1: History and Motivation
Examine the evolution of virtualization technologies from bare metal, virtual machines, and containers and the tradeoffs between them.
2: Technology Overview
Explores the three core Linux features that enable containers to function (cgroups, namespaces, and union filesystems), as well as the architecture of the Docker components.
3: Installation and Set Up
Install and configure Docker Desktop
4: Using 3rd Party Container Images
Use publicly available container images in your developer workflows and learn how about container data persistence.
5: Example Web Application
Building out a realistic microservice application to containerize.
6: Building Container Images
Write and optimize Dockerfiles and build container images for the components of the example web app.
7: Container Registries
Use container registries such as Dockerhub to share and distribute container images.
8: Running Containers
Use Docker and Docker Compose to run the containerized application from Module 5.
9: Container Security
Learn best practices for container image and container runtime security.
10: Interacting with Docker Objects
Explore how to use Docker to interact with containers, container images, volumes, and networks.
11: Development Workflow
Add tooling and configuration to enable improved developer experience when working with containers.
•Developer Experience Wishlist
12: Deploying Containers
Deploy containerized applications to production using a variety of approaches.
Container Security
There are two main aspects to consider when thinking about container security:
- Container Image Security: What vulnerabilities exist in your image that an attacker could exploit?
- Container Runtime Security: If an attacker successfully compromises a container, what can they do? How difficult will it be to move laterally?
Image Security
- Keep the attack surface area small
- Use minimal base images to reduce the number of installed components, decreasing the chance of vulnerabilities. ChainGuard is a good source for secure base images.
- Don't include unnecessary components
- Exclude components that aren't needed at production time in your Dockerfile.
- Utilize multi-stage builds
- Use multi-stage builds for components needed during the build process but not at runtime.
- Scan images for vulnerabilities
- Use tools such as Snyk (built into Docker) or Trivy (from Aqua Security) to scan images for potential vulnerabilities.
- Avoid running as root user
- Run containers with a Linux user with minimal permissions.
- Don't store sensitive information in images
- Treat images as if they're public and inject sensitive data at runtime.
- Sign images cryptographically
- Sign your images to prove their origin and ensure their integrity.
- Pin base images
- Pin your base images to at least the minor version number to automatically incorporate bug fixes but avoid breaking changes.
Runtime Security
- Use user namespace remap
- Enable the user namespace remap option in Docker daemon (dockerd) to separate container user namespaces from the host system.
- Set the file system as read-only
- Configure the file system as read-only for containers that don't require write access.
- Remove and add capabilities as needed
- Use the
cap_dropoption to remove all capabilities, then add back any necessary ones.
- Use the
- Limit CPU and memory
- Restrict CPU and memory usage to prevent denial-of-service situations.
- Set
seccomporAppArmorprofiles- Utilize security options to set
seccomporAppArmorprofiles for additional security layers.
- Utilize security options to set