06 - Docker Security and Monitoring


Security and monitoring

Docker

SUPINFO Official Document

© SUPINFO International University – http://www.supinfo.com


Course plan

1 Backup and logs

2 Security concern and features

3 Monitoring




Backup and logs
Security and monitoring



Backup and restore volumes
• With Docker the host, its packages and its configuration are disposable and are rebuilt from images. What matters is the data, and the data lives in volumes.
• So you back up a volume by starting a throwaway container that shares it with --volumes-from and writes an archive into a bind-mounted host directory:
  docker run --rm --volumes-from dbstore -v $(pwd):/backup ubuntu tar cvf /backup/backup.tar /dbdata
• Restore into another data container the same way, extracting the archive over the volume path:
  docker run --rm --volumes-from dbstore2 -v $(pwd):/backup ubuntu bash -c "cd /dbdata && tar xvf /backup/backup.tar --strip 1"
• Caveat: stop or quiesce the application that writes to the volume (a database in particular) before archiving, or the copy may be inconsistent.
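The two commands above wrapped in a small script, added here as an example (it is not code from the SUPINFO slides): the archive gets a date in its name, the data container is attached read-only during the backup, and the archive is listed before anything is extracted over the target volume. The container names dbstore/dbstore2 and the /dbdata path are the slides' own; the destination directory and the ubuntu helper image are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): volume backup/restore with
# --volumes-from, with a few safety rails around the raw commands.

# archive_name CONTAINER DATE -> <container>-<date>.tar
archive_name() {
    echo "$1-$2.tar"
}

# backup_volume CONTAINER PATH_IN_CONTAINER DEST_DIR
# The data container's volumes are attached with --volumes-from; ":ro"
# makes them read-only in the helper so a bug here cannot alter the data.
# DEST_DIR on the host is bind-mounted at /backup inside the helper.
# Prints the path of the archive written.
backup_volume() {
    src="$1"; path="$2"; dest="$3"
    archive=$(archive_name "$src" "$(date +%Y%m%d)")
    docker run --rm --volumes-from "$src:ro" -v "$dest:/backup" \
        ubuntu tar cvf "/backup/$archive" "$path"
    echo "$dest/$archive"
}

# restore_volume ARCHIVE_PATH CONTAINER PATH_IN_CONTAINER
# Refuses to touch the target volume unless the archive is a readable tar.
# --strip 1 drops the leading "dbdata/" component stored by the backup.
restore_volume() {
    archive="$1"; dst="$2"; path="$3"
    tar tf "$archive" >/dev/null || { echo "bad archive: $archive" >&2; return 1; }
    docker run --rm --volumes-from "$dst" -v "$(dirname "$archive"):/backup" \
        ubuntu bash -c "cd '$path' && tar xvf '/backup/$(basename "$archive")' --strip 1"
}
```

Usage: `backup_volume dbstore /dbdata /var/backups` then, on the new data container, `restore_volume /var/backups/dbstore-20240101.tar dbstore2 /dbdata`.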



Backup and restore swarm
• Backup:
˃ Stop Docker on one manager only, and only if the remaining managers still form the Raft quorum (a majority of the manager count)
˃ Back up /var/lib/docker/swarm: it holds the Raft log and the keys that encrypt it, so protect the archive like a secret
˃ If the swarm is autolocked, keep the unlock key with the backup; it is not stored in that directory
• Restore:
˃ Stop Docker on the host
˃ Remove the content of /var/lib/docker/swarm and replace it with the backup
˃ Start Docker and re-initialise the swarm from the restored state with:
docker swarm init --force-new-cluster
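The whole procedure as a script, added here as an example (not the slides' own code). It checks the Raft quorum rule before stopping a manager, which is the step the slide flags with "maintain the quorum". Paths are Docker's defaults; the backup directory and the use of systemctl to stop and start the daemon are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): swarm backup and restore with a
# quorum check. SWARM_DIR is Docker's default; BACKUP_DIR is illustrative.
SWARM_DIR=/var/lib/docker/swarm
BACKUP_DIR="${BACKUP_DIR:-/var/backups/swarm}"

# Raft needs a majority of managers: quorum = floor(N/2)+1. Stopping one
# manager is safe only if the remaining N-1 still form that majority.
# (1 or 2 managers: never safe; 3 or more: safe.)
safe_to_stop_one_manager() {
    n="$1"
    quorum=$(( n / 2 + 1 ))
    [ $(( n - 1 )) -ge "$quorum" ]
}

manager_count() {
    docker node ls --filter role=manager -q | wc -l
}

backup_swarm() {
    n=$(manager_count)
    if ! safe_to_stop_one_manager "$n"; then
        echo "refusing: $n manager(s), stopping one would lose quorum" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR"
    systemctl stop docker
    # The swarm dir holds the Raft log and the on-disk encryption keys.
    # With autolock enabled the unlock key is NOT in here: save it separately.
    tar czf "$BACKUP_DIR/swarm-$(date +%Y%m%d%H%M).tgz" \
        -C "$(dirname "$SWARM_DIR")" swarm
    systemctl start docker
}

# Restore on a host that replaces the backed-up manager (same IP address
# is recommended so the stored node addresses still match), then rebuild
# a single-manager cluster from the restored state; other nodes rejoin.
restore_swarm() {
    archive="$1"
    tar tzf "$archive" >/dev/null || { echo "bad archive: $archive" >&2; return 1; }
    systemctl stop docker
    rm -rf "$SWARM_DIR"
    tar xzf "$archive" -C "$(dirname "$SWARM_DIR")"
    systemctl start docker
    docker swarm init --force-new-cluster
}
```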
View logs for containers and services
• Two main commands:
˃ docker logs <container>
˃ docker service logs <service>

• Those commands may return nothing, or not what you expect, because of:
˃ the logging driver configuration: some drivers ship the output elsewhere and keep no local copy that docker logs can read
˃ the process itself: if it writes to a file instead of stdout/stderr, nothing reaches the logging driver
Logging drivers
• By default the logging driver is json-file. The daemon-wide default can be changed in /etc/docker/daemon.json (log-driver and log-opts keys)
• You can select a specific driver for one container with:
˃ --log-driver <driver> (and --log-opt <key>=<value> for its options)
• Two delivery modes from the container to the driver:
˃ blocking (the default, "direct"): a slow driver back-pressures the application's writes to stdout/stderr
˃ non-blocking: output goes through a ring buffer and is dropped when the buffer fills, so logging never stalls the container
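Added example, not from the slides: a daemon.json that keeps json-file as the default driver but caps the log size (without max-size, json-file grows until the host disk is full), a per-container override to syslog in non-blocking mode, and a check of which driver a running container actually uses. The container name, image and syslog address are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): daemon-wide logging defaults,
# a per-container override, and a way to see the effective driver.

# Emit a daemon.json: json-file stays the default but is rotated.
daemon_logging_config() {
    cat <<'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
EOF
}

# Install the config (root) and restart the daemon. Only containers
# created afterwards pick up the new default.
install_daemon_logging_config() {
    daemon_logging_config > /etc/docker/daemon.json
    systemctl restart docker
}

# Sanity check for a daemon.json: when the driver is json-file (or the
# key is absent, which means json-file), a max-size must be set.
# Returns 0 when the config is acceptable, 1 otherwise.
check_json_file_rotation() {
    cfg="$1"
    if grep -q '"log-driver"' "$cfg" && ! grep -q '"log-driver": *"json-file"' "$cfg"; then
        return 0   # another driver; rotation is that driver's concern
    fi
    grep -q '"max-size"' "$cfg"
}

# Per-container override: ship to syslog and never let a slow log sink
# block the application (non-blocking mode drops lines when the ring
# buffer is full instead of stalling writes to stdout/stderr).
run_with_syslog_nonblocking() {
    name="$1"; image="$2"
    docker run -d --name "$name" \
        --log-driver syslog \
        --log-opt syslog-address=udp://127.0.0.1:514 \
        --log-opt tag="$name" \
        --log-opt mode=non-blocking \
        --log-opt max-buffer-size=4m \
        "$image"
}

# Effective driver of a container: the first thing to check when
# `docker logs` returns nothing.
effective_log_driver() {
    docker inspect -f '{{.HostConfig.LogConfig.Type}}' "$1"
}
```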



Supported logging drivers



Any Questions?
Labs
Look at the logs of your containers and services.
Launch a container with a different logging driver and compare what docker logs returns.
Back up your swarm.
Change some configuration on it and try a restore.*
Create a container with some data (flat files, a database or something else).
Back up and restore your data.



Security concern and features
Security and monitoring



Docker standards
• Docker EE has been documented against these compliance frameworks:
˃ FISMA
˃ NIST (SP 800-53 controls)
˃ FedRAMP
˃ …
• The control documentation and compliance reports are generated from:
˃ https://github.com/docker/compliance



Areas to consider for Docker Security
• Intrinsic security of the kernel and its support for namespaces
• Attack surface of Docker itself
• Security features of the kernel



Understand namespaces
• Containers run in a kind of "bubble". That bubble is made of Linux namespaces.
˃ Namespaces provide the first and most straightforward form of isolation: processes in a container cannot see, or affect, processes in other containers or on the host
˃ Each container also gets its own network stack, so it has no privileged access to the sockets or interfaces of another container
• Cgroups implement resource accounting and limiting (CPU, memory, disk I/O), so one container cannot exhaust the host and deny service to the others.



Docker attack surface
• The Docker daemon runs as root
˃ Only trusted users should be allowed to control it: anyone who can start containers can bind-mount any host directory (e.g. -v /:/host) and is effectively root on the host
˃ Sharing directories between host and containers cannot be restricted by the daemon
˃ The Docker REST API listens on a UNIX socket (/var/run/docker.sock) by default, so access is governed by the socket's file permissions and the docker group
˃ If the API must be reachable over the network, enable TLS with client certificate verification (tlsverify); never expose plain tcp://0.0.0.0:2375
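A quick audit of that attack surface, added here as an example (not the slides' own code): who can reach the UNIX socket, whether the socket is world-writable, and whether daemon.json exposes the API over TCP without tlsverify. The socket and config paths are Docker's defaults and can be overridden through DOCKER_SOCK and DAEMON_JSON; the checks are text-based and intentionally simple.

```shell
#!/bin/sh
# Added example (not from the slides): audit the daemon's exposure.
DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Who can talk to the daemon through the UNIX socket? Anyone who can
# write to it can run `docker run -v /:/host ...` and is root on the
# host, so the socket's group and that group's members are the real ACL.
socket_access() {
    [ -S "$DOCKER_SOCK" ] || { echo "no socket at $DOCKER_SOCK"; return 1; }
    stat -c '%U:%G %a' "$DOCKER_SOCK"
    getent group docker | cut -d: -f4
}

# check_socket_mode OCTAL_MODE (e.g. from stat -c %a)
# Returns 1 when "other" has write permission (last digit 2, 3, 6 or 7).
check_socket_mode() {
    case "$1" in
        *[2367]) echo "insecure: socket is world-writable (mode $1)"; return 1 ;;
        *)       echo "ok (mode $1)"; return 0 ;;
    esac
}

# check_tcp_without_tls [DAEMON_JSON]
# Returns 1 when a tcp:// host is configured but "tlsverify": true is
# absent; a missing file means the default (UNIX socket only) and is ok.
check_tcp_without_tls() {
    cfg="${1:-$DAEMON_JSON}"
    [ -r "$cfg" ] || { echo "ok (no $cfg, UNIX socket only)"; return 0; }
    if grep -q 'tcp://' "$cfg" && ! grep -q '"tlsverify": *true' "$cfg"; then
        echo "insecure: daemon listens on TCP without tlsverify"
        return 1
    fi
    echo "ok"
}

# The TCP listener may also come from the systemd unit (-H tcp://...)
# rather than daemon.json, so look at live sockets as well.
live_tcp_listener() {
    ss -ltnp 2>/dev/null | grep -E ':(2375|2376) ' || echo "no TCP listener on 2375/2376"
}
```

Run `socket_access`, `check_socket_mode "$(stat -c %a /var/run/docker.sock)"`, `check_tcp_without_tls` and `live_tcp_listener` on the host; a non-zero return from either check is a finding.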



Linux Kernel considerations
• Linux capabilities replace the binary "root/non-root" concept:
˃ In a container most services/features don't need root privileges at all
˃ Some need one specific privilege (binding a port below 1024, for instance), not full root
• Docker starts containers with a reduced default capability set and grants extra ones only when asked (--cap-add); what is not needed can be dropped (--cap-drop)
• So root inside a container isn't a "real" root: it lacks CAP_SYS_ADMIN, CAP_SYS_MODULE and the other capabilities that would give it control of the host kernel
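To see that reduced root for yourself, here is an added example (not from the slides) that decodes the CapEff bitmask the kernel reports in /proc/<pid>/status and, for contrast, a hardened docker run that drops everything but one capability. The capability bit numbers are the kernel's; the image, port and user id in run_hardened are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): decode a container's effective
# capabilities and launch a container with an even smaller set.
# Inside a container: docker run --rm alpine grep CapEff /proc/self/status
# prints 00000000a80425fb for Docker's default set.

# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_RAW=13
CAP_SYS_MODULE=16
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT: exit 0 if capability BIT is set in HEXMASK.
has_cap() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_count HEXMASK: number of capabilities set (41 are defined).
cap_count() {
    mask="$1"; n=0; i=0
    while [ "$i" -lt 41 ]; do
        has_cap "$mask" "$i" && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# Effective capabilities of the current process (run it in a container
# to see what "root" there really has).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Hardened launch: non-root user, drop everything, add back only what the
# service needs, forbid gaining privileges via setuid binaries, and make
# the root filesystem read-only. Name/image/port are illustrative.
run_hardened() {
    docker run -d --name "$1" \
        --user 65534:65534 \
        --cap-drop ALL --cap-add NET_BIND_SERVICE \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        -p 8080:80 "$2"
}
```

With the default mask, `has_cap 00000000a80425fb $CAP_SYS_ADMIN` fails and `cap_count` reports 14; a --privileged container on a current kernel shows all 41 bits set.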



Manage sensitive data with secrets
• A secret is a piece of data that must not be transmitted over the network or stored unencrypted in a configuration file, an image or a Dockerfile.
• Secrets are used to deliver such data securely to the containers that need it (swarm mode only):
˃ Usernames and passwords
˃ Certificates
˃ SSH keys
˃ …
Manage and use secrets
• Create a secret
˃ docker secret create <name> <file>
˃ printf "Secret" | docker secret create <name> -   (the trailing "-" reads from stdin; this leaves the value in your shell history, so prefer a file)
• Use a secret in a service
˃ docker service create […] --secret <name> […]
˃ The secret is mounted in memory at /run/secrets/<name>, or at the path given with --secret source=<name>,target=<path>
• Tips:
˃ For testing, you can read the secret inside a task container with: docker container exec <container> cat /run/secrets/<name>
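The "secret as nginx home page" demo from this course as a script, added here as an example (not the slides' own code), with a secret rotation and, since the point of secrets is to keep credentials out of Dockerfiles, a daemon-free check that flags ENV/ARG lines setting a password or token in clear text. The names site_index, web and the nginx:alpine image are illustrative; the pattern list in the scanner is a starting point, not a complete one.

```shell
#!/bin/sh
# Added example (not from the slides): swarm secret lifecycle plus a
# Dockerfile check for clear-text credentials.

# Create a secret from a file (keeps the value out of the shell history).
create_secret_from_file() {
    docker secret create "$1" "$2"
}

# Deploy nginx with the secret mounted where nginx serves the index.
# Without target= the file would land in /run/secrets/site_index.
deploy_nginx_with_secret() {
    docker service create --name web -p 8080:80 \
        --secret source=site_index,target=/usr/share/nginx/html/index.html,mode=0444 \
        nginx:alpine
}

# Read the secret from inside the first task's container (testing only).
show_secret_in_task() {
    cid=$(docker ps -q -f name=web.1)
    docker container exec "$cid" cat /usr/share/nginx/html/index.html
}

# Secrets are immutable: rotate by creating a new one, swapping it into
# the service, then removing the old one once no task uses it.
rotate_secret() {
    docker secret create site_index_v2 "$1"
    docker service update \
        --secret-rm site_index \
        --secret-add source=site_index_v2,target=/usr/share/nginx/html/index.html \
        web
    docker secret rm site_index
}

# scan_dockerfile_for_secrets DOCKERFILE
# Prints ENV/ARG lines that assign a credential-looking variable a value
# and returns 1 if any were found. *_FILE variables (paths to mounted
# secrets) and declarations without a value are allowed.
scan_dockerfile_for_secrets() {
    hits=$(grep -niE '^[[:space:]]*(ENV|ARG)[[:space:]]+.*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z_]*[[:space:]]*=?[[:space:]]*[^[:space:]]+' "$1" \
           | grep -viE '(_FILE|=[[:space:]]*$)' || true)
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}
```

Demo order: `create_secret_from_file site_index index.html`, `deploy_nginx_with_secret`, then `curl http://localhost:8080/` returns the page; `show_secret_in_task` proves the file is inside the container and not in the image.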
Demos
To show how secrets can be used, in a VM*:
Create a secret with a really small HTML page.
Run an nginx service that has the secret as its home page.

If you want to, run a database container and set its password from a secret you define. Connect to the DB with the password stored in the secret.



Any Questions?
Labs
Follow this guide to secure the Docker daemon socket:
https://docs.docker.com/engine/security/https/
Please read the following about content trust:
https://docs.docker.com/engine/security/trust/content_trust/
Do the example provided by Docker for the WordPress password:
https://docs.docker.com/engine/swarm/secrets/#advanced-example-use-secrets-with-a-wordpress-service



Monitoring
Security and monitoring



With docker commands
• Docker provides some commands to retrieve metrics:
˃ docker ps (which containers run, since when, their state and published ports)
˃ docker top <container> (the processes inside a container, seen from the host)
˃ docker stats <container list> (live CPU, memory, network and block I/O per container)
˃ docker container stats / docker container top (the same commands under the container sub-command)
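An added example (not from the slides) that turns one `docker stats` snapshot into an alert: the stats are taken once with --no-stream in a machine-readable format and every container above a CPU or memory threshold is reported. The threshold and the sample lines used for testing are constructed; `docker top` is used for the follow-up question of which process is responsible.

```shell
#!/bin/sh
# Added example (not from the slides): threshold alert over `docker stats`.

# One snapshot: "name cpu% mem%" per running container.
stats_snapshot() {
    docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}}'
}

# over_threshold PERCENT  (reads snapshot lines on stdin)
# Prints "name metric value" for every container above PERCENT CPU or
# memory; returns 1 if anything was printed, 0 otherwise.
over_threshold() {
    threshold="$1"
    awk -v t="$threshold" '
        { cpu = $2; mem = $3; sub(/%/, "", cpu); sub(/%/, "", mem) }
        cpu + 0 > t + 0 { print $1, "cpu", cpu; hit = 1 }
        mem + 0 > t + 0 { print $1, "mem", mem; hit = 1 }
        END { exit hit ? 1 : 0 }'
}

# Which process inside the container is responsible (host-side view, no exec).
top_processes() {
    docker top "$1"
}

# check_all [PERCENT]: default threshold 80%.
check_all() {
    stats_snapshot | over_threshold "${1:-80}"
}
```

Run `check_all 80 || echo "alert"` from cron or a monitoring hook; on a hit, follow up with `top_processes <name>`.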



Other command lines
• As containers use the host kernel, you can use host Linux tools such as iptables to observe them. For example, count HTTP responses leaving the host:
˃ iptables -I OUTPUT -p tcp --sport 80   (a rule with no -j target only matches and counts)
˃ iptables -nxvL OUTPUT   (show the packet and byte counters, exact and numeric)
• Caveat: traffic of containers on a bridge network goes through the FORWARD chain (and the DOCKER-USER chain), not OUTPUT, so count it there.



Graphical tools
• Many graphical tools give you an interface to manage and/or monitor Docker.
• We will see the following in this course:
˃ Universal Control Plane
˃ cAdvisor
˃ Prometheus
˃ Datadog
˃ Sumo Logic
˃ Sysdig
Universal Control Plane
• Cluster management solution from Docker (part of Docker EE)
• No limitation
• Allows you to deploy, manage and monitor
• Users and roles management



cAdvisor
• Features:
˃ Exports stats
˃ Rest API and client
˃ Auto-tune performance
˃ Capacity planning



Prometheus
• Features:
˃ Dimensional data
˃ Powerful queries
˃ Great visualization
˃ Precise alerting



Datadog
• Features:
˃ Real-time boards
˃ Infrastructure maps
˃ Data sharing and chat
˃ Alerts
˃ Machine-learning
• ! Not free



Sumo Logic
• Features
˃ CD optimization
˃ Real-time troubleshooting
˃ Security improvement
˃ Compliance management

• ! Not free



Sysdig
• Monitoring:
˃ Container
˃ Applications
˃ AWS integration
˃ Topology mapping
• Security features
• ! Not free



Any Questions?
Go further!
• The course only shows you some tools.
• Some of them have an established place in the Docker ecosystem, but many others are valuable or can become valuable.
• Depending on your project, you'll have to search for and test different solutions to find out which one fits best.



Labs
All: install Docker UCP and review the logs and features of the tool.

In groups of 2-3*, install one of the tools presented in the course or another one you want to try.
Make a presentation of the tool (pros/cons, features…). Build an infrastructure that you can stress to show pertinent information.



The End
