
Securing containers

Sathya
June 09, 2018

Containers are slowly becoming the standardized units of deployment. As containers become more popular, they also become focus targets for attacking the system. I talk about the ways in which containers can be attacked and how these attacks can be mitigated.


Transcript

  1. © 2018 Adobe Systems Incorporated. All Rights Reserved. Securing Containers

    Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O
  2. $whoami

    - Sathyajith Bhat
    - Senior DevOps Engineer - Adobe I/O
    - Organizer, Bangalore AWS Users' Group
    - Author - Practical Docker with Python
  3. Run this for me.

    sudo docker run -v /:/app sathyabhat/demo cat /tmp/demo.log

    (-v /:/app bind-mounts the entire host filesystem, read-write, into a container built by someone else: whatever that image does, it can do to the host.)
  4. Adobe I/O

    - Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies.
    - Adobe I/O API Gateway
      - A performant API gateway based on Nginx and OpenResty
      - 1.5 billion+ API calls per day
    - Adobe I/O Events
      - An event notification service to inform subscribing systems of near real-time events happening in Adobe services.
    - Adobe I/O Runtime
      - A serverless platform (currently in private beta) based on Apache OpenWhisk which allows a developer to execute code on Adobe's infrastructure.
  5. Containers - How We Perceive Them

    Photo courtesy: Sam MacCutchan, Flickr
  6. Containers - How They Tend to Be

    Photo courtesy: Kazuyoshi Kato, Flickr
  7. Threats to Containers

    - From Docker hosts
    - From noisy neighbours
    - From within containers
    - From the external world
    - From within the application
  8. Different mechanisms

    - Control groups (cgroups)
    - Namespaces
    - Kernel capabilities
    - seccomp
    - Image security
    - Vulnerability scanning
  9. cgroups

    - Group, limit and isolate resource utilization
    - Resources that can be controlled: CPU, memory, disk I/O, network
    - cgroup controllers Docker uses: memory, hugetlb, cpu, cpuset, blkio, devices
    - Exposed by the kernel under /sys/fs/cgroup
  10. cgroups - Applying limits

    - docker run --cpus="0.5"
    - docker run --cpu-shares=512 (weighted CPU distribution, default weight 1024; only matters when CPUs are contended)
    - docker run --memory=2g
    - docker run --oom-kill-disable (!!) - only ever combine with --memory; without a memory limit the host can run out of memory and the kernel will kill host processes instead
    - docker run --device-read-iops=/dev/sda:100
    - docker run --device-write-iops=/dev/sda:100
    - Custom cgroup? Yes! docker run --cgroup-parent=<cgroup>
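Added example, not from the deck: once limits are applied, confirm the container actually received them rather than trusting the command line. The script below reads the cgroup files the kernel exposes under /sys/fs/cgroup, from inside the container or from any cgroup directory you point it at, and handles both the cgroup v1 layout the deck refers to (one directory per controller) and the unified cgroup v2 layout (cpu.max, memory.max). It then compares the result with what `docker run --cpus=0.5 --memory=2g` should have set. The fake cgroup directory it builds is constructed sample input so the script runs without Docker; the 9223372036854771712 sentinel is the kernel's "unlimited" value for memory.limit_in_bytes on 4 KiB-page systems.

```python
"""Verify the CPU and memory limits a container actually received.

Run it inside a container started with e.g.
    docker run --cpus=0.5 --memory=2g ...
or pass a cgroup directory as the first argument. Supports the cgroup v1
layout (cpu/cpu.cfs_quota_us, memory/memory.limit_in_bytes) and the unified
cgroup v2 layout (cpu.max, memory.max).
"""
import os
import sys
import tempfile

# cgroup v1 reports "no limit" as PAGE_COUNTER_MAX * PAGE_SIZE (4 KiB pages).
V1_UNLIMITED_MEMORY = 9223372036854771712


def _read(path):
    with open(path) as fh:
        return fh.read().strip()


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text + "\n")


def read_limits(cgroup_root="/sys/fs/cgroup"):
    """Return {'cpus': float or None, 'memory_bytes': int or None}; None means unlimited."""
    if os.path.exists(os.path.join(cgroup_root, "cpu.max")):  # cgroup v2
        quota, period = _read(os.path.join(cgroup_root, "cpu.max")).split()
        cpus = None if quota == "max" else int(quota) / int(period)
        mem = _read(os.path.join(cgroup_root, "memory.max"))
        memory = None if mem == "max" else int(mem)
    else:  # cgroup v1: one directory per controller
        quota = int(_read(os.path.join(cgroup_root, "cpu", "cpu.cfs_quota_us")))
        period = int(_read(os.path.join(cgroup_root, "cpu", "cpu.cfs_period_us")))
        cpus = None if quota < 0 else quota / period
        mem = int(_read(os.path.join(cgroup_root, "memory", "memory.limit_in_bytes")))
        memory = None if mem >= V1_UNLIMITED_MEMORY else mem
    return {"cpus": cpus, "memory_bytes": memory}


def check_limits(limits, expect_cpus, expect_memory_bytes):
    """Return a list of findings; an empty list means the container is as constrained as intended."""
    findings = []
    if limits["cpus"] is None:
        findings.append("no CPU quota: a busy loop can starve neighbours")
    elif limits["cpus"] > expect_cpus:
        findings.append(f"CPU quota {limits['cpus']} exceeds intended {expect_cpus}")
    if limits["memory_bytes"] is None:
        findings.append("no memory limit: a leak can trigger the host OOM killer")
    elif limits["memory_bytes"] > expect_memory_bytes:
        findings.append(f"memory limit {limits['memory_bytes']} exceeds intended {expect_memory_bytes}")
    return findings


def make_fake_cgroup(v2, quota="50000", period="100000", memory="2147483648"):
    """Constructed sample input: a temp dir laid out like a container's cgroup.

    The defaults are what --cpus=0.5 --memory=2g produce (50000/100000 us, 2 GiB)."""
    root = tempfile.mkdtemp(prefix="fake-cgroup-")
    if v2:
        _write(os.path.join(root, "cpu.max"), f"{quota} {period}")
        _write(os.path.join(root, "memory.max"), memory)
    else:
        _write(os.path.join(root, "cpu", "cpu.cfs_quota_us"), quota)
        _write(os.path.join(root, "cpu", "cpu.cfs_period_us"), period)
        _write(os.path.join(root, "memory", "memory.limit_in_bytes"), memory)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_fake_cgroup(v2=False)
    limits = read_limits(root)
    print(limits)
    for finding in check_limits(limits, expect_cpus=0.5, expect_memory_bytes=2 * 1024 ** 3):
        print("WARNING:", finding)
```

Inside a real container the script is run as `python3 check_limits.py /sys/fs/cgroup`; an unlimited container (no --cpus/--memory) yields two findings, which is the state most containers run in by default.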
  11. Namespaces

    - Kernel abstraction that gives a process its own isolated view of a global resource, so it appears to run alone
    - Controls what processes can see
    - Different types of namespaces: Mount, PID, UTS, IPC, Network, User
  12. Namespaces - User Namespace Remapping

    - Remap a user inside a container to a different user on the host
    - Remap the privileged user inside the container (root, UID 0) to a non-privileged UID on the host
    - Enabling remapping:
      - dockerd --userns-remap="remap-user:remap-group"
      - Or, edit daemon.json: { "userns-remap": "remap-user" }
  13. Namespaces - User Namespace Remapping Caveats

    - Ensure the user/group exists and has subordinate ID ranges registered in /etc/subuid and /etc/subgid
    - Enable it on a fresh Docker install rather than an existing one: switching remapping on or off changes the daemon's storage path, so existing images and containers are not visible in the other mode
    - Can no longer use --pid=host or --network=host
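Added example, not from the deck: the helpers below reproduce the arithmetic dockerd applies under --userns-remap, so you can predict which host UID a container process runs as, and what a host-owned file looks like from inside. dockerd takes the subordinate ranges registered for the remap user in /etc/subuid and /etc/subgid and maps container IDs 0, 1, 2, ... onto them in file order. The /etc/subuid content is a constructed sample (the 165536:65536 range is what a stock `dockremap` user typically receives; `dockremap` is the account dockerd creates for --userns-remap=default).

```python
"""Predict host/container UID mappings under dockerd --userns-remap."""
import json

# Constructed sample of /etc/subuid (/etc/subgid has the same name:start:count format).
SUBUID_SAMPLE = """\
# name:first-subordinate-id:count
dockremap:165536:65536
alice:231072:65536
"""


def parse_subid(text, user):
    """Return the [(start, count), ...] ranges registered for `user`, in file order."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    if not ranges:
        # First caveat on the slide: without these entries dockerd refuses to start.
        raise ValueError(f"no subordinate ID range for {user!r}; add one to /etc/subuid and /etc/subgid")
    return ranges


def container_to_host(container_id, ranges):
    """Host ID that a process running as `container_id` inside the container really has."""
    offset = 0  # container IDs are assigned contiguously across the ranges, in order
    for start, count in ranges:
        if container_id < offset + count:
            return start + (container_id - offset)
        offset += count
    raise ValueError(f"container id {container_id} is outside the {offset} IDs mapped")


def host_to_container(host_id, ranges):
    """Container-side view of a host ID, or None if the host ID is not mapped at all.

    Unmapped IDs (host root included) show up inside the container as the overflow
    user 65534 (nobody), which is why the container cannot chown them back."""
    offset = 0
    for start, count in ranges:
        if start <= host_id < start + count:
            return offset + (host_id - start)
        offset += count
    return None


def daemon_json(user):
    """daemon.json fragment that turns remapping on; it must be valid JSON, keys quoted."""
    return json.dumps({"userns-remap": user}, indent=2)


if __name__ == "__main__":
    ranges = parse_subid(SUBUID_SAMPLE, "dockremap")
    print("container root (uid 0) runs as host uid", container_to_host(0, ranges))
    print("host root (uid 0) is seen inside the container as", host_to_container(0, ranges))
    print(daemon_json("dockremap"))
```

The practical consequence: a file written by container root onto a bind mount is owned by host UID 165536, and a host file owned by root appears as nobody inside the container and cannot be modified, which is exactly the isolation the feature is for.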
  14. seccomp

    - Secure Computing Mode
    - Kernel feature that restricts the syscalls a process can make
    - Create custom profiles, pass a different profile to each container
    - Default seccomp profile for Docker: blocks around 44 of the 300+ system calls
  15. seccomp - Prerequisites

    - Check for kernel support: grep CONFIG_SECCOMP= /boot/config-$(uname -r) (expect CONFIG_SECCOMP=y)
    - Apply seccomp: docker run ... ??? Seccomp is applied by default!
    - Verify with docker info (look for "seccomp" under Security Options)
  16. seccomp

    - Create custom profiles as JSON
    - docker run --security-opt seccomp=profile.json
    - How to find what syscalls are in use? strace (Linux), dtruss (macOS). A Linux container makes Linux syscalls, so trace the application on Linux when building a profile for it.
  17. seccomp (demo)

    cat seccomp-profile.json
    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "syscalls": [
        { "name": "chown", "action": "SCMP_ACT_ERRNO" },
        { "name": "chmod", "action": "SCMP_ACT_ERRNO" }
      ]
    }

    (SCMP_ACT_ERRNO makes the call fail with EPERM instead of killing the process. Only the exact names listed are blocked: fchmod/fchmodat and fchown/fchownat/lchown still work unless they are listed too.)
  18. seccomp (demo)

    / # echo "rm -rf" > fluffy_kittens.sh
    / # chmod u+x fluffy_kittens.sh
    chmod: fluffy_kittens.sh: Operation not permitted
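Added example, not from the deck, covering slides 16 to 18: the deck suggests strace to discover what a process needs and shows a deny-list profile. The script below parses the summary table that `strace -f -c <command>` prints, turns it into an allow-list profile (defaultAction SCMP_ACT_ERRNO, only the observed syscalls allowed), builds the slide's deny-list style for the whole chmod/chown family, and evaluates a profile for a given syscall the way the kernel filter would. It emits the `names` array form of Docker's profile format; the singular `name` key on the slide is the older spelling and is evaluated the same way. The strace output is a constructed sample, and the BOOTSTRAP set is an assumption: a minimal set of syscalls a freshly exec'd process needs before the traced program does anything, which you should extend for your own workload.

```python
"""Build Docker seccomp profiles from observed syscalls."""
import json
import re

# Constructed sample: the tail of `strace -f -c` for a small program.
STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.12    0.000650          21        31           read
 25.33    0.000410          13        30           write
 12.05    0.000195          24         8         3 openat
  8.50    0.000138          17         8           close
  6.00    0.000097          12         8           fstat
  4.00    0.000065          65         1           execve
  2.00    0.000032          16         2           brk
  2.00    0.000032          16         2           mmap
------ ----------- ----------- --------- --------- ----------------
100.00    0.001619                   90         3 total
"""

# Assumption: syscalls a process needs between the filter being applied and the
# program's first real work. Extend for your own workload.
BOOTSTRAP = {"execve", "exit", "exit_group", "rt_sigreturn", "arch_prctl",
             "set_tid_address", "brk", "mmap", "munmap", "futex"}

ARCHS = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# chmod alone (as on the slide) leaves fchmod and fchmodat open; block the family.
CHMOD_FAMILY = ["chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown"]

# %time seconds usecs/call calls [errors] syscall
_ROW = re.compile(r"^\s*\d+\.\d+\s+\d+\.\d+\s+\d+\s+\d+(?:\s+\d+)?\s+(\w+)\s*$")


def parse_strace_summary(text):
    """Syscall names from a `strace -c` summary (header, rules and the 'total' row skipped)."""
    names = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m and m.group(1) != "total":
            names.add(m.group(1))
    return names


def allowlist_profile(observed, extra=BOOTSTRAP):
    """Everything denied by default; only observed (plus bootstrap) syscalls succeed."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ARCHS,
        "syscalls": [{"names": sorted(set(observed) | set(extra)), "action": "SCMP_ACT_ALLOW"}],
    }


def denylist_profile(blocked):
    """The slide's approach: everything allowed except the listed syscalls, which fail with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ARCHS,
        "syscalls": [{"names": sorted(blocked), "action": "SCMP_ACT_ERRNO"}],
    }


def is_allowed(profile, syscall):
    """A syscall named in a rule gets that rule's action; anything else gets defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule.get("names", []) or syscall == rule.get("name"):
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


if __name__ == "__main__":
    observed = parse_strace_summary(STRACE_SUMMARY)
    with open("allowlist.json", "w") as fh:
        json.dump(allowlist_profile(observed), fh, indent=2)
    with open("denylist.json", "w") as fh:
        json.dump(denylist_profile(CHMOD_FAMILY), fh, indent=2)
    # Then: docker run --security-opt seccomp=allowlist.json <image>
```

An allow list built from one trace covers only the code paths that trace exercised; run the application through its error paths (signals, reconnects, log rotation) before trusting the profile in production, because a missing syscall fails with EPERM at the worst possible moment.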
  19. Kernel Capabilities

    - Drop unnecessary capabilities from the container
    - Alternatively, drop everything and add back only the necessary ones: docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
    - Don't need the chown capability? Drop it: docker run --cap-drop=CHOWN
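Added example, not from the deck: to decide what to drop you first need to know what the container holds. The kernel reports capability sets in /proc/<pid>/status as hex bitmasks (CapEff, CapPrm, CapBnd, ...), where bit n is the capability numbered n in linux/capability.h. The script decodes such a mask, compares it with what the application needs, and produces the corresponding --cap-drop/--cap-add arguments. The /proc/self/status excerpt is a constructed sample whose value, 00000000a80425fb, is the effective set a stock `docker run` container receives; the DOCKER_DEFAULT set is Docker's documented default capability list.

```python
"""Decode a process's capability bitmask and derive --cap-drop/--cap-add flags.

Inside a container:  grep Cap /proc/self/status
then feed the CapEff value to decode_capset() (capsh --decode does the same).
"""

# Bit index -> name, numbering from linux/capability.h (CAP_CHOWN = 0 ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's default capability set for a non-privileged container.
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Constructed sample of /proc/self/status lines from a default `docker run` container.
STATUS_SAMPLE = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def decode_capset(hex_mask):
    """Names of the capabilities set in a hex bitmask such as '00000000a80425fb'."""
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits beyond our table come from a newer kernel; keep them visible.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def read_capset(status_text, field="CapEff"):
    """Decode one capability field out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == field:
            return decode_capset(value.strip())
    raise ValueError(f"{field} not found in status text")


def caps_to_drop(held, needed):
    """Capabilities the container holds but the application has no use for."""
    return sorted(set(held) - set(needed))


def docker_cap_args(needed):
    """Prefer an explicit allow list: drop everything, then add back only what the app needs."""
    return ["--cap-drop=ALL"] + [f"--cap-add={c}" for c in sorted(needed)]


if __name__ == "__main__":
    held = read_capset(STATUS_SAMPLE)
    print("container holds:", held)
    needed = {"NET_BIND_SERVICE"}  # e.g. a server that must bind port 80 as root
    print("drop:", caps_to_drop(held, needed))
    print("docker run", " ".join(docker_cap_args(needed)), "<image>")
```

Note that a capability a process still holds is only useful for the attacker if the seccomp profile lets the matching syscalls through and vice versa; the two mechanisms overlap, and dropping on both layers is cheap.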
  20. AppArmor

    - Mandatory Access Control
    - Why? Unix permissions only allow for R/W/X; there are no fine-grained permissions. Why should your application be able to read other applications' logs?
    - Docker expects AppArmor policies to be loaded on the Docker host (the docker-default profile is loaded by the daemon; a custom one is selected with docker run --security-opt apparmor=<profile>)
  21. Managing Vulnerabilities

    - Images are still software - and old software, if not rebuilt
    - Heartbleed: vulnerability in OpenSSL
    - Ghost: vulnerability in glibc
  22. Managing Vulnerabilities - Vulnerability Scanners

    - Clair (CoreOS)
    - Twistlock
    - Aqua Container Security
    - Sysdig Falco (runtime behaviour monitoring rather than image scanning)
  23. Trusted Images

    - Don't use images blindly
    - Host the images in a private/self-hosted registry
    - Publishing to Docker Hub? Enable Docker Content Trust
  24. Docker Content Trust

    - Enable content trust: export DOCKER_CONTENT_TRUST=1
    - Images must have content signatures (while it is enabled, pull and run refuse unsigned tags)
    - Trust is managed by use of signing keys:
      - Offline (root) key: root of content trust
      - Repository key for signing tags
      - Server-managed timestamp key
  25. References

    - Kernel Capabilities
    - Tutorial on Creating AppArmor Profiles
    - Docker Security Docs
    - Sysadmin Casts - Linux Control Groups
    - Searchable Syscall Table
    - Google Chrome Seccomp Sandbox Implementation Doc
    - User Namespaces in Docker Engine
  26. Thanks!

    - Twitter - sathyabhat
    - Email: [email protected]
    - https://www.adobe.io | @adobeio