I have 2 physical machines in a co-location data center and want to make the best use of them. I am thinking of using Docker and Weave to run a highly secure web application (Tomcat, MySQL, MongoDB) and want to be extra careful about security. Below is my architecture. Can people with Docker deployment experience provide feedback?
a) Create a CentOS 6 OS on both physical machines with SSH and install Shorewall. The Shorewall firewall will allow only SSH and ports 80 and 443, and 80 and 443 will be forwarded to the VMs running the Tomcat container. No Docker is installed on the physical machines.
b) Install VirtualBox on both physical machines and launch multiple VMs; each VM is accessible only via an SSH tunnel through the physical machine, thus providing an extra layer of security.
c) Have Docker and a Weave network built on each VM, i.e. build the Weave network with the VMs as hosts.
d) All Tomcat, MySQL and MongoDB containers are launched on the VMs only.
The advantage of this configuration is that my physical machines and Docker are separated, which adds an additional layer of security.
I am planning on building this up. I would like to know if anyone anticipates any issues or challenges, or has suggestions for a more secure/robust way of utilising the 2 servers.
Any guidance or links for further reading are highly appreciated.
Thanks UK.
Your infrastructure is a good start, but only a start.
You would need to configure those applications properly in order to be more secure (no matter how or where they are running, in Docker containers or not): for instance, make sure your response headers don't include the name of the application and its version (see "Apache Tomcat 8 Security considerations" or "Improving Apache Tomcat Security" for much more).
Plus, the issue with Docker containers is processes running as root within those containers and making system calls directly to the kernel (without scope limitation by default, meaning all system calls are allowed).
That is what Docker 1.9 started to do with PR 12648 (Phase 1 implementation of user namespaces as a remapped container root) and issue 15187 (… `--net=host` or `--net=container:<id>`) … root user for all containers.
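On the header point above, here is what the Tomcat side of that advice looks like in `conf/server.xml`. This is an added example, not part of the question or the answer: by default the `ErrorReportValve` prints "Apache Tomcat/8.0.x" at the bottom of every error page, and the `server` attribute on the Connector is the documented way to control the `Server` response header. The value `Apache` is an assumed placeholder; use whatever neutral string you prefer.

```xml
<!-- Added example (not from the question or answer): hardened fragments for
     Tomcat's conf/server.xml so neither headers nor error pages reveal the
     product name or version. -->

<!-- 1. Connector: without a "server" attribute, older Tomcat versions answer
        with "Server: Apache-Coyote/1.1". Setting it overrides any Server
        header, including ones a web application tries to set.
        "Apache" is an assumed placeholder value. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           server="Apache" />

<!-- 2. Host: the ErrorReportValve renders the default 404/500 pages.
        showServerInfo="false" removes the "Apache Tomcat/8.0.x" footer,
        showReport="false" removes the stack trace / exception report.
        autoDeploy="false" stops WARs dropped into webapps/ from being
        deployed automatically, which matters once the directory is
        writable by a container process. -->
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="false">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />
</Host>
```

After restarting Tomcat, `curl -sI http://host:8080/does-not-exist` should show the placeholder `Server` value and the returned 404 body should no longer name the Tomcat version; also remove the `manager`, `host-manager`, `docs` and `examples` webapps from the image, since they reveal the version as well.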