1
00:00:02,670 --> 00:00:04,777
‫The first one is basically do some reading.

2
00:00:05,586 --> 00:00:09,060
‫Like this top part is around

3
00:00:09,450 --> 00:00:11,690
‫giving yourself the basic education of what...how

4
00:00:12,780 --> 00:00:15,699
‫does Docker work? What is basic security in Docker?

5
00:00:15,720 --> 00:00:17,631
‫How does Docker even, you know, protect

6
00:00:18,690 --> 00:00:20,039
‫your container? That sort of stuff.

7
00:00:20,610 --> 00:00:23,639
‫I have basically a production talk you can watch

8
00:00:23,640 --> 00:00:25,079
‫here. We're not going to watch that now.

9
00:00:25,770 --> 00:00:27,834
‫I do have a link here to the Docker security guide.

10
00:00:29,040 --> 00:00:31,735
‫Now, what's interesting about the Docker security guide

11
00:00:32,070 --> 00:00:33,070
‫here is that it's

12
00:00:35,610 --> 00:00:37,589
‫really just about how does Docker security work?

13
00:00:37,590 --> 00:00:39,199
‫Or, how does Docker itself work?

14
00:00:40,090 --> 00:00:42,050
‫There is way better videos in my course.

15
00:00:42,320 --> 00:00:45,056
‫I put links in there to other reference videos that are an

16
00:00:45,572 --> 00:00:47,303
‫entire hour about the underpinnings of Docker.

17
00:00:47,400 --> 00:00:49,812
‫The two main things you need to care about are kernel

18
00:00:50,460 --> 00:00:51,550
‫namespaces and Cgroups.

19
00:00:52,380 --> 00:00:54,833
‫Namespaces, they go through a nice

20
00:00:55,700 --> 00:00:58,320
‫overview of how this stuff works.

21
00:00:59,210 --> 00:01:01,611
‫The summary here is there's two, main features in

22
00:01:02,340 --> 00:01:05,458
‫Linux that allow Docker to

23
00:01:05,459 --> 00:01:07,811
‫even be possible. Kernel namespaces is a way for

24
00:01:08,700 --> 00:01:10,611
‫the kernel to take an application, or a

25
00:01:11,700 --> 00:01:13,660
‫set of applications, and namespace them.

26
00:01:14,520 --> 00:01:16,671
‫Namespace is essentially limiting

27
00:01:18,600 --> 00:01:21,050
‫their view, their access to any resources, or what

28
00:01:21,541 --> 00:01:24,195
‫they see, whether that's networking, other programs in

29
00:01:24,720 --> 00:01:28,079
‫memory, or files on disk, it limits that

30
00:01:28,080 --> 00:01:29,450
‫scope per program.

31
00:01:29,770 --> 00:01:32,393
‫So, it can be for each individual program, and

32
00:01:33,000 --> 00:01:35,579
‫we know those as containers now. Because namespaces isn't

33
00:01:35,580 --> 00:01:38,339
‫specific to Docker. It was around a lot longer than Docker

34
00:01:38,340 --> 00:01:40,300
‫has been. It's been actually around as a

35
00:01:41,281 --> 00:01:43,699
‫concept in different Unix distributions for over a decade.

36
00:01:43,700 --> 00:01:47,159
‫We might have heard this in Solaris

37
00:01:47,160 --> 00:01:49,169
‫Jails or other types of technologies that

38
00:01:50,540 --> 00:01:52,500
‫essentially made you think that you were

39
00:01:54,060 --> 00:01:56,510
‫on your own server, but really, you were contained

40
00:01:57,060 --> 00:01:59,792
‫inside a server with many other people and many other apps,

41
00:01:59,793 --> 00:02:02,194
‫right. We've done that a lot in Linux and hosting

42
00:02:02,371 --> 00:02:03,371
‫platforms.

43
00:02:04,550 --> 00:02:07,350
‫Namespaces is that feature. It gives your container its own

44
00:02:07,351 --> 00:02:10,249
‫NIC. It's a virtual NIC just for that container.

45
00:02:10,410 --> 00:02:12,232
‫It gives it its own file space

46
00:02:13,890 --> 00:02:16,300
‫where it doesn't see the rest of the following file system,

47
00:02:16,390 --> 00:02:19,281
‫and it doesn't let it see other programs running outside of

48
00:02:19,460 --> 00:02:22,673
‫that container. So, it's about its access and view, right.

49
00:02:22,910 --> 00:02:23,910
‫That's namespaces.

50
00:02:24,170 --> 00:02:25,250
‫That just works out-of-the-box.

51
00:02:25,780 --> 00:02:28,083
‫That's how Docker makes a container run without

52
00:02:29,580 --> 00:02:30,580
‫seeing everything else on the system.

53
00:02:31,210 --> 00:02:32,601
‫The other big thing is control groups, or we call them

54
00:02:32,602 --> 00:02:34,690
‫Cgroups for short. Control groups

55
00:02:36,300 --> 00:02:38,581
‫are mostly about limiting resource usage.

56
00:02:38,740 --> 00:02:41,718
‫You can tell a container it only has access to 1GB of RAM,

57
00:02:42,500 --> 00:02:44,842
‫one CPU, that sort of stuff.

58
00:02:44,950 --> 00:02:47,547
‫It also allows for some metrics where you can measure

59
00:02:48,570 --> 00:02:50,721
‫things around that stuff, but it's really mostly

60
00:02:52,410 --> 00:02:55,709
‫about limiting your container. Remember, your

61
00:02:55,710 --> 00:02:59,069
‫containers, by default, can have access to all resources in

62
00:02:59,070 --> 00:03:01,291
‫terms of they can eat up all the file space, they can take

63
00:03:01,292 --> 00:03:03,179
‫all CPUs, and they can eat up all the memory.

64
00:03:03,180 --> 00:03:06,599
‫That's just a standard container, but you can set options

65
00:03:06,600 --> 00:03:09,819
‫in docker run, or in Swarm, or

66
00:03:10,150 --> 00:03:12,698
‫Kubernetes. Any of those things have the ability for

67
00:03:13,890 --> 00:03:14,890
‫you to control resources.

68
00:03:16,290 --> 00:03:18,909
‫But, it's just not by default, right. By default, any

69
00:03:18,940 --> 00:03:20,020
‫container gets everything.

70
00:03:20,560 --> 00:03:23,304
‫When you're going into production, this is definitely on

71
00:03:23,620 --> 00:03:26,029
‫your to do list. I wouldn't say control groups are

72
00:03:26,030 --> 00:03:29,110
‫necessarily a security feature except

73
00:03:29,230 --> 00:03:31,810
‫for a particular application

74
00:03:32,560 --> 00:03:34,720
‫taking up everything that it shouldn't, and then it makes

75
00:03:34,780 --> 00:03:36,303
‫other things not be able to run, right.

76
00:03:36,700 --> 00:03:39,520
‫That's not...I don't look at that as direct security.

77
00:03:39,550 --> 00:03:42,343
‫I look at that as sort of semi-related to security, where

78
00:03:42,580 --> 00:03:45,490
‫someone could technically do a denial of service by

79
00:03:45,550 --> 00:03:47,706
‫letting your app eat up all the resources on

80
00:03:48,520 --> 00:03:51,520
‫your server. So, you know, that kind of thing.

81
00:03:51,550 --> 00:03:53,229
‫Those are the basics.

82
00:03:53,530 --> 00:03:55,719
‫Once you understand the basics, there's a couple of good

83
00:03:55,720 --> 00:03:58,415
‫blog articles here on different types of security tools

84
00:03:58,720 --> 00:04:01,330
‫out there. There's tons of tools,

85
00:04:02,148 --> 00:04:03,599
‫right. I'm not going to mention all of them today.

86
00:04:03,610 --> 00:04:06,189
‫Obviously, there's lots of stuff out there, but a lot of

87
00:04:06,190 --> 00:04:08,710
‫them are complicated and take projects.

88
00:04:08,920 --> 00:04:11,979
‫You have to implement them, or buy them, and then dedicate

89
00:04:11,980 --> 00:04:12,980
‫servers for them, right.

90
00:04:13,060 --> 00:04:16,029
‫Big products around auditing, or

91
00:04:16,360 --> 00:04:18,565
‫making sure you pass certain credentials like

92
00:04:19,480 --> 00:04:21,679
‫a PCI credit card security, or government regulation

93
00:04:21,680 --> 00:04:23,199
‫security, that kind of stuff.