Core Security and Optimization Concepts
This section explores advanced security hardening techniques, performance optimization strategies, and comprehensive monitoring solutions essential for production Docker deployments.
Advanced Security Hardening
Kernel Security Features
# Enable AppArmor profile
docker run --security-opt apparmor:docker-default nginx
# Custom AppArmor profile
docker run --security-opt apparmor:custom-profile myapp
# SELinux context
docker run --security-opt label:type:container_t \
--security-opt label:level:s0:c100,c200 \
myapp
# Custom seccomp profile
docker run --security-opt seccomp:./custom-seccomp.json myapp
Custom seccomp profile:
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64"],
"syscalls": [
{
"names": [
"accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk",
"capget", "capset", "chdir", "chmod", "chown", "chroot", "clock_getres",
"clock_gettime", "clock_nanosleep", "close", "connect", "copy_file_range",
"creat", "dup", "dup2", "dup3", "epoll_create", "epoll_create1",
"epoll_ctl", "epoll_pwait", "epoll_wait", "eventfd", "eventfd2",
"execve", "execveat", "exit", "exit_group", "faccessat", "fadvise64",
"fallocate", "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown",
"fchownat", "fcntl", "fdatasync", "fgetxattr", "flistxattr", "flock",
"fork", "fremovexattr", "fsetxattr", "fstat", "fstatfs", "fsync",
"ftruncate", "futex", "getcwd", "getdents", "getdents64", "getegid",
"geteuid", "getgid", "getgroups", "getpeername", "getpgrp", "getpid",
"getppid", "getpriority", "getrandom", "getresgid", "getresuid",
"getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname",
"getsockopt", "get_thread_area", "gettid", "gettimeofday", "getuid",
"getxattr", "inotify_add_watch", "inotify_init", "inotify_init1",
"inotify_rm_watch", "io_cancel", "ioctl", "io_destroy", "io_getevents",
"ioprio_get", "ioprio_set", "io_setup", "io_submit", "ipc", "kill",
"lchown", "lgetxattr", "link", "linkat", "listen", "listxattr",
"llistxattr", "lremovexattr", "lseek", "lsetxattr", "lstat", "madvise",
"memfd_create", "mincore", "mkdir", "mkdirat", "mknod", "mknodat",
"mlock", "mlock2", "mlockall", "mmap", "mount", "mprotect", "mq_getsetattr",
"mq_notify", "mq_open", "mq_timedreceive", "mq_timedsend", "mq_unlink",
"mremap", "msgctl", "msgget", "msgrcv", "msgsnd", "msync", "munlock",
"munlockall", "munmap", "nanosleep", "newfstatat", "open", "openat",
"pause", "pipe", "pipe2", "poll", "ppoll", "prctl", "pread64", "preadv",
"prlimit64", "pselect6", "ptrace", "pwrite64", "pwritev", "read",
"readahead", "readlink", "readlinkat", "readv", "recv", "recvfrom",
"recvmmsg", "recvmsg", "remap_file_pages", "removexattr", "rename",
"renameat", "renameat2", "restart_syscall", "rmdir", "rt_sigaction",
"rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn",
"rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo", "sched_getaffinity",
"sched_getattr", "sched_getparam", "sched_get_priority_max",
"sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval",
"sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler",
"sched_yield", "seccomp", "select", "semctl", "semget", "semop",
"semtimedop", "send", "sendfile", "sendmmsg", "sendmsg", "sendto",
"setfsgid", "setfsuid", "setgid", "setgroups", "setitimer", "setpgid",
"setpriority", "setregid", "setresgid", "setresuid", "setreuid",
"setrlimit", "set_robust_list", "setsid", "setsockopt", "set_thread_area",
"set_tid_address", "setuid", "setxattr", "shmat", "shmctl", "shmdt",
"shmget", "shutdown", "sigaltstack", "signalfd", "signalfd4", "sigreturn",
"socket", "socketcall", "socketpair", "splice", "stat", "statfs",
"symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo",
"tee", "tgkill", "time", "timer_create", "timer_delete", "timerfd_create",
"timerfd_gettime", "timerfd_settime", "timer_getoverrun", "timer_gettime",
"timer_settime", "times", "tkill", "truncate", "umask", "uname",
"unlink", "unlinkat", "utime", "utimensat", "utimes", "vfork", "vmsplice",
"wait4", "waitid", "waitpid", "write", "writev"
],
"action": "SCMP_ACT_ALLOW"
}
]
}
Container Image Security
# Multi-stage secure build
FROM node:16-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM gcr.io/distroless/nodejs16-debian11 AS production
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY --chown=nonroot:nonroot . .
USER nonroot
EXPOSE 3000
CMD ["server.js"]
Runtime Security Policies
# Pod Security Policy (Kubernetes)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
Performance Optimization Strategies
CPU and Memory Optimization
# CPU affinity and scheduling
docker run -d \
--cpuset-cpus="0,1" \
--cpu-shares=1024 \
--cpu-quota=50000 \
--cpu-period=100000 \
--cpu-rt-period=1000000 \
--cpu-rt-runtime=950000 \
myapp
# Memory optimization
docker run -d \
--memory=2g \
--memory-swap=4g \
--memory-reservation=1g \
--memory-swappiness=10 \
--oom-kill-disable=false \
--kernel-memory=500m \
myapp
# NUMA optimization
docker run -d \
--cpuset-mems="0" \
--memory=4g \
myapp
Storage Performance Tuning
# docker-compose.yml with optimized storage
version: '3.8'
services:
database:
image: postgres:14
volumes:
# Separate data and WAL volumes
- type: volume
source: postgres-data
target: /var/lib/postgresql/data
volume:
driver: local
driver_opts:
type: ext4
o: noatime,nodiratime
- type: volume
source: postgres-wal
target: /var/lib/postgresql/wal
volume:
driver: local
driver_opts:
type: ext4
o: noatime,sync
# tmpfs for temporary operations
- type: tmpfs
target: /tmp
tmpfs:
size: 1G
mode: 1777
# Shared memory for PostgreSQL
- type: tmpfs
target: /dev/shm
tmpfs:
size: 2G
environment:
- POSTGRES_INITDB_WALDIR=/var/lib/postgresql/wal
command: |
postgres
-c shared_buffers=1GB
-c effective_cache_size=3GB
-c maintenance_work_mem=256MB
-c checkpoint_completion_target=0.9
-c wal_buffers=16MB
-c default_statistics_target=100
-c random_page_cost=1.1
-c effective_io_concurrency=200
volumes:
postgres-data:
postgres-wal:
Network Performance Optimization
# Network performance tuning
docker run -d \
--sysctl net.core.somaxconn=65535 \
--sysctl net.ipv4.tcp_max_syn_backlog=65535 \
--sysctl net.core.rmem_max=134217728 \
--sysctl net.core.wmem_max=134217728 \
--sysctl net.ipv4.tcp_rmem="4096 65536 134217728" \
--sysctl net.ipv4.tcp_wmem="4096 65536 134217728" \
--sysctl net.ipv4.tcp_congestion_control=bbr \
--sysctl net.core.netdev_max_backlog=5000 \
--sysctl net.core.netdev_budget=600 \
myapp
# Container with optimized networking
docker run -d \
--network=host \
--ulimit nofile=65536:65536 \
--sysctl net.ipv4.ip_local_port_range="1024 65535" \
--sysctl net.ipv4.tcp_tw_reuse=1 \
high-performance-app
Comprehensive Monitoring Solutions
Security Monitoring Stack
# docker-compose.security-monitoring.yml
version: '3.8'
services:
# Falco for runtime security
falco:
image: falcosecurity/falco:latest
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- ./falco/falco_rules.yaml:/etc/falco/falco_rules.local.yaml:ro
environment:
- FALCO_GRPC_ENABLED=true
- FALCO_GRPC_BIND_ADDRESS=0.0.0.0:5060
# OSSEC for host intrusion detection
ossec:
image: wazuh/wazuh:latest
volumes:
- ossec-data:/var/ossec/data
- ./ossec/ossec.conf:/var/ossec/etc/ossec.conf:ro
- /var/log:/host/var/log:ro
ports:
- "1514:1514/udp"
- "1515:1515"
# Suricata for network intrusion detection
suricata:
image: jasonish/suricata:latest
network_mode: host
cap_add:
- NET_ADMIN
- SYS_NICE
volumes:
- suricata-logs:/var/log/suricata
- ./suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
command: -i eth0
# ELK Stack for log analysis
elasticsearch:
image: elasticsearch:7.17.0
environment:
- discovery.type=single-node
- "ES_JAVA_OPTS=-Xms2g -Xmx2g"
volumes:
- elasticsearch-data:/usr/share/elasticsearch/data
logstash:
image: logstash:7.17.0
volumes:
- ./logstash/pipeline:/usr/share/logstash/pipeline:ro
- ./logstash/config:/usr/share/logstash/config:ro
depends_on:
- elasticsearch
kibana:
image: kibana:7.17.0
ports:
- "5601:5601"
environment:
- ELASTICSEARCH_HOSTS=http://elasticsearch:9200
depends_on:
- elasticsearch
volumes:
ossec-data:
suricata-logs:
elasticsearch-data:
Performance Monitoring
# docker-compose.performance-monitoring.yml
version: '3.8'
services:
# Prometheus for metrics collection
prometheus:
image: prom/prometheus:latest
ports:
- "9090:9090"
volumes:
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
- ./prometheus/rules:/etc/prometheus/rules:ro
- prometheus-data:/prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.retention.time=30d'
- '--web.enable-lifecycle'
# Node Exporter for host metrics
node-exporter:
image: prom/node-exporter:latest
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
command:
- '--path.procfs=/host/proc'
- '--path.sysfs=/host/sys'
- '--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc)($$|/)'
# cAdvisor for container metrics
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
ports:
- "8080:8080"
# Grafana for visualization
grafana:
image: grafana/grafana:latest
ports:
- "3000:3000"
volumes:
- grafana-data:/var/lib/grafana
- ./grafana/provisioning:/etc/grafana/provisioning:ro
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
# Jaeger for distributed tracing
jaeger:
image: jaegertracing/all-in-one:latest
ports:
- "16686:16686"
- "14268:14268"
environment:
- COLLECTOR_ZIPKIN_HTTP_PORT=9411
volumes:
prometheus-data:
grafana-data:
Advanced Security Patterns
Zero-Trust Container Security
#!/usr/bin/env python3
# zero-trust-enforcer.py
import docker
import json
import subprocess
from typing import Dict, List
class ZeroTrustEnforcer:
def __init__(self):
self.client = docker.from_env()
self.policies = self.load_policies()
def load_policies(self) -> Dict:
return {
"network_policies": {
"default_deny": True,
"allowed_connections": [
{"from": "web-tier", "to": "app-tier", "port": 8080},
{"from": "app-tier", "to": "db-tier", "port": 5432}
]
},
"container_policies": {
"required_labels": ["security.level", "security.owner"],
"forbidden_capabilities": ["SYS_ADMIN", "NET_ADMIN"],
"required_user": "nonroot"
}
}
def enforce_container_policies(self):
"""Enforce security policies on running containers"""
for container in self.client.containers.list():
violations = self.check_container_compliance(container)
if violations:
self.handle_violations(container, violations)
def check_container_compliance(self, container) -> List[str]:
"""Check container against security policies"""
violations = []
# Check required labels
for label in self.policies["container_policies"]["required_labels"]:
if label not in container.labels:
violations.append(f"Missing required label: {label}")
# Check user
config = container.attrs["Config"]
if not config.get("User"):
violations.append("Container running as root")
# Check capabilities
host_config = container.attrs["HostConfig"]
cap_add = host_config.get("CapAdd", [])
forbidden_caps = self.policies["container_policies"]["forbidden_capabilities"]
for cap in cap_add:
if cap in forbidden_caps:
violations.append(f"Forbidden capability: {cap}")
return violations
def handle_violations(self, container, violations: List[str]):
"""Handle policy violations"""
print(f"Policy violations in container {container.name}:")
for violation in violations:
print(f" - {violation}")
# Log violation
self.log_security_event({
"container_id": container.id,
"container_name": container.name,
"violations": violations,
"action": "quarantine"
})
# Quarantine container (stop networking)
self.quarantine_container(container)
def quarantine_container(self, container):
"""Isolate container by removing from networks"""
networks = container.attrs["NetworkSettings"]["Networks"]
for network_name in networks:
if network_name != "none":
network = self.client.networks.get(network_name)
network.disconnect(container)
# Connect to quarantine network
quarantine_net = self.get_or_create_quarantine_network()
quarantine_net.connect(container)
def get_or_create_quarantine_network(self):
"""Get or create quarantine network"""
try:
return self.client.networks.get("quarantine")
except docker.errors.NotFound:
return self.client.networks.create(
"quarantine",
driver="bridge",
internal=True,
labels={"purpose": "security-quarantine"}
)
def log_security_event(self, event: Dict):
"""Log security events"""
with open("/var/log/security-events.json", "a") as f:
json.dump(event, f)
f.write("\n")
if __name__ == "__main__":
enforcer = ZeroTrustEnforcer()
enforcer.enforce_container_policies()
Summary
This section covered core security and optimization concepts:
Advanced Security
- Kernel Security: AppArmor, SELinux, and seccomp profile configuration
- Image Security: Distroless images and multi-stage secure builds
- Runtime Policies: Pod Security Policies and runtime enforcement
- Zero-Trust: Automated policy enforcement and violation handling
Performance Optimization
- Resource Tuning: Advanced CPU, memory, and NUMA optimization
- Storage Performance: Optimized volume configurations and database tuning
- Network Optimization: Kernel parameter tuning and high-performance networking
Monitoring Excellence
- Security Monitoring: Falco, OSSEC, and Suricata integration
- Performance Monitoring: Comprehensive metrics collection with Prometheus and Grafana
- Distributed Tracing: Jaeger for application performance monitoring
Operational Patterns
- Policy Enforcement: Automated compliance checking and remediation
- Incident Response: Security event logging and container quarantine
- Continuous Monitoring: Real-time security and performance assessment
Next Steps: Part 3 explores practical applications including real-world security implementations, performance optimization case studies, and enterprise monitoring deployments.