Chapter 8. Keeping up Security

In this chapter, we will be taking a look at keeping up with security as it relates to Docker. What means can you use to stay up to date on the Docker-related security issues that affect the version of the Docker tools you are running now? How do you stay ahead of security issues and keep your environments secure in the face of new threats? We will look at multiple ways in which you can keep up with any security issues that arise and the best way to obtain that information as quickly as possible. This includes keeping security at the forefront of your mind and subscribing to resources such as e-mail lists that cover not only Docker, but also the Linux environments you are running it on. Other items include following GitHub issues that relate to Docker security, following along with the Internet Relay Chat (IRC) rooms, and watching websites such as the CVE databases.

In this chapter, we will be covering the following topics:

  • Keeping up with security
    • E-mail list options
    • GitHub issues
    • IRC rooms
    • CVE websites
  • Other areas of interest

Keeping up with security

In this section, we will take a look at the multiple ways in which you can obtain and keep up to date with information about the security issues that may occur in Docker products. While this isn't a complete list of the tools you can use to keep up on issues, it is a great start and covers the most commonly used ones. These include e-mail distribution lists, the GitHub issues for Docker, IRC chat rooms for the various Docker products, CVE website(s), and other areas of interest that relate to Docker products, such as Linux kernel vulnerabilities and other items you can use to mitigate the risks.

E-mail list options

Docker operates two mailing lists that users can sign up for. These mailing lists provide a means both to gather information about the issues or projects others are working on and to spark ideas for doing the same in your own environment. You can also use them to reach the whole Docker community with questions or issues you run into when using the various Docker products, or even other products used alongside Docker.

The two e-mail lists are as follows:

  • Docker-dev
  • Docker-user

What is the Docker-dev mailing list mostly geared towards? You guessed it, developers! These are people who are either interested in developer-type roles and what others are developing, or are themselves developing code for something that might integrate with various Docker products, such as a web interface around Docker Swarm. This is the list you want to post such questions to. It consists of other developers and possibly even people who work at Docker itself, who might be able to help you with any questions or issues you have.

The other list, Docker-user, is geared towards users of the various Docker products or services who have questions on either how to use the products/services or how to integrate third-party products with Docker. This might include how to integrate Heroku with Docker or how to use Docker in the cloud. If you are a user of Docker, then this list is the right one for you. You can also contribute to the list if you have advanced experience, or if something comes across the list that you have experience with or have dealt with previously.

There is no rule that says you can't be on both. If you want to get the best of both worlds, you can sign up for both and gauge the amount of traffic that comes across each one and then make the decision to only be on one, based on where your interests lie. You also have the option of not joining the lists and just following them on the Google Groups pages for each list.

The Google Groups page for the Docker-dev list is https://groups.google.com/forum/#!forum/docker-dev and the Google Groups page for the Docker-user list is https://groups.google.com/forum/#!forum/docker-user.

Don't forget that you can also search through these lists to see if your issue or questions might have already been answered. As this book is about security, don't forget that you can use these two mailing lists to discuss items that are security related—whether they be development or user related.

GitHub issues

Another method of keeping up with security-related issues is to follow the GitHub issues. As all the code for the Docker core and the various other pieces of Docker, such as Machine, Swarm, Compose, and the rest, is stored on GitHub, it provides a single place to track them. What exactly are GitHub issues and why should I care about them, you are probably asking yourself right now. GitHub Issues is the bug tracker that GitHub provides. By tracking these issues, you can see the issues others are experiencing and get ahead of them in your own environment, or it could solve a problem in your environment, knowing that others are having the same issue and it's not just on your end. You can stop pulling out what is left of your hair.

As each GitHub repository has its own issues section, we don't need to look at each and every one, but I believe it is worthwhile to view one repository's issues section so that you know exactly what you are looking at and how to decipher it.

The following screenshot (which can be found at https://github.com/docker/docker/issues) shows all the current issues that exist with the Docker core software code:

GitHub issues

From this screen, we can see not only how many issues are open, but also how many have been closed. Closed issues are ones for which a solution was found; they are kept for historical purposes so that you can go back in time and see what solution was provided for a given issue.

In the following screenshot, we can filter the issues based on the author, that is, the person who submitted the issue:

GitHub issues

In the following screenshot, we can also filter the issues based on labels, which might include api, kernel, apparmor, selinux, aufs, and many more:

GitHub issues

In the following screenshot, we see that we can also filter by milestone:

GitHub issues

Milestones are essentially tags to help sort issues based on fixing an issue for a particular purpose. They can also be used to plan upcoming releases. As we can see here, some of these include Windows TP4 and Windows TP5.

Lastly, we can filter issues based on assignee, that is, the person assigned to fix or address the issue, as shown in the following screenshot:

GitHub issues

As we can see, there are a lot of ways in which we can filter the issues, but what does an issue actually look like and what does it contain? Let's take a look at that in the following section.

In the following screenshot, we can see what an actual issue looks like:

GitHub issues

Some of the information we can see is the title of the issue and its unique issue number. We can then see that this particular issue is open, who reported it, and how long it has been open. Next we can see how many comments there are on the issue, followed by a detailed explanation of the issue itself. On the right-hand side, we can see what labels the issue has, what its milestone is, who it is assigned to, and how many participants are involved in the issue; those involved are the people who have commented on the issue in some way.

In the last image, taken from the bottom of the issue shown in the preceding image, we can see the timeline of the issue, such as who it was assigned to and when, when it was given a label, and any additional comments.

GitHub issues
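The filters walked through above (labels, milestone, assignee, author) are also exposed by GitHub's REST API, which is handy if you would rather receive a daily digest than refresh the page. The following Python script is an added example, not from the book or from the Docker project: it builds the API URL for the docker/docker repository and triages a constructed sample response against an assumed watch list made of the labels mentioned earlier.

```python
from urllib.parse import urlencode

# Labels named in the chapter that usually point at security-relevant issues
# (a watch list chosen for this example; the real repository has many more labels).
SECURITY_LABELS = frozenset({"apparmor", "selinux", "kernel", "api", "aufs"})

def issues_url(owner="docker", repo="docker", labels=(), state="open", since=None):
    """Build the GitHub REST URL that mirrors the web UI filters. GitHub ANDs
    comma-separated labels; `since` (ISO 8601) lets a cron job fetch only issues
    updated after its last run."""
    params = {"state": state, "per_page": 100}
    if labels:
        params["labels"] = ",".join(labels)
    if since:
        params["since"] = since
    return f"https://api.github.com/repos/{owner}/{repo}/issues?{urlencode(params)}"

def triage(issues, watch_labels=SECURITY_LABELS):
    """Keep issues carrying a watched label and pull out the fields the chapter walks through."""
    rows = []
    for it in issues:
        if "pull_request" in it:  # the issues endpoint also returns PRs; skip them
            continue
        hit = {lbl["name"] for lbl in it.get("labels", [])} & watch_labels
        if not hit:
            continue
        rows.append({
            "number": it["number"], "title": it["title"], "state": it["state"],
            "author": it["user"]["login"], "labels": sorted(hit),
            "milestone": (it.get("milestone") or {}).get("title"),
            "assignee": (it.get("assignee") or {}).get("login"),
            "comments": it.get("comments", 0),
        })
    # Most-discussed first: a long comment thread is the quickest sign others are hit too.
    return sorted(rows, key=lambda r: (-r["comments"], r["number"]))

# Constructed sample in the shape of the API response; these are not real docker/docker issues.
SAMPLE = [
    {"number": 101, "title": "SELinux label missing on volume", "state": "open", "comments": 4,
     "user": {"login": "alice"}, "labels": [{"name": "selinux"}, {"name": "volumes"}],
     "milestone": {"title": "1.10"}, "assignee": None},
    {"number": 102, "title": "aufs oops on older kernel", "state": "open", "comments": 9,
     "user": {"login": "bob"}, "labels": [{"name": "kernel"}, {"name": "aufs"}],
     "milestone": None, "assignee": {"login": "carol"}},
    {"number": 103, "title": "Typo in CLI docs", "state": "open", "comments": 1,
     "user": {"login": "dave"}, "labels": [{"name": "docs"}]},
    {"number": 104, "title": "api: add a field", "state": "open", "comments": 2,
     "pull_request": {}, "user": {"login": "erin"}, "labels": [{"name": "api"}]},
]
```

Feed `triage()` the JSON list returned from `issues_url()` (fetched with any HTTP client and an authenticated token to avoid rate limits) to get the same view as the filtered web page, ready to e-mail or post to a chat channel.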

IRC rooms

The first thing to understand is what exactly IRC is. If you think back to the older days, we probably all had some form of chat room when we had AOL, where you could join rooms based on your location or a topic. IRC operates the same way: there is a server that clients, such as yourself, connect to. The rooms are typically based on a topic, product, or service that people have in common and can come together to discuss. You can chat as a group, but also use private chats with others in the same room, or channel, as you.

Docker utilizes IRC for discussion about its products. This allows not only end users of the products to engage in discussion, but also, in the case of Docker, most of those who actually work for Docker and on these products, who tend to be in these rooms on a daily basis and will engage with you about issues you might be seeing or questions you have.

With IRC, there are multiple servers you can use to connect to hosted channels. Docker uses the http://freenode.net server (this is the server you would use with a third-party IRC client; you can also use http://webchat.freenode.net from a browser), and the channels for its products are #docker, #docker-dev, #docker-swarm, #docker-compose, and #docker-machine. All channels start with the pound sign (#), followed by the channel name. Within these channels, there are discussions about each product. Beyond these, there are other channels where you can discuss Docker-related topics. In the previous chapter, we discussed the Shipyard project, which gives you a GUI that overlays your Docker Swarm environment. If you had questions about that product, you could join its channel, #shipyard. There are other channels you can join as well, and more are created daily. To get a list of channels, you will need to connect with your IRC client and issue a command. Follow the given link to find out how to do this:

http://irc.netsplit.de/channels/?net=freenode

Chat archives are also kept for each channel, so you can search through them as well to find out whether discussions have happened around a question or issue you may be experiencing. For example, if you wanted to see the logs of the #docker channel, you could find them here:

https://botbot.me/freenode/docker/

You can search for other channel archives on the following website:

https://botbot.me

CVE websites

In Chapter 5, Monitoring and Reporting Docker Security Incidents, we covered CVEs and Docker CVEs. A few things to remember about them are listed in the following: