Securing Docker containers
by Uday R. Sawant, William Leemans, Jonathan Hobson, Oliver Pelz
Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Table of Contents
- Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Credits
- Preface
- 1. Module 1
- 1. Managing Users and Groups
- 2. Networking
- Introduction
- Connecting to a network with a static IP
- Installing the DHCP server
- Installing the DNS server
- Hiding behind the proxy with squid
- Being on time with NTP
- Discussing load balancing with HAProxy
- Tuning the TCP stack
- Troubleshooting network connectivity
- Securing remote access with OpenVPN
- Securing a network with uncomplicated firewall
- Securing against brute force attacks
- Discussing Ubuntu security best practices
- 3. Working with Web Servers
- Introduction
- Installing and configuring the Apache web server
- Serving dynamic contents with PHP
- Hosting multiple websites with a virtual domain
- Securing web traffic with HTTPS
- Installing Nginx with PHP_FPM
- Setting Nginx as a reverse proxy
- Load balancing with Nginx
- Setting HTTPs on Nginx
- Benchmarking and performance tuning of Apache
- Securing the web server
- Troubleshooting the web server
- 4. Working with Mail Servers
- 5. Handling Databases
- Introduction
- Installing relational databases with MySQL
- Storing and retrieving data with MySQL
- Importing and exporting bulk data
- Adding users and assigning access rights
- Installing web access for MySQL
- Setting backups
- Optimizing MySQL performance – queries
- Optimizing MySQL performance – configuration
- Creating MySQL replicas for scaling and high availability
- Troubleshooting MySQL
- Installing MongoDB
- Storing and retrieving data with MongoDB
- 6. Network Storage
- 7. Cloud Computing
- 8. Working with Containers
- Introduction
- Installing LXD, the Linux container daemon
- Deploying your first container with LXD
- Managing LXD containers
- Managing LXD containers – advanced options
- Setting resource limits on LXD containers
- Networking with LXD
- Installing Docker
- Starting and managing Docker containers
- Creating images with a Dockerfile
- Understanding Docker volumes
- Deploying WordPress using a Docker network
- Monitoring Docker containers
- Securing Docker containers
- 9. Streaming with Ampache
- 10. Communication Server with XMPP
- 11. Git Hosting
- Introduction
- Installing Git
- Creating a local repository with Git CLI
- Storing file revisions with Git commit
- Synchronizing the repository with a remote server
- Receiving updates with Git pull
- Creating repository clones
- Installing GitLab, your own Git hosting
- Adding users to the GitLab server
- Creating a repository with GitLab
- Automating common tasks with Git hooks
- 12. Collaboration Tools
- 13. Performance Monitoring
- 14. Centralized Authentication Service
- 2. Module 2
- 1. Installing CentOS
- Introduction
- Downloading CentOS and confirming the checksum on Windows or OS X
- Creating USB installation media on Windows or OS X
- Performing an installation of CentOS using the graphical installer
- Running a netinstall over HTTP
- Installing CentOS 7 using a kickstart file
- Getting started and customising the boot loader
- Troubleshooting the system in rescue mode
- Updating the installation and enhancing the minimal install with additional administration and development tools
- 2. Configuring the System
- Introduction
- Navigating text files with less
- Introduction to Vim
- Speaking the right language
- Synchronizing the system clock with NTP and the chrony suite
- Setting your hostname and resolving the network
- Building a static network connection
- Becoming a superuser
- Customizing your system banners and messages
- Priming the kernel
- 3. Managing the System
- Introduction
- Knowing and managing your background services
- Troubleshooting background services
- Tracking system resources with journald
- Configuring journald to make it persistent
- Managing users and their groups
- Scheduling tasks with cron
- Synchronizing files and doing more with rsync
- Maintaining backups and taking snapshots
- Monitoring important server infrastructure
- Taking control with GIT and Subversion
- 4. Managing Packages with YUM
- 5. Administering the Filesystem
- 6. Providing Security
- 7. Building a Network
- 8. Working with FTP
- 9. Working with Domains
- 10. Working with Databases
- 11. Providing Mail Services
- 12. Providing Web Services
- 13. Operating System-Level Virtualization
- 14. Working with SELinux
- 15. Monitoring IT Infrastructure
- 1. Installing CentOS
- 3. Module 3
- 1. Working with KVM Guests
- 2. Deploying RHEL "En Masse"
- 3. Configuring Your Network
- 4. Configuring Your New System
- 5. Using SELinux
- 6. Orchestrating with Ansible
- 7. Puppet Configuration Management
- 8. Yum and Repositories
- 9. Securing RHEL 7
- 10. Monitoring and Performance Tuning
- Bibliography
- Index
In this recipe, we will learn Docker configurations that may result in slightly improved security for your containers. Docker uses some advanced features in the latest Linux kernel, which include kernel namespaces to provide process isolation, control groups to control resource allocation, and kernel capabilities and user namespaces to run unprivileged containers. As stated on the Docker documentation page, Docker containers are, by default, quite secure.
This recipe covers some basic steps to improve Docker security and reduce the attack surface on the Ubuntu host as well as the Docker daemon.
The first and most common thing is to use the latest versions of your software. Make sure that you are using the latest Ubuntu version with all security updates applied and that your Docker version is the latest stable version:
- Upgrade your Ubuntu host with the following commands:
$ sudo apt-get update $ sudo apt-get upgrade
- If you used a Docker-maintained repository when installing Docker, you need not care about Docker updates, as the previous commands will update your Docker installation as well.
- Set a proper firewall on your host system. Ubuntu comes preinstalled with UFW; you simply need to add the necessary rules and enable the firewall. Refer to Chapter 2, Networking for more details on UFW configuration.
On Ubuntu systems, Docker ships with the AppArmor profile. This profile is installed and enforced with a Docker installation. Make sure you have AppArmor installed and working properly. AppArmor will provide better security against unknown vulnerabilities:
$ sudo apparmor_status - Next, we will move on to configure the Docker daemon. You can get a list of all available options with the
docker daemon --helpcommand:$ docker daemon --help - You can configure these settings in the Docker configuration file at
/etc/default/docker, or start the Docker daemon with all required settings from the command line. - Edit the Docker configuration and add the following settings to the
DOCKER_OPTSsection:$ sudo nano /etc/default/docker - Turn off inter-container communication:
--icc=false - Set default ulimit restrictions:
--default-ulimitnproc=512:1024 --default-ulimitnofile=50:100 - Set the default storage driver to overlayfs:
---storage-driver=overlay - Once you have configured all these settings, restart the Docker daemon:
$ sudo service docker restart - Now, you can use the security bench script provided by Docker. This script checks for common security best practices and gives you a list of all the things that need to be improved.
- Clone the script from the Docker GitHub repository:
$ git clone https://github.com/docker/docker-bench-security.git - Execute the script:
$ cd docker-bench-security $ sh docker-bench-security.sh
Try to fix the issues reported by this script.
- Now, we will look at Docker container configurations.
The most important part of a Docker container is its image. Make sure that you download or pull the images from a trusted repository. You can get most of the images from the official Docker repository, Docker Hub.
- Alternatively, you can build the images on your own server. Dockerfiles for the most popular images are quite easily available and you can easily build images after verifying their contents and making any changes if required.
When building your own images, make sure you don't add the root user:
RUN group add -r user && user add -r -g user user USER user
- When creating a new container, make sure that you configure CPU and memory limits as per the containers requirements. You can also pass container-specific ulimit settings when creating containers:
$ docker run --cpu-shares1024 --memory 512 --cpuset-cpus 1 - Whenever possible, set your containers to read-only:
$ docker run --read-only - Use read-only volumes:
$ docker run -v /shared/path:/container/path:ro ubuntu - Try not to publish application ports. Use a private Docker network or Docker links when possible. For example, when setting up WordPress in the previous recipe, we used a Docker network and connected WordPress and MySQL without exposing MySQL ports.
- You can also publish ports to a specific container with its IP address. This may create problems when using multiple containers, but is good for a base setup:
$ docker run -p 127.0.0.1:3306:3306 mysql
- Most of these recommendations are taken from the Docker security cheat sheet at https://github.com/konstruktoid/Docker/blob/master/Security/
- The Docker bench security script: https://github.com/docker/docker-bench-security
- The Docker security documentation: http://docs.docker.com/engine/articles/security/
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.