Docker/C3/Docker-Security/English
Visual Cue | Narration |
Show slide:
Title Slide |
Hello and welcome to the Spoken Tutorial on “Docker Security”. |
Show Slide:
Learning Objectives |
In this tutorial, we will learn about
|
Show Slide:
System Requirements |
To record this tutorial, I am using
|
Show Slide:
Pre-requisites https://spoken-tutorial.org/ |
To follow this tutorial,
|
Show Slide:
Security in Docker |
Security in Docker protects containerized apps from threats to the host, the daemon, the images and the running containers.
It aims to preserve the integrity and confidentiality of the application and its data. |
Only narration | Let us see some key steps to secure Docker hosts.
For example, we shall see how to manage user privileges using the docker group. |
In terminal, type getent group docker and press Enter | Open the terminal by pressing Ctrl, Alt and T keys together.
First let us verify if the docker group exists. Type the command as shown and press Enter. |
Highlight the output
docker:x:984: |
We get this output, which verifies that the docker group exists on our system.
Note that the docker group is created by default during Docker installation. Here x means that the group password is not kept in this file but in the shadow file /etc/gshadow. 984 is the Group ID that the system associates with the docker group. It may be different on your system. The field after the last colon is empty, so no users have been added to the group yet. |
Only narration | Now let us add our system username. |
Type sudo usermod -aG docker pranjal and press Enter | Type the command as shown.
Here replace pranjal with your system username. Enter the password if prompted. |
Type getent group docker and press Enter | To verify, again let us enter the command as shown. |
Highlight the output | Now we can see our username after the last colon. |
Reboot or Logout and login. | Reboot the system to have the changes applied or logout and login again. |
In terminal, type docker images and press Enter | Now let us try running docker commands without using sudo.
Type docker images and press Enter. |
Highlight the output | We get the list of docker images available in our system.
The docker group lets its members run Docker commands without the sudo prefix. Be aware that this is equivalent to giving them root on the host: the Docker daemon runs as root, and a member can start a container that mounts the host filesystem (for example with -v /:/host) and read or change any file on it. Add only users you would trust with sudo, and review the group regularly. |
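Because docker group membership is root-equivalent, it is worth checking on a schedule rather than once. The script below is an added example, not code from the tutorial: it parses docker group membership in /etc/group format and flags any member that is not on an allowlist. The sample group database, the user names pranjal and ci-runner, and the GROUP_DB_TEXT and ALLOWED_USERS variables are assumptions of this example; on a real host feed it the output of getent group docker.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit who is in the docker group.
# Every member is effectively root on the host, so membership should match an
# explicit allowlist. Runs offline against a constructed /etc/group sample;
# for a real host run it with: GROUP_DB_TEXT="$(getent group docker)" sh audit.sh

# Constructed sample in /etc/group format; "pranjal" and "ci-runner" are invented.
SAMPLE_GROUP_DB='root:x:0:
sudo:x:27:pranjal
docker:x:984:pranjal,ci-runner'

# docker_group_members DB_TEXT -> one member per line (nothing if the group
# is empty or absent). Field 4 of the docker entry is the comma-separated list.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# audit_docker_group DB_TEXT "user1 user2 ..." -> prints each member that is
# not on the allowlist; returns 1 if any were found, 0 if the group is clean.
audit_docker_group() {
    db=$1
    allow=" $2 "
    rc=0
    for user in $(docker_group_members "$db"); do
        case "$allow" in
            *" $user "*) ;;   # expected member
            *) printf 'UNEXPECTED docker group member: %s\n' "$user"; rc=1 ;;
        esac
    done
    return $rc
}

# Allowed members; adjust to your host. Invented name, as above.
ALLOWED_USERS=${ALLOWED_USERS:-pranjal}

if audit_docker_group "${GROUP_DB_TEXT:-$SAMPLE_GROUP_DB}" "$ALLOWED_USERS"; then
    echo "docker group membership matches the allowlist"
else
    echo "review docker group membership: the users above have root-equivalent access"
fi
```

The non-zero return from audit_docker_group is deliberate, so the same script can fail a configuration check in CI or a cron job can alert on it.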
Only narration | Now let us see methods to secure docker daemon.
For example, we shall see how to limit resource use. |
Type docker run --memory="256m" --cpus="1" stuser1/node-express and press Enter | In the terminal session, enter the command as shown.
This command starts a container from the image node hyphen express. It limits the container to 256 MB of memory and one CPU core. Without limits a container may use all of the host's memory and CPU, so a runaway or compromised container can starve the host and every other container on it. Setting resource limits helps manage performance, stability, and cost. |
Highlight the output | We can see that now, our container is running. |
Type docker stats and press Enter | Open a new terminal session, and close the previous one.
To verify, type docker stats and press Enter. This command monitors the real-time resource usage of containers. Our container is using 12.86 MiB of its 256 MiB memory limit and almost no CPU, shown as 0%. The output may be different for you. |
Type docker ps and press Enter | In the new terminal session, enter the command as shown to list the running containers and find the ID of the one we want to stop.
We can see a list of running containers. |
Copy the Container_id | Copy the container ID. |
Type docker stop <Container_id> and press Enter | Enter the docker stop command as shown and paste the container ID.
This will stop the running container. |
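Reading docker stats by eye works for one container; for a host with many, the check should be automated. The script below is an added example and not from the tutorial: it reads the output of docker stats with a --format of real fields (.Name, .MemUsage, .PIDs), converts the units docker prints to bytes and alerts on any container at or above a percentage of its memory limit. The container names and figures in the sample are constructed so the check runs without a Docker daemon.

```shell
#!/bin/sh
# Added example, not part of the tutorial: turn `docker stats` into an alert
# when a container approaches its memory limit. The --format fields below
# (.Name, .MemUsage, .PIDs) are real docker stats fields; the sample lines are
# constructed so the check runs without a Docker daemon.

STATS_FORMAT='{{.Name}} {{.MemUsage}} {{.PIDs}}'

# Constructed sample in the shape docker stats prints with that format.
SAMPLE_STATS='node-express 12.86MiB / 256MiB 7
batch-worker 250.5MiB / 256MiB 310
unlimited 1.2GiB / 15.5GiB 12'

# to_bytes VALUE -> integer bytes for the units docker stats uses (B, kB, MB,
# GB, KiB, MiB, GiB). Done in awk so large values do not depend on the shell's
# integer width.
to_bytes() {
    printf '%s\n' "$1" | awk '{
        v = $0; mult = 1
        if      (sub(/KiB$/, "", v)) mult = 1024
        else if (sub(/MiB$/, "", v)) mult = 1024 * 1024
        else if (sub(/GiB$/, "", v)) mult = 1024 * 1024 * 1024
        else if (sub(/kB$/, "", v))  mult = 1000
        else if (sub(/MB$/, "", v))  mult = 1000 * 1000
        else if (sub(/GB$/, "", v))  mult = 1000 * 1000 * 1000
        else sub(/B$/, "", v)
        printf "%d\n", v * mult
    }'
}

# check_stats THRESHOLD_PERCENT  (stats lines on stdin)
# Prints an ALERT line for every container at or above the threshold and
# returns 1 if there was at least one, so it can gate a cron job or a CI step.
check_stats() {
    thr=$1
    found=0
    while read -r name used slash limit pids; do
        [ -n "$name" ] || continue
        ub=$(to_bytes "$used")
        lb=$(to_bytes "$limit")
        pct=$(awk -v u="$ub" -v l="$lb" 'BEGIN { printf "%d\n", (l > 0) ? u * 100 / l : 0 }')
        if [ "$pct" -ge "$thr" ]; then
            printf 'ALERT %s at %d%% of %s (%s pids)\n' "$name" "$pct" "$limit" "$pids"
            found=1
        fi
    done
    return $found
}

# Offline run against the sample. Live use on a host:
#   docker stats --no-stream --format "$STATS_FORMAT" | check_stats 80
if printf '%s\n' "$SAMPLE_STATS" | check_stats 80; then
    echo "all containers are below 80% of their memory limit"
fi
```

The PID count is carried through deliberately: a container near its memory limit with hundreds of processes is a different incident from one with seven, and pairing a memory limit with --pids-limit is the usual follow-up.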
Only narration | Next let us see about Docker Content Trust and Image Signing. |
Show Slide:
Docker Content Trust and Image Signing |
Docker Content Trust, that is DCT, lets you verify the integrity and the publisher of Docker images through digital signatures.
With DCT enabled, the Docker client refuses to pull or run an image tag that does not carry a valid signature. |
Only narration | Now let us implement this process on our system. |
In terminal, type export DOCKER_CONTENT_TRUST=1 and press Enter | To enable DCT, we set the environment variable as shown. Note that export only affects the current shell session; in a new terminal the variable has to be set again. |
In terminal, type docker login and press Enter
Enter password if prompted |
Then we need to login to Docker Hub to push and pull images from it.
Type docker login and press Enter. Enter the Docker Hub credentials if prompted. |
Highlight the output | We have successfully logged in. |
Type docker tag stuser1/node-express stuser1/node-express-dct:sign and press Enter. | Then let us tag the image as node-express-dct with the tag sign, so the signed copy is easy to tell apart from the original.
Enter the command as shown. Make sure stuser1 is replaced with your Docker Hub username. |
Type docker trust key generate demokey and press Enter | Then type the command as shown.
This command creates a new key pair for signing Docker images. I have named the key demokey. The private key is used to sign images; the matching public key lets others verify those signatures. |
Type passphrase and press Enter | We are prompted to enter a password that will protect the private key.
Type the desired password and press Enter. |
Confirm passphrase | Again to confirm we are asked to enter the same password. |
Highlight Successfully generated… sentence from the output. | We can see that our private key is successfully generated and loaded into the local trust store.
The matching public key is written to the file demokey.pub in the directory shown. |
Type docker trust signer add --key demokey.pub teststsigner stuser1/node-express-dct:sign | Type the command as shown.
This command adds a trusted signer for the given repository. |
Highlight teststsigner | I have named the signer as teststsigner. |
Highlight demokey.pub | It registers the public key file demokey dot pub, so that signatures made with the demokey private key can be verified. |
Press Enter | Press Enter |
Highlight Enter passphrase for new root key | Here, Docker asks for a passphrase for a new root key.
The root key is the root of trust for every repository you sign from this machine. It is generated only once, so keep this passphrase safe and back the key up offline. |
Type the password and press Enter | Type the desired password and press Enter.
Password need not be the same as before. Confirm the password by entering it again. |
Highlight Enter passphrase for repository key | Now, Docker is asking for the password for the repository key. |
Highlight stuser1/node-express-dct:sign | This repository key signs the tags of this particular repository.
It is a separate key from both the root key and the demokey we generated earlier.
|
Type the password and press Enter | Type the desired password and press Enter.
Confirm the password by entering it again. |
Highlight Successfully added… sentence | We can see that the signer teststsigner is successfully added to the repository. |
Type docker trust sign stuser1/node-express-dct:sign and press Enter | Now let us sign the Docker image using Docker Content Trust.
Enter the command as shown. |
Only narration | docker trust sign pushes the tag to Docker Hub as part of the signing process.
Because the layers are identical to those of stuser1/node-express, which is already on Docker Hub, they are reported as mounted from that repository instead of being uploaded again. |
Type the password for demokey and press Enter | Enter the password for demokey. |
Highlights ‘Successfully signed docker.io/stuser1/node-express-dct:sign’ | The image is successfully signed. |
Type docker trust inspect --pretty stuser1/node-express-dct:sign | Enter the command as shown for the image we just signed.
The --pretty flag prints the trust data in a human-readable table; without it the command prints JSON. |
Scroll through the output. | It includes signed tags, signers, and keys used. |
Type export DOCKER_CONTENT_TRUST=0 and press Enter | Before proceeding, disable DCT in this shell. With it enabled, docker pull refuses any image that has no trust data, which includes the Trivy image we pull later from GitHub Container Registry.
To do so, enter the command as shown. |
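Exporting DOCKER_CONTENT_TRUST for the whole session is what forces the step above: the setting leaks into every later command. An alternative is to enforce DCT only for the pull that needs it, and then pin the image by the digest the verified tag resolved to, since a tag can be re-pointed but a digest cannot. The script below is an added example, not code from the tutorial or from Docker. The docker pull, docker inspect and the --format template it uses are real; the DOCKER_CMD variable is an assumption of the example so the function can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example, not part of the tutorial: enforce Docker Content Trust for a
# single pull instead of exporting DOCKER_CONTENT_TRUST for the whole session,
# and record the immutable digest the verified tag resolved to.
# DOCKER_CMD is an assumption of this example so it can be tested offline;
# it defaults to the real docker CLI.
DOCKER_CMD=${DOCKER_CMD:-docker}

# trusted_pull REPO:TAG
# Pulls with signature verification on, then prints repo@sha256:... so the
# caller can pin that digest. Returns 1, with a message on stderr, if the tag
# has no valid signature (docker pull fails under DCT in that case).
trusted_pull() {
    ref=$1
    # Subshell: the variable exists only for this pull and never leaks into
    # the caller's environment, so there is nothing to unset afterwards.
    if ! ( export DOCKER_CONTENT_TRUST=1; "$DOCKER_CMD" pull "$ref" >/dev/null ); then
        printf 'refusing %s: no valid Docker Content Trust signature\n' "$ref" >&2
        return 1
    fi
    # RepoDigests is filled in by docker pull; index 0 is the registry digest.
    "$DOCKER_CMD" inspect --format '{{index .RepoDigests 0}}' "$ref"
}

# Run directly with an image reference to pull it under DCT and print its digest.
# Typical use: digest=$(trusted_pull stuser1/node-express-dct:sign) && docker run --rm "$digest"
if [ $# -gt 0 ]; then
    trusted_pull "$1"
fi
```

Running by digest (repo@sha256:...) in the later docker run means that even if someone later re-signs or re-points the tag, the deployment keeps the exact image that was verified here.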
Only narration | Next we will see about security scanning and tools used for it.
Security scanning identifies vulnerabilities in containerized applications. |
Show Slide:
Tools for Security Scanning |
Docker Scout:
It is integrated with Docker Hub. It scans images for vulnerabilities and provides detailed results.
Trivy:
It is an open-source tool that scans Docker images for vulnerabilities. |
Only narration | First we shall see security scanning using the docker scout tool. |
Go to web browser and type https://hub.docker.com/ and press Enter | Go to the web browser, and enter the link as shown.
This will take us to Docker Hub website. |
Enter username and password to sign in | In the top right corner, click on the sign in and enter your credentials.
Once signed in, we will be redirected to the repositories section. |
From the list, click on stuser1/node-express | We can see the list of our pushed images.
Click on stuser1/node-express. |
On the stuser1/node-express page, click on Settings option, just above the stuser1/node-express box | Just above the stuser1/node-express box, we can see various options.
It includes General, Tags, Builds, and more. Select Settings option. |
From the Image security insight settings section, click on Docker Scout image analysis button. | In the Image security insight settings, select Docker Scout image analysis to enable it. |
Click on Save button | Save it by clicking on the Save button. |
Only narration | We get a notification informing us that we have reached the repository limit of our free plan.
If we want to secure more repositories with Docker Scout, we can upgrade our plan. |
Click on General option | Then go back to the General option.
In the Tags section, the vulnerability counts for each tag are now visible. |
Click on latest from Tag column | Click on the latest Tag, to get detailed information.
We can see the list of packages that are affected. |
Hover over the yellow coloured box. | If you hover over the coloured boxes, the severity level is visible. |
Scroll through vulnerabilities section | In the right column, we can see the various packages with their severity levels. |
Only narration | Now let us see security scanning using the Trivy tool. |
In terminal, type docker pull ghcr.io/aquasecurity/trivy and press Enter. | First, we shall pull the Trivy image from the GitHub Container Registry, ghcr.io.
Switch to the terminal and enter the command as shown. |
Highlight the output | We have downloaded the Trivy image. |
In terminal, type docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/trivy:/root/.cache/ ghcr.io/aquasecurity/trivy:latest image stuser1/node-express | Pulling the image does not install Trivy on the host.
Instead, we run Trivy inside its own container and hand it the name of the image to scan. Type the command as shown. |
Highlight docker run | This starts the Trivy container, which we just pulled in the previous step. |
Highlight --rm | This option auto-removes the container after it finishes running. |
Highlight -v | v flag mounts host directories into the container. |
Highlight /var/run/docker.sock:/var/run/docker.sock | This mounts the Docker socket, so Trivy can ask the Docker daemon for the image it is scanning. Anything that can reach this socket controls the daemon, and therefore the host, so mount it only into tools you trust. |
Highlight $(pwd)/trivy:/root/.cache/ | This keeps Trivy's cache, including its vulnerability database, in a trivy folder under the current directory, so later scans do not download it again. |
Highlight ghcr.io/aquasecurity/trivy:latest | This specifies the Trivy Docker image that we want to run. |
Highlight stuser1/node-express | This is the image that we want Trivy to scan. |
Press Enter | Press Enter.
This may take some time. |
Scroll up through the report | We can see the vulnerabilities, with details.
We can use this report for further analysis. |
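A report that someone has to read is easy to ignore; in a build pipeline the scan should fail the step. The script below is an added example and not part of the tutorial: it runs Trivy from its container exactly as above but with Trivy's own --severity, --ignore-unfixed and --exit-code flags, and adds a small gate that counts findings by severity in the JSON report and applies a budget. The JSON sample is constructed, with invented vulnerability ids and package names, so that the gate logic can be run offline; scan_image itself needs a Docker daemon.

```shell
#!/bin/sh
# Added example, not part of the tutorial: use a Trivy scan as a gate rather
# than a report to read. The trivy flags used (--severity, --exit-code,
# --ignore-unfixed, --format json) are real; the JSON below is a constructed
# Trivy-style report with invented ids so the gate logic runs offline.

TRIVY_IMAGE=ghcr.io/aquasecurity/trivy:latest

# scan_image IMAGE -> runs Trivy in its container as in the tutorial, but makes
# Trivy exit non-zero when a HIGH or CRITICAL finding with an available fix
# exists, and emits the report as JSON. Needs a Docker daemon; not run offline.
scan_image() {
    docker run --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v "$PWD/trivy:/root/.cache/" \
        "$TRIVY_IMAGE" image \
        --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 \
        --format json "$1"
}

# Constructed sample report (invented ids and packages, shape of --format json).
SAMPLE_REPORT='{"Results":[{"Target":"stuser1/node-express (debian 12.5)","Vulnerabilities":[
{"VulnerabilityID":"CVE-0000-0001","PkgName":"libexample1","Severity":"CRITICAL","FixedVersion":"1.2.3"},
{"VulnerabilityID":"CVE-0000-0002","PkgName":"libexample1","Severity":"HIGH"},
{"VulnerabilityID":"CVE-0000-0003","PkgName":"libexample2","Severity":"HIGH","FixedVersion":"2.0.1"},
{"VulnerabilityID":"CVE-0000-0004","PkgName":"libexample3","Severity":"LOW"}]}]}'

# count_of SEVERITY  (report JSON on stdin) -> number of findings at that level.
# grep -o matches per occurrence, so it works on one-line and pretty-printed
# JSON alike; wc prints 0 when there are none.
count_of() {
    grep -o "\"Severity\": *\"$1\"" | wc -l | tr -d ' '
}

# gate_report MAX_CRITICAL MAX_HIGH  (report JSON on stdin)
# Prints the counts and returns 1 if either budget is exceeded.
gate_report() {
    report=$(cat)
    crit=$(printf '%s\n' "$report" | count_of CRITICAL)
    high=$(printf '%s\n' "$report" | count_of HIGH)
    printf 'CRITICAL=%s HIGH=%s (budget %s/%s)\n' "$crit" "$high" "$1" "$2"
    if [ "$crit" -le "$1" ] && [ "$high" -le "$2" ]; then
        return 0
    fi
    return 1
}

# Offline run against the sample. Live use: scan_image IMAGE | gate_report 0 0
if printf '%s\n' "$SAMPLE_REPORT" | gate_report 0 0; then
    echo "image passes the vulnerability budget"
else
    echo "image blocked: fix or explicitly accept the findings above"
fi
```

The budget is deliberately separate from Trivy's --exit-code: Trivy fails on any HIGH or CRITICAL with a fix, while gate_report lets a team record an accepted number while a fix is pending, and it is the place to tighten back to 0/0 once the image is clean.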
Show Slide:
Summary |
This brings us to the end of this tutorial.
Let us summarise. In this tutorial, we have learnt about
|
Show Slide:
Assignment |
As an assignment, please do the following:
|
Show Slide:
Assignment Observation |
We have successfully pulled the nginx image. |
Show Slide:
Assignment Observation |
Here I have extended the command with the redirection operator.
It is followed by the name of the file where I want to save the report. |
Show Slide:
Assignment Observation |
This is the report saved in trivyReport dot txt file. |
Show Slide:
About Spoken Tutorial project |
The video at the following link summarises the Spoken Tutorial project.
Please download and watch it. |
Show Slide:
Spoken Tutorial Workshops |
The Spoken Tutorial Project team conducts workshops and gives certificates.
For more details, please write to us. |
Show Slide:
Answers for THIS Spoken Tutorial |
Please post your timed queries in this forum. |
Show Slide:
FOSSEE Forum |
For any general or technical questions on docker, visit the FOSSEE forum and post your question. |
Show slide:
Acknowledgement |
Spoken Tutorial project was established by the Ministry of Education, Government of India. |
Show slide:
Thank you |
This is Pranjal Mahajan, a FOSSEE Semester Long Intern 2024, IIT Bombay, signing off.
Thanks for joining. |