From 9788b7eefad86b445c4672dd6c2469cefbb2b145 Mon Sep 17 00:00:00 2001
From: sid palas
Date: Mon, 6 Feb 2023 11:09:40 -0500
Subject: [PATCH] Add container security section
---
 09-container-security/README.md | 33 +++++++++++++++++++
 .../README.md | 1 +
 .../Makefile | 0
 .../api-golang/Dockerfile.dev | 0
 .../api-golang/README.md | 0
 .../api-node/Dockerfile.dev | 0
 .../api-node/README.md | 0
 .../docker-compose-debug.yml | 0
 .../docker-compose-dev.yml | 0
 .../Makefile | 0
 .../docker-compose-prod.yml | 4 ++-
 .../docker-swarm.yml | 0
 12 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 09-container-security/README.md
 rename {09-interacting-with-containers => 10-interacting-with-docker-objects}/README.md (83%)
 rename {10-development-workflow => 11-development-workflow}/Makefile (100%)
 rename {10-development-workflow => 11-development-workflow}/api-golang/Dockerfile.dev (100%)
 rename {10-development-workflow => 11-development-workflow}/api-golang/README.md (100%)
 rename {10-development-workflow => 11-development-workflow}/api-node/Dockerfile.dev (100%)
 rename {10-development-workflow => 11-development-workflow}/api-node/README.md (100%)
 rename {10-development-workflow => 11-development-workflow}/docker-compose-debug.yml (100%)
 rename {10-development-workflow => 11-development-workflow}/docker-compose-dev.yml (100%)
 rename {11-deploying-containers => 12-deploying-containers}/Makefile (100%)
 rename {11-deploying-containers => 12-deploying-containers}/docker-compose-prod.yml (98%)
 rename {11-deploying-containers => 12-deploying-containers}/docker-swarm.yml (100%)
diff --git a/09-container-security/README.md b/09-container-security/README.md
new file mode 100644
index 0000000..6e2a52c
--- /dev/null
+++ b/09-container-security/README.md
@@ -0,0 +1,33 @@
+# Container Security
+
+There are two main considerations when it comes to container security (1) the contents of your container image and (2) the security of the execution configuration and environment.
+
+## Image Security
+
+*“What vulnerabilities exist in your image that an attacker could exploit?”*
+
+- Keep attack surface area as small as possible:
+ - Use minimal base images (multi-stage builds are a key enabler)
+ - Don’t install things you don’t need (don’t install dev deps)
+- Scan images!
+- Use users with minimal permissions
+- Keep sensitive info out of images
+- Sign and verify images
+- Use fixed image tags, either:
+ - Pin major.minor (allows patch fixes to be integrated)
+ - Pin specific image hash
+
+## Runtime Security
+
+*If an attacker successfully compromises a container, what can they do? How difficult will it be to move laterally?*
+
+### Docker daemon (dockerd)
+ - Start with --userns-remap option(https://docs.docker.com/engine/security/userns-remap/)
+
+### Individual containers:
+- Use read only filesystem if writes are not needed
+- --cap-drop=all, then --cap-add anything you need
+- Limit cpu and memory --cpus=“0.5” --memory 1024m
+- Use --security-opt
+ - seccomp profiles (https://docs.docker.com/engine/security/seccomp/)
+ - apparmor profiles (https://docs.docker.com/engine/security/apparmor/)
\ No newline at end of file
diff --git a/09-interacting-with-containers/README.md b/10-interacting-with-docker-objects/README.md
similarity index 83%
rename from 09-interacting-with-containers/README.md
rename to 10-interacting-with-docker-objects/README.md
index 9c066f2..716e420 100644
--- a/09-interacting-with-containers/README.md
+++ b/10-interacting-with-docker-objects/README.md
@@ -10,6 +10,7 @@
 6) rm
 7) prune
 8) save
+9) docker scan (snyk security scan, also show trivy)
 ## Containers
diff --git a/10-development-workflow/Makefile b/11-development-workflow/Makefile
similarity index 100%
rename from 10-development-workflow/Makefile
rename to 11-development-workflow/Makefile
diff --git a/10-development-workflow/api-golang/Dockerfile.dev b/11-development-workflow/api-golang/Dockerfile.dev
similarity index 100%
rename from 10-development-workflow/api-golang/Dockerfile.dev
rename to 11-development-workflow/api-golang/Dockerfile.dev
diff --git a/10-development-workflow/api-golang/README.md b/11-development-workflow/api-golang/README.md
similarity index 100%
rename from 10-development-workflow/api-golang/README.md
rename to 11-development-workflow/api-golang/README.md
diff --git a/10-development-workflow/api-node/Dockerfile.dev b/11-development-workflow/api-node/Dockerfile.dev
similarity index 100%
rename from 10-development-workflow/api-node/Dockerfile.dev
rename to 11-development-workflow/api-node/Dockerfile.dev
diff --git a/10-development-workflow/api-node/README.md b/11-development-workflow/api-node/README.md
similarity index 100%
rename from 10-development-workflow/api-node/README.md
rename to 11-development-workflow/api-node/README.md
diff --git a/10-development-workflow/docker-compose-debug.yml b/11-development-workflow/docker-compose-debug.yml
similarity index 100%
rename from 10-development-workflow/docker-compose-debug.yml
rename to 11-development-workflow/docker-compose-debug.yml
diff --git a/10-development-workflow/docker-compose-dev.yml b/11-development-workflow/docker-compose-dev.yml
similarity index 100%
rename from 10-development-workflow/docker-compose-dev.yml
rename to 11-development-workflow/docker-compose-dev.yml
diff --git a/11-deploying-containers/Makefile b/12-deploying-containers/Makefile
similarity index 100%
rename from 11-deploying-containers/Makefile
rename to 12-deploying-containers/Makefile
diff --git a/11-deploying-containers/docker-compose-prod.yml b/12-deploying-containers/docker-compose-prod.yml
similarity index 98%
rename from 11-deploying-containers/docker-compose-prod.yml
rename to 12-deploying-containers/docker-compose-prod.yml
index 521b0cf..039a003 100644
--- a/11-deploying-containers/docker-compose-prod.yml
+++ b/12-deploying-containers/docker-compose-prod.yml
@@ -1,3 +1,5 @@
+version: '3.7'
+
 services:
 client-react-nginx:
 image: sidpalas/devops-directive-docker-course-client-react-nginx:5
@@ -66,4 +68,4 @@ volumes:
 networks:
 frontend:
- backend:
\ No newline at end of file
+ backend:
diff --git a/11-deploying-containers/docker-swarm.yml b/12-deploying-containers/docker-swarm.yml
similarity index 100%
rename from 11-deploying-containers/docker-swarm.yml
rename to 12-deploying-containers/docker-swarm.yml
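Review bot: The production compose file this hunk touches still pulls `sidpalas/devops-directive-docker-course-client-react-nginx:5` by a mutable tag, which is at odds with the "Pin specific image hash" guidance the same commit adds in 09-container-security/README.md; since a registry tag can be repointed, the image that is scanned or signed is not guaranteed to be the one that runs. If the course intends the prod file to model that guidance, pin by digest, e.g. `image: sidpalas/devops-directive-docker-course-client-react-nginx:5@sha256:<digest>`, keeping the tag for readability. Only the first service's `image:` line is visible in this hunk, so the other services in the file may or may not have the same issue. The added `version: '3.7'` line itself is fine for the Compose v3 schema.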