Diogo Mónica

Least Privilege Container Orchestration

The Docker platform and the container has become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator. Orchestrators are responsible for critical clustering and scheduling tasks, such as: Managing container scheduling and resource allocation. Support service discovery and hitless application deploys. Distribute the necessary resources that applications need to run. Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment makes securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties. Motivation and threat model One of the primary objectives of Docker EE with swarm mode is to provide Continue reading…

Sophia Parafina

Securing the AtSea App with Docker Secrets

Passing application configuration information as environmental variables was once considered best practice in 12 factor applications. However, this practice can expose information in logs, can be difficult to track how and when information is exposed, third party applications can access this information. Instead of environmental variables, Docker implements secrets to manage configuration and confidential information. Secrets are a way to keep information such as passwords and credentials secure in a Docker CE or EE with swarm mode. Docker manages secrets and securely transmits it to only those nodes in the swarm that need access to it. Secrets are encrypted during transit and at rest in a Docker swarm. A secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running. The AtSea Shop is an example storefront application that can be deployed Continue reading…

Victor Coisne

DockerCon 2017 Day 1 Highlights

What an incredible DockerCon 2017 we had last week. Big thank you to all of the 150+ confirmed speakers, 100+ sponsors and over 5,500 attendees for contributing to the success of these amazing 3 days in Austin. You’ll find below the videos and slides from general session day 1.All the slides will soon be published on our slideshare account and all the breakout session video recordings available on our DockerCon 2017 youtube playlist. Here’s what we covered during the day 1 general session: 17:00 Developer Workflow improvements and demo 37:00 Secure Orchestration and demo 59:00 Introducing LinuxKit: a toolkit for building secure, lean and portable linux subsystems 1:15 Introducing the Moby Project: a new open source project to advance the software containerization movement Development workflow Improvements Solomon’s keynote started by introducing new Docker features to improve the development workflows of Docker users: multi-stage builds and desktop-to-cloud integration. With multi-stage builds Continue reading…