Course Overview

Building containerized applications has revolutionized the process of developing and running microservices. Instead of leaving you to worry about underlying system dependencies, container images include all of the necessary components to run an application on any platform. They are also much smaller, which makes them more portable, and they enable simplified autoscaling.

Docker is designed to make it easier to build and run distributed microservice applications, but this design comes with security challenges.
There are many different aspects of security when working with Docker images, containers and orchestration.

In this class you will learn, through lecture and hands-on labs, best practices for securing the Docker host, base image, application images and registry. We will also discuss challenges and solutions to scaling containers in a production deployment.

Key Learning Areas

The audience for this class is developers, DevOps, architects and any other engineering personnel interested in running secure containerized applications in a production environment. Attendees will learn how to design and secure their containerized Docker/Kubernetes deployments.

Course Outline

Day 1

Docker Security Overview

  • Introduction to Docker architecture
  • Overview of Docker Security framework

Docker Image Security

  • Best Practices
  • Secure Docker image builds
  • Optimizing image size
  • Protecting your base images
  • Securing your applications and libraries

Container Registry Security

  • Why private registry?
  • Private registry options

Exploring The Update Framework (TUF)

  • Introduction to TUF specification
  • Understanding TUF
  • Exploring Docker registry protection with Notary

Day 2

Docker Run-Time Security

  • Enable SELinux
  • Enable AppArmor Profiles
  • Utilize Seccomp to restrict syscalls
  • Configure Cgroups

Restrict Linux Capabilities

  • Implementing strategies to prevent container breakout
  • Namespaces to limit what a container can do

CIS Benchmarks

  • Exploring Linux Benchmark Checks
  • Exploring Docker Benchmark Checks

Docker in Production Security Best Practices

  • JEOS (Just Enough OS)
  • Minimal Host OS
  • Limit attack surface
  • Host security
    • Update system patches
    • Scanning for vulnerabilities
    • Host auditing and compliance checks
  • Responding to security incidents in real-time
    • Alerting
    • Logging
    • Monitoring
  • Network security encryption
    • At rest
    • In transit
  • Introspection Log Streaming
    • Metric tracking
    • Auditing Docker platform

Who Benefits

Attendees will leave with a comprehensive understanding of container security. They will have hands-on experience securing the Docker host using SELinux, Cgroups, Namespaces and Seccomp/Syscalls, building secure Docker images, and transmitting them over an encrypted connection. They will also learn how to build minimal base operating system images focused on providing the smallest attack surface. These essential security features protect your containerized production environment.

Prerequisites

You should have six months' experience or equivalent working with Docker. If you have attended the Docker Foundation or Advanced Docker course, you are also prepared for this training opportunity.