Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Docker Security

Ronak Kogta
September 19, 2015

Docker Security

#dockermeetup #TrustImages #SecurityOverview

Ronak Kogta

September 19, 2015
Tweet

More Decks by Ronak Kogta

Other Decks in Technology

Transcript

  1. Ronak Kogta
    Docker Security
    Rolling out trust in your container

    View full-size slide

  2. Buzz is catching on, and so is technology
    Neatly packs multiple applications on one
    operating system
    Gives you way to compose clusters, manage them
    and play with them at the scale of 100,000
    Docker Docker Docker

    View full-size slide

  3.  A very secure system which is not user-friendly will not be
    secure for long. (because people will find a way to go around it)
     Usable Security is a principle of building security systems
    while considering human workflows.
     Speed
     Efficiency
     Learnability
     Memorability
     User Preference
    Idea of Usable Security

    View full-size slide

  4. Its going to be everywhere
     Your Desktop, Workstation & Cloud Infrastructure.
     Your Production, Development & Testing Cycles.
    It is going to be used by everyone
     Your team, clients, and partners.
     Independent developers and teams who are using your images.
    We should definitely think about #docker-security
    Docker Space

    View full-size slide

  5.  How safe is docker isolation ?
     If some malicious user has docker daemon access, what
    to do ?
     Can I use security policies over docker ?
     SELINUX,APPARMOR,GRSEC
     Can I really trust docker image I install ?
     Can i ssh to docker container ?
    Lets think..

    View full-size slide

  6. Every process must be able to access only the information and
    resources that are necessary for its legitimate purpose
    - Diogo Mónica, Docker
     Linux namespaces (isolated view of system.)
     Cgroups (limit and isolate the resource usage.)
     Linux Security Modules (Apparmor,SELINUX)
     Capabilities
     Per-container ulimit
     User-namespaces: root inside is not root outside
     Seccomp: Individual syscall filtering (like chrome sandbox)
    Enter Least Privilege

    View full-size slide

  7. Linux Namespaces

    View full-size slide

  8. Linux Namespaces

    View full-size slide

  9. Cgroups, ulimit & User Namespaces
     Docker root is not real root. (User Namespaces)
     Docker ulimit
     With cgroups, you can control on the resource usage of
    container
    docker run --lxc-conf=lxc.cgroup.cpuset.cpus = 0,1 ..

    View full-size slide

  10.  Root has certain capabilities, but we don’t want our
    container to have all those capabilities
     Each container can have some of the capabilities of root,
    but not all.
     Mounting operations
     Access to raw sockets (prevent opening privileged ports,
    spoofing)
     Some file system operations (mkdev, chown, chattrs)
     Loading kernel modules
    Capabilites

    View full-size slide

  11.  man 7 capabilities
     Docker by default drops some capabilities
     sys_admin, sys_time, sys_nice,.....
    Capabilites
    docker run –cap-drop=CHOWN ...
    docker run –cap-add=MKNOD ...

    View full-size slide

  12. Seccomp & Syscalls
    System Calls
    OS Utilities
    IP Tables
    Other User
    Programs
    Device
    Drivers
    NetFilter
    Other Kernel
    Components

    View full-size slide

  13. Seccomp & Syscalls

    View full-size slide

  14. Seccomp & Syscalls
     You can block system calls from seccomp. Quite like sandboxing.
     Supports syscall filtering by using BPF
     SIGKILL signal to process, who made blocked syscall
    docker run –lxc-conf=common.seccomp ...

    View full-size slide

  15. More...
     Combine Docker with AppArmor/SELinux/TOMOYO Profiles
     These profiles help you in deciding minimal privilege for each
    application.
     Preventing permission escalation and unauthorized information
    disclosure (or worse).
     Within the container configuration the related AppArmor profile
    can be defined with lxc.aa_profile.
    docker run –security-opt label:type:svirt_apche ...

    View full-size slide

  16.  GRSEC and PaX
     Use a hardened Linux kernel for host, with kernel patches.
     User Mappings
     Map user/group ids
     lxc.id_map = u 0 1000000 65536
     lxc.id_map = g 0 1000000 65536
     Couple it with docker run –lxc-conf=
    More...

    View full-size slide

  17. Can you really trust your images ?
    Docker Notary

    View full-size slide

  18.  Trusted Cross Platform content distribution
     Trusted Client – Server Interaction
     Publisher signed content
     Publisher Key validates integrity of content
     Platform Agnostic to distribute any content
    https://github.com/docker/notary
    Docker Notary

    View full-size slide

  19. Docker Content Trust
    Publisher Registry
    User
    User
    User

    View full-size slide

  20. Two keys are generated when publisher first pushes image.
     Tagging Key
     Exists for each new repository that publisher owns
     Can be shared with collaborators easily.
     Offline Key
     Users see this key as official publisher’s key
     Important in establishing trust.
     Only needed when creating new repository or rotating existing
    repository
    Publisher’s View

    View full-size slide

  21.  Once Images are signed, TUF maintains ensures
     Integrity
     & Freshness of Content
     Notion of Timestamp Key
     Needed to ensure freshness guarantees
     Generated at remote server.
     Docker maintains it for you
    http://theupdateframework.com/
    Trust Update Framework

    View full-size slide

  22. Lets Attack ?

    View full-size slide

  23. Lets Attack ?

    View full-size slide

  24. Lets Attack ?

    View full-size slide

  25.  export DOCKER_CONTENT_TRUST=1
    Docker Content Trust

    View full-size slide

  26.  Security Script that checks for dozens of common best-
    practices around deploying Docker containers in produtions.
    https://dockerbench.com
    DockerBench

    View full-size slide

  27. Questions ??
    IRC: #docker #docker-security
    Google Group: Hyderabad Docker Users
    Join Docker Movement

    View full-size slide

  28. My Hack
    Publisher Registry
    User
    User
    User

    View full-size slide

  29. My Hack
    Publisher Registry
    User
    User
    User
    DockLock

    View full-size slide

  30. Unified profiles, security requirements, security needs of
    application
    Runc – all isolation profiles in one file, what apparmor,
    selinux profiles, seccomp , whitelisting and blacklisting,
    mount lables
    Bootchain, selinux, authentication
    Dockersecurity,
    dockerbench,sharethebestpracticesnotjustnameit
    Usable security usable signing, secure system distribution
    survivable key compromise, freshest gurantees,

    View full-size slide

  31. Key distribution at large scale
    Fuse filesystems certificate to the server. And server has all
    acls
    Distributed key management problem, encrypted storage
    at rest
    Managing security, certificates
    Batteries included removable, jet spring attacks, runtime
    integrity
    docker run -p 80:80 --rm registry:5000/dolly

    View full-size slide

  32. Docker –d –e lxc

    View full-size slide