
Create secure production environment using Docker


Speech transcript (automatically generated)
Well, let's welcome Andrés Cidel and let's find out something new about how to create secure production environments using Docker. Can you hear me? Yes. OK, first of all, thanks for coming. [inaudible] I'm going to talk about Docker in secure production environments, and I'm going to give you some of the best practices that you can use. I work for a Mexican software company, and I've been using Docker for almost two years now, mainly for [inaudible] and infrastructure.

Let's talk a little bit about the content of the talk. We're going to look at how containers work and what is behind the scenes when we use Docker containers. We're going to list the main concerns that you have to keep in mind when you use Docker, how to create and maintain secure images, because the images are the basis of security, how to defend containers, and good practices. This is a lot of stuff that I want to share with you.

How Docker works. The first thing that we have to keep in mind is that containers are not virtual machines. A virtual machine uses a hypervisor to manage the execution of a guest operating system. Containers are quite different: containers are a bunch of processes, where a container generally runs one service. You can install packages in those containers, containers have network interfaces, but they are not virtual machines, even if they feel like one. Containers are possible because of two Linux kernel features, which are cgroups and namespaces.

So what are cgroups? cgroups is the feature that accounts for and isolates the resources of the host: memory, disk, CPU. You say "OK, I'm going to give one gigabyte of memory to this container", and [inaudible] all the children of a process are going to be in the same cgroup as their parent.

And what are namespaces? Namespaces is the feature that isolates containers: the processes inside a container have their own view of the system. When you use a container and you run ps inside the container, you see just the processes that are running in that container. Namespaces isolate the file system, [inaudible], users and networking. To put it simply: cgroups limit how much you can use, and namespaces limit what you can see.

The next thing is kernel capabilities. Traditionally, Unix systems have two kinds of processes: privileged processes, whose effective user ID is 0, which are basically the root processes, and unprivileged processes, whose effective user ID is non-zero. Unprivileged processes are subject to full permission checking based on the credentials of the process. Linux capabilities divide the privileges of root into distinct units. For example, one capability allows a process to make arbitrary changes to file ownership, another allows it to change the permissions of any file in the system, [inaudible]. If you read the source code of Docker, you're going to see the list of capabilities that Docker keeps by default; this is the default set. And if you want to see all the capabilities that are supported by the Linux kernel, there's the man page, that's the URL, and you can study it.

What are the main concerns when you use Docker? One of the concerns is the Docker daemon: it requires root privileges when you run it. So if you control the Docker daemon, you will have access to the host. And if you enable the REST API, it is not authenticated by default. [inaudible] Remember that if you have access to the daemon, you have root privileges on the host. So how can I secure the REST API? You can enable TLS by using the TLS flags when running the daemon, and you can create a CA, server and client keys; that's for authentication. But what about authorization? Docker's authorization is all or nothing: you can do everything or you can do nothing. [inaudible] So you can create a proxy or another system by yourself to work around this problem.

Container escaping is another concern, and this is caused by privileges: not removing all the capabilities that the application doesn't need. It means that containers sometimes have a lot of capabilities, and if you have all the capabilities and you don't know it, this could be a problem. Remember that [inaudible] with those capabilities, it could be brought to the host.

So how can you prevent this? I'm going to explain this for each region of the system. First of all, Docker capabilities: as we saw, with capabilities we can perform operations that require root privileges in a fine-grained way. In this example I am dropping all the capabilities, and basically I am running a container that can't do anything that needs a capability; for example, you can't even [inaudible]. Then you can add a single capability, for example [inaudible], and this container won't be able to change permissions [inaudible]. And you can combine the flags: for example, drop all the capabilities and add the ones that you are going to use.

Some of you are going to start asking: how can I know which capabilities I need? The answer is that you have to keep in mind which capabilities your process could use, or you can test them: you have to study your process to know which capabilities it needs. Then you can run your tests; if you have a database, you can run it and see whether you need to drop or add a capability. And remember that a container has to run just one process: a container has to have no more than the database, for example.

This is more easily done with a security module, which is in charge of securing the operating system and other programs. AppArmor is one of these: its security profiles give you greater granularity than capabilities, for all your containers. If you are using Ubuntu right now, you probably already have it installed, and you can check it with the command aa-status; this command is going to show the profiles that are loaded. Once you create your profile, you can use it with a simple command: if you want to run an application with this profile, you just have to indicate the name of your profile, and it's quite simple. There is also a tool which is useful to create profiles in a nice way.

The final user: in most cases it is not necessary to run as root inside your container. Create a user inside your Dockerfile with the USER directive, and run your containers with that user. This could be a whole talk by itself, so I'm just going to list the benefits of this approach: limiting the container to what it needs, preventing damage if your container is compromised, and simplifying development by following [inaudible].

Read-only file systems: this is very easy to run, just with the --read-only flag, and you declare the file system read-only. If you run a container with this flag and, for example, an attacker breaks into the container, the attacker won't be able to write anything to the file system. And you can combine it with volumes: you can freeze the file system of your container, but add a volume where you can write logs and so on.

One of the major concerns is trust. When you use systems that communicate over untrusted networks, trust is a central concern. So when you use Docker, you pull images and you push images: how can you verify that you're getting the exact image that the publisher pushed, and that the image has not been tampered with? Docker solves this problem with Docker Content Trust, which basically signs the images using digital signatures. It is very easy to enable: you just export DOCKER_CONTENT_TRUST=1. The first operation that you do as a publisher, for example pushing an image, is going to work with this feature. If you're using content trust for the first time, it is going to create the keys and everything behind the scenes; you don't need to worry about anything, and you don't have to learn a special combination of commands. And why don't I worry about the users? Because content trust also creates, as a side note, something [inaudible] tied to time, so you can disable images, for example "this image is no longer available", and you have to pull again. With this approach you will have up-to-date images in your containers. And of course you have to create secure images, which is the next topic.

How to create and maintain secure images. First of all, verify software. This is very important: you have to verify the authenticity of the software that you are downloading. When you're using a package manager, it takes care of this for you, so you don't have to worry too much. If you are downloading from other sources, you should use HTTPS instead of HTTP, and you have to check the checksums, with GPG for example. And when it comes to third-party software, you can use the same process you would use outside Docker, not just within Docker. Pin versions: this is important because if you want to have consistency in your images, the default is latest, so it's easy to, for example, write FROM with the 14.04 tag instead of FROM with no tag. [inaudible] Always use the USER directive: use the user that your application needs, with as few permissions as possible, and if you have to use [inaudible], don't [inaudible]. Use minimal base images: an Ubuntu image, for example, is [inaudible] megabytes, and an Alpine image is around 5 megabytes; you reduce the attack surface and the complexity and size of the images. This is an example using Alpine, where you install the Python runtime with its package manager.

Avoid --privileged whenever possible, especially when it comes to the security features. Running Docker with --privileged is going to remove almost all the limits that a container has, [inaudible]. Be careful about the docker group: it's a group that exists on the host, and providing access to the Unix socket or to the REST API is potentially dangerous, [inaudible]. This is especially true when you use [inaudible]; you have to keep this in mind. Consider using the Docker security benchmark report, which states common best practices for running Docker containers in production; I'm just going to describe some of them.

Limit privileges for the daemon: remap the UID and GID so that you're not running as root [inaudible]; in most cases it's better not to run as root. When exporting ports or exposing containers, don't bind to all interfaces: you have to be sure that you're exposing the container's network to the right interface, and the default is to expose it on all interfaces [inaudible]. You're going to find documentation about this topic. Inter-container communication is enabled by default: a container can communicate with other containers even if you're not using links, and it can [inaudible] packets. Limit the memory of your containers to help prevent denial of service. And that's it. These are the references that I have based this presentation on; Docker is working on providing a lot of documentation about security. Thank you for listening.

Audience question: I had a few surprises using Docker with iptables, because it injects certain rules for its networking. Do you have any tips on how to deal with that elegantly? I wrote some rules and then found that Docker was actually bypassing them, as it should, because the purpose of your container is to manage the network the way you want. I had a container running [inaudible]; I just exposed the port I wanted to monitor and limited everything else. I wrote some iptables rules on my host and realised that Docker had inserted its own. I wanted the service to be accessible only from localhost, and then I noticed that my iptables rules saying "only from localhost" were being bypassed, because Docker inserted its networking rules and they were short-circuiting my rules. It seems to be a common problem; do you know an elegant solution?

Answer: It depends on the size of [inaudible]. If you want, we can talk about specific security issues afterwards. I've been using Docker with Python for almost a year, and I think this advice applies to almost all images, especially for Python: try to create [inaudible] containers; you can drop capabilities and use read-only file systems.

Host: Any other questions? OK, if not, let's say thank you once more to Andrés.
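As an added example, not code from the talk, from Docker or from the speaker, the following Python audit checks a container's docker inspect document and a Dockerfile against the practices the speaker lists above: drop all capabilities and add back only what is needed, no --privileged, a non-root USER, a read-only root filesystem, a memory limit, an explicit AppArmor or seccomp profile, published ports bound to a specific host address, a pinned base image, and HTTPS plus checksum or signature verification for downloads. The two inspect documents and the Dockerfile are constructed inline (they follow the shape of real docker inspect output and Dockerfile syntax but were not captured from a host); the profile name "docker-webapp" and the finding texts are this example's own.

```python
"""Audit a `docker inspect` document and a Dockerfile against the hardening
practices from the talk. Example code added for this page, not Docker's or the
speaker's; the inspect documents and Dockerfile below are constructed samples
(same shape as `docker inspect` output / Dockerfile syntax, not captured from a
real host), and the finding texts are this example's own wording."""
import json
from typing import List

# Constructed: a container started with the defaults the talk warns about.
WEAK_INSPECT = json.dumps([{
    "Name": "/webapp-weak",
    "Config": {"User": "", "Image": "python"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None, "CapDrop": None,       # Docker's default capability set kept
        "ReadonlyRootfs": False,
        "Memory": 0,                           # 0 means no limit
        "SecurityOpt": None,                   # only the default profile applies
        "PortBindings": {"8000/tcp": [{"HostIp": "", "HostPort": "8000"}]},
    },
}])

# Constructed: the same service run the way the talk recommends.
HARDENED_INSPECT = json.dumps([{
    "Name": "/webapp-hardened",
    "Config": {"User": "app", "Image": "python:3.5-alpine"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
        "ReadonlyRootfs": True,
        "Memory": 256 * 1024 * 1024,
        "SecurityOpt": ["apparmor=docker-webapp"],  # hypothetical profile name
        "PortBindings": {"8000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8000"}]},
    },
}])

# Constructed Dockerfile showing the image-building habits the talk argues against.
WEAK_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y curl
ADD http://example.com/tool.tar.gz /opt/
RUN curl -o /opt/x.tgz http://example.com/x.tgz
CMD ["/opt/tool"]
"""

def _unpinned(image: str) -> bool:
    """True for `name` or `name:latest`; `name:tag` and `name@sha256:...` pass."""
    return ":" not in image or image.endswith(":latest")

def audit_container(inspect_json: str) -> List[str]:
    """Return findings for one `docker inspect` document (empty list = all checks pass)."""
    doc = json.loads(inspect_json)[0]
    cfg, host = doc.get("Config", {}), doc.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("--privileged removes almost all of the container's limits")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped: use --cap-drop ALL, then --cap-add only what is needed")
    if cfg.get("User", "") in ("", "0", "root"):
        findings.append("process runs as root inside the container: add a USER directive")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: use --read-only and mount volumes for data")
    if not host.get("Memory"):
        findings.append("no memory limit: use --memory to limit denial of service")
    if not any(o.startswith(("apparmor=", "seccomp=")) for o in host.get("SecurityOpt") or []):
        findings.append("no explicit AppArmor/seccomp profile via --security-opt (only the default applies)")
    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces: bind to a specific host address")
    if _unpinned(cfg.get("Image", "")):
        findings.append(f"image '{cfg.get('Image')}' is not pinned to a version tag")
    return findings

def lint_dockerfile(text: str) -> List[str]:
    """Return findings for a Dockerfile: unpinned FROM, plaintext downloads, no USER."""
    findings, has_user = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, first = instr.upper(), (args.split() or [""])[0]
        if instr == "FROM" and _unpinned(first):
            findings.append(f"line {lineno}: base image '{first}' is not pinned to a version")
        elif instr == "USER":
            has_user = first not in ("root", "0")
        if "http://" in line:
            findings.append(f"line {lineno}: plaintext http:// download; use HTTPS and verify a checksum or GPG signature")
        if instr == "ADD" and first.startswith(("http://", "https://")):
            findings.append(f"line {lineno}: ADD fetches a remote URL with no integrity check")
    if not has_user:
        findings.append("no USER directive: the process will run as root inside the container")
    return findings
```

Feed audit_container the output of docker inspect <container> and lint_dockerfile the text of a Dockerfile; an empty list means every check passed. The SecurityOpt check only reports the absence of an explicitly chosen profile, since docker inspect does not list the default AppArmor or seccomp profile, and the port check treats an empty HostIp the same as 0.0.0.0 because that is how Docker publishes a port when no address is given.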

Metadata

Formal metadata

Title Create secure production environment using Docker
Series title EuroPython 2016
Part 107
Number of parts 169
Author Cidel, Andrés
License CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, also in modified form, only under the terms of this license.
DOI 10.5446/21098
Publisher EuroPython
Publication year 2016
Language English

Content metadata

Subject area Computer science
Abstract Andrés Cidel - Create secure production environment using Docker. Docker is a relatively new technology platform that helps teams develop, deploy and scale applications with greater ease and speed. However, there are doubts about using Docker in production environments. One important reason is that containers don't provide the same security layer as hypervisors do. The purpose of this talk is to point out that using Docker in production is perfectly valid, not just for development and CI environments. We'll learn: - How Docker works. - Main risks. - How to create and maintain secure images. - How to defend containers. - How to delimit security risks in containers. - Best practices for running containers.
