Slide 1

Slide 1 text

Docker Security
Rolling out trust in your container
Ronak Kogta

Slide 2

Slide 2 text

Docker
- Buzz is catching on, and so is the technology
- Neatly packs multiple applications on one operating system
- Gives you a way to compose clusters, manage them and play with them at the scale of 100,000

Slide 3

Slide 3 text

Idea of Usable Security
- A very secure system which is not user-friendly will not be secure for long (because people will find a way to go around it).
- Usable Security is a principle of building security systems while considering human workflows.
  - Speed
  - Efficiency
  - Learnability
  - Memorability
  - User Preference

Slide 4

Slide 4 text

Docker Space
It's going to be everywhere
- Your Desktop, Workstation & Cloud Infrastructure.
- Your Production, Development & Testing Cycles.
It is going to be used by everyone
- Your team, clients, and partners.
- Independent developers and teams who are using your images.
We should definitely think about #docker-security

Slide 5

Slide 5 text

Let's think..
- How safe is Docker isolation?
- If some malicious user has Docker daemon access, what to do?
- Can I use security policies over Docker?
  - SELinux, AppArmor, GRSEC
- Can I really trust the Docker image I install?
- Can I ssh to a Docker container?

Slide 6

Slide 6 text

Enter Least Privilege
"Every process must be able to access only the information and resources that are necessary for its legitimate purpose" - Diogo Mónica, Docker
- Linux namespaces (isolated view of system)
- Cgroups (limit and isolate the resource usage)
- Linux Security Modules (AppArmor, SELinux)
- Capabilities
- Per-container ulimit
- User namespaces: root inside is not root outside
- Seccomp: individual syscall filtering (like the Chrome sandbox)

Slide 7

Slide 7 text

Linux Namespaces

Slide 8

Slide 8 text

Linux Namespaces

Slide 9

Slide 9 text

Cgroups, ulimit & User Namespaces
- Docker root is not real root. (User Namespaces)
- Docker ulimit
- With cgroups, you can control the resource usage of a container
docker run --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" ..

Slide 10

Slide 10 text

Capabilities
- Root has certain capabilities, but we don't want our container to have all those capabilities
- Each container can have some of the capabilities of root, but not all.
  - Mounting operations
  - Access to raw sockets (prevent opening privileged ports, spoofing)
  - Some file system operations (mknod, chown, chattr)
  - Loading kernel modules

Slide 11

Slide 11 text

Capabilities
- man 7 capabilities
- Docker by default drops some capabilities
  - sys_admin, sys_time, sys_nice, ...
docker run --cap-drop=CHOWN ...
docker run --cap-add=MKNOD ...
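Added example (not from the original slides): a POSIX shell helper that decodes a CapEff mask as found in /proc/<pid>/status and reports whether a process still holds the capabilities these slides call out (sys_admin, sys_time, sys_nice, plus sys_module for kernel module loading). The function names are hypothetical and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Function names are hypothetical.
# Capability names in bit order (bit 0 = chown), per linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# Capabilities the slides single out as ones a container should not hold.
SENSITIVE="sys_admin sys_time sys_nice sys_module"

# decode_caps HEXMASK: print the names of all capabilities set in the mask.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && out="$out $name"
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# risky_caps HEXMASK: print only the sensitive capabilities that are present.
risky_caps() {
    found=""
    for cap in $(decode_caps "$1"); do
        case " $SENSITIVE " in *" $cap "*) found="$found $cap" ;; esac
    done
    echo "${found# }"
}

# pid_caps PID: read the effective capability mask of a running process.
pid_caps() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample masks: a restricted set and a full root set (bits 0-37).
SAMPLE_RESTRICTED=00000000a80425fb
SAMPLE_FULL=0000003fffffffff

echo "restricted: [$(risky_caps "$SAMPLE_RESTRICTED")]"
echo "full root:  [$(risky_caps "$SAMPLE_FULL")]"
```

Inside a container, `risky_caps "$(pid_caps 1)"` applies the same check to the container's init process.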

Slide 12

Slide 12 text

Seccomp & Syscalls
[Diagram labels: System Calls; OS Utilities; IP Tables; Other User Programs; Device Drivers; NetFilter; Other Kernel Components]

Slide 13

Slide 13 text

Seccomp & Syscalls

Slide 14

Slide 14 text

Seccomp & Syscalls
- You can block system calls with seccomp. Quite like sandboxing.
- Supports syscall filtering by using BPF
- SIGKILL signal is sent to the process that made the blocked syscall
docker run --lxc-conf=common.seccomp ...

Slide 15

Slide 15 text

More...
- Combine Docker with AppArmor/SELinux/TOMOYO profiles
- These profiles help you in deciding minimal privilege for each application.
- Preventing permission escalation and unauthorized information disclosure (or worse).
- Within the container configuration the related AppArmor profile can be defined with lxc.aa_profile.
docker run --security-opt label:type:svirt_apache ...

Slide 16

Slide 16 text

More...
- GRSEC and PaX
  - Use a hardened Linux kernel for the host, with kernel patches.
- User Mappings
  - Map user/group ids
  - lxc.id_map = u 0 1000000 65536
  - lxc.id_map = g 0 1000000 65536
  - Couple it with docker run --lxc-conf=
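Added example (not from the original slides): resolving a container uid or gid to its host id under the lxc.id_map lines on this slide, which is what "root inside is not root outside" means in practice. The function names are hypothetical; the map itself is the one shown on the slide.

```shell
#!/bin/sh
# Added example, not from the slides. Function names are hypothetical.
# The mapping is the one shown on the slide:
#   lxc.id_map = <u|g> <first id in container> <first id on host> <count>
ID_MAP='lxc.id_map = u 0 1000000 65536
lxc.id_map = g 0 1000000 65536'

# map_id KIND ID: translate a container uid (KIND=u) or gid (KIND=g) to the
# host id using lxc.id_map lines read from stdin. Prints "unmapped" when no
# range covers ID.
map_id() {
    kind=$1; id=$2; result=unmapped
    while read -r key _eq k first host count; do
        [ "$key" = "lxc.id_map" ] || continue
        [ "$k" = "$kind" ] || continue
        if [ "$id" -ge "$first" ] && [ "$id" -lt $((first + count)) ]; then
            result=$((host + id - first))
        fi
    done
    echo "$result"
}

# root_is_remapped MAPTEXT: succeed only if container root (uid 0 and gid 0)
# maps to non-zero host ids, i.e. root inside is not root outside.
root_is_remapped() {
    for t in u g; do
        h=$(printf '%s\n' "$1" | map_id "$t" 0)
        [ "$h" != "unmapped" ] && [ "$h" -ne 0 ] || return 1
    done
    return 0
}

echo "container uid 0  -> host uid $(printf '%s\n' "$ID_MAP" | map_id u 0)"
echo "container gid 33 -> host gid $(printf '%s\n' "$ID_MAP" | map_id g 33)"
if root_is_remapped "$ID_MAP"; then
    echo "container root is an unprivileged id on the host"
else
    echo "WARNING: container root is not remapped to an unprivileged host id"
fi
```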

Slide 17

Slide 17 text

Docker Notary
Can you really trust your images?

Slide 18

Slide 18 text

Docker Notary
- Trusted cross-platform content distribution
- Trusted client-server interaction
- Publisher signed content
- Publisher key validates integrity of content
- Platform agnostic to distribute any content
https://github.com/docker/notary

Slide 19

Slide 19 text

Docker Content Trust
[Diagram labels: Publisher; Registry; User; User; User]

Slide 20

Slide 20 text

Publisher's View
Two keys are generated when the publisher first pushes an image.
- Tagging Key
  - Exists for each new repository that the publisher owns
  - Can be shared with collaborators easily.
- Offline Key
  - Users see this key as the official publisher's key
  - Important in establishing trust.
  - Only needed when creating a new repository or rotating an existing repository

Slide 21

Slide 21 text

Trust Update Framework
- Once images are signed, TUF ensures
  - Integrity
  - & Freshness of Content
- Notion of Timestamp Key
  - Needed to ensure freshness guarantees
  - Generated at remote server.
  - Docker maintains it for you
http://theupdateframework.com/

Slide 22

Slide 22 text

Let's Attack?

Slide 23

Slide 23 text

Let's Attack?

Slide 24

Slide 24 text

Let's Attack?

Slide 25

Slide 25 text

Docker Content Trust
export DOCKER_CONTENT_TRUST=1

Slide 26

Slide 26 text

DockerBench
- Security script that checks for dozens of common best practices around deploying Docker containers in production.
https://dockerbench.com

Slide 27

Slide 27 text

Thanks

Slide 28

Slide 28 text

Join Docker Movement
Questions ??
- IRC: #docker #docker-security
- Google Group: Hyderabad Docker Users

Slide 29

Slide 29 text

My Hack
[Diagram labels: Publisher; Registry; User; User; User]

Slide 30

Slide 30 text

My Hack
[Diagram labels: Publisher; Registry; User; User; User; DockLock]

Slide 31

Slide 31 text

- Unified profiles, security requirements, security needs of application
- Runc - all isolation profiles in one file: what apparmor, selinux profiles, seccomp, whitelisting and blacklisting, mount labels
- Bootchain, selinux, authentication
- Dockersecurity, dockerbench, share the best practices not just name it
- Usable security: usable signing, secure system distribution, survivable key compromise, freshness guarantees

Slide 32

Slide 32 text

- Key distribution at large scale
- Fuse filesystems certificate to the server. And server has all ACLs
- Distributed key management problem, encrypted storage at rest
- Managing security, certificates
- Batteries included removable, jet spring attacks, runtime integrity
docker run -p 80:80 --rm registry:5000/dolly

Slide 33

Slide 33 text

docker -d -e lxc