Docker Security

Hey, dear Docker DevOps enthusiast! In this post we will discuss Docker security: security at the Docker Engine level (SELinux, the root user inside containers, cgroups) and security of Docker Swarm services (join tokens, secrets and configs).

SELinux (Security-Enhanced Linux)

SELinux provides a mechanism for supporting access control security policies. It is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Docker uses it when the daemon runs with --selinux-enabled, which confines container processes to a dedicated SELinux type; bind-mounted volumes then need the :z or :Z option on -v so that their files are relabelled for container access.

By default the processes spawned inside a container run as the 'root' user (UID 0) unless the image sets a USER instruction or the container is started with --user. Running as root inside the container is still root on the host kernel's view unless user namespace remapping (userns-remap) is enabled, so prefer a non-root user wherever the workload allows it.

Control groups (cgroups) limit the resources a container can consume (CPU, memory, block I/O), which is what stops one container from starving the host or its neighbours.

Security Issue


Rotate the join tokens for both workers and managers whenever you suspect that someone may have obtained a token; the manager token in particular lets an attacker add a node with full control over the cluster. Rotating invalidates the old token without affecting nodes that have already joined.

Secrets are immutable in a Docker Swarm cluster. They cannot be updated in place, so to change a secret's value you create a new secret and switch the service over to it:
step 1: Create the new secret.
step 2: Update the service so that it uses the new secret and drops the old one.
step 3: Swarm restarts the service's tasks itself to apply the change; no manual restart is required.
step 4: Remove the old secret once no service references it.


 docker service update --help | grep secret
      --secret-add secret                  Add or update a secret on a service
      --secret-rm list                     Remove a secret
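The token rotation and the four-step secret rotation above, as one script. This is an added example, not code from the original post: the service name "web", the secret names "db_password_v1"/"db_password_v2", the file ./db_password_v2.txt and the target name "db_password" are hypothetical, and DOCKER can be set to echo to preview the commands without a swarm.

```shell
#!/bin/sh
# Added example (not from the original post): rotate a swarm's join tokens,
# and rotate a swarm secret in place. All names below are hypothetical.
# Set DOCKER=echo to preview the commands without a running swarm.
set -eu

DOCKER="${DOCKER:-docker}"

# Invalidate both join tokens. Nodes already in the swarm stay joined; only
# nodes joining afterwards need the new tokens, which docker prints to stdout
# and which should then be distributed out of band.
rotate_join_tokens() {
  "$DOCKER" swarm join-token --rotate worker
  "$DOCKER" swarm join-token --rotate manager
}

# rotate_secret SERVICE OLD_SECRET NEW_SECRET SOURCE_FILE TARGET
# Secrets are immutable, so rotation means: create a new secret, swap it into
# the service, let Swarm roll the tasks, then remove the old secret.
rotate_secret() {
  service="$1"; old="$2"; new="$3"; src="$4"; target="$5"

  # step 1: create the new secret from a file. Reading the value from a file
  # (or from stdin with "-") keeps it out of shell history and `ps` output.
  "$DOCKER" secret create "$new" "$src"

  # steps 2 and 3: remove the old secret and add the new one in a single
  # update. Keeping the same target means the file still appears at
  # /run/secrets/<target>, so the application needs no change. Swarm
  # restarts the service's tasks itself to apply the update.
  "$DOCKER" service update \
    --secret-rm "$old" \
    --secret-add "source=$new,target=$target" \
    "$service"

  # step 4: a secret can only be removed once no task uses it any more,
  # which is why this comes after the update has rolled out.
  "$DOCKER" secret rm "$old"
}

# Run with five arguments to perform a rotation, e.g.
#   sh rotate.sh web db_password_v1 db_password_v2 ./db_password_v2.txt db_password
if [ "$#" -eq 5 ]; then
  rotate_secret "$@"
fi
```

Keeping the in-container target name stable across rotations is the important design choice: the application keeps reading /run/secrets/db_password, and only the swarm-side secret name carries the version.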


Secrets are encrypted in transit and at rest in a Docker Swarm: they are stored in the managers' encrypted Raft log and delivered to nodes over the swarm's mutual-TLS connections, and inside the container they are mounted on a tmpfs (RAM disk), so they never touch the container's writable layer or the host disk.
Configs operate in a similar way to secrets, except that they are not encrypted at rest and are mounted directly into the container's filesystem without the use of RAM disks. Configs can be added to or removed from a running service at any time, and several services can share one config. Because configs are not encrypted at rest, never put credentials in them; use a secret instead.




The default location of a secret inside a Linux container is '/run/secrets/<secret_name>'. The default location of a config file is '/<config_name>' unless an explicit target path is given when the service is created or updated.
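A stack file that puts the secret and config mount locations above into practice. This is an added example, not from the original post: the service, image, secret and config names and the file paths are hypothetical.

```yaml
# Added example (not from the original post): deploy a hypothetical "web"
# service with one secret and one config. Names, paths and the image are
# assumptions for illustration.
version: "3.8"

services:
  web:
    image: nginx:stable
    secrets:
      # long form with an explicit target: the secret is mounted on a tmpfs
      # at /run/secrets/db_password (secret targets are relative to /run/secrets)
      - source: db_password
        target: db_password
        mode: 0400
    configs:
      # configs default to /<name>; give an absolute path to place the file
      # where the application expects it
      - source: nginx_conf
        target: /etc/nginx/conf.d/default.conf
        mode: 0444

secrets:
  db_password:
    file: ./db_password.txt   # stored encrypted in the swarm's Raft log

configs:
  nginx_conf:
    file: ./default.conf      # not encrypted at rest: no credentials in here
```

Deploy it with docker stack deploy -c <file> <stack>; the mode fields keep the secret readable only by its owner, while the config can be world-readable because it holds no sensitive data.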
