Book Review : Container Security (Oreilly) by Liz Rice
Advice for DevOps friendly software engineers (like me), if you are into docker and containers I would add this book to my must-read list on the subject. In case you are kind of new into the field you better start with at least one of the following.
I wish some years ago, I had this book around to guide me through all the different technologies and dimensions of container security, because let's be honest, it can be overwhelming and if you don't have some kind of structured guide or serious exposure (experience), you can easily get distracted or fall into the trap on blindingly following a single opinion. I think that's the first strong point of this book, it provides a very well-rounded cover on the subject, jumping from the basics to more advanced cases, while trying not to overwhelm the less experienced readers - and not disappoint the experienced audience. If you are an experienced SysAdmin / SRE I guess some topics discussed in the book will already be known to u, especially if you are too deep into container security, or you have attempted to secure containerised workloads. It's always handy to have a book that kind of goes through so much relevant stuff and you could consider it a reference, maybe throw it to your less experienced colleagues to read it over and catch up.
My favourite chapters were 1 to 6, most probably because they were covering core Linux features (namespaces, cgroups), Linux system calls, virtualization. The author on each chapter was building up on the technicalities and in some cases, I was kind of prompted to escape the book and start searching on my own, but I never felt that I have lost track. I also found fascinating chapter 8 that was about the different tools around available for strengthening a container (Secomp, AppArmor etc). Chapter 9 was also a must-read on examples on how to break container isolation, while Chapter 10 made me go back a bit and read again about Networking or clear some more advance Docker networking features that were not clear to me in the past.
I liked that the book has a single chapter covering a very taboo topic on container orchestration - which is Passing secrets to a container. I don't know about you but from the moment I got involved with containers in production - secrets were the subject to talk to.
A great book, I enjoyed it, it made me understand stuff that I was missing in the past and made my knowledge around the matter better and helped me realise that there are several dimensions and solutions (or concerns), rather than blanket solutions and 1 to fit them all opinions. I wish had all this accumulated knowledge in the past, it would have been handy in some meetings I have attended in the past. If you are a DevOps (friendly) software engineer I think it's more than a must go-to through such a book. Containers are part of our dev life, we use them to develop code, to test code, to deploy in production. Securing containers should start to be embedded in our craft, after all, that is all about DevOps :) - trying to accumulate skills and knowledge from different fields and combine them accordingly so that you can be more effective!
I would be keen on reading another book by Liz Rice, really enjoyed her approach and structure.