Operating Docker Securely
@fun_cuddles / jenpire.com /
co-‐founder @threatstack, formerly
researcher @Mandiant, engineering /
security analyst @Symantce
Come to our launch happy hour!
Sign up at hacksecure.org/events
what is ?
“Docker containers wrap up a piece of
soMware in a complete ﬁlesystem that
contains everything it needs to run: code,
runPme, system tools, system libraries –
anything you can install on a server. This
guarantees that it will always run the same,
regardless of the environment it is running in.”
docker is ‘virtualization’
• “process” vs “system” virtualizaPon
• the kernel is your hypervisor
• the isolaPon properPes are not the same.
how it works
benefits and features
• speed of provisioning
• startup 1me in seconds, not minutes
• “build once, deploy anywhere”
• speedy builds and deployments
• image layering
• resolves tension between “build” vs. “bake” to facilitate
• image repository facilitates reuse
It’s real and it’s here.
is docker secure?
this is the wrong question.
1. How does proposed Docker usage change my threat
2. How do I ensure I can trust the code running in my
3. How do I know if I’ve conﬁgured my Docker host +
containers in a way that minimizes my risk?
4. How do containers change my security pracPces, e.g.
questions for the security
but also consider
the consistency of applicaPon environments in Docker
containers provides for interesPng opportuni1es for
new automaPon around security hardening, audiPng,
issues with trust
docker images are binaries (opaque)
who am I trusPng?
who is updaPng these things when there is a criPcal
The problem of patch management is a
always be updating!
• Do perform security upgrades (debian example
• sudo docker exec -‐it apt-‐get update
• sudo docker exec -‐it apt-‐get upgrade
-‐s | grep -‐i security # dry run
• sudo docker exec -‐it apt-‐get upgrade
# commit changes when done
who are you
what if someone
replaced libc with a
automate policy audiPng +
for a given container, tell me who/what
I am trusPng
build from a trusted base image
be aware of who you are trusPng
don’t overrely on Docker hub
tooling to apply and
validate security updates
• “The best opPon is to block index.docker.io locally, and
download and verify images manually before imporPng
them into Docker using docker load.”
• Use a private docker registry
on-‐ubuntu-‐14-‐04 , hcps:/
• Use RedHat cerPﬁed containers
• trust, but verify: build an binary audiPng tool for Docker
• e.g., scan images, validate installed libraries and binaries do
not have criPcal security issues and align with signed package
/github.com/banyanops/collector +`cruM’ but for containers?
/github.com/OpenSCAP/container-‐compliance -‐ RHEL only
• contribute to the packaging/distribuPon trust conversaPon!
• references: hcp:/
Docker released a
…it’s 118 pages of material!
the good!: can we automate these
github.com/dockersecuritytools/bacen github to contribute!
the problem of isolation
container hardening: the good
there’s actually a lot of knobs to turn!
• “give root without all of root”
• use ﬂags on Docker command line: —cap-‐add, —
• control resource alloca1on (e.g. memory, cpus)
• prevent one container from sucking all of the
resources (DoS) another container on the same host
• $ docker run -it --rm -m 128m fedora
• user namespaces (soon!) so you don’t have to run
id=0 processes as root!
• seccomp ﬁltering to permit or block individual
system calls (soon!)
AppArmor + SELinux
• SELinux / AppArmor policies (—security-‐opt)
using apparmor with
1. Create the custom proﬁle: vim my_container_profile
2. Load it into app armor: cat my_container_profile |
sudo apparmor_parser -‐r
4. Run it with your docker container: docker run —
5. $$$ Proﬁt?
• Docker’s default capabiliPes are
set by app armor! (and turned
oﬀ when you docker run —
• be careful: when you supply
your own apparmor proﬁle,
your are essenPally resetng
• copy or inherit these when you create a
new proﬁle for your containers.
this looks familiar…
there’s a lot of knobs to turn :(
we can do better.
• IF in the future…
• DockerHub registry becomes your go-‐to trusted
distribuPon source for applicaPons.…
• Why not
• Have a registry for apparmor and SELinux proﬁles
geared for oﬃcial dockerized app containers?
• …Include seccomp ﬁlters and other security conﬁgs?
• Share your polices & reduce the burden of having to
harden your own apps/containers.
docker security-‐profile fetch wordpress:latest
# you can even fetch by image / tag
docker security-‐profile fetch
# allow users to submit/push their own app armor
docker security-‐profile push —-‐profile=“apparmor:/
• we need more automaPon around security audiPng,
hardening, tesPng, and monitoring
• InnovaPon here should come not just from the
• The consistency of Docker containers enables us to
be innovaPve in how we automate the above ^^
is this interesting to you?
• contact me! [email protected]
• follow @securedocker for Docker security news
• Visit me at hacksecure.org