Securing Docker Container Workloads

Docker containers are a mainstream mechanism for application delivery, and securing the container workload is vital. This course will give you the knowledge and techniques you need for securing containerized software applications.
Course info
Rating
(20)
Level
Intermediate
Updated
Jan 22, 2018
Duration
3h 13m
Table of contents
Course Overview
Isolating Container Workloads with Linux Namespaces
Controlling Access to Resources Using Control Groups
Managing the Privileges Available to a Container Workload
Limiting the System Calls Available to Container Workloads
Implementing Access Control for Container Workloads
Description
Course info
Rating
(20)
Level
Intermediate
Updated
Jan 22, 2018
Duration
3h 13m
Description

Packaging, distributing, and running software applications in containers is no longer a pastime just for early adopters. Containers are mainstream, and with that comes a concern about the security and integrity of containers as an application delivery mechanism. In this course, Securing Docker Container Workloads, you'll learn how to secure your application workloads from the perspective of the container itself. First, you'll learn about the Linux security mechanisms that go together to create the abstract concept of the container, and how they work together to ensure that containers are good neighbors. Next, you'll explore the privileges that are available to container workloads, and how you can adopt and apply the principle of least privilege to reduce the risk of privilege escalation. Finally, you'll see how to minimize the attack surface available from within a container by limiting the access it has to the kernel and other system objects. By the end of this course, you'll be equipped with the knowledge and techniques necessary for securing your Docker container workloads.

About the author
About the author

Nigel is an IT professional with over 25 years of experience, gained in technical and management roles, including as CEO of a technical consulting organization. He has recently returned to his technical roots, and provide tuition in the domain of microservices and container technologies.

More from the author
Securing the Docker Platform
Beginner
4h 6m
21 Jun 2018
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hi everybody. I'm Nigel Brown, and welcome to my course, Securing Docker Container Workloads. In some corners of the IT world, containers are viewed with some skepticism when it comes to security. This skepticism is unwarranted, and if you take some time to apply some standard security mechanisms, you can make your container workloads pretty hard to compromise. This course is all about applying Linux security mechanisms from the perspective of container application workloads. In this course, the main topics that we'll cover include the use of namespaces and control groups, which provide isolation, applying the principle of least privilege in order to better protect our containers, reducing the attack surface available to container workloads, and implementing controls to limit access to system objects. We're not going to turn you into a Linux security expert, but by the end of the course, you'll have a thorough understanding of the security mechanisms at your disposal for making your container application workloads more secure. Before beginning the course, you should have some practical experience of Linux and some familiarity with the Docker platform and its commandline interface. If you've ever wondered whether it's safe to run your applications in Docker containers, or what it takes to make them as secure as possible, then join me to discover how to secure your Docker container workloads.

Controlling Access to Resources Using Control Groups
Hi, and welcome back to Securing Docker Container Workloads with me, Nigel Brown. We've already taken a look at one container primitive, the Linux namespace. And now it's time to investigate another one, the control group. This module is called Controlling Access to Resources Using Control Groups. You're already familiar with isolating container processes, but what about ensuring that containers behave nicely when it comes to consuming resources? That's where control groups come in. In this module, we're going to cover the basics of control groups, what they are, what they do, and we'll see how they are applied in order to control access to the host's physical resources. We're interested in Docker container workloads, so we'll extend our working knowledge of control groups, and see how Docker makes use of them in order to implement limits and controls. We'll move on to discuss some reasons for wanting to apply limits and controls, along with the resources we're able to subject to those limits and controls. For good measure, we'll demonstrate how to apply those controls using the Docker commandline interface. By the end of this module, you'll have gained a thorough insight into a valuable tool that Docker uses as a lever to help maintain the integrity of the host and its container workloads. You'll also have the knowledge that will help you to start planning for the controls that you want to employ for securing your own Docker container workloads.

Managing the Privileges Available to a Container Workload
Hello there, and welcome to this next module in this course, Securing Docker Container Workloads. My name is Nigel Brown, and in this module, we're going to take a look at managing the privileges available to a container workload. When we run container workloads, it's pretty crucial that we do all we can to protect the integrity of the workload to make sure that it isn't compromised in any way. A compromised container is bad news. Privilege plays a big part in securing our container workloads and having the means to effectively manage privileges is an essential tool in our security-focused toolbox. Let's get on and see what we're going to cover. You have a number of things at your disposal for managing container workload privileges. Just before we take a look at what they are, we should take a moment to consider the importance of managing privilege and the approach we should take in order to minimize our exposure to risk. We'll see how we can reduce the privileges available in a container workload deployment with the creation of a non-privileged user before we then move on to address some of the practical concerns with running our container as a non-privileged user. When we have good tools at our disposal which aid our endeavors, we should use them. We'll take a look at the Linux kernel's capabilities mechanism for managing the privileges available to a process before we finish up by exploring how Docker applies capabilities to manage the privileges available to a container workload. By the end of the module, you'll have a good sense of the relevance of managing privileges for container workloads and applications and the knowledge you need to plan the effective management of your own Docker container workloads.

Limiting the System Calls Available to Container Workloads
Hello again. My name's Nigel Brown, and you're watching a course entitled Securing Docker Container Workloads. In this next module in the course called Limiting the System Calls Available to Container Workloads, we're going to see how to make use of another Linux kernel mechanism in our quest to secure our Docker containers. There is no silver bullet when it comes to securing Docker containers. Our approach needs to involve minimizing the risk of compromise, which you can achieve through reducing the attack surface available to someone trying to exploit our container. We're going to see how we can achieve this using the Linux kernel's secure computing mode, or seccomp, for short. Let's get an overview of the content for the module. To start off with, we'll gain an understanding of the kernel's secure computing mode itself, which we'll follow with a brief demonstration of how it works in practice. We'll move on to see how Docker makes use of seccomp and what's available to you to enable you to customize its use to suit the purposes of your specific scenarios. In fact, a certain amount of investigation is required to match a seccomp configuration with the requirements of an application or workload. And we'll explore how we can then analyze those requirements for subsequent use. To finish off, we'll create a custom seccomp profile for a particular container workload and then apply the profile to a running instance of the workload. At the end of the module, you'll be able to make good use of another important security feature of the Linux kernel in order to better secure the Docker container workloads you're responsible for.

Implementing Access Control for Container Workloads
Okay, we're about to embark on the final module of this course, Securing Docker Container Workloads. In this final module, which is called Implementing Access Control for Container Workloads, we get to see another powerful Linux kernel mechanism at play. We're all familiar with the standard techniques at our disposal for controlling access to files located in a file system. But is this enough when we want to control the way container workloads access the objects within their environment? Well, we're going to see how Linux security modules can be applied to give us more strength and depth when it comes to securing our container workloads. Let's take a moment to see what we'll cover. To get us started, we'll take in an overview of the concept of Linux security modules and how they can help with access control. Then we'll explore the first of the security modules available to use in a Docker context. That's SELinux. Of course, while we're discussing it, we'll also take a look at how it can be applied to container workloads. Another popular Linux security module is App Armor, and again, we'll explore how it works and how it can be applied to container workloads. And then to finish up, we'll generate a simple AppArmor profile and apply it to a container workload in order to see how Linux security modules help us to control access. At the end of the module, you won't be an expert in SELinux or AppArmor, but you will have an understanding of the concepts behind these security mechanisms and what they can achieve on your behalf. More importantly, you'll have the means to get started with developing access control policy for your Docker container workloads. Let's get going.