Docker security features include: 1. Encrypted node ID; 2. TLS-based authentication mechanism; 3. Security access token; 4. CA configuration that supports periodic certificate automatic update; 5. Encrypted cluster storage ; 6. Encrypted network; 7. Docker security scanning; 8. Docker content trust; 9. Docker key, etc.
The operating environment of this tutorial: linux5.9.8 system, docker-1.13.1 version, Dell G3 computer.
The Docker platform also introduces a large number of its own security technologies. Swarm mode is built on TLS and is extremely simple and flexible to configure. Security scans scan images at the binary source code level and provide detailed reports of known flaws.
Docker content trust allows users to sign and certify content, and keys are now first-class citizens in Docker. Docker sets reasonable default values for these security technologies, but users can also modify the configuration or disable these security technologies.
Swarm mode
Swarm mode is the future trend of Docker. Swarm mode allows users to manage multiple Docker hosts in a cluster and deploy applications in a declarative manner.
Each Swarm is composed of manager and worker nodes, and the nodes can be Linux or Windows. The manager node forms the control layer in the cluster and is responsible for cluster configuration and workload distribution. Worker nodes are containers that run application code.
As expected, Swarm mode includes many security features out of the box, while also setting sensible defaults. These security features include the following.
Encrypted node ID.
TLS-based authentication mechanism.
Secure access token.
CA configuration that supports periodic certificate automatic updates.
Encrypted cluster storage (configuration DB).
Encrypted network.
Docker Security Scan
The ability to quickly find code flaws is crucial. Docker Security Scanning makes it easy to detect known flaws in Docker images.
Docker security scanning is now available for private repository images on Docker Hub. At the same time, this technology can also be used as part of the Docker trusted service localization deployment solution. Finally, all official Docker images have been security scanned, and scan reports are available in their repositories.
Docker security scanning scans Docker images at the binary code level, and checks the software in them against a database of known vulnerabilities (CVE database). After the scan is completed, a detailed report is generated.
Open a browser to visit Docker Hub and search for the Alpine repository. The image below shows the Tags tab of the official Alpine repository.
#The Alpine warehouse is an official warehouse, which means that the warehouse will automatically scan and generate corresponding reports. As you can see, the images with image tags edge, lates, and 3.6 have all passed the check for known defects. However, the alpine:3.5 image has known defects (marked in red).
If you open the alpine:3.5 image, you can find the detailed information as shown below.
This is an easy way to discover details of known flaws in your own software.
Docker Trusted Registry (DTR) is part of the localized image warehouse service in Docker Enterprise Edition. It provides the same capabilities and also allows users to control their image scanning timing. and scanning methods.
For example, DTR allows users to choose whether to automatically trigger scans when images are pushed, or whether they can only be triggered manually. At the same time, DTR also allows users to manually update the CVE database, which is an ideal solution for scenarios where DTL cannot connect to the Internet to automatically update CVE data.
This is Docker security scanning, a great way to deeply detect whether Docker images have known security flaws. Of course, with greater ability comes greater responsibility. When users discover defects, they need to bear the responsibility of solving the corresponding defects.
Docker Content Trust
Dockr Content Trust (Docker Content Trust, DCT) makes it easy for users to confirm the integrity of downloaded images and its publisher. This is important when downloading images in an untrusted network environment.
At a high level, DCT allows developers to sign images published to Docker Hub or Docker Trusted Services. When these images are pulled, the signature status will be automatically confirmed. The image below illustrates this process.
#DCT can also provide key context, such as whether the image has been signed and can be used in production environments, whether the image has been replaced by a new version and becomes obsolete, etc.
The context provided by DTC is still in its infancy and is quite complex to configure. To enable DCT functionality on a Docker host, all you have to do is set the DOCKER_CONTENT_TRUST variable to 1 in your environment.
$ export DOCKER_CONTENT_TRUST=1
Copy after login
In actual environments, users may want to enable this feature by default in the system.
If you use the Docker unified configuration layer (part of Docker Enterprise Edition), you need to check the Run Only Signed Images checkbox as shown in the figure below. This will force all nodes in the UCP cluster to run only signed images.
As can be seen from the above figure, UCP further encapsulates the DCT and provides security preference information of the signed image. For example, a user may have a requirement that only images signed by secops can be used in a production environment.
Once the DCT function is turned on, unsigned images cannot be obtained and used. The following figure shows the error reported when trying to pull an unsigned image through the Docker CLI or UCP Web UI interface again after DCT is turned on (both examples try to pull the image labeled "unsigned").
The following figure shows how DCT prevents the Docker client from pulling a tampered image.
#The following figure shows how DCT prevents clients from pulling old images.
Docker content trust is an important technology that helps users check images pulled from the Docker service. The basic mode of this technology is very simple to configure, but some advanced features such as context are still very complicated to configure at this stage.
Docker Key
Many applications require keys. Such as passwords, TLS certificates, SSH keys, etc.
Before Docker version 1.13, there was no standard and secure way to share keys between applications. A common way is for developers to write the key as text into an environment variable. This is far from ideal.
Docker1.13 introduces Docker keys, turning keys into first-class citizens in the Docker ecosystem. For example, a new subcommand docker secret has been added to manage keys. There is also a dedicated place to create and manage keys in Docker's UCP interface.
In the background, the key is encrypted after creation and during transmission, is mounted to the memory file system when used, and is only accessible to those services that have been authorized. This is truly a comprehensive end-to-end solution.
The figure below shows the overall process.
Each step of the workflow shown in the figure above is introduced in turn.
1) The key is created and sent to Swarm.
2) The key is stored in the cluster storage and is encrypted (each manager node can access the cluster storage).
3) Service B is created and the key is used.
4) The process of key transmission to the task node (container) of service B is encrypted.
5) The container of service B decrypts the key and mounts it to the path /run/secrets. This is a temporary in-memory file system (this step is different in Windows Docker because there is no concept of an in-memory file system in Windows).
6) Once the container (service task) is completed, the memory file system is closed and the key is deleted.
7) Containers in service A cannot access the key.
Users can manage keys through the docker secret subcommand, and can specify a key for a service by appending --secret when running the docker service create command.
Recommended learning: "docker video tutorial"
The above is the detailed content of What are the security features of docker?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
