Well, hi everyone. The truth is that taking security and resource control into account when putting a container-based architecture into production requires a lot of reading, because by default a container is deployed with everything enabled: it can use all the memory, all the CPU and all disk access, and if you are not careful it may even run every task as the root user. Obviously we have to avoid all of that.

There is a lot to read, be advised! Thank you Bret Fisher.

https://docs.docker.com/engine/security/

Security tools

https://sysdig.com/blog/20-docker-security-tools/

Bret Fisher's security concerns

https://github.com/BretFisher/ama/discussions/150

Secure computing mode (seccomp)

https://docs.docker.com/engine/security/seccomp/

AppArmor (Application Armor)

https://docs.docker.com/engine/security/apparmor/

docker-bench-security

https://github.com/docker/docker-bench-security

A Dockerfile sample showing how to use a non-root user.

https://github.com/BretFisher/dockercon19/blob/master/1.Dockerfile

Official guide on how to use the USER directive.

https://docs.docker.com/engine/reference/builder/#user
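To make the non-root pattern concrete, here is a small Dockerfile that creates an unprivileged user and switches to it with USER before the application starts, with the run-time resource limits from the intro noted at the end. This is an added example, not code from the post or from Bret Fisher's repository; the node base image, the `app` user name and the file paths are assumptions for illustration.

```dockerfile
# Added example (assumed base image, user name and paths).
FROM node:18-alpine

# Dedicated system user and group: no home directory, no login shell,
# so the application process never runs as root inside the container.
RUN addgroup -S app && adduser -S -G app -H -s /sbin/nologin app

WORKDIR /app

# Copy files already owned by the unprivileged user; this avoids a later
# chown layer and keeps root from owning the application tree.
COPY --chown=app:app package*.json ./
RUN npm ci --omit=dev

COPY --chown=app:app . .

# Everything from here on, including CMD at run time, executes as 'app'.
USER app

# Non-root users cannot bind ports below 1024, so listen on a high port.
EXPOSE 3000
CMD ["node", "server.js"]

# Suggested run command. Each flag bounds one of the "everything enabled"
# defaults the post warns about: memory, CPU, writable disk, capabilities
# and privilege escalation.
#   docker run --rm \
#     --memory=256m --cpus=1 \
#     --read-only --tmpfs /tmp \
#     --cap-drop=ALL \
#     --security-opt no-new-privileges \
#     -p 3000:3000 my-app:latest
```

Inside the running container, `id` should report the `app` user rather than uid 0, and `docker stats` should show the memory limit instead of the host total.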

User namespaces!

https://docs.docker.com/engine/security/userns-remap/

Container vulnerabilities database

https://cve.mitre.org

Find and fix security vulnerabilities

https://snyk.io

https://www.paloaltonetworks.com/prisma/cloud

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

https://github.com/aquasecurity/trivy

Threat detection for easier security policy management across containers

https://sysdig.com/opensource/falco/

Content trust in Docker

https://docs.docker.com/engine/security/trust/

Rootless mode (Experimental)

https://github.com/docker/engine/blob/v19.03.0-rc3/docs/rootless.md

Experimenting with Rootless Docker

Hardening Docker daemon with Rootless mode

Docker CE for Linux installation script (Rootless mode)
https://get.docker.com/rootless

“Distroless” Docker Images

https://github.com/GoogleContainerTools/distroless
