Integrating Docker Solutions Into Your CI/CD Pipeline

Learn about solutions for integrating Docker and DevSecOps into your CI/CD pipeline with these points from All Day DevOps talks.

by Derek Weeks · Apr. 22, 18 · Tutorial

Docker Image Security

Docker. It seems like in this day and age, you are either using Docker containers or you are going to use Docker containers. If you haven’t jumped on the bandwagon yet, check out a previous article, Docker: The New Ordinary. If you are on the wagon or are thinking about it but have concerns about their security, it’s time to read on.

José Manuel Ortega (jmortega.github.io) is a software engineer and security researcher in Spain. I recently watched his presentation online entitled Testing Docker Images Security. He gave an overview of typical Docker deployments, explained the attack surface and threats, presented how to detect vulnerabilities, and outlined a couple of best practices. In short, his advice will help you learn how to better secure your Docker containers.

[New to Docker? Read this paragraph; all others skip ahead.] If you aren’t sure what Docker is, José offers this explanation: “Docker containers wrap a piece of software in a complete file system that contains everything it needs to run: code, runtime, system tools, system libraries - anything you can install on a server, regardless of the environment it is running in.”

That is, containers are isolated from each other but share an operating system and, where appropriate, binaries and libraries. Docker provides an additional layer of isolation, making your infrastructure safer by default. It also makes the application lifecycle faster and easier to configure, which reduces risk in your applications.

For starters, José lays out Docker’s default mechanisms for security:

  • Linux kernel namespaces
  • Linux Control Groups (cgroups)
  • The Docker daemon
  • Linux capabilities (libcap)
  • Linux security mechanisms like AppArmor or SELinux


José walks through other tools, add-ons, best practices, etc. to increase Docker container security. I will cover most of them here.

Docker Inspect Tool. The Docker Inspect Tool is built into Docker, so it is available as soon as Docker is running. It reports information about a container or image such as the host name and the image ID.

Docker Content Trust. It protects against untrusted images. It can enable signing checks on every managed host, guarantee integrity of your images when pulled, and provide trust from publisher to consumer.


Docker File Security. Dockerfiles define how Docker images, and thus containers, are built. They should not contain secrets such as usernames and passwords. You should remove unnecessary setuid and setgid permissions, download packages securely using GPG and certificates, and try to restrict an image or container to one service.

Container Security. Docker security is about limiting and controlling the attack surface on the kernel. Don’t run your applications as root in containers; create specific users for testing and policing the Docker image. Run filesystems as read-only so attackers cannot overwrite data or save malicious scripts to the image.

José provided a useful checklist for verifying the security of a Docker container, though it is not a short one. Remember, if you are going to deploy hundreds or thousands of these containers, you’ll want to ensure consistent handling of security concerns to keep the hackers at bay:

  • Do not write secrets to Docker files
  • Create a user
  • Follow version pinning for base images, packages, etc.
  • Remove unnecessary setuid, setgid permissions
  • Do not put package update instructions on their own in a Dockerfile
  • Download packages securely
  • Do not download unnecessary packages
  • Use COPY instead of ADD
  • Use the HEALTHCHECK command
  • Use gosu instead of sudo whenever possible
  • Use --no-cache (if applicable) when building
  • Enable Docker Content Trust
  • Ensure images are free from known vulnerabilities
  • Ensure images are scanned frequently throughout your DevOps pipeline
  • Ensure your images, packages are up-to-date
  • Use file monitoring solutions for image layers (if required)
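As an added example (not from José's talk or the original article), here is a small Python audit that checks a Dockerfile against several of the checklist items above and the Dockerfile and container security points before it: a pinned base image, no secrets in ENV/ARG, COPY instead of ADD, no sudo, no stand-alone update step, and the presence of USER and HEALTHCHECK. The two Dockerfiles are constructed samples, and the checks are heuristic string matches rather than a full Dockerfile parser.

```python
import re

# Constructed sample Dockerfile that breaks several checklist items.
WEAK_DOCKERFILE = """\
FROM ubuntu
ENV DB_PASSWORD=hunter2
RUN apt-get update
ADD app.tar.gz /opt/app
RUN sudo chown -R nobody /opt/app
"""

# Constructed sample: the same image after applying the checklist.
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --no-create-home app
COPY app/ /opt/app/
USER app
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
"""

def parse_instructions(text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, skips comments."""
    lines = (l.strip() for l in re.sub(r"\\\n", " ", text).splitlines())
    return [(l.partition(" ")[0].upper(), l.partition(" ")[2].strip())
            for l in lines if l and not l.startswith("#")]

def audit_dockerfile(text):
    """Return checklist findings for a Dockerfile; an empty list means every check passed."""
    instrs = parse_instructions(text)
    findings = []
    for kw, args in instrs:
        # Last path segment of the image reference has no tag/digest, or uses :latest
        if kw == "FROM" and re.search(r"(^|/)[^/:@]+(:latest)?$", args.split()[0]):
            findings.append(f"FROM {args}: pin the base image version, not a floating tag")
        elif kw in ("ENV", "ARG") and re.search(r"PASSWORD|SECRET|TOKEN|API_KEY", args, re.I):
            findings.append(f"{kw} {args.partition('=')[0]}: do not write secrets into the Dockerfile")
        elif kw == "ADD":
            findings.append("ADD used: prefer COPY (ADD also fetches URLs and unpacks archives)")
        elif kw == "RUN":
            if re.search(r"\bsudo\b", args):
                findings.append("RUN uses sudo: use gosu instead")
            if "apt-get update" in args and "install" not in args:
                findings.append("RUN apt-get update alone: chain it with the install in one RUN")
    present = {k for k, _ in instrs}
    if "USER" not in present:
        findings.append("no USER instruction: processes run as root")
    if "HEALTHCHECK" not in present:
        findings.append("no HEALTHCHECK instruction")
    return findings
```

Running `audit_dockerfile(WEAK_DOCKERFILE)` reports seven findings, while the hardened sample returns an empty list; a check like this can gate the build stage of a pipeline before any image scanner runs.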

Auditing Docker Images. You can scan your images for known vulnerabilities with a wide variety of commercial and open source tools such as:

  • Docker’s native Security Scanning
  • Sonatype’s Nexus Lifecycle
  • Twistlock
  • Docker Bench Security
  • CoreOS Clair
  • Dagda
  • Aqua
  • Tenable
  • Anchore

All of these solutions can be integrated into at least one stage of your CI/CD pipeline; some can be integrated at multiple stages.

José explored these solutions and best practices in more detail and offered up technical implementation tips in his full talk, available for free here. If you are working on or interested in Docker security, his talk is worth your time.

Thirsty for more DevOps discussions led by practitioners (not vendors)? You too can binge watch 99 other talks from the All Day DevOps conference here.
