DOCKER SECURITY CONFIGURATION
Real-World Examples and Troubleshooting
OVERVIEW
Capabilities
Seccomp
Demo demo demo!
THEME
None of my demos should “work” the first time.
CAPABILITIES
Worst to best:
Run with --privileged=true
Run with --cap-add ALL
Run with --cap-drop ALL --cap-add <only needed>
Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/
DEMO SECTION ONE
REMEMBER THIS?
From my Monday talk. Even in dev you should do this. Break the bad habit.
Do as I say, not as I do!
SECCOMP
3 sections:
Default action
Target architectures
Filter rules
Like firewall rules, but harder to debug!
DEMO SECTION TWO
SECCOMP RETURN VALUES
SECCOMP_RET_KILL
SECCOMP_RET_TRAP
SECCOMP_RET_ERRNO
SECCOMP_RET_TRACE
SECCOMP_RET_ALLOW
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
DOCKER SECCOMP ACTIONS
Kernel return value -> Docker profile action
SECCOMP_RET_KILL
SECCOMP_RET_TRAP
SECCOMP_RET_ERRNO -> SCMP_ACT_ERRNO
SECCOMP_RET_TRACE
SECCOMP_RET_ALLOW -> SCMP_ACT_ALLOW
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
HOW TO BUILD A SECCOMP PROFILE?
We need to build a list of system calls called by the program…
…that we want to succeed
Guess (preferably educated)
RTFM (thanks John!)
Capture behavior – maybe /usr/sbin/strace
Disassembly?
DEMO SECTION THREE
LAW OF DIMINISHING RETURNS
Getting that last 1% can be expensive
DEMO SECTION FOUR
SET IT AND FORGET IT!
no-new-privileges
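To tie together the capabilities ladder, the three seccomp profile sections, the strace-based way of building a profile, and no-new-privileges, here is an added Python example (not from the deck or the Docker project): it parses a constructed strace log into the syscalls that succeeded, emits a Docker seccomp profile with SCMP_ACT_ERRNO as the default and one SCMP_ACT_ALLOW rule, and assembles the hardened docker run line. The sample trace, the nginx image name, the nobody uid and the profile.json path are assumptions made for this example.

```python
import json
import re

# Constructed sample of `strace -f -o trace.txt <program>` output (not from the
# deck); each line is "<pid> <syscall>(<args>) = <return>".
SAMPLE_STRACE = """\
1234 execve("/usr/sbin/nginx", ["nginx"], 0x7ffd6e2a2c80 /* 12 vars */) = 0
1234 openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
1234 read(3, "worker_processes 1;", 4096) = 19
1234 ioctl(0, TCGETS, 0x7ffd6e2a2a10) = -1 ENOTTY (Inappropriate ioctl for device)
1234 socket(AF_INET, SOCK_STREAM, 0) = 4
1234 bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
1234 listen(4, 511) = 0
1234 clone(child_stack=NULL, flags=SIGCHLD) = 1235
1235 +++ exited with 0 +++
1234 --- SIGCHLD {si_signo=SIGCHLD, si_pid=1235} ---
1234 exit_group(0) = ?
"""
CALL_RE = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(.*=\s*(\S+)")  # greedy: last "=" is the return

def syscalls_from_strace(text, include_failed=False):
    """Sorted syscall names the traced program invoked. Signal/exit markers are skipped;
    calls that returned -1 are dropped unless include_failed, since we want the calls that succeed."""
    names = set()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m and (include_failed or m.group(2) != "-1"):
            names.add(m.group(1))
    return sorted(names)

def build_profile(names, arches=("SCMP_ARCH_X86_64",)):
    """Docker seccomp profile in the deck's three sections: default action, target architectures,
    filter rules. Unlisted calls get SCMP_ACT_ERRNO, so a gap shows in strace as "= -1 EPERM"."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": list(arches),
            "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW", "args": []}]}

def docker_run_argv(image, profile_path, needed_caps=(), user="65534:65534"):
    """Hardened `docker run`: drop all capabilities, add back only those needed (relevant when
    the process must run as root), run as an unprivileged user, pin seccomp, no-new-privileges."""
    argv = ["docker", "run", "--rm", "--user", user, "--cap-drop", "ALL"]
    for cap in needed_caps:
        argv += ["--cap-add", cap]
    return argv + ["--security-opt", "no-new-privileges",
                   "--security-opt", f"seccomp={profile_path}", image]

if __name__ == "__main__":
    with open("profile.json", "w") as fh:  # output path chosen for this example
        json.dump(build_profile(syscalls_from_strace(SAMPLE_STRACE)), fh, indent=2)
    print(" ".join(docker_run_argv("nginx", "profile.json")))
```

When a real trace is used, run the container with the generated profile under strace again and look for "= -1 EPERM" to find the calls the first trace missed, then add them to the allow rule.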
TOOLS
Modern OS
objdump (from binutils)
nm
strace
auditd (some day…)
RECOMMENDED READING
Study:
https://docs.docker.com/engine/reference/run/
https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
WAS THIS USEFUL?
@johnlkinsella
http://layeredinsight.com
http://github.com/jlk
REFERENCES
https://github.com/docker/docker/blob/master/docs/security/seccomp.md
http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
http://linux.die.net/man/1/capsh
https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker-seccomp-profiles.md
http://www.slideshare.net/Docker/docker-security-workshop-slides
https://filippo.io/linux-syscall-table/
http://dockersl.im