Securing the Socks Shop
- 8. One example Failure Exploration
Network segmentation and policy,
Container security, Orchestrator Security
Application Security, External threats
Backup security, Organisational issues,
Responsibility issues, ...
If you read this then you’ve read too far
- 10. SOCK SHOP
An open source reference microservices
architecture
Icon by http://www.flaticon.com/authors/freepik
- 15. MD front-end Dockerfile
FROM mhart/alpine-node:6.3
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
ENV NODE_ENV "production"
ENV PORT 8079
EXPOSE 8079
CMD ["npm", "start"]
- 18. MD front-end Dockerfile
FROM mhart/alpine-node:6.3
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
ENV NODE_ENV "production"
ENV PORT 8079
EXPOSE 8079
CMD ["npm", "start"]
- 19. Let’s add some nasties
docker-compose exec front-end sh
apk add sl \
    --update-cache \
    --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
    --allow-untrusted && \
export TERM=xterm && \
sl
- 22. Let’s add some nasties
docker-compose exec front-end sh
echo "<h1>Phil, you're such a good presenter. Everyone is loving the talk. Even those at the back sleeping. They're dreaming about you...</h1><img src=\"http://www.mememaker.net/static/images/memes/4395158.jpg\"/>" > public/index.html
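The defacement demo above rewrites public/index.html inside a running container, which is exactly what the "Immutable" concept later in the deck is meant to prevent. As an added example that is not part of the talk, the POSIX shell below baselines the hashes of every file under a web root and reports any file that was changed, added or removed; the directory layout and file contents are constructed for the demo, and sha256sum (coreutils or busybox) is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the talk): baseline the files under a web root and
# detect drift, so an in-container edit of public/index.html is noticed.
# Assumes sha256sum (coreutils or busybox); all paths below are constructed.

# baseline_dir DIR OUT: write "hash  ./relative/path" for every regular file
# under DIR into OUT, sorted so two listings can be compared with diff.
baseline_dir() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# verify_dir DIR BASELINE: print the relative path of each changed, added or
# removed file. Returns 0 when nothing drifted, 1 otherwise.
verify_dir() {
    current=$(mktemp)
    baseline_dir "$1" "$current"
    # diff marks lines only in the baseline with "<" and lines only in the
    # current listing with ">"; strip the marker and the hash, keep the path.
    drift=$(diff "$2" "$current" | sed -n 's/^[<>] [0-9a-f]\{64\}  //p' | sort -u)
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed demo: a fake front-end web root is baselined, then defaced.
demo_integrity() {
    root=$(mktemp -d)
    mkdir -p "$root/public"
    printf '<h1>Sock Shop</h1>\n' > "$root/public/index.html"
    printf 'body { margin: 0 }\n' > "$root/public/style.css"
    baseline_dir "$root" "$root.baseline"
    echo "<h1>This won't work</h1>" > "$root/public/index.html"
    verify_dir "$root" "$root.baseline" || true   # reports ./public/index.html
    rm -rf "$root" "$root.baseline"
}

demo_integrity
```

Run the baseline at image build time (or against a read-only root filesystem, where it should never change) and the verify step from a sidecar or cron job; any output is an alert, and the exit code makes it usable in a health check.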
- 27. MD catalogue Dockerfile
FROM busybox:1
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser
USER myuser
EXPOSE 80
COPY app /
CMD ["/app", "-port=80"]
- 28. MD catalogue Dockerfile
FROM alpine:3.4
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser && \
    apk add --update libcap
EXPOSE 80
COPY app /
RUN chmod +x /app && \
    chown -R myuser:mygroup /app && \
    setcap 'cap_net_bind_service=+ep' /app
USER myuser
CMD ["/app", "-port=80"]
- 30. The result?
apk add sl \
    --update-cache \
    --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
    --allow-untrusted && \
export TERM=xterm && \
sl
echo "This won’t work" > public/index.html
grep Cap /proc/self/status
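The last command on that slide prints the process's capability sets as hex bitmasks, which are hard to read by eye. As an added example that is not from the talk, the POSIX shell below decodes such a mask into Linux capability names, so you can confirm that the catalogue process built with the setcap step holds only cap_net_bind_service; the sample status file is constructed, and the CapBnd value in it is the bounding set Docker applies by default.

```shell
#!/bin/sh
# Added example (not from the talk): decode the hex masks that
# `grep Cap /proc/self/status` prints into Linux capability names.
# The sample status file below is constructed.

# Linux capability names in bit order (0 = cap_chown ... 40 = cap_checkpoint_restore).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# decode_caps HEXMASK: print the name of every capability whose bit is set.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            printf '%s\n' "$name"
        fi
        bit=$(( bit + 1 ))
    done
    return 0
}

# decode_status FILE: for each Cap* line of a /proc/PID/status file, print the
# field name followed by its decoded capabilities, comma separated.
decode_status() {
    grep '^Cap' "$1" | while read -r field hex; do
        names=$(decode_caps "$hex" | tr '\n' ',')
        names=${names%,}
        printf '%s %s\n' "$field" "${names:-(none)}"
    done
}

# Constructed sample: what a non-root process that kept only
# cap_net_bind_service via a file capability would show.
demo_status() {
    tmp=$(mktemp)
    printf 'CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapBnd:\t00000000a80425fb\n' > "$tmp"
    decode_status "$tmp"
    rm -f "$tmp"
}

demo_status
```

Inside a real container, `decode_status /proc/1/status` tells you what the entrypoint actually holds; CapEff is what it can use right now, CapBnd is the ceiling the runtime allows it to ever gain.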
- 32. 11,788
People taken to hospital following accidents
while putting on socks, tights or stockings in
the UK, 2003
- 43. Let’s review some concepts
User: Set a user in your Dockerfiles so they don’t run as root
Immutable: Make the root container file system read only
Restraint: Prevent unauthorised execution
Network Segmentation: Prevent inter-network access
Global firewall: Block everything, minimise the surface area
Network Policy: Be a bouncer, tell your containers who’s allowed access
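The "User" point above can be checked before an image is ever run. As an added example, not code from the talk, the POSIX shell audit below reads a Dockerfile and reports a missing or root USER, a base image with no tag or with :latest, and apk installs that pass --allow-untrusted (the flag used in the "nasties" demo); the finding strings, the temp file names and the abbreviated sample Dockerfiles are my own.

```shell
#!/bin/sh
# Added example (not from the talk): a build-time audit for a Dockerfile.
# Covers the "User" concept plus two related build hygiene checks; the
# finding text and the sample Dockerfiles are constructed.

# audit_dockerfile FILE: print one finding per line, return 0 if there are none.
audit_dockerfile() {
    f=$1
    findings=0

    # 1. The effective user is the last USER instruction; none at all means root.
    last_user=$(grep -i '^USER' "$f" | tail -n 1 | awk '{print $2}')
    case "$last_user" in
        "")                 echo "no USER instruction: process runs as root"; findings=1 ;;
        root|root:*|0|0:*)  echo "USER $last_user: process runs as root"; findings=1 ;;
    esac

    # 2. Base images should be pinned to a tag or digest
    #    (a FROM with --platform=... is not handled by this simple split).
    for image in $(grep -i '^FROM' "$f" | awk '{print $2}'); do
        case "$image" in
            *@sha256:*) ;;
            *:latest)   echo "FROM $image: :latest is not a pinned version"; findings=1 ;;
            *:*)        ;;
            *)          echo "FROM $image: no tag, defaults to :latest"; findings=1 ;;
        esac
    done

    # 3. apk --allow-untrusted installs packages without signature checks.
    if grep -qi -- '--allow-untrust' "$f"; then
        echo "apk --allow-untrusted: unsigned packages would be installed"; findings=1
    fi

    return $findings
}

# Constructed demo: the front-end Dockerfile from the talk has no USER line;
# the hardened catalogue Dockerfile sets one.
demo_audit() {
    tmp=$(mktemp)
    printf 'FROM mhart/alpine-node:6.3\nWORKDIR /usr/src/app\nCOPY . /usr/src/app\nRUN npm install\nCMD ["npm", "start"]\n' > "$tmp"
    echo "front-end:"
    audit_dockerfile "$tmp" || true
    printf 'FROM alpine:3.4\nRUN addgroup mygroup && adduser -D -G mygroup myuser\nCOPY app /\nUSER myuser\nCMD ["/app", "-port=80"]\n' > "$tmp"
    echo "catalogue:"
    audit_dockerfile "$tmp" && echo "  no findings"
    rm -f "$tmp"
}

demo_audit
```

Wire `audit_dockerfile` into CI before `docker build`; its non-zero exit fails the job, and the messages tell the image author which of the review concepts they skipped. The other concepts (read-only root, network segmentation and policy) are runtime and orchestrator settings and need checks at that layer instead.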