docker security configuration
DOCKER SECURITY CONFIGURATION
Real-World Examples and Troubleshooting
OVERVIEW
Capabilities
Seccomp
Demo demo demo!
THEME
None of my demos should “work” the first time.
CAPABILITIES
Worst to best:
Run with --privileged=true
Run with --cap-add ALL
Run with --cap-drop ALL --cap-add <only needed>
Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/
DEMO SECTION ONE
REMEMBER THIS?
From my Monday talk. Even in dev you should do this. Break the bad habit.
Do as I say, not as I do!
SECCOMP
3 sections:
Default Action
Target architectures
Filter rules
Like firewall rules, but harder to debug!
DEMO SECTION TWO
SECCOMP RETURN VALUES
SECCOMP_RET_KILL
SECCOMP_RET_TRAP
SECCOMP_RET_ERRNO
SECCOMP_RET_TRACE
SECCOMP_RET_ALLOW
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
DOCKER SECCOMP ACTIONS
SECCOMP_RET_KILL
SECCOMP_RET_TRAP
SECCOMP_RET_ERRNO -> SCMP_ACT_ERRNO
SECCOMP_RET_TRACE
SECCOMP_RET_ALLOW -> SCMP_ACT_ALLOW
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
HOW TO BUILD A SECCOMP PROFILE?
We need to build a list of system calls called by the program…
…that we want to succeed
Guess (preferably educated)
RTFM (thanks John!)
Capture behavior – maybe /usr/sbin/strace
Disassembly?
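Added example, not from the slides: a Python script that turns a constructed strace -f capture (the "capture behavior" step) into a Docker seccomp profile with the three sections named earlier (default action, target architectures, filter rules), denying everything by default with SCMP_ACT_ERRNO and allowing only the syscalls observed. The strace lines, the x86 architecture list and the profile file name are assumptions for illustration.

```python
import json
import re

# Constructed sample of "strace -f" output for illustration (not a real capture).
SAMPLE_STRACE = """\
execve("/bin/cat", ["cat", "/etc/hostname"], 0x7ffd1a2b3c40) = 0
brk(NULL) = 0x55d5c8a1c000
[pid  2047] openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
[pid  2047] fstat(3, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
read(3, <unfinished ...>
<... read resumed>"web-1\\n", 131072) = 6
write(1, "web-1\\n", 6) = 6
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2047} ---
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
"""

# Syscall name at the start of a line, with or without the "[pid NNNN]" prefix.
# Signal ("---"), exit ("+++") and "<... resumed>" lines deliberately do not
# match, so an interrupted call is counted once, from its "unfinished" line.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")


def syscalls_from_strace(text):
    """Return the sorted, de-duplicated syscall names seen in strace output."""
    names = set()
    for line in text.splitlines():
        match = SYSCALL_RE.match(line)
        if match:
            names.add(match.group(1))
    return sorted(names)


def build_profile(names, default_action="SCMP_ACT_ERRNO"):
    """Docker seccomp profile: default action, architectures, filter rules."""
    # Unlisted syscalls fail with an errno (EPERM) rather than killing the
    # process, which is far easier to debug when a demo does not work first time.
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW", "args": []}],
    }


if __name__ == "__main__":
    # Save the output as profile.json, then run the container with
    # --security-opt seccomp=profile.json and watch what breaks.
    profile = build_profile(syscalls_from_strace(SAMPLE_STRACE))
    print(json.dumps(profile, indent=2))
```

Expect to iterate: strace only sees one run of the program, so code paths not exercised during capture (signal handlers, error branches) will show up later as EPERM failures that the default action makes visible.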
DEMO SECTION THREE
LAW OF DIMINISHING RETURNS
Getting that last 1% can be expensive
DEMO SECTION FOUR
SET IT AND FORGET IT!
no-new-privileges
TOOLS
Modern OS
objdump (from binutils)
nm
strace
auditd (some day…)
RECOMMENDED READING
Study:
https://docs.docker.com/engine/reference/run/
https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
WAS THIS USEFUL? @johnlkinsella
http://layeredinsight.com
http://github.com/jlk
REFERENCES
https://github.com/docker/docker/blob/master/docs/security/seccomp.md
http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
http://linux.die.net/man/1/capsh
https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker-seccomp-profiles.md
http://www.slideshare.net/Docker/docker-security-workshop-slides
https://filippo.io/linux-syscall-table/
http://dockersl.im