Additional Docker security resources

If you are looking for other items to review, several of the topics covered in Chapter 1, Securing Docker Hosts, are worth a second look. Each of the following sections points back to the chapter that covers the item in detail, or provides a link where you can read more.

Docker Notary

Let's take a quick look at Docker Notary. For more detail, look back at Chapter 2, Securing Docker Components, or visit the project repository at the following URL:

https://github.com/docker/notary

Docker Notary lets you publish content that you have signed with your own private keys, which you are recommended to keep offline (the root key above all, since it is needed only rarely). The signatures let anyone who trusts your keys verify two things: that the content really came from you, and that it has not been modified since you signed it.

Docker Notary is built on The Update Framework (TUF), and it states a few key goals that I believe are important to point out:

  • Survivable key compromise
  • Freshness guarantee
  • Configurable trust thresholds
  • Signing delegation
  • Use of existing distribution
  • Untrusted mirrors and transport

It is important to know that Docker Notary has both a server component and a client component, and that you drive it from the command line, so some familiarity with a shell is required. The repository linked above breaks this down and walks you through setting up and using each component.
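As an added example (my own illustration, not code from the Notary project), the following Go program models three of the goals listed above with a single trust policy: a configurable signature threshold per role, an expiry date that enforces freshness, and key rotation that lets you survive the compromise of one key. It uses only Go's standard library. The Targets field names, the key-ID scheme and the image digest are assumptions made for this example and do not match Notary's real metadata format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Targets is a simplified TUF-style document; its field names are this example's assumption, not Notary's format.
type Targets struct {
	Expires time.Time         `json:"expires"`
	Hashes  map[string]string `json:"hashes"` // image reference -> hex digest
}

// Signed is the serialized body plus the signatures collected over it, keyed by key ID.
type Signed struct {
	Body []byte
	Sigs map[string][]byte
}

// Signer holds one Ed25519 key pair.
type Signer struct {
	ID   string // hex public key: an illustrative key-ID scheme, not Notary's
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair.
func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{ID: fmt.Sprintf("%x", pub), Pub: pub, priv: priv}
}

// NewSigned serializes a Targets document so signatures can be collected over it.
func NewSigned(t Targets) Signed {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return Signed{Body: b, Sigs: map[string][]byte{}}
}

// Sign adds this key's signature over sg.Body.
func (s Signer) Sign(sg *Signed) { sg.Sigs[s.ID] = ed25519.Sign(s.priv, sg.Body) }

// Role is the trust policy for one role: the authorized public keys and how many
// distinct ones must sign (the configurable trust threshold).
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// NewRole builds a Role from signers, keeping only their public halves.
func NewRole(threshold int, signers ...Signer) Role {
	r := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold}
	for _, s := range signers {
		r.Keys[s.ID] = s.Pub
	}
	return r
}

// Verify accepts sg only if it is unexpired (freshness) and carries valid signatures from
// at least Threshold distinct authorized keys. Signatures from keys outside the role are
// ignored rather than fatal, so appending junk signatures cannot break a valid document.
func (r Role) Verify(sg Signed, now time.Time) error {
	var t Targets
	if err := json.Unmarshal(sg.Body, &t); err != nil {
		return fmt.Errorf("malformed targets: %w", err)
	}
	if !now.Before(t.Expires) {
		return fmt.Errorf("targets metadata expired at %s", t.Expires.Format(time.RFC3339))
	}
	valid := 0
	for id, sig := range sg.Sigs {
		if pub, ok := r.Keys[id]; ok && ed25519.Verify(pub, sg.Body, sig) {
			valid++
		}
	}
	if valid < r.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", valid, r.Threshold)
	}
	return nil
}

func main() {
	k1, k2, k3 := NewSigner(), NewSigner(), NewSigner()
	role, now := NewRole(2, k1, k2, k3), time.Now() // any 2 of the 3 keys must sign
	sg := NewSigned(Targets{Expires: now.Add(24 * time.Hour), Hashes: map[string]string{"example/app:1.0": "deadbeef"}}) // constructed digest
	k1.Sign(&sg)
	fmt.Println("one signature: ", role.Verify(sg, now))
	k2.Sign(&sg)
	fmt.Println("two signatures:", role.Verify(sg, now))
	fmt.Println("two days later:", role.Verify(sg, now.Add(48*time.Hour)))
	role = NewRole(2, k2, k3, NewSigner()) // k1 compromised: rebuild the role without it (rotation)
	fmt.Println("after rotation:", role.Verify(sg, now))
}
```

Run it with `go run`: the first check fails because one signature is below the threshold, the second passes, the third fails on expiry, and the last fails again because the rotated-out key no longer counts and only one authorized signature remains. Notary's real implementation layers several roles (root, targets, snapshot and timestamp) on top of the same threshold-and-expiry idea, and delegations simply add further roles whose keys are authorized by a parent.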

Hardware signing

As with Docker Notary, let's take a quick look at hardware signing, as it is an important feature to understand.

Docker also supports hardware signing. What does this mean? In the previous section, we saw that you sign your content with private keys so that others can verify it came from you, which gives everyone involved peace of mind.

Hardware signing adds another layer on top of that. By introducing a hardware device, a YubiKey (a small USB token), the key that the token protects never leaves the device and is never stored as a file on disk, and the token must be physically tapped before it will produce a signature. That tap proves physical presence: malware that has compromised your host cannot silently sign images with your key, because nobody is there to touch the device. Your other keys (kept secure and offline, as before) are unaffected.

For more information about the hardware signing support in Notary, it is worth reading the announcement Docker published when the feature was released, at the following URL:

https://blog.docker.com/2015/11/docker-content-trust-yubikey/

For a video demonstration of using YubiKeys with Docker Notary, see the following YouTube URL:

https://youtu.be/fLfFFtOHRZQ?t=1h21m23s

For more information about YubiKeys, visit Yubico's website at the following URL:

https://www.yubico.com

Reading materials

There are also some additional reading materials that can help you keep your focus on the security of the entire Docker ecosystem.

Looking back at Chapter 4, Docker Bench for Security, we covered Docker Bench, a script that checks a Docker host and its running containers against the CIS Docker Benchmark and reports every item that does not meet it. It is highly useful for pointing out security risks that you might have.

There is also a good free Docker security eBook. It covers potential security issues along with tools and techniques that you can use to secure your container environments. Not bad for free! You can find it at the following URL:

https://www.openshift.com/promotions/docker-security.html

You can also refer to the Introduction to Container Security whitepaper for more information:

https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf

You can also refer to The Definitive Guide To Docker Containers whitepaper, as follows:

https://www.docker.com/sites/default/files/WP-%20Definitive%20Guide%20To%20Containers.pdf

The last two items, the Introduction to Container Security whitepaper and The Definitive Guide To Docker Containers, are published by Docker itself. They explain how containers are structured and gather much of the relevant Docker information in one place, which you can download or print out and keep at hand. They also cover the layers of isolation that containers provide and how those layers help keep your applications and your environment separated from each other.

Awesome Docker

While this is not a security-specific tool, Awesome Docker is a very useful Docker resource that is updated frequently. It is a curated list of Docker projects to which anyone can contribute by opening a pull request. The list covers topics for those getting started with Docker, useful articles, deep dives, networking, multi-server Docker environments, cloud infrastructure, tips, newsletters, and much more. To view the project and everything it includes, visit the following URL:

https://github.com/veggiemonk/awesome-docker
