Hardening a GeoNode Project – Some considerations about container security and optimization
Formal Metadata
Number of Parts: 351
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/68960 (DOI)
Production Year: 2022
FOSS4G Firenze 2022 (282 / 351)
Transcript: English (auto-generated)
00:02
The speaker is Carlos Eduardo Mota: Hardening a GeoNode project, some considerations about container security and optimisation. Okay, good morning. I will discuss here some security holes that we have found in the GeoNode
00:25
project using the 3.3 version. And I will show some little bits of code, a lot of Dockerfiles, to show how it's not suitable for production yet.
00:40
And in five minutes I will try to solve this problem. Is GeoNode on Docker suitable for production? In the GeoNode documentation there are some documents about how to put GeoNode in production, but some of the code, the scripts inside the project, has a lot of little problems
01:09
and I will show you some of them. So, I will start to talk to you about the ten commandments of securing a Docker image.
01:22
There are ten little holes that we have to execute, to put on our Dockerfiles, but I will pay more attention to some. We have light here. Oh, yes. And I will give some access to these red ones.
01:47
Let's see. The first update done to the Dockerfile images is only to change the base image. It's a little update on the Dockerfile, but it has some big problems there.
02:08
Changing the base image to Python 3.8.90, the most recent 3.8 version, solves a lot of critical vulnerabilities we have on the image.
02:22
The full Python used on GeoNode has about 61 issues and the most recent Python 3.8 has about 48 issues. And this change of the Dockerfile allows us to get the latest security features, not
02:49
only in the Python version, but also in the Linux version, the Debian version. GeoNode uses the Buster Debian version, and so it inserts a Bullseye repository into
03:07
the Dockerfile. Upgrading to Bullseye, there's no need to do this. Let's show the second. Remember, we are going from 612 vulnerabilities to at least 48.
03:24
Okay. The second is to break the entire Dockerfile into stages of building. First we build the dependencies and then we copy the virtualenv created to the release
03:42
image. And so it makes our Dockerfile simpler and less vulnerable. We fall from 76.3 to 339 issues.
04:02
The other simple change that we do is to literally eliminate the root user in the Dockerfile, preventing a lot of problems that we can have. The special hazards obtained about these simple changes is to reduce the size margin for
04:24
at least four times minutes. The number of layers from 490 to 29, this is also a good choice. And the vulnerabilities from 76.3 to 339, and it can lower more if we apply some linting to
04:44
the Dockerfile and correct some little problems. And this is a work in progress for us. We are living to handle sensitive data except on the passwords and so on.
05:03
Finishing. We want to do the same for the GeoServer, GeoNode Dockerfile, and transform it into a GeoNode project to put it in public for whoever wants to contribute and make some
05:21
suggestions. Okay, sorry for my poor English, thank you so much.
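The three changes the talk describes (a current Python 3.8 base on Debian Bullseye, splitting the build into stages so only the virtualenv reaches the release image, and dropping the root user) can be combined in one Dockerfile. The example below is added here as an illustration; it is not the GeoNode project's Dockerfile nor the speaker's code. It assumes a project with a `requirements.txt`, a WSGI module named `myproject.wsgi`, gunicorn as the application server, an `app` user/group with UID 1001, and the Debian Bullseye package names for the GDAL runtime library; all of these are placeholders to be adapted to the real project.

```dockerfile
# Added example (not the GeoNode project's own Dockerfile).
# Stage 1 compiles dependencies into a virtualenv; stage 2 copies only that
# virtualenv onto a fresh, current base image and runs as a non-root user.
# Package names, paths, the "app" user and the WSGI module are assumptions.

# ---- Stage 1: build dependencies into an isolated virtualenv ---------------
FROM python:3.8-slim-bullseye AS builder

# Compilers and -dev headers live only in this stage; they are never copied
# to the release image, which is what shrinks the layer count and CVE count.
RUN apt-get update \
 && apt-get install -y --no-install-recommends build-essential libgdal-dev gdal-bin \
 && rm -rf /var/lib/apt/lists/*

# The virtualenv is the single artefact handed to the release stage.
ENV VIRTUAL_ENV=/opt/venv
RUN python -m venv "$VIRTUAL_ENV"
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir --upgrade pip \
 && pip install --no-cache-dir -r requirements.txt

# ---- Stage 2: minimal release image ----------------------------------------
FROM python:3.8-slim-bullseye

# Runtime shared libraries only (assumed Bullseye package name; no compilers).
RUN apt-get update \
 && apt-get install -y --no-install-recommends libgdal28 \
 && rm -rf /var/lib/apt/lists/*

# Unprivileged runtime identity with a fixed UID so volume ownership is
# predictable; no login shell because nothing should ever "su" to it.
RUN groupadd --system --gid 1001 app \
 && useradd --system --uid 1001 --gid app --home-dir /app \
            --shell /usr/sbin/nologin app

ENV VIRTUAL_ENV=/opt/venv
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
COPY --from=builder --chown=app:app /opt/venv /opt/venv

WORKDIR /app
COPY --chown=app:app . /app

# Database passwords, SECRET_KEY and similar values are supplied at run time
# (environment or mounted files), never baked in with ENV or ARG.
USER app
EXPOSE 8000
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "myproject.wsgi:application"]
```

After `docker build -t geonode-hardened .`, running `docker run --rm geonode-hardened id` should report `uid=1001(app)`, and an image scanner should show the build-only packages (build-essential, libgdal-dev) absent from the final image because they exist only in the builder stage.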