Security Flashcards
What feature in DTR allows for images to be scanned for possible security flaws?
Vulnerability scanning
How can DTR be used to notify 3rd party tools like Jenkins/GitHub?
Webhooks
What are UCP Client Bundles?
A set of downloadable certificates that allow you to execute docker commands on the remote cluster
How to set up the UCP Client Bundles?
- Download the client bundle from UCP
- Extract it locally
- Set the env vars by eval'ing the env.sh file from the bundle
What do namespaces do in Linux and Docker?
Namespaces provide separation of host resources, such as PID, mnt, net, IPC, user and UTS
What do cgroups do in Linux and Docker?
Limit the resources (RAM, CPU, network, etc.) that processes/containers can use
What are two possible ways to limit cpu usage for a container?
- --cpus=1 (restricts the container to only one CPU)
- --cpuset-cpus=1,3 (restricts the container to only the 2nd and 4th CPU)
What is reservation vs limit for a Docker container?
- -m, --memory: limit is a hard limit
- --memory-reservation: reservation is a soft limit (Docker tries to maintain this when there is contention on the node)
What is MTLS in Docker Swarm?
Mutually Authenticated Transport Layer Security
How to rotate the docker swarm CA cert?
docker swarm ca --rotate
How to create a secret for docker?
docker secret create my_secret file_name.txt
How to add a secret to a container when running?
docker run --name my_container --secret my_secret nginx:latest
How to ensure that the image you are pulling has not been intercepted and changed by a man in the middle?
Use Docker Content Trust
How to enable Docker Content Trust?
By setting the host env var:
DOCKER_CONTENT_TRUST=1
What are capabilities in terms of Linux and Docker?
Built-in Linux privileges that allow certain actions, such as chown and making files immutable