Docker Security: Rolling out trust in your container
Ronak Kogta

Docker Docker Docker
Buzz is catching on, and so is technology
Neatly packs multiple applications on one operating system
Gives you a way to compose clusters, manage them and play with them at the scale of 100,000

Idea of Usable Security
A very secure system which is not user-friendly will not be secure for long (because people will find a way to go around it).
Usable Security is a principle of building security systems while considering human workflows.
Speed
Efficiency
Learnability
Memorability
User Preference

Docker Space
It's going to be everywhere
Your Desktop, Workstation & Cloud Infrastructure.
Your Production, Development & Testing Cycles.
It is going to be used by everyone
Your team, clients, and partners.
Independent developers and teams who are using your images.
We should definitely think about #docker-security

Let's think...
How safe is Docker isolation?
If a malicious user has Docker daemon access, what can be done?
Can I use security policies over Docker?
SELinux, AppArmor, GRSEC
Can I really trust the Docker image I install?
Can I ssh to a Docker container?

Enter Least Privilege
Every process must be able to access only the information and resources that are necessary for its legitimate purpose
- Diogo Mónica, Docker
Linux namespaces (isolated view of system.)
Cgroups (limit and isolate the resource usage.)
Linux Security Modules (AppArmor, SELinux)
Capabilities
Per-container ulimit
User-namespaces: root inside is not root outside
Seccomp: Individual syscall filtering (like the Chrome sandbox)

Linux Namespaces

Cgroups, ulimit & User Namespaces
Docker root is not real root. (User Namespaces)
Docker ulimit
With cgroups, you can control the resource usage of a container
docker run --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" ...

Capabilities
Root has certain capabilities, but we don't want our container to have all those capabilities
Each container can have some of the capabilities of root, but not all.
Mounting operations
Access to raw sockets (prevent opening privileged ports, spoofing)
Some file system operations (mkdev, chown, chattrs)
Loading kernel modules

Capabilities
man 7 capabilities
Docker by default drops some capabilities
sys_admin, sys_time, sys_nice, ...
docker run --cap-drop=CHOWN ...
docker run --cap-add=MKNOD ...
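
Added example, not part of the original slides: one way to check which capabilities a container process actually holds is to decode the CapEff bitmask from /proc/<pid>/status. The masks, the function names and the watch list below are constructed for illustration; the watch list is an assumption based on the capabilities the slides name.

```shell
#!/bin/sh
# Added example (not from the slides): decode a CapEff hex mask into
# capability names and flag the ones the slides say a container should lack.

# Names by bit number, as numbered in linux/capability.h (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# Assumption: the watch list is taken from the slides (mounting needs
# sys_admin, module loading needs sys_module, plus sys_time and sys_nice).
RISKY="sys_admin sys_module sys_time sys_nice"

# decode_caps HEXMASK -> space-separated names of the bits that are set
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$(($bit + 1))
    done
    echo "${out# }"
}

# risky_caps HEXMASK -> the subset of $RISKY present in the mask
risky_caps() {
    held=" $(decode_caps "$1") "; found=""
    for r in $RISKY; do
        case "$held" in *" $r "*) found="$found $r" ;; esac
    done
    echo "${found# }"
}

# Constructed sample masks, in the format printed by
# `grep CapEff /proc/1/status` inside a container.
REDUCED_MASK=00000000a80425fb   # constructed: a reduced capability set
FULL_MASK=000001ffffffffff      # constructed: every bit 0..40 set

for m in "$REDUCED_MASK" "$FULL_MASK"; do
    echo "CapEff=$m"
    echo "  holds: $(decode_caps "$m")"
    echo "  risky: $(risky_caps "$m")"
done
```

An empty "risky" line means none of the watched capabilities is present; the second mask shows what a container with every capability bit set would report.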

Seccomp & Syscalls
[Diagram labels: System Calls; OS Utilities; IP Tables; Other User Programs; Device Drivers; NetFilter; Other Kernel Components]
You can block system calls with seccomp. Quite like sandboxing.
Supports syscall filtering by using BPF
A process that makes a blocked syscall is sent SIGKILL
docker run --lxc-conf=common.seccomp ...

More...
Combine Docker with AppArmor/SELinux/TOMOYO Profiles
These profiles help you in deciding minimal privilege for each application.
Preventing permission escalation and unauthorized information disclosure (or worse).
Within the container configuration the related AppArmor profile can be defined with lxc.aa_profile.
docker run --security-opt label:type:svirt_apache ...

More...
GRSEC and PaX
Use a hardened Linux kernel for host, with kernel patches.
User Mappings
Map user/group ids
lxc.id_map = u 0 1000000 65536
lxc.id_map = g 0 1000000 65536
Couple it with docker run --lxc-conf=

Can you really trust your images?
Docker Notary

Docker Notary
Trusted Cross Platform content distribution
Trusted Client – Server Interaction
Publisher signed content
Publisher Key validates integrity of content
Platform Agnostic to distribute any content
https://github.com/docker/notary

Docker Content Trust
[Diagram labels: Publisher, Registry, User]

Publisher's View
Two keys are generated when the publisher first pushes an image.
Tagging Key
Exists for each new repository that the publisher owns
Can be shared with collaborators easily.
Offline Key
Users see this key as the official publisher's key
Important in establishing trust.
Only needed when creating a new repository or rotating an existing repository

Trust Update Framework
Once images are signed, TUF ensures integrity and freshness of content
Notion of Timestamp Key
Needed to ensure freshness guarantees
Generated at remote server.
Docker maintains it for you
http://theupdateframework.com/

Let's attack?

Docker Content Trust
export DOCKER_CONTENT_TRUST=1

DockerBench
Security script that checks for dozens of common best practices around deploying Docker containers in production.
https://dockerbench.com

Thanks

Join Docker Movement
Questions?
IRC: #docker #docker-security
Google Group: Hyderabad Docker Users