
so
... that actually is doing containers, it's the most ...
... you're staging, then production, and bugs go back into dev. That whole loop and cycle is key and paramount as part of the DevOps process, and for it to be fast and quick helps things out; Docker helps make that happen. A perfect sample: bug fixes. A bug comes in, you want to get it out ASAP, and Docker can help facilitate that. Security updates: oh my god, you know, an OpenSSL vulnerability, maybe I'm vulnerable, stat, let me go ahead and patch my container and ship it back out. So I'm going to fix that patch really quick; that's another thing where Docker helps facilitate that very fast.

Sorry, I clicked one too many times. Configuration management. So I talked a little bit about Docker; now I'm going to talk about configuration management. Configuration management, at the top level, is just a way to ensure, it's a process that ensures, that your changes are consistent. It's, you know, based off of what you build, what you want for your production or your development environment. Whatever it is that you're building, you have a set of requirements, you have a set of what it needs to be configured as, and configuration management is ensuring it's actually built that way. One of the big tools that I use is Puppet. I like Puppet, but Puppet is only one of the ones that you can use; in this talk I'll only be using Puppet to showcase examples, but there are other tools out there as well, such as Chef, and honestly Ansible is a little bit newer now. It's only been a couple of years on the block, hasn't been around too much, so most people might be more familiar with Puppet; it's been around for, oh, quite a while now. So again, the big thing I like about it is the declarative language. You know, it also has the client-server paradigm, and it has a REST API if you want to, you know, do a whole lot more advanced things. It's a mature framework, there are a lot of contributors to it, there's a public Forge where you can find a whole bunch of modules that people have contributed and actually download them and use them. There are a whole lot of examples out there, so it's pretty user-friendly for someone that is just starting out.

Again, the way it mostly works: you have the Puppet master and the Puppet slaves. Your slaves are all the nodes, and they run the Puppet agent that's running on the system. You do have to have an agent on the system; some people don't like that, so if you're using Puppet, be aware of that. So if you're running an agent on the system, it runs, it goes back to the Puppet master, pulls down the catalog: what is my configuration supposed to look like, what am I supposed to have? So that's defined on the Puppet master itself. It then goes through and acts on that, whether it's, you know, setting up a particular set of permissions, whether it's, you know, installing particular applications, whatever the case may be. It then feeds back into the Puppet master saying, hey, this is what I changed and this is what I did. So it continues across, but it helps ensure that you have a set standard, and that standard is repeatable, because on the Puppet master (I'll get into this in the demonstration) you can create a manifest that can be applied to multiple different nodes, which means you only have to do it once and apply the same change across everything. That is very beneficial, especially in a large environment, when you start scaling to, you know, tens, hundreds, you know, thousands of hosts: you do it right once and use it multiple times.

A little bit about security. So, security; a lot of people, this might be review. Some examples of good security concepts when setting up a secure OS: you should disable unnecessary services. You know, if you're not using it, it's bad, you shouldn't do it. Also remove unnecessary packages; even if it's on there and it's not running, it's probably still a bad thing, you probably shouldn't have it on there. Keeping things as lightweight as possible is, in my opinion, a good practice for security when you're setting up your environment for operations, and even in development it's a good idea. Setting the limits on who has access to what: so again, you don't want every user to have access to every file; that is probably a bad thing. You know, if someone happens to have access that they shouldn't, then things could leak or they could do bad things. In a production environment that's definitely not what you want; in a development environment, probably not what you want. So you should probably treat your development environment the same as your production environment if you can.

One of the things is configuration. SSH is a good example of this. The default configuration is there for a reason; it will work for a majority of people, but just because it's a default configuration does not mean it's a secure configuration. You should probably not allow login as root over SSH; sometimes by default it can. So going through those default configurations and ensuring they're set to what you want, based on your particular needs, is paramount and important, and Puppet helps facilitate that. One of the things that I use in Puppet is SIMP. It's open sourced, as you can see here; you go to github.com, it's a collection of Puppet modules, they're also on the Puppet Forge as well, and basically it's a framework that enables a lot of default compliance and security standards from the get-go, out of the box. By using SIMP you can actually, for the most part, be completely, almost 100%, compliant with most of, like, NIST 800-53, like all the different standards that they recommend you should do, which in my opinion is a good thing; it gets you to a good known starting location. They also include some tools in the SIMP framework, such as, you know, OpenSCAP, which is, you know, the framework to actually be able to run reports. They have compliance mapping built in, so you can actually do matching one to one: if you happen to be using HIPAA, or you happen to be using, you know, STIG, you know, you can do that one-to-one mapping between what your compliance dictates and what might be referenced within, like, NIST or whatever standard. So that's why I use SIMP, and, you know, what you can do from there.

Auditing as well. So what are the common things a lot of people like to audit? Package installations, logins and authentication, and if I'm using Puppet, I want to know what Puppet changed, if it changed anything whatsoever; I want to make sure, for example, if I disabled the service. Some of the things I use for auditing: a lot of people might be familiar with the ELK stack. I use ELK just because I like Grafana a little bit more than Kibana as far as viewing logs. One of the big things why I like Grafana, hopefully no one in here belongs to Elastic, yeah, because I don't like Kibana: with Grafana, it's open source, which means there's a lot more flexibility. One of the things with Grafana that you can actually do is, by default, lock it down to where you can, you know, use your own authentication; sometimes with Kibana you have to buy X-Pack and do some other things. Free: I'm all about free, if it's free I don't have to pay for it, I can use it. Also it's a better business sell sometimes in companies; what's the bang for the buck? A lot of people ask, well, if I'm going to spend X dollars, how does it really help me with security? You might not see it initially, so selling free is sometimes a little bit easier.

So, container security. This is where I think Docker is going to be a huge player in the field moving forward, if it already isn't; a lot of people are getting up to speed with it, and it greatly improves your security posture. So not only can you do it with host security, but then you can also have Docker security goals. One of the biggest things that it helps with is using kernel features such as cgroups and, you know, namespaces. I'll talk about those here in a minute, but those are two critical things that help ensure your Docker containers are running semi-isolated, to help ensure that one's not talking to the other while still on the same host OS. You can also start applying, you know, AppArmor, which is by default built in on the Docker, or the Docker daemon, itself, or SELinux if you have it running, you know, on your host OS as well. And there are a lot of great talks out there; if you want to, you know, search YouTube for "docker apparmor" or "docker selinux", they'll walk you through actually setting those up for your environment if you choose.

All right, so kernel namespaces: why does it matter? Namespaces are really something I started learning about a couple of years ago as I started learning Docker. I didn't realize the kernel features that were available that Docker was actually using, and once I read about them I was like, holy cow, why didn't we use this, why haven't I been using this to begin with? You use it without realizing it, but other times you don't, so you should be utilizing it. What utilizes it: having the builders actually mount a volume inside your Docker container; then it sees it, and if your namespace is written in such a way, it won't see the other things surrounding it. Where that comes into play is, for example, the root filesystem. A lot of times, you know, you don't want everyone looking at root, but there might be certain things that you want to mount. For example, if you're running a container that is, you know, just parsing logs, you might want to mount, you know, /var/log as read-only so it can actually read the logs; the mount namespace helps do that. The application that's running always starts as PID 1; it's the first thing that starts up in the container. Well, inside a Docker container the PID namespace is unique to the host, so within the Docker namespace it actually shows up as 1; externally it might be, you know, 12345, whatever sequence it actually is on the host OS, which helps that separation. I mention it more so that you are actually aware: if you're trying to debug and you're on the host OS trying to debug what's going on, you might have a hundred different containers running, trying to understand the difference, and you're inside one container, it shows up as PID 1, and it's not the same externally. So that's more just for awareness. The user namespace is critical, because you can allow an application to run as root internal to your container that isn't root on the host OS, so that is a big one. There used to be some people that were scared about, you know, getting, you know, elevated privileges to root on the host OS. In earlier versions of Docker that actually was a problem; that was actually patched early on in the 1.x cycle, so if you're concerned about that, look it up. You can see and read how it's actually been patched, what the vulnerability was, and why it's not an isolated issue anymore.

So one of the things I like about cgroups is, similar to, like, in VMware or whatever the case may be, you can limit your actual VM, the amount of memory or CPU that they actually end up taking; control groups allow that within a Docker container. So where it's really useful is, for example, from an operations perspective, you can set control groups on a particular set of containers, especially like memory. We all know Java sometimes likes to eat up a lot of memory; well, if you run a hundred containers that all eat up 32 gigs of memory and you only have 32 gigs on your system, that's probably not going to be a good thing. You can set cgroups to limit the amount of memory per container and, in essence, kill the containers, you know, when they get to a certain point, and restart them. That's a whole separate talk with Java and Java containers in memory, but it's something to be aware of, as you can put limits, which is very good.

All right, so now putting it all together. Again, like I said, I use SIMP's external modules with Puppet to initially set up my secure OS. What you see here is a set of code. Initially, within Puppet, by default there is the site manifest; the site manifest is kind of your defaults that apply globally across your entire environment. Puppet also has the construct that you can have multiple environments. I'll get into that, but be aware of it: you can use the same Puppet master for both a production environment and a dev environment, based on how you set it up. As you can see here, the environment I'm in is SIMP, which actually has to be the production environment as well; it's just a symlink. But in here you can actually see the type of compliance profile. I talked about compliance previously; what this compliance profile is, you can read the SIMP documentation to get a better understanding. It's just compliance markup, so you can actually see, you know, what is actually hitting, if things are failing, but what I'm setting here means I want it compliant and fully secure, and I want to use all of the SIMP framework, which, if you're setting something up from the ground up and you're just starting out, is what I would recommend, and you can start, you know, going from there. Again, this is the same site.pp you see down there at the very bottom. Some other options that are used here: Hiera as a database, which allows you to set different variables for different nodes and/or environments, and a higher-level construct which allows you to reuse that same manifest across multiple different nodes, like I mentioned earlier.

So once you actually have your site.pp, you'll see that these are all the ones that I have defined right now, which is this small test environment which I have running on the laptop; these are the four hostnames that I have running. And I'm going to take a look right here at the Puppet site one. Basically what this shows is the classes that I actually want to include that were not part of the standard site.pp, and as you see here I've included quite a few. You know, one of the big ones that I, you know, decided to add is the TFTP boot, which just allows me to PXE boot, which is how I bootstrapped all my other VMs. r10k is a key thing to mention real quick: if you're using Puppet, I recommend you take a look at r10k. It allows you to actually sync your code directly with GitHub or any other git repository, whether it's an internal git or an external git; you can actually do that sync for Puppet manifests and modules as well, and tie it to particular tags and versions.

All right, so for Puppet with Docker, how do you do it? garethr's is an approved one; on the Puppet Forge there's actually a Puppet Docker module that's based off of garethr's, and I use his to actually set up Docker. It facilitates the framework around installing Docker as well as running all your containers. So real quick, in the essence of time, I will go through the demonstration, because the demonstration is mainly focused on this aspect. So what I'm showing here is I have both my Puppet VM as well as my Docker VM. Within Puppet you'll see that I'm in the production environment, in the modules, and a site module, which is the one that has everything defined, and you'll notice I have both docker production and docker nginx. Docker production, all it basically does is install Docker and set up the environment for Docker. Here at the very bottom you'll notice that I have iptables rules; that's because iptables is needed for communication between Docker hosts and the actual outside. You can't have two things managing iptables, and Puppet manages iptables, so therefore you have to add those in manually. The docker nginx is actually what installs my containers themselves. And over here you'll see that I actually don't have any Docker containers running, no Docker images. So over here I'll go into my hosts, if I can type, edit my Docker host configuration; you'll see that I have the docker nginx commented out. Once I uncomment it, I go back over to my Docker host. I'm going to elevate to root just because I'm forcing Puppet to run, but in general Puppet will run automatically in the background. So it's going to go through; this is what I was talking about earlier, it's talking back to the master saying, hey, what's my configuration, what does it need to be, so I can actually, you know, grab everything down and set it. While it's doing that, I will show you my Firefox browser, and I can see my mouse; you see that I'm trying to get to my Docker VM itself, that's its IP address, but it's not actually coming up. That's because it's just now applying the Docker containers themselves. Again, if I do a `docker ps -a`, you see it's up; you see that the one I really care about is the first one, that's port 80 translated to port 80, and you also see that my iptables are now allowing port 80 to communicate, as you can see right here. So if I go back over here and refresh, now I can actually see nginx. That was all facilitated by installing the Docker container, the image itself. If I go back over here, you see I now have a Docker image that's on there. You'll see down here I actually don't have any network access, so this was all done in a closed environment, which in some cases is very important; so I did this by side-loading the Docker image using a tarball. So that's kind of it in a nutshell. I know it was kind of really rushed, but let me get through to the very end. Are there any questions? Yes?
I know we're out of time, but if you see me afterwards I can answer questions.
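As an added example (not the speaker's code or SIMP's), here is a small audit script that checks `docker inspect` output for the container hardening points raised in the talk: a cgroup memory limit, running as root inside the container, privileged mode, and /var/log bind-mounted read-write instead of read-only. The JSON is a constructed sample in the shape `docker inspect` emits, not output from the demo VMs.

```python
"""Audit `docker inspect` output for the container hardening points above.

Added example, not the speaker's code. The JSON below is a constructed
sample in the shape `docker inspect <container>...` emits, not real hosts.
"""
import json

SAMPLE_INSPECT = json.dumps([
    {   # log parser started with no limits and /var/log mounted read-write
        "Name": "/logparser",
        "Config": {"User": ""},
        "HostConfig": {"Memory": 0, "Privileged": False,
                       "Binds": ["/var/log:/var/log"]},
    },
    {   # web container with a 256 MiB cgroup limit, non-root user, ro mount
        "Name": "/web",
        "Config": {"User": "nginx"},
        "HostConfig": {"Memory": 268435456, "Privileged": False,
                       "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
])


def bind_is_read_only(bind):
    """Binds look like src:dst[:opts]; 'ro' among the opts means read-only."""
    parts = bind.split(":")
    opts = parts[2].split(",") if len(parts) > 2 else []
    return "ro" in opts


def audit(inspect_json):
    """Return {container: [finding, ...]} for every container in the dump."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if not hc.get("Memory"):            # 0 means no cgroup memory limit
            issues.append("no cgroup memory limit")
        if hc.get("Privileged"):
            issues.append("privileged container")
        if not c.get("Config", {}).get("User"):
            issues.append("runs as root inside the container")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if src.startswith("/var/log") and not bind_is_read_only(bind):
                issues.append(f"{src} mounted read-write")
        findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

On a real host, feed it `docker inspect $(docker ps -aq)` instead of the constructed sample.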