Container Security Fundamentals in 4 Hours
Published by O'Reilly Media, Inc.
Mastering Container Security: From Basics to Production Hardening
- Learn how containers work, and how they are different from VMs
- Understand what to consider when isolating, securing, and hardening containers
- Examine the runtime implications of running containers and other issues, given your risk profile
Containers are everywhere. From local development and testing to large-scale production workloads, container orchestrators like Kubernetes or Hashicorp Nomad are frequently used. Getting started with containers is simple—after all, it’s a “docker run ”—thanks in part to Docker’s efforts. However, productionizing containers is a whole different story. Containers are very different from VMs and require a different set of tools and techniques to isolate and secure.
Join expert Raju Gandhi to learn how to secure and harden containers so that you’re better equipped to mitigate their associated risks. You’ll gain a better appreciation of how containers work and the solutions and technologies available to secure them and get a strong foundation for further research and follow-up.
What you’ll learn and how you can apply it
- Create leaner images that provide a smaller surface area for threat vectors
- Recall how to start and run containers so they are isolated and secure
This live event is for you because...
- You’re a developer who works with containerized workloads and you want to learn about container security best practices.
- You specialize in security or operations and want to understand the threat vectors involved with containers and strengthen your organization’s toolchain around containers.
- You want to become a true DevSecOps adopter, incorporating security into your application and runtime stack from the start.
Prerequisites
- A computer with Vagrant installed and Docker running locally
- A level of comfort with building, running, and inspecting images and containers
- Familiarity with the command line and a basic understanding of how Linux works
Recommended preparation:
- Start a VM with the provided Vagrantfile or run Linux natively on your workstation (repository link to come)
Recommended follow-up:
- Read Container Security (book)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Presentation (20 minutes)
- Introductions, and the threat landscape
Understanding Cgroups (30 minutes)
- Presentation & Live Demo: What are cgroups?
- Exercise: Creating a cgroup and limit resources using cgroups: 15 mim
- Break: 10 min
Build your own container! (50 minutes)
- Presentation & Live Demo: Understanding namespaces
- UTS
- Network
- User
- PIDs
- Exercise: Isolating users and network
- Presentation: chroot
- Exercise: chroot
- Presentation: Bringing cgroups, namespaces and chroot together
- Exercise: Build your own container
- Break 10 min
Dockerfile best practices (30 minutes)
- Presentation: Reduce image sizes and make deterministic builds
- Exercise: Using multi-stage builds to build leaner images
- Break: 10 min
Secrets management: (20 minutes)
- Presentation: Preventing leaks
- Exercise: Using volumes for secrets
- Alternatives (Hashicorp Vault)
Shifting Left (30 min)
- Presentation: Linting via Hadolint
- Exercise: Using Hadolint
- Presentation: Trivy for CVE scanning
- Exercise: CVE detection and fixing using Trivy
- Break: 10 min (60 min)
Presentation: VMs versus containers (10 min)
Docker build best practices (15 minutes)
- Presentation: The dangers of docker build
- Presentation: The dangers of using latest
- Exercise: Is “latest” really latest?
- Break 5 min
Securing the runtime: (25 minutes)
- Presentation: Running containers safely
- Exercise: Mounting too much
- Presentation: The dangers of not “pulling”
- Presentation: The dangers of running as “root”
- Exercise: Break out of a container
- Presentation: Running “rootless” containers
Q/A(10 min)
Your Instructor
Raju Gandhi
Raju Gandhi is the founder of DefMacro Software as well as a consultant, author, teacher, and speaker at conferences around the world. As a software developer and teacher, he believes in keeping things simple, preferring to understand and explain the “why” as opposed to the “how.” Raju blogs at LooselyTyped.com and lives in Ohio with his wife, Michelle, their three children, Mason, Micah, and Delphine, and furry family members Buddy, Skye, and Princess Zara. Find his contact information at Rajugandhi.com. He’s always looking to make new friends.