:

4. Proactively manage vulnerabilities and updates (continued)

Manage software compliance and governance
• Update the image, re-scan for a new BOM, re-sign, re-push to the registry
• Remove compromised containers
• Deploy new containers
• Image freshness guarantee ensures that only the latest runs

(Diagram labels: Developers, BUILD: Development Environments, SHIP: Secure Content & Collaboration, RUN: Deploy, Manage, Scale, IT Operations, Docker hosts, New BOM, Scanning)
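What "images are digitally signed", "hosts establish trust with the repo" and the "image freshness guarantee" on these slides amount to on the pull side: the client accepts a tag only if signed trust data maps it to a manifest digest, the signature verifies, the trust data has not expired, and the manifest the registry served hashes to that digest. The Python below is an added example, not Notary or the Docker client's own code. It substitutes HMAC with a shared secret for the asymmetric TUF keys Docker Content Trust really uses (the standard library has no Ed25519), and the repo, manifests, key and timestamps are constructed.

```python
import hashlib
import hmac
import json


class TrustError(Exception):
    """Raised when a pull must be refused; the client must not run the image."""


def digest_of(manifest_bytes):
    """Content address of an image manifest: sha256 of its bytes, as registries use."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def sign(key, payload):
    # Stand-in for the Notary targets/timestamp signature (assumption: HMAC, not Ed25519).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def publish(key, repo, tag, manifest_bytes, now, ttl):
    """What a push with DOCKER_CONTENT_TRUST=1 makes available: the tag bound to a
    digest, with an expiry the publisher must renew (that is the freshness guarantee)."""
    signed = {"repo": repo, "tag": tag, "digest": digest_of(manifest_bytes), "expires": now + ttl}
    return {"signed": signed, "sig": sign(key, _canonical(signed))}


def verify_pull(key, repo, tag, metadata, manifest_bytes, now):
    """Return the digest the client may run, or raise TrustError."""
    signed = metadata["signed"]
    if not hmac.compare_digest(sign(key, _canonical(signed)), metadata["sig"]):
        raise TrustError("signature does not verify: trust data altered or signed with another key")
    if (signed["repo"], signed["tag"]) != (repo, tag):
        raise TrustError("trust data is for %s:%s, not %s:%s" % (signed["repo"], signed["tag"], repo, tag))
    if now > signed["expires"]:
        raise TrustError("trust data expired at %d: not re-signed, refuse stale content" % signed["expires"])
    served = digest_of(manifest_bytes)
    if served != signed["digest"]:
        raise TrustError("registry served %s but the signed digest is %s" % (served, signed["digest"]))
    return signed["digest"]


# Constructed sample: a publisher key, a manifest and the attack cases.
PUBLISHER_KEY = b"root-key-held-offline-by-IT"   # constructed, never a real key
MANIFEST_V1 = b'{"schemaVersion":2,"layers":["sha256:aaa"]}'
MANIFEST_EVIL = b'{"schemaVersion":2,"layers":["sha256:bbb"]}'


def demo():
    """Run the scenarios and return {name: accepted?}."""
    meta = publish(PUBLISHER_KEY, "acme/web-vote-app", "1.1", MANIFEST_V1, now=1000, ttl=86400)
    cases = {
        "genuine": ("acme/web-vote-app", "1.1", meta, MANIFEST_V1, 2000),
        "swapped manifest": ("acme/web-vote-app", "1.1", meta, MANIFEST_EVIL, 2000),
        "expired": ("acme/web-vote-app", "1.1", meta, MANIFEST_V1, 1000 + 86400 + 1),
        "tag confusion": ("acme/web-vote-app", "latest", meta, MANIFEST_V1, 2000),
    }
    # an attacker who controls the registry rewrites the digest but has no key
    forged = {"signed": dict(meta["signed"], digest=digest_of(MANIFEST_EVIL)), "sig": meta["sig"]}
    cases["forged metadata"] = ("acme/web-vote-app", "1.1", forged, MANIFEST_EVIL, 2000)
    results = {}
    for name, (repo, tag, m, manifest, now) in cases.items():
        try:
            verify_pull(PUBLISHER_KEY, repo, tag, m, manifest, now)
            results[name] = True
        except TrustError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-17s %s" % (name, "ACCEPT" if accepted else "REFUSE"))
```

The order of the checks matters: the signature is verified before anything in the metadata is trusted, and the served manifest is compared to the signed digest last, so a compromised registry cannot substitute content, replay an old signed tag after it expired, or move a signature from one tag to another. The "re-sign, re-push" step on this slide is what keeps the expiry from lapsing.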

Page 27:

THANK YOU