Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker

  •        32

Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.

https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines

Tags
Implementation
License
Platform

   




Related Projects

vim-olive - Vim Mode Line Verifier

  •    VimL

Vim Mode Line Verifier

vim-mash - Motion Activated Search Highlighter for Vim

  •    VimL

Motion Activated Search Highlighter for Vim

vim-grillz - Flash your wicked grillz!

  •    VimL

Flash your wicked grillz!

vim-foist - Complete whole lines from any partial therein

  •    VimL

Complete whole lines from any partial therein

vim-efmc - Vim Error Format Compiler

  •    VimL

Vim Error Format Compiler


uzbl-utrs - mkng uzbl tlrbl

  •    Javascript

mkng uzbl tlrbl

toycsv - A toy CSV parser written in ruby + lexr + racc

  •    Ruby

A toy CSV parser written in ruby + lexr + racc

tiktok - TikTok provides a simple asynchronous timer object for VimL.

  •    VimL

TikTok provides a simple asynchronous timer object for VimL.

tabby - Using Vim's Tabs the Right Way

  •    VimL

Using Vim's Tabs the Right Way

SohiVila - GNU source-highlight Vim language

  •    

GNU source-highlight Vim language

SinTax - A DSL for generating Vim syntax highlighting files

  •    VimL

A DSL for generating Vim syntax highlighting files

rkdots - Generate a graphviz visualisation of the given javascript statement.

  •    Ruby

Generate a graphviz visualisation of the given javascript statement.

RelNumBar - Show relativenumbers alongside normal numbers in Vim

  •    VimL

Show relativenumbers alongside normal numbers in Vim

Punisher - Punisher hurts you where it hurts most - your time.

  •    VimL

Punisher hurts you where it hurts most - your time.

noisy - Don't chat quietly (weechat channel noises)

  •    Perl

Don't chat quietly (weechat channel noises)

newlisp-manual - Asciidoc version of the newLISP manual

  •    Common

Asciidoc version of the newLISP manual

Marathon-Wow - Wow Even Longer

  •    Common

Wow Even Longer

Land-of-newLISP - Selected snippets from Land of Lisp rewritten in newLISP

  •    Common

Selected snippets from Land of Lisp rewritten in newLISP

Fossilise - Poor man's collaborative editing in Vim

  •    VimL

Poor man's collaborative editing in Vim

firstly - Convert Between Numeric, Spelt, and Short & Long Ordinal Forms of Numbers

  •    VimL

Convert Between Numeric, Spelt, and Short & Long Ordinal Forms of Numbers