Sydney Docker Meetup August 2016
amaysim Micro(Nano)services Lead
3 years Dockering, Docker Cloud Early Adopter, Rancher Cowboy
proudly decoupled services for foodtech, fintech, proptech
shamefully coupled ESBs together for enterprises
github: https://github.com/yunspace
twitter: @yunzhilin
high-level IT security policies.
| Buildtime | Security |
|---|---|
| Trust | Docker Content Trust, Vulnerability Scan |
| Attack Surface & Hardening | Micro: RancherOS, CoreOS, SELinux; Nano: Scratch, Alpine |

| Runtime | Security |
|---|---|
| Minimal Privilege | Docker 1.10 User Namespace, Secrets Management |
| Security Profile | Docker 1.10 SecComp, AppArmor |
| Networking | Micro: VPC, Security Group, Route Table, Firewall; Nano: Overlay/Isolated Network, Links |
| Limit Resources | cgroup |
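The runtime controls in the table can be checked against a running container's `docker inspect` record. The audit below is an added example, not code from the slides; it reads the real `docker inspect` field names (`Config.User`, `HostConfig.Privileged`, `HostConfig.CapDrop`, `HostConfig.SecurityOpt`, `HostConfig.NetworkMode`, `HostConfig.PidMode`, `HostConfig.Memory`, `HostConfig.CpuQuota`/`NanoCpus`, `HostConfig.PidsLimit`), and the two records at the bottom are constructed to look like a plain `docker run` and a hardened one, not captured from a real host.

```python
# Added example (not from the slides): audit a container's `docker inspect`
# record against the runtime controls above. The inspect records at the
# bottom are constructed for this example.


def audit_runtime(inspect):
    """Return a list of (check, advice) tuples; an empty list means every
    runtime control in the table is in place."""
    cfg = inspect.get("Config") or {}
    hc = inspect.get("HostConfig") or {}
    findings = []

    # Minimal privilege: process user, capabilities, privileged mode
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("root-user", "set a non-root USER in the image or pass --user"))
    if hc.get("Privileged"):
        findings.append(("privileged", "--privileged gives every capability and raw device access"))
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        findings.append(("caps-not-dropped", "use --cap-drop ALL and --cap-add only what the service needs"))
    if "SYS_ADMIN" in [c.upper().replace("CAP_", "") for c in hc.get("CapAdd") or []]:
        findings.append(("cap-sys-admin", "CAP_SYS_ADMIN is close to root; avoid adding it back"))

    # Security profile: seccomp, AppArmor, no-new-privileges
    opts = hc.get("SecurityOpt") or []
    if any(o.startswith("seccomp") and o.endswith("unconfined") for o in opts):
        findings.append(("seccomp-off", "keep the default seccomp profile or supply a custom one"))
    if "apparmor=unconfined" in opts:
        findings.append(("apparmor-off", "keep the docker-default AppArmor profile"))
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append(("no-new-privileges-missing",
                         "add --security-opt no-new-privileges so setuid binaries cannot raise privileges"))

    # Networking: host namespaces defeat network and pid isolation
    if hc.get("NetworkMode") == "host":
        findings.append(("host-network", "use an isolated (overlay/bridge) network, not --net=host"))
    if hc.get("PidMode") == "host":
        findings.append(("host-pid", "--pid=host exposes every host process"))

    # Limit resources: cgroup limits
    if not hc.get("Memory"):
        findings.append(("no-memory-limit", "set --memory so one container cannot exhaust the host"))
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append(("no-cpu-limit", "set --cpu-quota (or --cpus on newer Docker)"))
    if not hc.get("PidsLimit"):
        findings.append(("no-pids-limit", "set --pids-limit to contain fork bombs"))
    return findings


# Constructed: roughly what a plain `docker run the-hoff` looks like in inspect
DEFAULT_RUN = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapDrop": None, "CapAdd": None,
                   "SecurityOpt": None, "NetworkMode": "default", "PidMode": "",
                   "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": 0},
}

# Constructed: the same service started with the runtime controls applied
HARDENED_RUN = {
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                   "SecurityOpt": ["no-new-privileges", "apparmor=docker-default"],
                   "NetworkMode": "isolated_nw", "PidMode": "",
                   "Memory": 256 * 1024 * 1024, "NanoCpus": 500000000, "CpuQuota": 0,
                   "PidsLimit": 100},
}

if __name__ == "__main__":
    for name, record in (("default run", DEFAULT_RUN), ("hardened run", HARDENED_RUN)):
        print(name, "->", [check for check, _ in audit_runtime(record)] or "OK")
```

User namespace remapping is a daemon-level setting (`--userns-remap`) rather than a per-container flag, so it is not something this per-container audit can observe; the `root-user` check covers the in-container half of the same control.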
| | Vanilla Docker | Vendors** |
|---|---|---|
| autoscaling* | in scope? | ECS, K8 HPA, Microscaling |
| nano-segmentation* | Docker Networks | apcera, twistlock, aqua*** |
| security | 1.10 updates | apcera, twistlock, aqua*** |
| visualisation/metrics/no-ops | docker cloud, docker data centre | rancher, apcera, K8 ui, prometheus, sysdig |
| orchestration | swarm, machine | cattle, apcera, ECS, K8 |
| stack | compose | rancher-compose, K8 pods |
| container | docker | rkt |
* autoscaling and nano-segmentation seem to be the final frontiers in Docker productionisation
** vendor list is purely based on personal experience. K8 variants such as Deis are excluded
*** Currently trialing both Twistlock and Aqua
Host OS - Minimal distro, limit access to system containers
Container base image - Alpine or Scratch
```dockerfile
FROM scratch
WORKDIR /app
COPY bin/the-hoff /app
EXPOSE 8080
CMD ["./the-hoff"]
```
```dockerfile
FROM alpine:3.4
# download harden script from github
ADD https://raw.githubusercontent.com/LittleBayDigital/docker-alpine-hardened/master/harden.sh /usr/sbin/harden.sh
# run harden script passing in a desired non-root user
RUN chmod u+x /usr/sbin/harden.sh && \
    /usr/sbin/harden.sh
# declare the non-root user
USER user
```
```console
$ docker run -ti --rm alpine-hardened id
uid=1000(user) gid=1000(user)
```
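The buildtime points above (nano base image, pinned tag, non-root user) can be checked statically before an image is ever built. The audit below is an added example, not code from the slides or from the docker-alpine-hardened project; it assumes a plain Dockerfile and no BuildKit-specific syntax. The two Dockerfiles embedded at the bottom reproduce the slides' scratch and hardened-Alpine examples as input: the scratch image is flagged because `FROM scratch` with no `USER` still runs the binary as root, and the Alpine image is flagged because `ADD` of a remote script has no checksum step.

```python
# Added example (not from the slides): static audit of a Dockerfile against
# the buildtime controls above. Assumes plain Dockerfile syntax.
import re

NANO_BASES = {"scratch", "alpine", "busybox"}


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping blank lines and comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        instr, _, arg = line.partition(" ")
        yield instr.upper(), arg.strip()


def audit_dockerfile(text):
    """Return a list of findings; an empty list means the checks all pass."""
    instructions = list(parse_dockerfile(text))
    findings = []
    froms = [arg for instr, arg in instructions if instr == "FROM"]
    if not froms:
        return ["no FROM instruction"]
    base = froms[-1].split()[0]            # last stage wins; drop "AS name"
    if "@" in base:                        # digest-pinned, e.g. alpine@sha256:...
        name, pinned = base.split("@", 1)[0], True
    else:
        name, _, tag = base.partition(":")
        pinned = bool(tag) and tag != "latest"
    short = name.rsplit("/", 1)[-1]
    if short not in NANO_BASES:
        findings.append(f"base image {name!r} is not a nano base (scratch/alpine)")
    if short != "scratch" and not pinned:
        findings.append(f"base image {base!r} is not pinned to a version tag or digest")
    # The last USER instruction decides who the process runs as
    users = [arg for instr, arg in instructions if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final USER is root: add a non-root USER instruction")
    # ADD from a URL fetches at build time with no integrity check
    for instr, arg in instructions:
        if instr == "ADD" and re.match(r"https?://", arg):
            findings.append(f"ADD downloads {arg.split()[0]} without a checksum; "
                            "verify it (e.g. sha256sum) in a RUN step")
    return findings


# Input: the slides' scratch Dockerfile
SCRATCH_DOCKERFILE = """\
FROM scratch
WORKDIR /app
COPY bin/the-hoff /app
EXPOSE 8080
CMD ["./the-hoff"]
"""

# Input: the slides' hardened Alpine Dockerfile
HARDENED_ALPINE_DOCKERFILE = """\
FROM alpine:3.4
# download harden script from github
ADD https://raw.githubusercontent.com/LittleBayDigital/docker-alpine-hardened/master/harden.sh /usr/sbin/harden.sh
RUN chmod u+x /usr/sbin/harden.sh && \\
    /usr/sbin/harden.sh
USER user
"""

if __name__ == "__main__":
    for name, df in (("scratch", SCRATCH_DOCKERFILE), ("alpine-hardened", HARDENED_ALPINE_DOCKERFILE)):
        print(name, "->", audit_dockerfile(df) or "OK")
```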
```shell
# create isolated_nw first
docker run --network=isolated_nw -itd --name=nightrider --link kitt:2000 the-hoff
```
```text
// image white listing
job::/sandbox/user {
  { docker.allow "https://.../trust/good:latest" }
}

// enforce versioning
on job::/prod {
  if (dependency equals runtime.ruby) {
    package.lock "/apcera/pkg/runtimes::ruby-2.3.1"
  }
}

// linking job A to job B
job::/sandbox/a {
  if (targetJob nameMatch "job::/sandbox/b") {
    permit link
  }
}
job::/sandbox/b {
  if (sourceJob nameMatch "job::/sandbox/a") {
    permit link
  }
}
```