Oregami-News

Here everybody can ask questions about our project or present their ideas.
No special authorization needed to post here!

Re: Oregami-News

Postby gene » 10 Nov 2017, 18:28

Hi there. I am still alive! :D

As one step of the technical restructuring of my servers for Kultpower.de and Oregami.org, I decided to move from a self-hosted Atlassian Confluence to a "cloud hosted" version of Confluence.
That saves me a lot of work and makes it possible to concentrate on more important things.

So, the "old" wiki was available on http://wiki.oregami.org

From now on, the Oregami wiki is available on https://oregami.atlassian.net !
The creator of Kultpower.de
Co-founder of Oregami.org
Posts: 989
Joined: 25 Jan 2001, 22:20
Location: Münster

Re: Oregami-News

Postby gene » 02 Jan 2018, 10:26

Happy new year for everyone of you! :-)

During the last months my investigations into Docker continued. I need to update the installations for all my hosted web sites (kultpower & oregami), and I decided to do this using Docker as the virtualization software.

After some weeks I got all my sites running with the help of Docker. But this was only a first shot, and I cannot go to "production" with this one.
The reason: security! Using Docker for local development is one thing; using it in production for public web sites is another.

So I have been googling "docker security" for quite some time now :wink: and I would like to list my insights so far. Very helpful for me was this presentation, which gives a very good overview of securing Docker.

  • Use a minimal base image (for example alpine)
  • Use specific versions (e.g. "FROM node:7.7.2-alpine" instead of "node:latest")
  • Processes in Docker containers should not run as the root user. If there is a vulnerability in a used software package, this could be bad for the host (!) server and not "only" for the one container
  • Restrict as many kernel capabilities as possible with the "--cap-drop" option
  • Restrict resource usage (e.g. memory) per container
  • Open only needed ports, and open ports only for needed clients (IP based), e.g. the MySQL database does not need to be open to the web, only to the web server

I will try to implement all of these things. It may take some extra time, but I think it's worth it.

Stay tuned!
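The checklist in the post above maps directly onto a Dockerfile review and onto the flags of a `docker run` command. The following script is an added example, not code from the Oregami or Kultpower setup: it audits a Dockerfile for an unpinned or non-minimal base image and for a process left running as root, and it builds the hardened `docker run` argument list (all capabilities dropped, a memory cap, no published port for the database). The two Dockerfiles, the service names, the image names and the `backend` network are constructed for the example.

```python
"""Audit a Dockerfile against a container hardening checklist and build a
locked-down `docker run` argv. Added example; the Dockerfiles, service and
image names and the 'backend' network below are constructed, not real."""
import shlex

# Constructed sample: the "first shot" style Dockerfile the checklist warns about.
WEAK_DOCKERFILE = """\
FROM node:latest
COPY . /app
WORKDIR /app
RUN npm install
CMD ["node", "server.js"]
"""

# Constructed sample: same app on a pinned minimal base, dropping root.
HARDENED_DOCKERFILE = """\
FROM node:7.7.2-alpine
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app . /app
WORKDIR /app
RUN npm install --production
USER app
EXPOSE 3000
CMD ["node", "server.js"]
"""

MINIMAL_HINTS = ("alpine", "slim", "distroless")  # heuristic, not a guarantee


def _instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, skipping comments and blank lines."""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def audit_dockerfile(dockerfile):
    """Return a list of findings for the checklist items a Dockerfile can violate:
    unpinned tag, non-minimal base image, and a final process running as root."""
    findings = []
    last_user = None
    for instr, arg in _instructions(dockerfile):
        if instr == "FROM":
            image = arg.split()[0]            # drop a trailing "AS stage"
            if "@sha256:" in image:
                continue                      # digest-pinned: strongest form of pinning
            name, _, tag = image.partition(":")
            if not tag or tag == "latest":
                findings.append(f"unpinned base image '{image}': use a specific version tag")
            elif not any(h in tag for h in MINIMAL_HINTS):
                findings.append(f"base image '{image}' is not a minimal variant (e.g. alpine)")
        elif instr == "USER":
            last_user = arg.strip()           # the last USER wins for CMD/ENTRYPOINT
    if last_user is None or last_user in ("root", "0"):
        findings.append("container process runs as root: add a USER instruction")
    return findings


def hardened_run_args(name, image, memory, publish=None, cap_add=()):
    """Build argv for `docker run`: every capability dropped, only the listed
    ones added back, a memory cap, and a port published only when the service
    needs one (the database gets none and is reached over the private network)."""
    args = ["docker", "run", "-d", "--name", name,
            "--cap-drop=ALL",                 # start from zero kernel capabilities
            "--memory", memory,               # per-container memory limit
            "--network", "backend"]           # constructed user-defined network
    for cap in cap_add:
        args.append(f"--cap-add={cap}")       # add back only what the service needs
    if publish:                               # "host_ip:host_port:container_port"
        args += ["-p", publish]
    args.append(image)
    return args


def render(args):
    """Shell-quoted command line for pasting into a terminal or a script."""
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {audit_dockerfile(text) or 'no findings'}")
    # Web server: needs port 443 on the public interface; as non-root it needs
    # NET_BIND_SERVICE to bind a port below 1024.
    print(render(hardened_run_args("web", "oregami/web:1.0", "256m",
                                   publish="0.0.0.0:443:443",
                                   cap_add=("NET_BIND_SERVICE",))))
    # Database: no -p at all, only the web container on 'backend' can reach it.
    print(render(hardened_run_args("db", "mysql:5.7", "512m")))
```

The audit is deliberately a heuristic (a `slim` tag is only a hint that the image is small), so treat its output as review prompts rather than a pass/fail gate; the `docker run` builder shows the intended shape of a production command, where the database is never published to the host and the web server gets back exactly one capability.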

Re: Oregami-News

Postby MZ per X » 02 Jan 2018, 22:13

A healthy and productive 2018 to you, too! :)

And I always thought that Docker was invented for security reasons... ;)
MZ per X
Posts: 1131
Joined: 12 Dec 2010, 12:07
Location: Leipzig / Germany

Re: Oregami-News

Postby gene » 02 Jan 2018, 23:10

MZ per X wrote: And I always thought that Docker was invented for security reasons... ;)

Well, the docker website says:
AGILITY
Accelerate software development and deployment by 13X and respond instantly to customer needs.

PORTABILITY
Eliminate the “works on my machine” once and for all. Gain independence across on-prem and cloud environments.

SECURITY
Deliver applications safer across the entire lifecycle with built in security capabilities and configurations out of the box.

COST SAVINGS
Optimize the use of your infrastructure resources and streamline operations to save 50% in total costs.

They really do mention "security", but it does not come automatically :D