Security is all about layers.
Linux security technologies
Namespaces - isolation
- pid - process IDs; every container gets its own PID 1
- net - the container's own isolated network stack
- mnt - the container's own root (/) filesystem
- ipc - shared memory inside the container, isolated from shared memory outside it
- user - maps users inside the container to different users on the host
- uts - gives the container its own hostname
Control Groups (cgroups) - set resource limits
Capabilities - let a container run as root while limiting which root privileges it actually has
MAC system - Mandatory Access Control system (AppArmor, SELinux)
seccomp - filter mode, to limit the syscalls a container can make to the host kernel
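To make the layers above concrete, here is an added example (not part of the original notes) that inspects a process's namespaces and effective capabilities the way you would from inside a container, and builds a `docker run` argument list that exercises cgroups, capability dropping, seccomp and a non-root user. The capability bit numbers are the kernel's; the sample mask `00000000a80425fb` is constructed from Docker's default capability set, and `SECCOMP_PROFILE` is an assumed path.

```shell
#!/bin/sh
# Added example, not from the original notes: inspect namespaces and
# capabilities of a process, and assemble hardened `docker run` flags.

# Kernel capability bit numbers for the subset we report on.
CAP_TABLE="0:CHOWN 1:DAC_OVERRIDE 3:FOWNER 4:FSETID 5:KILL 6:SETGID 7:SETUID \
8:SETPCAP 10:NET_BIND_SERVICE 12:NET_ADMIN 13:NET_RAW 18:SYS_CHROOT 19:SYS_PTRACE \
21:SYS_ADMIN 27:MKNOD 29:AUDIT_WRITE 31:SETFCAP"

# cap_set MASK BIT -> prints yes/no: is capability bit BIT set in hex MASK?
# MASK is the value shown by `grep CapEff /proc/self/status` (no 0x prefix).
cap_set() {
    mask=$1; bit=$2
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# list_caps MASK -> one CAP_* name per line for every table entry set in MASK.
# Inside a container with Docker's defaults this shows 14 entries and no
# CAP_SYS_ADMIN; if CAP_SYS_ADMIN appears, the container was run --privileged
# or with --cap-add and deserves a look.
list_caps() {
    mask=$1
    for entry in $CAP_TABLE; do
        bit=${entry%%:*}; name=${entry#*:}
        [ "$(cap_set "$mask" "$bit")" = yes ] && echo "CAP_$name"
    done
    return 0
}

# ns_ids [PID] -> namespace inode of each namespace type for PID (default: self).
# Two processes in the same container print identical ids; a container that
# shares the host's ids for net or pid was started with --net=host / --pid=host.
ns_ids() {
    pid=${1:-self}
    [ -d "/proc/$pid/ns" ] || { echo "no /proc/$pid/ns (not Linux?)"; return 0; }
    for ns in /proc/"$pid"/ns/*; do
        printf '%s -> %s\n' "${ns##*/}" "$(readlink "$ns")"
    done
}

# hardened_run_args -> flags for `docker run` covering the layers in the notes:
# cgroup limits, drop all capabilities and add back only what the service
# needs, block privilege escalation, a seccomp profile (assumed path),
# read-only root filesystem with a tmpfs for scratch space, and a non-root user.
hardened_run_args() {
    printf '%s ' \
        --memory=256m --cpus=0.5 --pids-limit=100 \
        --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
        --security-opt=no-new-privileges \
        --security-opt="seccomp=${SECCOMP_PROFILE:-/etc/docker/seccomp-web.json}" \
        --read-only --tmpfs=/tmp \
        --user=1000:1000
}

if [ "${1:-}" = demo ]; then
    echo "namespaces of this shell:"; ns_ids self
    echo "capabilities in Docker's default CapEff mask:"; list_caps 00000000a80425fb
    echo "docker run $(hardened_run_args) myorg/web:1.0"
fi
```

Run it with `sh script.sh demo`, or copy it into a container and feed `list_caps` the real mask from `/proc/self/status`; a process that should be unprivileged yet reports `CAP_SYS_ADMIN` or host namespace ids is the finding to chase.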
Docker Security
Swarm Mode
- Cryptographic node IDs
- Mutual authentication via TLS
- Secure join token
- CA configuration with auto certificate rotation
- Encrypted cluster store
- Encrypted networks
Docker Security Scan
- Binary-level scan of image layers against a CVE database
- Docker Trusted Registry includes the scanner
Docker Content Trust
- signs images on push
- verifies image signatures on pull
- enable signing and verification with:
export DOCKER_CONTENT_TRUST=1
- once DCT is enabled, you can no longer pull or run unsigned images
Docker Secrets
- secrets are encrypted at rest and in flight, mounted into the container in an in-memory filesystem, and operate under a least-privilege model (only services granted the secret receive it)
- managed with the docker secret sub-command
- attach a secret to a service with the --secret flag of docker service create
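The consuming side of a secret is what the notes leave implicit: Swarm mounts each secret as a file under /run/secrets/<name> inside the service's containers, so the application (or its entrypoint) reads it from there. The script below is an added example, not from the original notes; `SECRETS_DIR` is an assumed override so it can be tested outside Swarm, and `db_password` / `myorg/api:1.0` are made-up names.

```shell
#!/bin/sh
# Added example, not from the original notes: an entrypoint helper that reads
# Docker secrets from their tmpfs mount and fails closed when one is missing.
#
# Creating and attaching the secret happens on a Swarm manager, not here:
#   printf '%s' 'S3cret' | docker secret create db_password -
#   docker service create --name api --secret db_password myorg/api:1.0
# Reading the value from stdin ("-") keeps it out of shell history, and
# `docker secret ls` / `docker inspect` only ever show the secret's name.

SECRETS_DIR=${SECRETS_DIR:-/run/secrets}

# read_secret NAME -> prints the secret value. Command substitution strips the
# trailing newline a secret gets when it was created with `echo` instead of
# printf. A missing secret is a deployment error, so we return 1 rather than
# substituting a default that would silently weaken the service.
read_secret() {
    name=$1
    file="$SECRETS_DIR/$name"
    if [ ! -r "$file" ]; then
        echo "read_secret: secret '$name' not mounted at $file" >&2
        return 1
    fi
    value=$(cat "$file")
    printf '%s' "$value"
}

# has_secret NAME -> 0 if the secret is mounted and non-empty.
has_secret() {
    [ -s "$SECRETS_DIR/$1" ]
}

# secret_to_env NAME VAR -> exports VAR=<secret> for programs that only read
# the environment. Prefer passing the file path (e.g. DB_PASSWORD_FILE) where
# the program supports it: environment variables are visible in
# `docker inspect` and are inherited by every child process.
secret_to_env() {
    var=$2
    val=$(read_secret "$1") || return 1
    export "$var=$val"
}

if [ "${1:-}" = demo ]; then
    if secret_to_env db_password DB_PASSWORD; then
        echo "DB_PASSWORD loaded (${#DB_PASSWORD} chars)"
    else
        echo "refusing to start without db_password" >&2
        exit 1
    fi
fi
```

Used as the first step of an entrypoint, `secret_to_env` (or better, the `_FILE` convention with `read_secret` behind it) keeps the secret off the command line and out of the image while still failing the deployment visibly when the secret was never attached.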
Secure client and daemon communication
- create a CA private key and public key (CA certificate)
- create daemon and client key pairs, each signed by the CA
- configure the daemon in daemon.json with the daemon key pair and the CA certificate
- configure the client with the client key pair, the CA certificate, and the environment variables DOCKER_HOST and DOCKER_TLS_VERIFY=1
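The four steps above, carried out as a script; this is an added example, not from the original notes. The openssl invocations follow Docker's documented procedure for protecting the daemon socket; `DAEMON_HOST`, `DAEMON_IP` and `CERT_DIR` are assumed values to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original notes: CA, daemon and client
# certificates, daemon.json, and client environment for mutual TLS.
set -e

CERT_DIR=${CERT_DIR:-$HOME/.docker-tls}
DAEMON_HOST=${DAEMON_HOST:-docker-host.example.internal}   # assumed hostname
DAEMON_IP=${DAEMON_IP:-10.0.0.5}                            # assumed address

# 1. CA key + self-signed CA certificate. The CA key is the root of trust:
#    anyone holding it can mint client certs, so keep it offline and 0400.
make_ca() {
    openssl genrsa -out "$CERT_DIR/ca-key.pem" 4096
    openssl req -new -x509 -days 365 -sha256 -key "$CERT_DIR/ca-key.pem" \
        -subj "/CN=docker-ca" -out "$CERT_DIR/ca.pem"
    chmod 0400 "$CERT_DIR/ca-key.pem"
}

# 2. Key pair for one side, ROLE = server | client. The extendedKeyUsage
#    extension is what prevents a client certificate from being presented as
#    a daemon certificate (or the reverse), so it is always set. The client
#    files are named cert.pem / key.pem because that is what DOCKER_CERT_PATH
#    expects.
make_cert() {
    role=$1
    if [ "$role" = server ]; then
        key="$CERT_DIR/server-key.pem"; cert="$CERT_DIR/server-cert.pem"
        subj="/CN=$DAEMON_HOST"
        printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
            "$DAEMON_HOST" "$DAEMON_IP" > "$CERT_DIR/$role-ext.cnf"
    else
        key="$CERT_DIR/key.pem"; cert="$CERT_DIR/cert.pem"
        subj="/CN=client"
        printf 'extendedKeyUsage = clientAuth\n' > "$CERT_DIR/$role-ext.cnf"
    fi
    openssl genrsa -out "$key" 4096
    openssl req -new -sha256 -key "$key" -subj "$subj" -out "$CERT_DIR/$role.csr"
    openssl x509 -req -days 365 -sha256 -in "$CERT_DIR/$role.csr" \
        -CA "$CERT_DIR/ca.pem" -CAkey "$CERT_DIR/ca-key.pem" -CAcreateserial \
        -extfile "$CERT_DIR/$role-ext.cnf" -out "$cert"
    chmod 0400 "$key"
    rm -f "$CERT_DIR/$role.csr" "$CERT_DIR/$role-ext.cnf"
}

# 3. Daemon side. "tlsverify" makes the daemon *require* a client certificate
#    signed by the CA, not merely offer TLS; a tcp host without it is an
#    unauthenticated root-equivalent API. On systemd installs whose unit
#    already passes -H on ExecStart, drop "hosts" here or override the unit,
#    otherwise the daemon refuses to start.
daemon_json() {
    dir=${1:-/etc/docker/certs}
    cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "$dir/ca.pem",
  "tlscert": "$dir/server-cert.pem",
  "tlskey": "$dir/server-key.pem"
}
EOF
}

# 4. Client side: the variables the docker CLI reads. DOCKER_TLS_VERIFY=1 also
#    makes the client check the daemon's certificate against ca.pem, so the
#    authentication is mutual rather than one-way.
client_env() {
    printf 'export DOCKER_HOST=tcp://%s:2376\n' "$DAEMON_HOST"
    printf 'export DOCKER_TLS_VERIFY=1\n'
    printf 'export DOCKER_CERT_PATH=%s\n' "$CERT_DIR"
}

if [ "${1:-}" = demo ]; then
    mkdir -p "$CERT_DIR"
    make_ca && make_cert server && make_cert client
    daemon_json /etc/docker/certs
    client_env
fi
```

Copy `ca.pem`, `server-cert.pem` and `server-key.pem` to the daemon host, write the `daemon_json` output to /etc/docker/daemon.json, then source the `client_env` lines on the client; `docker version` succeeding over tcp while a client without `cert.pem` is refused is the check that mutual TLS is actually in force.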