Difference between revisions of "Docker/C3/Docker-Security/English"
Revision as of 18:53, 4 February 2025
Visual Cue | Narration |
Show slide:
Title Slide |
Hello and welcome to the Spoken Tutorial on “Docker Security”. |
Show Slide:
Learning Objectives |
In this tutorial, we will learn about
* Security in Docker
* Docker Content Trust and Image Signing
* Tools for Security Scanning |
Show Slide:
System Requirements |
To record this tutorial, I am using
* Ubuntu Linux OS version 22.04 and
* Docker version 27.0.2 |
Show Slide:
Pre-requisites
https://spoken-tutorial.org/ |
To follow this tutorial,
* You must have basic knowledge of using the Linux terminal
* For pre-requisite Linux tutorials, please visit this site |
Show Slide:
Security in Docker |
Security in Docker protects containerized apps from threats.
It ensures data integrity and confidentiality. |
Only narration | Let us see some key steps to secure Docker Hosts.
For example, we shall see how to manage user privileges using docker group. |
In terminal, type getent group docker and press Enter | Open the terminal by pressing Ctrl, Alt and T keys together.
First let us verify if the docker group exists. Type the command as shown and press Enter. |
Highlight the output
docker:x:984: |
We get this output which verifies that the docker group exists in our system.
Note that docker group is created by default during docker installation. Here x means that the password for the group is not set. 984 is the unique Group ID associated with the docker group used by the system. It may be different for your system. We can see that no users are added to the group yet. |
Only narration | Now let us add our system username. |
Type sudo usermod -aG docker pranjal and press Enter | Type the command as shown.
Here replace pranjal with your system username. Enter the password if prompted. |
Type getent group docker and press Enter | To verify, again let us enter the command as shown. |
Highlight the output | Now we can see our username after the last colon. |
Reboot or Logout and login. | Reboot the system to have the changes applied, or log out and log in again. |
In terminal, type docker images and press Enter | Now let us try running docker commands without using sudo.
Type docker images and press Enter. |
Highlight the output | We get the list of docker images available in our system.
The docker group helps the users to run Docker commands without sudo prefix. That is, it gives root-level privileges over Docker to docker group members. |
Only narration | Now let us see methods to secure docker daemon.
For example, we shall see how to limit resource use. |
Type docker run --memory="256m" --cpus="1" stuser1/node-express and press Enter | In the terminal, enter the command as shown.
This command starts a container using the image node hyphen express. It limits the container to 256 MB of memory and 1 CPU core. Setting resource limits helps manage performance, stability, and cost. |
Highlight the output | We can see that now, our container is running. |
Type docker stats and press Enter | Open a new terminal session, and close the previous one.
To verify, type docker stats and press Enter. This command monitors the real-time resource usage of containers. Now it is using 12.86MB of its 256MB memory limit and minimal CPU showing 0%. The output may be different for you. |
Type docker ps and press Enter | In the new terminal session, enter the command as shown to find the running container that we want to stop.
We can see a list of running containers. |
Copy the Container_id | Copy the container ID. |
Type docker stop <Container_id> and press Enter | Enter the docker stop command as shown and paste the container ID.
This will stop the running container. |
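An added example (not part of the Spoken Tutorial script) that turns the limits set above into an automated host check: it reads `docker inspect` JSON and reports containers that have no memory or CPU limit, run privileged, or bind-mount the Docker socket. The inspect output embedded below is constructed, and the thresholds (512 MiB, 2 CPUs) are assumptions.

```python
"""Audit container HostConfig from `docker inspect` output.

Added example, not part of the Spoken Tutorial script. It checks the two
limits the tutorial sets with --memory="256m" --cpus="1" and flags two
daemon-level risks: --privileged and a bind mount of /var/run/docker.sock,
which gives the container full control of the daemon (effectively root on
the host). The inspect output below is constructed to mirror the HostConfig
and Mounts fields docker prints; it is not captured from the tutorial.
"""
import json
import subprocess
from typing import Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"
NANO_CPUS_PER_CORE = 1_000_000_000  # docker stores --cpus as NanoCpus
MIB = 1024 * 1024


def audit_container(info: dict, max_memory: int = 512 * MIB, max_cpus: float = 2.0) -> List[str]:
    """Return findings for one entry of `docker inspect`; an empty list means it passes."""
    findings: List[str] = []
    name = info.get("Name", "?").lstrip("/")
    host = info.get("HostConfig") or {}

    memory = host.get("Memory", 0)  # 0 means "no limit"
    if memory == 0:
        findings.append(f"{name}: no memory limit (--memory not set)")
    elif memory > max_memory:
        findings.append(f"{name}: memory limit {memory // MIB} MiB exceeds {max_memory // MIB} MiB")

    nano_cpus = host.get("NanoCpus", 0)  # 0 means "no limit"
    cpus = nano_cpus / NANO_CPUS_PER_CORE
    if nano_cpus == 0:
        findings.append(f"{name}: no CPU limit (--cpus not set)")
    elif cpus > max_cpus:
        findings.append(f"{name}: CPU limit {cpus:g} exceeds {max_cpus:g}")

    if host.get("Privileged"):
        findings.append(f"{name}: runs with --privileged")

    # The socket can appear in HostConfig.Binds ("src:dst[:opts]") or in Mounts.
    sources = [b.split(":")[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in info.get("Mounts") or []]
    if DOCKER_SOCKET in sources:
        findings.append(f"{name}: bind-mounts {DOCKER_SOCKET} (control of the daemon)")
    return findings


def audit_all(inspect_json: str) -> Dict[str, List[str]]:
    """Audit every entry of a `docker inspect` JSON array; maps name -> findings."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


def audit_running_containers() -> Dict[str, List[str]]:
    """Audit the containers running on this host (needs access to the daemon)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return {}
    return audit_all(subprocess.check_output(["docker", "inspect", *ids], text=True))


# Constructed sample: the tutorial's container started with --memory="256m" --cpus="1",
# plus a Trivy-style container that mounts the Docker socket and sets no limits.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/node-express",
     "HostConfig": {"Memory": 256 * MIB, "NanoCpus": 1 * NANO_CPUS_PER_CORE,
                    "Privileged": False, "Binds": None},
     "Mounts": []},
    {"Name": "/trivy",
     "HostConfig": {"Memory": 0, "NanoCpus": 0, "Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/home/user/trivy:/root/.cache/"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run `audit_running_containers()` on a host with Docker to check live containers instead of the sample.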
Only narration | Next let us see about Docker Content Trust and Image Signing. |
Show Slide:
Docker Content Trust and Image Signing |
Docker Content Trust, i.e. DCT, allows you to verify the integrity of Docker images.
It also verifies the publisher of Docker images through digital signatures. It ensures that only signed images are pulled and run. |
Only narration | Now let us implement this process on our system. |
In terminal, type export DOCKER_CONTENT_TRUST=1 and press Enter | To enable DCT, we will use the command as shown. |
In terminal, type docker login and press Enter
Enter password if prompted |
Then we need to log in to Docker Hub to push and pull images from it.
Type docker login and press Enter. Enter the Docker Hub credentials if prompted. |
Highlight the output | We have successfully logged in. |
Type docker tag stuser1/node-express stuser1/node-express-dct:sign and press Enter. | Then let us tag the image as node-express-dct with the tag sign, so that the signed copy is clearly distinguished.
Enter the command as shown. Make sure stuser1 is replaced with your Docker Hub username. |
Type docker trust key generate demokey and press Enter | Then type the command as shown.
This command creates a new cryptographic key pair for signing Docker images. I have named the key as demokey. It will be used to verify the authenticity of images. |
Type passphrase and press Enter | We are prompted to enter a password that will protect the private key.
Type the desired password and press Enter. |
Confirm passphrase | Again to confirm we are asked to enter the same password. |
Highlight Successfully generated… sentence from the output. | We can see that our private key is successfully generated and loaded.
The corresponding public key is available at the given directory. |
Type docker trust signer add --key demokey.pub teststsigner stuser1/node-express-dct:sign | Type the command as shown.
This command adds a trusted signer for the given image. |
Highlight teststsigner | I have named the signer as teststsigner. |
Highlight demokey.pub | It uses the public key file demokey dot pub to verify the signer's identity. |
Press Enter | Press Enter |
Highlight Enter passphrase for new root key | Here, Docker is asking for the password for the root key.
It is the key foundation for securing and trusting Docker image signing. |
Type the password and press Enter | Type the desired password and press Enter.
Password need not be the same as before. Confirm the password by entering it again. |
Highlight Enter passphrase for repository key | Now, Docker is asking for the password for the repository key. |
Highlight stuser1/node-express-dct:sign | This repository key is responsible for signing images in this repository.
This key is different from the previously generated keys. |
Type the password and press Enter | Type the desired password and press Enter. Confirm the password by entering it again. |
Highlight Successfully added… sentence | We can see that the signer teststsigner is successfully added to the repository. |
Type docker trust sign stuser1/node-express-dct:sign and press Enter | Now let us sign the Docker image using Docker Content Trust.
Enter the command as shown. |
Only narration | The image is automatically pushed to Docker Hub during the signing process.
The layers are parts of the image that are already pushed. Hence it shows as mounted from the existing image. |
Type the password for demokey and press Enter | Enter the password for demokey. |
Highlight ‘Successfully signed docker.io/stuser1/node-express-dct:sign’ | The image is successfully signed. |
Type docker trust inspect stuser1/node-express-dct:sign | Enter the command as shown.
It displays trust data for the given image in a human-readable format. |
Scroll through the output. | It includes signed tags, signers, and keys used. |
Type export DOCKER_CONTENT_TRUST=0 and press Enter | Before proceeding, disable DCT to avoid errors when pulling images.
To do so, enter the command as shown. |
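An added example (not part of the Spoken Tutorial script) showing how the trust data inspected above can be checked before an image is used: DCT only refuses unsigned tags, so this reads the JSON that `docker trust inspect` prints, requires the tag to be signed by a named signer such as teststsigner, and returns the digest to pin. The trust data embedded below is constructed in that JSON shape; the key IDs and digest are placeholders.

```python
"""Check Docker Content Trust data for a tag before using it.

Added example, not part of the Spoken Tutorial script. Setting
DOCKER_CONTENT_TRUST=1 makes docker refuse unsigned tags, but it does not
say which signer must have signed them. This reads the JSON that
`docker trust inspect <image>` prints (the signed tags, signers and keys the
tutorial scrolls through), requires a specific delegation signer such as
teststsigner, and returns the digest so a deployment can pin it. The trust
data below is constructed in that JSON shape; key IDs and the digest are
placeholders.
"""
import json
import subprocess
from typing import Tuple


def repo_of(name: str) -> str:
    """'docker.io/stuser1/x:sign' -> 'stuser1/x' (drop registry host and tag)."""
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]  # first component is a registry host, not a namespace
    repo = "/".join(parts)
    return repo.rsplit(":", 1)[0] if ":" in repo else repo


def verify_signed_by(trust_json: str, repo: str, tag: str, required_signer: str) -> Tuple[bool, str]:
    """Return (ok, detail): detail is the digest to pin when ok, else the reason."""
    try:
        entries = json.loads(trust_json)
    except json.JSONDecodeError as exc:
        return False, f"trust data is not valid JSON: {exc}"
    for entry in entries:
        if repo_of(entry.get("Name", "")) != repo:
            continue
        for signed in entry.get("SignedTags") or []:
            if signed.get("SignedTag") != tag:
                continue
            signers = signed.get("Signers") or []
            if required_signer not in signers:
                # A signer of "Repo Admin" means only the repository key signed the tag.
                return False, f"{repo}:{tag} is signed by {signers}, not by {required_signer!r}"
            digest = signed.get("Digest", "")
            if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
                return False, f"{repo}:{tag} has a malformed digest {digest!r}"
            return True, f"sha256:{digest}"
        return False, f"{repo}:{tag} has no signature in the trust data"
    return False, f"no trust data found for {repo}"


def inspect_trust(image: str) -> str:
    """Fetch trust data for an image from the notary server (needs docker and network)."""
    return subprocess.check_output(["docker", "trust", "inspect", image], text=True)


# Constructed sample shaped like `docker trust inspect stuser1/node-express-dct:sign`.
SAMPLE_TRUST = json.dumps([{
    "Name": "docker.io/stuser1/node-express-dct:sign",
    "SignedTags": [{"SignedTag": "sign", "Digest": "ab" * 32, "Signers": ["teststsigner"]}],
    "Signers": [{"Name": "teststsigner", "Keys": [{"ID": "placeholder-signer-key-id"}]}],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "placeholder-repository-key-id"}]},
        {"Name": "Root", "Keys": [{"ID": "placeholder-root-key-id"}]},
    ],
}])

if __name__ == "__main__":
    ok, detail = verify_signed_by(SAMPLE_TRUST, "stuser1/node-express-dct", "sign", "teststsigner")
    print("OK, pin" if ok else "REJECT:", detail)
```

Against a real repository, pass `inspect_trust("stuser1/node-express-dct:sign")` in place of the sample.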
Only narration | Next we will see about security scanning and tools used for it.
Security scanning identifies vulnerabilities in containerized applications. |
Show Slide:
Tools for Security Scanning |
Docker Scout:
It is integrated with Docker Hub. It scans images for vulnerabilities and provides detailed results.
Trivy:
It is an open-source tool that scans Docker images for vulnerabilities. |
Only narration | First we shall see security scanning using the docker scout tool. |
Go to web browser and type https://hub.docker.com/ and press Enter | Go to the web browser, and enter the link as shown.
This will take us to the Docker Hub website. |
Enter username and password to sign in | In the top right corner, click on Sign in and enter your credentials.
Once signed in, we will be redirected to the repositories section. |
From the list, click on stuser1/node-express | We can see the list of our pushed images.
Click on stuser1/node-express. |
On the stuser1/node-express page, click on Settings option, just above the stuser1/node-express box | Just above the stuser1/node-express box, we can see various options.
It includes General, Tags, Builds, and more. Select Settings option. |
From the Image security insight settings section, click on Docker Scout image analysis button. | In the Image security insight settings, select Docker Scout image analysis to enable it. |
Click on Save button | Save it by clicking on the Save button. |
Only narration | We get a notification informing us that we have reached the repository limit of our free plan.
If we want to secure more repositories with Docker Scout, we can upgrade our plan. |
Click on General option | Then go back to the General option.
We can see in the Tags section, vulnerabilities are visible. |
Click on latest from Tag column | Click on the latest Tag, to get detailed information.
We can see the list of packages that are affected. |
Hover over the yellow coloured box. | If you hover over the coloured boxes, the severity level is visible. |
Scroll through vulnerabilities section | In the right column, we can see the various packages with their severity levels. |
Only narration | Now let us see security scanning using the Trivy tool. |
In terminal, type docker pull ghcr.io/aquasecurity/trivy and press Enter | First, we shall pull the Trivy image from the GitHub Container Registry.
Switch to the terminal and enter the command as shown. |
Highlight the output | We have downloaded the Trivy image. |
In terminal, type docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/trivy:/root/.cache/ ghcr.io/aquasecurity/trivy:latest image stuser1/node-express | Even after pulling the image, Trivy itself is not installed on our host system.
Instead, we can run the Trivy commands within the Trivy Docker container. Type the command as shown. |
Highlight docker run | This starts the Trivy container, which we just pulled in the previous step. |
Highlight --rm | This option auto-removes the container after it finishes running. |
Highlight -v | The -v flag mounts host directories into the container. |
Highlight /var/run/docker.sock:/var/run/docker.sock | This mounts the Docker socket, letting Trivy access the Docker daemon to scan the images on the host. |
Highlight $(pwd)/trivy:/root/.cache/ | This ensures that relevant data is cached to speed up future scans. |
Highlight ghcr.io/aquasecurity/trivy:latest | This specifies the Trivy Docker image that we want to run. |
Highlight stuser1/node-express | This is the image that we want Trivy to scan. |
Press Enter | Press Enter.
This may take some time. |
Scroll up through the report | We can see the vulnerabilities, with details.
We can use this report for further analysis. |
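An added example (not part of the Spoken Tutorial script) of the "further analysis" mentioned above: a small gate that counts Trivy findings by severity and fails a build when fixable HIGH or CRITICAL issues are present. It assumes the tutorial's Trivy scan was run with Trivy's `--format json -o <file>` options (both real Trivy flags); the report embedded below is constructed in that JSON shape, and its CVE ids, packages and versions are placeholders.

```python
"""Gate a build on a Trivy scan report.

Added example, not part of the Spoken Tutorial script. The tutorial reads
Trivy's table report by eye; for an automated check it is easier to have Trivy
emit JSON, so this assumes the scan was run with `--format json -o <file>`
(both real Trivy options) and parses that file. The report below is
constructed in the shape of Trivy's JSON output; the CVE ids, packages and
versions are placeholders, not findings for node-express.
"""
import json
import sys
from collections import Counter
from typing import Dict, Iterator, List, Tuple, Union

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
Report = Union[str, dict]  # raw JSON text or an already-parsed report


def _load(report: Report) -> dict:
    return json.loads(report) if isinstance(report, str) else report


def iter_vulns(report: Report) -> Iterator[Tuple[str, dict]]:
    """Yield (target, vulnerability) for every finding; Trivy uses null for none."""
    for result in _load(report).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def summarise(report: Report) -> Dict[str, int]:
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    return dict(Counter(v.get("Severity", "UNKNOWN").upper() for _, v in iter_vulns(report)))


def gate(report: Report, fail_on: str = "HIGH", fixed_only: bool = True) -> Tuple[bool, List[str]]:
    """Return (passed, findings at or above fail_on).

    With fixed_only=True a finding only blocks the build when a FixedVersion is
    published, so unfixable issues are listed but do not fail it.
    """
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    blocking, listed = [], []
    for target, v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN").upper()
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank < threshold:
            continue
        fixed = v.get("FixedVersion") or ""
        listed.append(f"{sev:8} {v.get('VulnerabilityID', '?')} {v.get('PkgName', '?')} "
                      f"{v.get('InstalledVersion', '?')} -> {fixed or 'no fix'} ({target})")
        if fixed or not fixed_only:
            blocking.append(listed[-1])
    return not blocking, listed


# Constructed sample in Trivy's JSON shape (placeholder ids, packages and versions).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "stuser1/node-express",
    "Results": [
        {"Target": "stuser1/node-express (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.2-1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.3.0-4", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-tool",
              "InstalledVersion": "5.2-1", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-pkg",
              "InstalledVersion": "4.17.1", "FixedVersion": "4.19.2", "Severity": "MEDIUM"}]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    # Usage: python trivy_gate.py trivy.json   (falls back to the constructed sample)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("severity counts:", summarise(report))
    passed, findings = gate(report, fail_on="HIGH")
    print("\n".join(findings))
    sys.exit(0 if passed else 1)
```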
Show Slide:
Summary |
This brings us to the end of this tutorial. Let us summarise.
In this tutorial, we have learnt about
* Security in Docker
* Docker Content Trust and Image Signing
* Tools for Security Scanning |
Show Slide:
Assignment |
As an assignment, please do the following:
* Pull the nginx image and scan it for vulnerabilities using the trivy tool.
* Save the output in the trivyReport.txt file. |
Show Slide:
Assignment Observation |
We have successfully pulled the nginx image. |
Show Slide:
Assignment Observation |
Here I have extended the command with the redirection operator.
It is followed by the name of the file where I want to save the report. |
Show Slide:
Assignment Observation |
This is the report saved in trivyReport dot txt file. |
Show Slide:
About Spoken Tutorial project |
The video at the following link summarises the Spoken Tutorial project.
Please download and watch it. |
Show Slide:
Spoken Tutorial Workshops |
The Spoken Tutorial Project team conducts workshops and gives certificates.
For more details, please write to us. |
Show Slide:
Answers for THIS Spoken Tutorial |
Please post your timed queries in this forum. |
Show Slide:
FOSSEE Forum |
For any general or technical questions on docker, visit the FOSSEE forum and post your question. |
Show slide:
Acknowledgement |
The Spoken Tutorial project was established by the Ministry of Education, Government of India. |
Slide:
Thank you |
This is Pranjal Mahajan, a FOSSEE Semester Long Intern 2024, IIT Bombay, signing off.
Thanks for joining. |