Aguascalientes Local Chapter 2 nd Meeting
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
AguascalientesLocalChapter
2nd Meeting
About– ChapterLeader
• JuanGama– ApplicationSecurityEngineer@AspectSecurity– 9+yearsinAppsec,Testing,Development– MaintainerofOWASPBenchmark– IlikeGIFs!
Docker
WhatisDocker?
• "Docker istheworld'sleadingsoftwarecontainerizationplatform"
Whatisacontainer?
• Consistsofanentireruntimeenvironment:anapplication,plusallitsdependencies,librariesandotherbinaries,andconfigurationfilesneededtorunit,bundledintoonepackage.
Docker inventedcontainers?
Docker vs LXC,Jails,Vagrant
• LXCrunsinthehostbuthasit'sownsectionofRAM,CPU,disk,etc.ClosertoaVM.Dockercanbejustoneprocess,needsavolume.
• VagrantisascriptforVMs.
Docker vs Virtualization
• Virtualizationincludesanentireoperatingsystemaswellastheapplication.Docker sitsontopoftheOS
Docker vs Virtualization
Docker vs Virtualization
WhyDocker?
• Solvesdependencyproblemsandtheproblemofancienttimes:
• "Itworksonmymachine!"
Docker Components
• Docker Engine
• Docker Hub
Docker Engine
• Docker daemon– Runsonthehostmachine
• Docker Client– CLIusedtointeractwiththedaemon
• WindowsandOSX– docker-machine(smalllinux runningtheDockerdaemon)- NeedsVirtualbox
Docker WorkflowComponents
• Docker image– Hastheenv,yourapplication,OS,dependencies,
• Docker Container– Createdfromimages,start,stop,move,delete
• Docker Registry– Publicandprivaterepotostoreimages
• Dockerfile– Automatesimageconstruction
Docker
• Docker Container
• Docker Composer
• Docker Swarm
Demo
Docker Security
• Quitesecure.• Namespacesforisolation:processesrunningwithina
containercannotsee,andevenlessaffect,processesrunninginanothercontainer,orinthehostsystem
• Eachcontaineralsogetsitsownnetworkstack.• ControlGroupsforresourceaccountingandlimiting,
ensurethateachcontainergetsitsfairshareofmemory,CPU,diskI/O;and,moreimportantly,thatasinglecontainercannotbringthesystemdownbyexhaustingoneofthoseresources.
Docker Security• OnlytrustedusersshouldbeallowedtocontrolyourDocker daemon
• “root”withinacontainerhasmuchlessprivilegesthanthereal“root”.Forinstance,itispossibleto:– denyall“mount”operations;– denyaccesstorawsockets(topreventpacketspoofing);– denyaccesstosomefilesystem operations,likecreatingnewdevicenodes,changingtheowneroffiles,oralteringattributes(includingtheimmutableflag);
– denymoduleloading;– andmanyothers.
Docker Security
• Additional:AppArmor,SELinux,GRSEC• RuninsideaVM• Compromisedimages• DOS• https://www.docker.com/docker-security
Related Documents
![PHP Experience 2016 - [Palestra] Vagrant, LXC, Docker, etc: Entenda as diferenças](https://static.cupdf.com/doc/110x72/58a068a61a28ab06528b55f1/php-experience-2016-palestra-vagrant-lxc-docker-etc-entenda-as-diferencas.jpg)
