Docker meetup 2015-01-22: The Roast of Docker
Gérard de Vos
The meetup was opened by Schuberg Philis’ (and Dockercon’s!) Harm Boertien https://twitter.com/Harm_Ops who quickly handed over the mic to Mark Coleman https://twitter.com/mrmrcoleman. Mark handled the announcements (merger with Docker Utrecht :) and introduced the theme of the evening: whereas the previous meetups were all about the possibilities of Docker, this one was about its weaknesses. Or, as he later mentioned, “The Roast of Docker” :)
Adrian Mouat https://twitter.com/adrianmouat from Container Solutions was the first of three speakers with a very good talk about Provenance, or “Who are you and where the hell did you come from?”
This was largely about trust: do you know where the different components of a Docker image come from? Which versions? Are they open to man-in-the-middle attacks?
The current, slightly broken, image signing was covered too.
This is not only a security issue: subtle differences between your builds can break things in spectacular ways.
Lots of solutions were offered too. Other products, like Linux distributions, have experience with these matters: secure signing, version pinning and using HTTPS instead of HTTP.
Adrian presented some examples from the community: good ones like WordPress & MongoDB, and not so good ones like Python & Jenkins.
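To make the version-pinning and HTTPS points concrete, here is an added example (not from Adrian's talk or any of the projects mentioned) of the one check a build step can always do: pin the SHA-256 digest of a downloaded artifact and refuse to continue when the bytes differ. The file contents and digests below are constructed for the demo; the Dockerfile lines in the comments are illustrative, not from the page.

```shell
#!/bin/sh
# Added example: verify a fetched artifact against a pinned SHA-256 digest
# before building it into an image. Weak pattern seen in many Dockerfiles:
#   RUN curl http://example.invalid/app.tar.gz | tar xz      # plain HTTP, no check
# Hardened pattern (digest recorded at the time the release was audited):
#   RUN curl -fsSL https://example.invalid/app.tar.gz -o app.tar.gz \
#       && echo "<PINNED_SHA256>  app.tar.gz" | sha256sum -c -
# The function below is the same check as a reusable shell helper.
set -eu

# SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_DIGEST: exit status 0 on match, 1 on mismatch.
# A mismatch means the bytes are not the ones you audited, whether because of
# a man-in-the-middle on a plain-HTTP download or a silently re-published release.
verify_artifact() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Demo with a constructed "release tarball": record the digest once, then show
# that a modified copy of the same file is rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'release contents v1.0\n' > "$tmp/app.tar.gz"
    pinned=$(sha256_of "$tmp/app.tar.gz")   # the value you would write into the Dockerfile
    verify_artifact "$tmp/app.tar.gz" "$pinned" && echo "ok: digest matches"
    printf 'tampered\n' >> "$tmp/app.tar.gz"   # simulate altered bytes in transit
    if verify_artifact "$tmp/app.tar.gz" "$pinned" 2>/dev/null; then
        echo "BUG: tampered file accepted"; rm -rf "$tmp"; return 1
    fi
    echo "ok: tampered file rejected"
    rm -rf "$tmp"
}
```

Call `demo` after sourcing the file to see both outcomes. Pinning a digest does not replace proper signing, but it turns "whatever the mirror served today" into "exactly the bytes I looked at", which is the reproducibility point made in the talk.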
Check the following if you create containers:
Mike Wessling https://twitter.com/mikew42 from BitBrains was up next, and his presentation “Falling off the Shoulders of Giants” was about the black-box problem with Docker. While it is technically possible to create Docker images that are transparent, manageable, monitorable, etc., it is not easy, nor daily practice, for a lot of the images out there. Mike misses a lot of the “knobs” to tune and configure containers. There was a lot of interaction during this talk: Mike mentioned pain points and members of the audience offered suggestions on how to fix them, or argued why they are not an issue. One of these was around JBoss. With Docker you can create a nice container around it, but JBoss already is a container: a WAR or EAR file, and for ops, tuning and configuration management happen through the JBoss container. Putting it in Docker takes away a lot of the tools ops relies on. A nice remark made during the talk was: is a container just a slow OS process or a fast VM? I think that depends on whether you ask a dev or an ops guy.
Michael Boelen https://twitter.com/mboelen from CISOfy, with “Are your Containers tightly secured to the ship”, covered the low-level security of Docker and its host OS. What he noticed when researching is that there is very little information out there, so if you work on this, please write about it too :)
Michael went into the Linux security features SELinux, AppArmor, seccomp, cgroups and kernel capabilities. They are there to keep processes in check, and since Docker containers are just processes, they should be applied to containers too.
The presentation also has a nice list of security best practices and how to apply them to your containers.
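As an added example (not from Michael's presentation or CISOfy's list), the following shows what applying those kernel features looks like for one container: a plain `docker run` next to a hardened one that drops capabilities, attaches seccomp and AppArmor profiles, sets cgroup limits and runs as an unprivileged user. The image name `example/app:1.0`, the seccomp profile path and the port are assumptions for the demo; the flags themselves are standard `docker run` options.

```shell
#!/bin/sh
# Added example: loose vs hardened `docker run` for the same service.
# Image name, profile path and port are placeholders chosen for the demo.
set -eu

# Default invocation: Docker's full default capability set, no cgroup limits,
# writable root filesystem, process runs as root inside the container.
loose_run_cmd() {
    echo "docker run -d -p 8080:8080 example/app:1.0"
}

# Hardened invocation, one kernel feature per line.
hardened_run_cmd() {
    cmd="docker run -d -p 8080:8080"
    # Kernel capabilities: drop everything, add back only what the service needs
    # (here: binding a privileged port).
    cmd="$cmd --cap-drop=ALL --cap-add=NET_BIND_SERVICE"
    # seccomp: syscall filter. Docker applies its default profile on its own;
    # a tighter custom profile is passed as a JSON file (path is an assumption).
    cmd="$cmd --security-opt=seccomp=/etc/docker/seccomp/app.json"
    # AppArmor: confine file and network access; docker-default is Docker's own profile.
    cmd="$cmd --security-opt=apparmor=docker-default"
    # Prevent setuid binaries inside the image from regaining privileges.
    cmd="$cmd --security-opt=no-new-privileges"
    # cgroups: cap memory and process count so a runaway container cannot starve the host.
    cmd="$cmd --memory=256m --pids-limit=100"
    # Immutable root filesystem with an explicit scratch area, and a non-root user.
    cmd="$cmd --read-only --tmpfs=/tmp --user=1000:1000"
    echo "$cmd example/app:1.0"
}

# Print both command lines; actually start the hardened container only when
# docker is installed and this script is invoked with the argument "run".
main() {
    echo "loose:    $(loose_run_cmd)"
    echo "hardened: $(hardened_run_cmd)"
    if [ "${1:-}" = "run" ] && command -v docker >/dev/null 2>&1; then
        eval "$(hardened_run_cmd)"
    fi
}

[ "${1:-}" = "" ] || main "$@"
```

Run the script with no arguments to just compare the two command lines, or with `run` on a Docker host to start the hardened container. The hardened flags are deliberately a starting point: which capabilities to add back and which syscalls the seccomp profile allows are exactly the "knobs" that have to be worked out per image.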
What was clear from the meetup is that there are valid concerns with running Docker in production environments, and that there is a divide between dev and ops, also (or especially) with regards to Docker. What made this devops is that the different concerns were voiced, people listened, and everyone is trying to work together and grow towards each other.
Check out the pictures at http://www.meetup.com/Docker-Amsterdam/photos/all_photos/?photoAlbumId=25864887
Rudi Heinen and Gérard de Vos