突き破って学ぶコンテナセキュリティ/container-breakout-cncj-lt

!NPDIJ[VLJ ಥ͖ഁֶͬͯͿίϯςφηΩϡϦςΟ $/$+$MPVE/BUJWF4FDVSJUZ+BQBO-5ࡇΓ

XIPBNJ !NPDIJ[VLJ 🌕,FJUB.PDIJ[VLJ ❤,VCFSOFUFT 🚨"GPY OPUBSBDDPPOEPH

<એ఻>$MPVE/BUJWF%BZT8JOUFS ৐ͬऔΕ,VCFSOFUFTʂʂdϦεΫ͔ΒֶͿ,VCFSOFUFTηΩϡϦςΟͷߟ͑ํd IUUQTFWFOUDMPVEOBUJWFEBZTKQDOEXUBMLT

<એ఻>,VCFSOFUFT#MPH ,VCFSOFUFT#MPH4QPUMJHIUPO,VCFSOFUFT6QTUSFBN5SBJOJOHJO+BQBO IUUQTLVCFSOFUFTJPCMPHLTVQTUSFBNUSBJOJOHKBQBOTQPUMJHIU

஫ҙࣄ߲ ຊൃද͸αΠόʔ߈ܸΛߠఆ͢Δ΋ͷͰ͸͋Γ·ͤΜ ܝࡌ಺༰͸ݸਓͷݟղͰ͋Γɺॴଐ͢Δاۀ΍૊৫ͷཱ৔ɺઓུɺҙݟΛ୅ද͢Δ΋ͷͰ͸͋Γ·ͤΜ هࡌ͞Ε͍ͯΔձ໊ࣾɺ঎඼໊ɺ·ͨ͸αʔϏε໊͸ɺ֤ࣾͷ঎ඪొ࿥·ͨ͸঎ඪͰ͢

ίϯςφηΩϡϦςΟʁ ίϯςφ΍,VCFSOFUFT͸Ϋϥ΢υωΠςΟϒٕज़ͷதͰ΋޿͘׆༻͞ΕΔٕज़ͱͳΓ·ͨ͠ɻ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

ίϯςφηΩϡϦςΟʁ コンテナセキュリティやって。ぶっちゃけよくわからんけどいい感じにね！はいっ !

ίϯςφηΩϡϦςΟʁ ͿͬͪΌ͚΍Γͨ͘ͳ͍ むずそう。。。え、やだえ、待って、何やれば良いの？コンテナセキュリティ is 何？

ίϯςφηΩϡϦςΟʁ ಛʹ1SPEVDUJPO؀ڥͰ,VCFSOFUFTίϯςφΛར༻͢Δ࣌ ηΩϡϦςΟͷݕ౼͸ආ͚ͯ௨Δ͜ͱͷͰ͖ͳ͍՝୊ͷͭ 🛡 🗡 Ͱ΋΍Βͳ͖Ό͍͚ͳ͍

ίϯςφηΩϡϦςΟʁ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

ίϯςφηΩϡϦςΟʁ ຊ೔ͷηογϣϯ͸ίϯςφΛѻ͏্Ͱͷ୅දతͳηΩϡϦςΟϦεΫͰ͋Δ$POUBJOFS#SFBLPVUʹ ͍ͭͯ஌Δ͜ͱͰɺίϯςφηΩϡϦςΟΛҙࣝ͢Δ͖͔͚ͬΛ࡞Δ͜ͱΛ໨తͱ͍ͯ͠·͢ɻ If we had never experienced dropping and
breaking a glass, we would not have needed a glass that doesn’t break when dropped. ΋͠ࢲ͕ͨͪάϥεΛམͱׂͯ͠ΔܦݧΛ͍ͯ͠ͳ͔ͬͨͳΒɺམͱͯ͠΋ׂΕͳ͍άϥεΛඞཁͱ͠ͳ͔ͬͨͰ͠ΐ͏ɻ

8IBUT$POUBJOFS ίϯςφ͸ίϯςφϗετ͔ΒݟΕ͹ͭͷϓϩηεʹա͗·ͤΜɻ ௨ৗͷϓϩηεͱͷҧ͍͸ɺ-JOVYΧʔωϧͷ༷࣋ͭʑͳ࢓૊ΈʹΑΓ ίϯςφϓϩηε͕ଞ͔Βִ཭͞Ε͍ͯΔ఺Ͱ͢ɻ ॾઆ͋Γ $POUBJOFS 1SPDFTT 1SPDFTT" 1SPDFTT# 全て1プロセスに過ぎない
࣮ߦ؀ڥݖݶϦιʔε ͷ؍఺Ͱִ཭ ίϯςφϗετ

$POUBJOFS#SFBLPVU ίϯςφΛѻ͏্Ͱͷ୅දతͳηΩϡϦςΟϦεΫͱͯ͠$POUBJOFS#SFBLPVU͕͋Γ·͢ɻ ίϯςφ͸ִ཭͞Εͨ؀ڥΛ࡞Γग़ٕ͢ज़Ͱ͕͢ɺίϯςφͷઃఆෆඋ΍੬ऑੑ౳͕ཁҼͱͳΓɺ ίϯςφͷִ཭؀ڥ͔Β֎෦ʹӨڹΛٴ΅͢͜ͱ͕ՄೳʹͳΔ৔߹͕͋Γ·͢ɻ ಛʹίϯςφ͸ෳ਺ͷίϯςφ͕ಉҰͷίϯςφϗετͰ࣮ߦ͞ΕΔέʔε͕ҰൠతͰ͋ΔͨΊɺ $POUBJOFS#SFBLPVU͕੒ཱ͢ΔͱͦͷӨڹ͕ଞͷίϯςφʹ೾ٴ͢ΔϦεΫ΋͋Γ·͢ɻ $POUBJOFS 1SPDFTT ίϯςφϗετ $POUBJOFS
1SPDFTT

$POUBJOFS#SFBLPVU 08"41,VCFSOFUFT5PQ5FO 5PQ,VCFSOFUFT3JTLTΑΓ IUUQTPXBTQPSHXXXQSPKFDULVCFSOFUFTUPQUFOFOTSD,JOTFDVSFXPSLMPBEDPO fi HVSBUJPOT

$POUBJOFS#SFBLPVU ຊ೔ͷηογϣϯͰ͸,VCFSOFUFTͰίϯςφΛѻ͏্Ͱɺ $POUBJOFS#SFBLPVU͕ൃੜ͢ΔέʔεΛ͍͔ͭ͘͝঺հ͠·͢ɻ ✅ύλʔϯಛݖίϯςφ ✅ύλʔϯ/BNFTQBDFͷڞ༗ ✅ύλʔϯύλʔϯ

ύλʔϯ ಛݖίϯςφ

ύλʔϯಛݖίϯςφ $POUBJOFS#SFBLPVU͕ൃੜ͢ΔཁҼͱͯ͠࠷΋୅දతͳͷ͕ಛݖίϯςφͰ͢ɻ ௨ৗίϯςφͰ͸$BQBCJMJUZ΍ϑΝΠϧγεςϜ΁ͷΞΫηε੍ޚΛ͸͡Ίͱͨ͠࢓૊ΈʹΑΓ ίϯςφϓϩηε͕ίϯςφϗετʹରͯ͠༗͢Δݖݶ੍͕ݶ͞Ε·͢ɻ ͔͠͠ಛݖίϯςφͰ͸ݪଇͦΕΒͷ੍ݶ͕ߦΘΕͣɺ͋ΒΏΔૢ࡞͕ՄೳʹͳΓ·͢ɻ ίϯςφϗετ /PEF ͋ΒΏΔૢ࡞͕Մೳ $POUBJOFS 1SPDFTT
$POUBJOFS 1SPDFTT ڐՄ͞Εͨૢ࡞ͷΈՄೳ QSJWJMFHFEUSVF -JOVYΧʔωϧʹର͢Δ ੍ݶ͕ແޮԽ͞Εͨঢ়ଶ

ύλʔϯಛݖίϯςφ ҎԼͷϚχϑΣετΛ༻͍ͯ,VCFSOFUFTʹ1PEΛσϓϩΠ͢Δͱɺ 1PE಺ͷίϯςφʹ͸ಛݖ͕෇༩͞Ε·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFQSJWJMFHFEQPE MBCFMT BQQQSJWJMFHFEQPE TQFD
DPOUBJOFST OBNFVCVOUV JNBHFVCVOUV DPNNBOE<CJOCBTI D TMFFQJO fi OJUZ> TFDVSJUZ$POUFYU QSJWJMFHFEUSVF コンテナに特権を付与 QSJWJMFHFEQPEZBNM

ύλʔϯಛݖίϯςφ SPPU!QSJWJMFHFEQPEDBU&0'DNE CJOTI FDIP)FMMPGSPN$POUBJOFSUNQPVUQVU &0' SPPU!QSJWJMFHFEQPEDINPE YDNE SPPU!QSJWJMFHFEQPENPVOU PWFSMBZPOUZQFPWFSMBZ
SX SFMBUJNF MPXFSEJS VQQFSEJSWBSMJCDPOUBJOFSEJPDPOUBJOFSETOBQTIPUUFSWPWFSMBZGT TOBQTIPUTGT XPSLEJS SPPU!QSJWJMFHFEQPEFDIPcWBSMJCDPOUBJOFSEJPDPOUBJOFSETOBQTIPUUFSWPWFSMBZGTTOBQTIPUTGTDNEa QSPDTZTLFSOFMDPSF@QBUUFSO SPPU!QSJWJMFHFEQPETMFFQJO fi OJUZ SPPU!QSJWJMFHFEQPELJMM4*(4&(7 <> 4FHNFOUBUJPOGBVMU DPSFEVNQFE TMFFQJO fi OJUZ core_patternファイルにパイプで実行したいプログラムを渡す Nodeで実行したいコマンドを記載したプログラムを作成 Nodeから見たときにこのプログラムが配置されるパスを特定(cf overlayfs) コアダンプを出力させる ྫ͑͹ಛݖίϯςφʹ৵ೖͨ͠߈ܸऀ͕-JOVYͷίΞμϯϓͷػೳΛ࢖༻͢Δͱɺ ೚ҙͷίϚϯυΛίϯςφϗετ /PEF Ͱ࣮ߦ͢Δ͜ͱ͕Ͱ͖·͢ɻ ಛݖίϯςφ

ύλʔϯಛݖίϯςφ SPPU!LTDMVTUFSOPEFdDBUUNQPVUQVU )FMMPGSPN$POUBJOFS Nodeで任意のコマンドを実行できた ࢀߟ ͜ͷख๏Ͱ͸ίΞμϯϓग़ྗ࣌ʹύΠϓΛܦ༝ͯ͠೚ҙͷϓϩάϥϜΛ࣮ߦͤ͞Δ࢓૊ΈΛ࢖༻͍ͯ͠·͢ɻ ίϯςφϗετ ίϯςφϗετΛ֬ೝ͢Δͱɺίϯςφ಺Ͱ࡞੒ͨ͠ϓϩάϥϜ͕ίϯςφϗετ্Ͱ ࣮ߦ͞Εͨܗ੻͕֬ೝͰ͖·͢ɻ
͜ͷྫͰ͸ɺಛݖίϯςφ͕QSPDTZTʹରͯ͠ॻ͖ࠐΈΛߦ͑Δ͜ͱΛѱ༻͠ɺ $POUBJOFS#SFBLPVUΛߦ͍·ͨ͠ɻ ௨ৗͷίϯςφͰ͸QSPDTZT͕3FBE0OMZͱͳ͓ͬͯΓॻ͖ࠐΈ͕ېࢭ͞Ε͍ͯ·͢ɻ 1JQJOHDPSFEVNQTUPBQSPHSBN ɹ4JODF-JOVY -JOVYTVQQPSUTBOBMUFSOBUFTZOUBYGPSUIFQSPDTZTLFSOFMDPSF@QBUUFSO fi MF *GUIF fi STUDIBSBDUFSPGUIJT fi MFJTBQJQFTZNCPM c UIFOUIFSFNBJOEFSPGUIFMJOFJT ɹJOUFSQSFUFEBTUIFDPNNBOEMJOFGPSBVTFSTQBDFQSPHSBN PSTDSJQU UIBUJTUPCFFYFDVUFE DPSF -JOVYNBOVBMQBHF ɹIUUQTXXXNBOPSHMJOVYNBOQBHFTNBODPSFIUNM

ύλʔϯ /BNFTQBDFͷڞ༗

ύλʔϯ/BNFTQBDFͷڞ༗ ௨ৗίϯςφͰ͸-JOVY/BNFTQBDFΛ͸͡Ίͱͨ͠࢓૊ΈʹΑΓɺ ίϯςφϓϩηεͷ࣮ߦ؀ڥ͕ίϯςφϗετͰ࣮ߦ͞ΕΔଞͷϓϩηε͔Βִ཭͞Ε·͢ɻ ͔͠͠Ұ෦ͷ࣮ߦ؀ڥ͕ίϯςφϗετͱڞ༗͞Ε͍ͯΔ͜ͱ͕ϦεΫΛҾ͖ى͜͢৔߹͕͋Γ·͢ɻ ྫ͑͹1*%ͷִ཭Λ࣮ݱ͢Δ1*%/BNFTQBDF͕ίϯςφͱίϯςφϗετͰڞ༗͞Ε͍ͯΔ৔߹ɺ ίϯςφ͔ΒίϯςφϗετͰ࣮ߦ͞Ε͍ͯΔશͯͷϓϩηε ଞͷίϯςφϓϩηεؚ Λ ࢀরՄೳͳঢ়ଶʹͳΓ·͢ɻ $POUBJOFS
1SPDFTT 1SPDFTT" 1SPDFTT# IPTU1*%USVF ଞϓϩηεΛ ࢀরՄೳͳঢ়ଶ ίϯςφϗετ /PEF

ࢀߟ /BNFTQBDF෼཭ͷΠϝʔδ

ύλʔϯ/BNFTQBDFͷڞ༗ ҎԼͷϚχϑΣετΛ༻͍ͯ,VCFSOFUFTʹ1PEΛσϓϩΠ͢Δͱɺ 1PE಺ͷίϯςφͱίϯςφϗετؒͰ1*%/BNFTQBDF͕ڞ༗͞Ε·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFIPTUQJEQPE MBCFMT BQQIPTUQJEQPE TQFD
IPTU1*%USVF DPOUBJOFST OBNFVCVOUV JNBHFVCVOUV DPNNBOE<CJOCBTI D TMFFQJO fi OJUZ> IPTUQJEQPEZBNM PID NamespaceをNodeと共有 ˞-JOVY/BNFTQBDF㱠,VCFSOFUFT/BNFTQBDF

ύλʔϯ/BNFTQBDFͷڞ༗ ίϯςφϗετͱ1*%/BNFTQBDF͕ڞ༗͞Εͨίϯςφ͔Β͸ɺ ίϯςφϗετͰ࣮ߦ͞Ε͍ͯΔશͯͷϓϩηεΛࢀরͰ͖·͢ɻ SPPU!IPTUQJEQPEQTBVYG 64&31*%$16.&.74;34455:45"545"355*.&$0.."/% SPPU 4"VH<LUISFBEE> SPPU 4MVTSMPDBMCJODPOUBJOFSETIJNSVODWOBNFTQBDFLTJPJEE
4Ta@QBVTF SPPU 4Ta@OHJOYNBTUFSQSPDFTTOHJOYHEBFNPOP ff 4a@OHJOYXPSLFSQSPDFTT 4a@OHJOYXPSLFSQSPDFTT SPPU 4MVTSMPDBMCJODPOUBJOFSETIJNSVODWOBNFTQBDFLTJPJEB 4Ta@QBVTF SPPU 4Ta@TMFFQJO fi OJUZ SPPUQUT4Ta@CJOCBTI SPPUQUT3 a@QTBVYG 1*%/BNFTQBDFڞ༗͋Γ SPPU!VCVOUVQTBVYG 64&31*%$16.&.74;34455:45"545"355*.&$0.."/% SPPUQUT4TCJOCBTI SPPUQUT3 QTBVYG 1*%/BNFTQBDFڞ༗ͳ͠ 通常はコンテナ内のプロセスしか参照できないコンテナホストの全てのプロセスを参照できる自分以外のコンテナプロセスも参照できる(Nginx コンテナ)

ύλʔϯ/BNFTQBDFͷڞ༗ ͜ΕΛѱ༻͢Δͱɺ৵ೖͨ͠ίϯςφ͔ΒผͷίϯςφʹӨڹΛٴ΅͢͜ͱ͕Ͱ͖·͢ɻ LVCFDUMMPHTOHJOYG EPDLFSFOUSZQPJOUTIEPDLFSFOUSZQPJOUEJTOPUFNQUZ XJMMBUUFNQUUPQFSGPSNDPO fi HVSBUJPO <OPUJDF>TUBSUXPSLFSQSPDFTT *NTQFBLJOHEJSFDUMZUPZPVSDPOUBJOFS
/HJOY1PEͷϩά SPPU!IPTUQJEQPE1*% SPPU!IPTUQJEQPEMTQSPD1*%SPPU CJOCPPUEFWEPDLFSFOUSZQPJOUEEPDLFSFOUSZQPJOUTIFUD SPPU!IPTUQJEQPEDBUQSPD1*%SPPUVTSTIBSFOHJOYIUNMJOEFYIUNM %0$5:1&IUNM IUNM IFBE UJUMF8FMDPNFUPOHJOYUJUMF IUNM SPPU!IPTUQJEQPEFDIP *NTQFBLJOHEJSFDUMZUPZPVSDPOUBJOFS QSPD1*%GE 先のpsコマンドから対象のコンテナのPIDを特定 (Nginxコンテナ) ファイルシステムを参照コンテナログを汚染 1*%/BNFTQBDFڞ༗͋Γ

ύλʔϯ ύλʔϯ

ύλʔϯύλʔϯ ύλʔϯͷಛݖίϯςφΛύλʔϯͰղઆͨ͠1*%/BNFTQBDFͷڞ༗Λ༗ޮԽͨ͠ঢ়ଶͰ ࣮ߦ͢Δͱɺίϯςφ͔Βίϯςφϗετʹ෼͔Γ΍͘͢৵ೖ͢Δ͜ͱ͕Ͱ͖·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFQSJWJMFHFEIPTUQJEQPE MBCFMT BQQQSJWJMFHFEIPTUQJEQPE
TQFD IPTU1*%USVF DPOUBJOFST OBNFVCVOUV JNBHFVCVOUV DPNNBOE<CJOCBTI D TMFFQJO fi OJUZ TFDVSJUZ$POUFYU QSJWJMFHFEUSVF QSJWJMFHFEIPTUQJEQPEZBNM SPPU!QSJWJMFHFEIPTUQJEQPEIPTUOBNF QSJWJMFHFEIPTUQJEQPE SPPU!QSJWJMFHFEIPTUQJEQPEOTFOUFSUBCJOCBTI SPPU!LTDMVTUFSOPEFIPTUOBNF LTDMVTUFSOPEF コンテナのホスト名コンテナホストと同じ Namespaceでbashを実行コンテナホストに侵入できたパターン1 コンテナに特権を付与パターン2 PID NamespaceをNodeと共有

ରࡦίϯςφͷִ཭ੑΛҡ࣋ɾ޲্ͤ͞Δ ίϯςφ։ൃऀ͕ίϯςφΛ࣮ߦ͢Δࡍ͸͜ͷΑ͏ͳϦεΫΛ౿·͑ɺ ʮίϯςφͷִ཭ੑΛҡ࣋ɾ޲্ʯͤ͞ΔͨΊͷରࡦΛߦ͏ඞཁ͕͋Γ·͢ɻ ίϯςφ֎ʹӨڹ $POUBJOFS 1SPDFTT $POUBJOFS 1SPDFTT ίϯςφͷִ཭ੑ͕֬อ͞Ε͓ͯΓ ηΩϡϦςΟϨϕϧ͕ߴ͍ঢ়ଶ
ίϯςφͷִ཭ੑ͕֬อ͞Ε͓ͯΒͣ ηΩϡϦςΟϨϕϧ͕௿͍ঢ়ଶ #SFBLPVU ίϯςφϗετ /PEF

✅ෆཁͳઃఆΛߦΘͳ͍ ɹɹίϯςφͱͯ͠࠷௿ݶͷִ཭ੑΛ֬อ͢Δ ✅ִ཭ੑΛߴΊΔઃఆΛߦ͏ ɹɹ௥ՃͷઃఆʹΑΓִ཭ੑΛ͞ΒʹߴΊΔ ɹɹ ྫ͑͹੬ऑੑ౳ʹΑִͬͯ཭ੑͷ௿Լ͕ىͬͯ͜΋ॿ͔ΔՄೳੑ͕͋Δ ✅ίϯςφઃఆͷεΩϟϯ ɹɹίϯςφʹରִͯ͠཭ੑͷ௿Լʹܨ͕Δઃఆ͕ߦΘΕ͍ͯͳ͍͔Λݕ஌ ɹɹFH,VCFSOFUFTͰ͋Ε͹1PEͷઃఆΛεΩϟϯ
5SJWZ LVCFMJOUFSFUD ✅ͦͷଞ ɹɹϙϦγʔ੍ޚɺηΩϡΞͳίϯςφϥϯλΠϜɺৼΔ෣͍؂ࢹFUD ରࡦίϯςφͷִ཭ੑΛҡ࣋ɾ޲্ͤ͞Δ 1PE4FDVSJUZ4UBOEBSET IUUQTLVCFSOFUFTJPEPDTDPODFQUTTFDVSJUZQPETFDVSJUZTUBOEBSET Pod Security Standards*

ରࡦίϯςφͷִ཭ੑΛҡ࣋ɾ޲্ͤ͞Δ ࣍ͷίϯςφηΩϡϦςΟͷ࣌୅6TFS/BNFTQBDF8JUIB1PE IUUQTTQFBLFSEFDLDPNQGODMPVEOBUJWFEBZTVTFSOBNFTQBDFXJUIBQPE

One more things...

0OFNPSFUIJOHT ࣍ͷΑ͏ͳ%PDLFS fi MF͔ΒίϯςφΠϝʔδΛϏϧυ͠ɺ 1PEΛσϓϩΠ͢ΔͨΊͷϚχϑΣετΛ༻ҙ͠·͢ɻ '30.VCVOUV 803,%*3QSPDTFMGGE $.%<CJOCBTI D XIJMFEPCBTIJEFWUDQ*1@"%%3&44TMFFQEPOF>
%PDLFS fi MF DWFVCVOUVSFWFSTF BQJ7FSTJPOW LJOE1PE NFUBEBUB MBCFMT BQQVCVOUVSFWFSTF OBNFVCVOUVSFWFSTF TQFD DPOUBJOFST JNBHF3&(*453:@63-DWFVCVOUVSFWFSTF OBNFVCVOUV VCVOUVSFWFSTFZBNM 特にコンテナの隔離性を低下させるような設定は含まれていない何の変哲もない？Dockerfile (少なくとも脆弱性等は含まれない)

0OFNPSFUIJOHT LVCFDUMBQQMZGVCVOUVSFWFSTFZBNM LVCFDUMHFUQPEVCVOUVPXJEF /".&3&"%:45"5643&45"354"(&*1/0%& VCVOUVSFWFSTF3VOOJOHTLTDMVTUFSOPEF 1PEΛσϓϩΠ ODMQ TIFMMJOJUFSSPSSFUSJFWJOHDVSSFOUEJSFDUPSZHFUDXEDBOOPUBDDFTTQBSFOUEJSFDUPSJFT/PTVDI fi MFPSEJSFDUPSZ
CBTIDBOOPUTFUUFSNJOBMQSPDFTTHSPVQ *OBQQSPQSJBUFJPDUMGPSEFWJDF CBTIOPKPCDPOUSPMJOUIJTTIFMM SPPU!VCVOUVSFWFSTFDISPPUQZUIPODJNQPSUQUZQUZTQBXO CJOCBTI SPPU!VCVOUVSFWFSTFDBUFUDIPTUOBNF LTDMVTUFSOPEF ߈ܸ୺຤Ͱ଴ͪड͚ঢ়ଶΛ࡞Δ ୺຤ͷ*1ΞυϨε͸%PDLFS fi MFͰࢦఆͨ͠*1@"%%3&44 1PEΛσϓϩΠ͠߈ܸ୺຤Ͱ଴ͪड͚ঢ়ଶΛ࡞Δͱɺίϯςφϗετͱηογϣϯཱ͕֬͞Εɺ /PEFʹ৵ೖ SPPUGTʹΞΫηε Ͱ͖ͨ͜ͱ͕֬ೝͰ͖·͢ɻ コンテナホストのrootfsにアクセスできた

$7& -FBLZ7FTTFM ίϯςφϗετ /PEF VCVOUVSFWFSTF ίϯςφͷઃఆ͸໰୊ͳ͔ͬͨ ˞ίϯςφΠϝʔδʹ͸੬ऑੑΛѱ༻͢Δࡉ޻͕͞Ε͍ͯͨ 1SPDFTT ίϯςφ͔ΒίϯςφϗετͷϑΝΠϧγεςϜ΁ͷΞΫηεΛҾ͖ى͜͢SVODͷ੬ऑੑΛѱ༻ɻ ͜ͷΑ͏ʹɺίϯςφͷઃఆʹ໰୊͕ͳͯ͘΋ίϯςφ͕࣮ߦ͞Ε͍ͯΔ؀ڥͷ੬ऑੑʹىҼͯ͠
$POUBJOFS#SFBLPVU͕ൃੜ͢Δ৔߹΋͋ΔͨΊ஫ҙ͕ඞཁͰ͢ɻ ίϯςφϥϯλΠϜ 0$* ͷ੬ऑੑʹΑΓ ίϯςφͷִ཭ੑ͕௿Լͨ͠ SPPUGT $3*3VOUJNF DPOUBJOFSE 0$*3VOUJNF SVODW $7& -FBLZ7FTTFM IUUQTOWEOJTUHPWWVMOEFUBJM$7&

ࢀߟ աڈʹൃݟ͞Εͨ੬ऑੑͷྫ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJMDWF ɹɹίϯςφ͔ΒSVODͷόΠφϦͷॻ͖׵͑Λߦ͏͜ͱͰಛݖঢ֨ΛҾ͖ى͜͢SVODͷ੬ऑੑ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJMDWF ɹɹ/PEFͱͷ௨৴Λߦ͏ࡍʹDSFEFOUJBM৘ใ͕ୣऔ͞ΕΔՄೳੑʹܨ͕ΔLVCFBQJTFSWFSͷ੬ऑੑ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹίϯςφ͔ΒDHSPVQWͷSFMFBTF@BHFOUΛհͯ͠ಛݖঢ֨ΛҾ͖ى͜͢-JOVYΧʔωϧͷ੬ऑੑ ✅$7&
-FBLZ7FTTFMT IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹίϯςφ͔ΒίϯςφϗετͷϑΝΠϧγεςϜ΁ͷΞΫηεΛҾ͖ى͜͢SVODͷ੬ऑੑ ✅$7&IUUQTOWEOJTUHPWWVMOEFUBJM$7& ɹɹඇਪ঑ͷHJU3FQPUZQFWPMVNFΛ࢖༻ͯ͠ಛݖঢ֨ΛҾ͖ى͜͢LVCFMFUͷ੬ऑੑɹɹ ࢀߟ ,VCFSOFUFT0 ff i DJBM$7&'FFE ɹɹɹIUUQTLVCFSOFUFTJPEPDTSFGFSFODFJTTVFTTFDVSJUZP ffi DJBMDWFGFFE

·ͱΊ ✅$POUBJOFS#SFBLPVUͷύλʔϯΛෳ਺ղઆ ɹ✔ίϯςφʹ͓͚Δ୅දతͳηΩϡϦςΟϦεΫ ɹ✔ίϯςφΛར༻͢Δཱ৔ͱͯ͠ίϯςφͷִ཭ੑΛߴΊΔ͜ͱΛҙࣝ ✅࣮ߦ؀ڥͷηΩϡϦςΟରࡦ΋ॏཁ ɹ✔֤ϨΠϠʹηΩϡϦςΟରࡦΛߦ͏ ଟ૚๷ޚ

ࢀߟ ίϯςφʹؔ͢ΔͦͷͦͷଞͷϦεΫͷྫ ✅ίϯςφΠϝʔδ΁ͷϦεΫҼࢠͷࠞೖ ɹ😱ίϯςφ΁ͷ৵ೖ ✅ίϯςφΠϝʔδͷެ։ઃఆͷෆඋ ɹ😱ίϯςφΠϝʔδͷྲྀग़ ✅ίϯςφΠϝʔδͷ৴པੑෆ଍ ɹ😱վ᜵͞ΕͨίϯςφΠϝʔδͷ࢖༻ ✅ίϯςφΠϝʔδ΁ͷൿີ৘ใͷࠞೖ
ɹ😱ίϯςφΠϝʔδ͔Βൿີ৘ใͷୣऔɹ ✅ίϯςφͷϧʔτϑΝΠϧγεςϜ΁ͷॻ͖ࠐΈڐՄ ɹ😱ίϯςφͷվ᜵ ✅ίϯςφͷແ੍ݶͳϦιʔε࢖༻ ɹ😱ίϯςφϗετͷϦιʔεͷա৒ͳ࢖༻ ✅1PE΁ͷա৒ͳݖݶͷ෇༩ ɹ😱,VCFSOFUFTͷෆਖ਼ͳૢ࡞ ✅ίϯςφ͕࢖༻͢Δൿີ৘ใͷෆద੾ͳ؅ཧ ɹ😱ίϯςφͷൿີ৘ใͷྲྀग़ ✅1PEʹର͢Δ௨৴੍ݶͷະ࣮ࢪ ɹ😱1PEʹର͢Δෆਖ਼ͳ௨৴

13 "NB[PO ✅୅දతͳϦεΫΛ࣮ײ͠ରࡦͷߟ͑ํʢجૅʣΛཧղͰ͖Δ ɹɹ✔ϦεΫΛϕʔεͱͨ͠ষߏ੒ʢશέʔεʴЋʣ ɹɹ✔ϦεΫΛ౿·͑ͯରࡦͷجຊݪଇ΍۩ମతख๏ରࡦΛཧղͰ͖Δ ✅ϋϯζΦϯΛ௨ͯ͡۩ମతʹཧղͰ͖Δ ɹɹ✔खΛಈ͔͠ͳ͕Βֶ΂ΔʢϋϯζΦϯ཰͘Β͍ʣ ɹɹ✔,VCFSOFUFT޷͖Ͱ͋Ε͹ͦ͜·ͰηΩϡϦςΟʹڵຯ͕ͳ͍ਓͰ΋ָ͠ΊΔ ϦεΫ͔ΒֶͿ,VCFSOFUFTίϯςφηΩϡϦςΟ ίϯςφ։ൃऀ͕͓͓͑ͯ͘͞΂͖جૅ஌ࣝ
ίϯςφηΩϡϦςΟΛֶͿೖΓޱ 絶賛発売中!!

5IBOL:PV

突き破って学ぶコンテナセキュリティ/container-breakout-cncj-lt

突き破って学ぶコンテナセキュリティ/container-breakout-cncj-lt

mochizuki875

More Decks by mochizuki875

Other Decks in Technology

Featured

Transcript

!NPDIJ[VLJ ಥ͖ഁֶͬͯͿίϯςφηΩϡϦςΟ $/$+$MPVE/BUJWF4FDVSJUZ+BQBO-5ࡇΓ

XIPBNJ !NPDIJ[VLJ 🌕,FJUB.PDIJ[VLJ ❤,VCFSOFUFT 🚨"GPY OPUBSBDDPPOEPH

<એ఻>$MPVE/BUJWF%BZT8JOUFS ৐ͬऔΕ,VCFSOFUFTʂʂdϦεΫ͔ΒֶͿ,VCFSOFUFTηΩϡϦςΟͷߟ͑ํd IUUQTFWFOUDMPVEOBUJWFEBZTKQDOEXUBMLT

<એ఻>,VCFSOFUFT#MPH ,VCFSOFUFT#MPH4QPUMJHIUPO,VCFSOFUFT6QTUSFBN5SBJOJOHJO+BQBO IUUQTLVCFSOFUFTJPCMPHLTVQTUSFBNUSBJOJOHKBQBOTQPUMJHIU

஫ҙࣄ߲ ຊൃද͸αΠόʔ߈ܸΛߠఆ͢Δ΋ͷͰ͸͋Γ·ͤΜ ܝࡌ಺༰͸ݸਓͷݟղͰ͋Γɺॴଐ͢Δاۀ΍૊৫ͷཱ৔ɺઓུɺҙݟΛ୅ද͢Δ΋ͷͰ͸͋Γ·ͤΜ هࡌ͞Ε͍ͯΔձ໊ࣾɺ঎඼໊ɺ·ͨ͸αʔϏε໊͸ɺ֤ࣾͷ঎ඪొ࿥·ͨ͸঎ඪͰ͢

ίϯςφηΩϡϦςΟʁ ίϯςφ΍,VCFSOFUFT͸Ϋϥ΢υωΠςΟϒٕज़ͷதͰ΋޿͘׆༻͞ΕΔٕज़ͱͳΓ·ͨ͠ɻ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

ίϯςφηΩϡϦςΟʁ コンテナセキュリティやって。ぶっちゃけよくわからんけどいい感じにね！はいっ !

ίϯςφηΩϡϦςΟʁ ͿͬͪΌ͚΍Γͨ͘ͳ͍ むずそう。。。え、やだえ、待って、何やれば良いの？コンテナセキュリティ is 何？

ίϯςφηΩϡϦςΟʁ ಛʹ1SPEVDUJPO؀ڥͰ,VCFSOFUFTίϯςφΛར༻͢Δ࣌ ηΩϡϦςΟͷݕ౼͸ආ͚ͯ௨Δ͜ͱͷͰ͖ͳ͍՝୊ͷͭ 🛡 🗡 Ͱ΋΍Βͳ͖Ό͍͚ͳ͍

ίϯςφηΩϡϦςΟʁ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

ίϯςφηΩϡϦςΟʁ $/$'"//6"-4637&: IUUQTXXXDODGJPSFQPSUTDODGBOOVBMTVSWFZ

ίϯςφηΩϡϦςΟʁ ຊ೔ͷηογϣϯ͸ίϯςφΛѻ͏্Ͱͷ୅දతͳηΩϡϦςΟϦεΫͰ͋Δ$POUBJOFS#SFBLPVUʹ ͍ͭͯ஌Δ͜ͱͰɺίϯςφηΩϡϦςΟΛҙࣝ͢Δ͖͔͚ͬΛ࡞Δ͜ͱΛ໨తͱ͍ͯ͠·͢ɻ If we had never experienced dropping and

8IBUT$POUBJOFS ίϯςφ͸ίϯςφϗετ͔ΒݟΕ͹ͭͷϓϩηεʹա͗·ͤΜɻ ௨ৗͷϓϩηεͱͷҧ͍͸ɺ-JOVYΧʔωϧͷ༷࣋ͭʑͳ࢓૊ΈʹΑΓ ίϯςφϓϩηε͕ଞ͔Βִ཭͞Ε͍ͯΔ఺Ͱ͢ɻ ॾઆ͋Γ $POUBJOFS 1SPDFTT 1SPDFTT" 1SPDFTT# 全て1プロセスに過ぎない

$POUBJOFS#SFBLPVU 08"41,VCFSOFUFT5PQ5FO 5PQ,VCFSOFUFT3JTLTΑΓ IUUQTPXBTQPSHXXXQSPKFDULVCFSOFUFTUPQUFOFOTSD,JOTFDVSFXPSLMPBEDPO fi HVSBUJPOT

$POUBJOFS#SFBLPVU ຊ೔ͷηογϣϯͰ͸,VCFSOFUFTͰίϯςφΛѻ͏্Ͱɺ $POUBJOFS#SFBLPVU͕ൃੜ͢ΔέʔεΛ͍͔ͭ͘͝঺հ͠·͢ɻ ✅ύλʔϯಛݖίϯςφ ✅ύλʔϯ/BNFTQBDFͷڞ༗ ✅ύλʔϯύλʔϯ

ύλʔϯ ಛݖίϯςφ

ύλʔϯಛݖίϯςφ ҎԼͷϚχϑΣετΛ༻͍ͯ,VCFSOFUFTʹ1PEΛσϓϩΠ͢Δͱɺ 1PE಺ͷίϯςφʹ͸ಛݖ͕෇༩͞Ε·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFQSJWJMFHFEQPE MBCFMT BQQQSJWJMFHFEQPE TQFD

ύλʔϯಛݖίϯςφ SPPU!QSJWJMFHFEQPEDBU&0'DNE CJOTI FDIP)FMMPGSPN$POUBJOFSUNQPVUQVU &0' SPPU!QSJWJMFHFEQPEDINPE YDNE SPPU!QSJWJMFHFEQPENPVOU PWFSMBZPOUZQFPWFSMBZ

ύλʔϯ /BNFTQBDFͷڞ༗

ࢀߟ /BNFTQBDF෼཭ͷΠϝʔδ

ύλʔϯ/BNFTQBDFͷڞ༗ ҎԼͷϚχϑΣετΛ༻͍ͯ,VCFSOFUFTʹ1PEΛσϓϩΠ͢Δͱɺ 1PE಺ͷίϯςφͱίϯςφϗετؒͰ1*%/BNFTQBDF͕ڞ༗͞Ε·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFIPTUQJEQPE MBCFMT BQQIPTUQJEQPE TQFD

ύλʔϯ/BNFTQBDFͷڞ༗ ίϯςφϗετͱ1%/BNFTQBDF͕ڞ༗͞Εͨίϯςφ͔Β͸ɺ ίϯςφϗετͰ࣮ߦ͞Ε͍ͯΔશͯͷϓϩηεΛࢀরͰ͖·͢ɻ SPPU!IPTUQJEQPEQTBVYG 64&31%$16.&.74;34455:45"545"355*.&$0.."/% SPPU 4"VH<LUISFBEE> SPPU 4MVTSMPDBMCJODPOUBJOFSETIJNSVODWOBNFTQBDFLTJPJEE

ύλʔϯ/BNFTQBDFͷڞ༗ ͜ΕΛѱ༻͢Δͱɺ৵ೖͨ͠ίϯςφ͔ΒผͷίϯςφʹӨڹΛٴ΅͢͜ͱ͕Ͱ͖·͢ɻ LVCFDUMMPHTOHJOYG EPDLFSFOUSZQPJOUTIEPDLFSFOUSZQPJOUEJTOPUFNQUZ XJMMBUUFNQUUPQFSGPSNDPO fi HVSBUJPO <OPUJDF>TUBSUXPSLFSQSPDFTT *NTQFBLJOHEJSFDUMZUPZPVSDPOUBJOFS

ύλʔϯ ύλʔϯ

ύλʔϯύλʔϯ ύλʔϯͷಛݖίϯςφΛύλʔϯͰղઆͨ͠1*%/BNFTQBDFͷڞ༗Λ༗ޮԽͨ͠ঢ়ଶͰ ࣮ߦ͢Δͱɺίϯςφ͔Βίϯςφϗετʹ෼͔Γ΍͘͢৵ೖ͢Δ͜ͱ͕Ͱ͖·͢ɻ BQJ7FSTJPOW LJOE1PE NFUBEBUB OBNFQSJWJMFHFEIPTUQJEQPE MBCFMT BQQQSJWJMFHFEIPTUQJEQPE

ରࡦίϯςφͷִ཭ੑΛҡ࣋ɾ޲্ͤ͞Δ ࣍ͷίϯςφηΩϡϦςΟͷ࣌୅6TFS/BNFTQBDF8JUIB1PE IUUQTTQFBLFSEFDLDPNQGODMPVEOBUJWFEBZTVTFSOBNFTQBDFXJUIBQPE

One more things...

0OFNPSFUIJOHT ࣍ͷΑ͏ͳ%PDLFS fi MF͔ΒίϯςφΠϝʔδΛϏϧυ͠ɺ 1PEΛσϓϩΠ͢ΔͨΊͷϚχϑΣετΛ༻ҙ͠·͢ɻ '30.VCVOUV 803,%3QSPDTFMGGE $.%<CJOCBTI D XIJMFEPCBTIJEFWUDQ1@"%%3&44TMFFQEPOF>

0OFNPSFUIJOHT LVCFDUMBQQMZGVCVOUVSFWFSTFZBNM LVCFDUMHFUQPEVCVOUVPXJEF /".&3&"%:45"5643&45"354"(&*1/0%& VCVOUVSFWFSTF3VOOJOHTLTDMVTUFSOPEF 1PEΛσϓϩΠ ODMQ TIFMMJOJUFSSPSSFUSJFWJOHDVSSFOUEJSFDUPSZHFUDXEDBOOPUBDDFTTQBSFOUEJSFDUPSJFT/PTVDI fi MFPSEJSFDUPSZ

·ͱΊ ✅$POUBJOFS#SFBLPVUͷύλʔϯΛෳ਺ղઆ ɹ✔ίϯςφʹ͓͚Δ୅දతͳηΩϡϦςΟϦεΫ ɹ✔ίϯςφΛར༻͢Δཱ৔ͱͯ͠ίϯςφͷִ཭ੑΛߴΊΔ͜ͱΛҙࣝ ✅࣮ߦ؀ڥͷηΩϡϦςΟରࡦ΋ॏཁ ɹ✔֤ϨΠϠʹηΩϡϦςΟରࡦΛߦ͏ ଟ૚๷ޚ

5IBOL:PV