What's Inside That Container?

(without introducing more risk)
What's Inside That
Container?
Puppet
Gareth Rushgrove
Containers and conﬁg management in the real world

View Slide

@garethr

View Slide

Gareth Rushgrove

View Slide

What we’ll cover
This talk

View Slide

- What is conﬁguration management?
- Docker base image usage
- The problem with containers as black boxes
- Ideas and demos
Gareth Rushgrove

View Slide

Useful background
What is Conﬁguration
Management?

View Slide

- 1950s research
- 1960s 480 series
- 1991 MIL-HDBK-61
- 1998 ANSI-EIA-649
Gareth Rushgrove

View Slide

- Identification
- Control
- Status accounting
- Verification and audit
Gareth Rushgrove
Military Handbook Configuration Management Guidance MIL-HDBK-61B

View Slide

Configuration management verifies
that a system is identified and
documented in sufficient detail
Gareth Rushgrove
National Consensus Standard for Configuration Management EIA-649

View Slide

Configuration management verifies
that a system performs as intended
Gareth Rushgrove
National Consensus Standard for Configuration Management EIA-649

View Slide

NOTE: Not a tool, a practice
Gareth Rushgrove

View Slide

And where to ﬁnd them
Docker Base Images

View Slide

Gareth Rushgrove
Docker Hub API
$ curl -s https://registry.hub.docker.com/v2/...
...repositories/library/ubuntu/ | jq .pull_count

View Slide

Gareth Rushgrove
Image downloads

View Slide

What about other popular ofﬁcial
images? Node (32,523,647), Java
(16,635,049), etc. Currently based
on Debian too
Gareth Rushgrove

View Slide

Gareth Rushgrove
Image size

View Slide

Gareth Rushgrove
Count ﬁles
$ find -maxdepth 1 -type d | while read -r
dir; do printf "%s:\t" "$dir"; find "$dir"
-type f | wc -l; done

View Slide

Gareth Rushgrove
Count packages
$ dpkg -l | grep ^ii | wc -l
$ dnf list installed
$ rpm -qa | wc -l
$ apk info | wc -l

View Slide

Gareth Rushgrove
Image contents

View Slide

Thanks David Gageot

View Slide

Gareth Rushgrove
Popular on GitHub
SELECT RTRIM(LTRIM(SUBSTR(line, 5))) AS line_group.base_image
FROM (
SELECT SPLIT(dockerfile, '\n') AS line
FROM [github.dockerfiles_content]
HAVING LEFT(line, 5) = 'FROM '
)
SELECT image, count(*) AS count
FROM (
SELECT FIRST(SPLIT(line_group.base_image, ':')) AS image
FROM [github.images]
)
GROUP BY image
ORDER BY count DESC

View Slide

Gareth Rushgrove
Image GitHub popularity

View Slide

Gareth Rushgrove
Usage growth

View Slide

Thanks to Microbadger

View Slide

Gareth Rushgrove
Hub image sample

View Slide

Gareth Rushgrove

View Slide

The majority of people using Docker
are using images containing an entire
operating system ﬁlesystem
Gareth Rushgrove

View Slide

Alpine usage is growing more rapidly
than others, but starting from a much
smaller install base
Gareth Rushgrove

View Slide

Scratch, or other approaches like Nix,
appear to occupy a small niche
Gareth Rushgrove

View Slide

Windows and Windows Nano images
will undoubtedly become more
common over the next year or so
Gareth Rushgrove

View Slide

Debian derivatives account for the
majority of images today
Gareth Rushgrove

View Slide

What does this all mean to me?
Problems

View Slide

You don’t know, and that’s a problem

View Slide

Visibility and control are critical

View Slide

What you don’t know can hurt you

View Slide

Vulnerable images on Docker Hub

View Slide

Not quite so simple

View Slide

Can you tell me all the versions of
OpenSSL you have in production
right now?
Gareth Rushgrove

View Slide

Containers are a black box
Gareth Rushgrove

View Slide

Containers are a black box from the
point of view of the scheduler
Gareth Rushgrove

View Slide

Containers are NOT a black box from
the point of view of the operator
Gareth Rushgrove

View Slide

These are all generally configuration
management problems; identification,
control, status accounting, verification
and audit
Gareth Rushgrove

View Slide

Experiments and proof-of-concept work
Ideas

View Slide

Immutability means we need to know
what we put inside the box
Gareth Rushgrove

View Slide

Tangent about immutability

View Slide

It’s not enough to say ubuntu:16.04
Gareth Rushgrove

View Slide

LIVE DEMOS

View Slide

Gareth Rushgrove
Embed inventory in image
$ add-container-inventory centos garethr/centos-inventory
----> Using existing puppet-inventory volume
----> Generating inventory for image centos
----> Saving inventory to temporary image inventory-21042
----> Committing new image to garethr/centos-inventory
sha256:f84b3655252c946dfb888de2d74348afed97ef89d817e469adad3a
----> Cleaning up

View Slide

https://gist.github.com/garethr/
922f6374015b59e0f6cd007f8b34eedf

View Slide

Gareth Rushgrove
Read image inventory data
$ docker run --rm garethr/centos-inventory cat /inventory.json |
{
{
"title": "rpm",
"resource": "package",
"provider": “yum",
"versions": [
"4.11.3-17.el7"
]
},
{
"title": “libuser",
"provider": “yum",

View Slide

Gareth Rushgrove
Runtime and multi-OS
$ docker exec an-opensuse-container cat /inventory.json | jq
{
{
"title": "netcfg",
"provider": "zypper",
"versions": [
"11.5-27.2"
]
},
{
"title": "shadow",
"provider": "zypper",

View Slide

GIVEN all my containers now have an inventory
WHAT things can I do with it?
Gareth Rushgrove

View Slide

Asking the black box what OS
it contains?
Gareth Rushgrove

View Slide

Gareth Rushgrove
Use jq to query inventory
$ docker run --rm garethr/centos-inventory \
cat /inventory.json |
jq '.facts.operatingsystem'
"CentOS"

View Slide

What about a package search engine?
Gareth Rushgrove

View Slide

Gareth Rushgrove
Package search
$ search-inventory rpm
festive_edison rpm 4.11.3-17.el7 yum
optimistic_shockley rpm 4.11.3-17.el7 yum
condescending_swartz rpm 4.11.2-10.1 zypper
festive_edison rpm-libs 4.11.3-17.el7 yum
festive_edison rpm-python 4.11.3-17.el7 yum
optimistic_shockley rpm-libs 4.11.3-17.el7 yum
optimistic_shockley rpm-python 4.11.3-17.el7 yum
festive_edison rpm-build-libs 4.11.3-17.el7 yum
optimistic_shockley rpm-build-libs 4.11.3-17.el7 yum
$ search-inventory package:openssl,provider:yum
festive_edison openssl-libs 1:1.0.1e-51.el7_2.5 yum
optimistic_shockley openssl-libs 1:1.0.1e-51.el7_2.5 yum

View Slide

Search packages across containers

View Slide

Gareth Rushgrove
Search in BigQuery
SELECT
resources.title AS package,
resources.versions AS version,
facts.hostname AS hostname,
facts.operatingsystem AS operatingsystem
FROM
inventory.sample
WHERE
resources.resource="package"
AND resources.title="openssl"

View Slide

checking containers for CVEs?
Gareth Rushgrove

View Slide

Red Hat Security Data API

View Slide

Gareth Rushgrove
CVE scanner
$ scan-containers-for-cves python
---> Scanning package: python
---> CVEs found for python-2.7.5-34.el7 in festive_edison
+---------------+----------+------------+-------------------+
| CVE | Severity | CVSS score | Date |
+---------------+----------+------------+-------------------+
| CVE-2014-4650 | moderate | 5.0 | 23 June 2014 |
| CVE-2013-1752 | moderate | 4.3 | 25 September 2012 |
| CVE-2013-1753 | moderate | 4.3 | 25 September 2012 |
| CVE-2014-7185 | low | 4.0 | 23 June 2014 |
| CVE-2014-4616 | moderate | 4.0 | 19 May 2014 |
+---------------+----------+------------+-------------------+
---> Scanning package: python
---> CVEs found for python-2.7.5-34.el7 in optimistic_shockley
+---------------+----------+------------+-------------------+

View Slide

https://gist.github.com/garethr/
d4f6e23ﬀ19939e4877f441434ede8da

View Slide

If all you remember is
Conclusions

View Slide

Operators treating containers as black
boxes are going to have a bad time
Gareth Rushgrove

View Slide

Beware the difference between
the purity of linux containers and
the pragmatic reality of Docker
base images
Gareth Rushgrove

View Slide

When using containers we
need to reconsider solutions to
previously solved conﬁguration
management problems
Gareth Rushgrove

View Slide

Questions?
And thanks for listening

View Slide

What's Inside That Container?

What's Inside That Container?

Gareth Rushgrove

More Decks by Gareth Rushgrove

Other Decks in Technology

Featured

Transcript