Securing containers

Sathya
June 09, 2018

Containers are slowly becoming the standardized units of deployment. As containers become more popular, they also become focus targets for attacks on the system. I talk about the ways in which containers can be attacked and how these attacks can be mitigated.

Transcript

  1. © 2018 Adobe Systems Incorporated. All Rights Reserved.
    Securing Containers
    Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O

  2. $whoami
    § Sathyajith Bhat
    § Senior DevOps Engineer - Adobe I/O
    § Organizer, Bangalore AWS Users’ Group
    § Author - Practical Docker with Python

  3. Run this for me.
    sudo docker run -v /:/app sathyabhat/demo
    cat /tmp/demo.log

  4. Adobe I/O
    § Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies.
    § Adobe I/O API Gateway
      § A performant API Gateway based on Nginx and OpenResty
      § 1.5 billion+ API calls per day
    § Adobe I/O Events
      § An event notification service to inform subscribing systems of near real-time events happening in Adobe services.
    § Adobe I/O Runtime
      § A serverless platform (currently in private beta) based on Apache OpenWhisk which allows a developer to execute code on Adobe's infrastructure.

  5. Containers - How We Perceive
    Photo Courtesy: Sam MacCutchan, Flickr

  6. Containers - How They Tend to Be
    Photo Courtesy: Kazuyoshi Kato, Flickr

  7. Threats to Containers
    § From Docker hosts
    § From noisy neighbours
    § From within containers
    § From the external world
    § From within the application

  8. Different mechanisms
    § Control Groups (cgroups)
    § Namespaces
    § Kernel Capabilities
    § Seccomp
    § Image Security
    § Vulnerability Scanning

  9. cgroups
    § Group, limit & isolate resource utilization
    § Resources that can be controlled: CPU, memory, disk, network
    § cgroups Docker uses:
      § Memory
      § HugeTLB
      § CPU
      § CPUSet
      § BlkIO
      § Devices
    § /sys/fs/cgroup

  10. cgroups
    § Applying limits
      § docker run --cpus="0.5"
      § docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024)
      § docker run --memory=2g
      § docker run --oom-kill-disable (!!)
      § docker run --device-read-iops
      § docker run --device-write-iops
    § Custom cgroup?
      § Yes! docker run --cgroup-parent
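
A limit that was never written to the cgroup is no limit at all, so a practitioner wants to check what the kernel actually enforces rather than trust the command line. The script below is an added example, not part of the deck or of Docker's code: it translates the `--cpus`, `--cpu-shares` and `--memory` flags from the slide into the cgroup v1 files Docker writes (`cpu.cfs_quota_us`/`cpu.cfs_period_us`, `cpu.shares`, `memory.limit_in_bytes`, relative to `/sys/fs/cgroup`) and compares them with what a cgroup tree contains. The 100 ms CFS period and the "unlimited" sentinel `9223372036854771712` are assumptions about the kernel defaults; the tree it checks is a constructed temporary directory so the example runs offline.

```python
"""Verify that docker run resource flags really landed in the cgroup (added example)."""
import os
import tempfile

# Docker leaves the CFS period at the kernel default of 100 ms (assumption)
CFS_PERIOD_US = 100_000

# Size suffixes accepted by docker run --memory
_SUFFIX = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text: str) -> int:
    """'2g' -> 2147483648, '512m' -> 536870912, '1024' -> 1024."""
    text = text.strip().lower()
    number = text.rstrip("bkmg")
    suffix = text[len(number):]
    if not number.isdigit() or suffix not in _SUFFIX:
        raise ValueError(f"bad size: {text!r}")
    return int(number) * _SUFFIX[suffix]


def expected_knobs(cpus=None, memory=None, cpu_shares=None) -> dict:
    """Map docker run flags to the cgroup v1 files they set (paths relative to /sys/fs/cgroup)."""
    knobs = {}
    if cpus is not None:
        # --cpus=0.5 becomes a CFS quota of half a period
        knobs["cpu/cpu.cfs_period_us"] = CFS_PERIOD_US
        knobs["cpu/cpu.cfs_quota_us"] = int(float(cpus) * CFS_PERIOD_US)
    if cpu_shares is not None:
        knobs["cpu/cpu.shares"] = int(cpu_shares)
    if memory is not None:
        knobs["memory/memory.limit_in_bytes"] = parse_size(memory)
    return knobs


def read_knob(root: str, rel: str) -> int:
    with open(os.path.join(root, rel)) as fh:
        return int(fh.read().strip())


def verify_limits(root: str, expected: dict) -> dict:
    """Return {knob: (expected, actual)} for every knob that differs; empty == all enforced."""
    mismatches = {}
    for rel, want in expected.items():
        got = read_knob(root, rel)
        if got != want:
            mismatches[rel] = (want, got)
    return mismatches


def fake_cgroup_tree(values: dict) -> str:
    """Constructed stand-in for /sys/fs/cgroup so the check can run without Docker."""
    root = tempfile.mkdtemp(prefix="cgroup-demo-")
    for rel, val in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"{val}\n")
    return root


if __name__ == "__main__":
    want = expected_knobs(cpus="0.5", memory="2g", cpu_shares=512)
    # Constructed tree in which the memory limit was never applied (still "unlimited")
    root = fake_cgroup_tree({**want, "memory/memory.limit_in_bytes": 9223372036854771712})
    print(verify_limits(root, want))
```

On a real host, point `verify_limits` at the container's cgroup directory (for cgroup v1, the path under `/sys/fs/cgroup/<controller>/docker/<container-id>/`) after `docker run`; a non-empty result means the flag was accepted but is not being enforced.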

  11. Namespaces
    § Abstraction which makes processes appear to be isolated
    § Controls what processes can see
    § Different types of namespaces:
      § Mount
      § PID
      § UTS
      § IPC
      § Network
      § User

  12. Namespaces - User Namespace Remapping
    § Remap a user within a container to another user on the host
    § Remap the privileged user within the container to a non-privileged one on the host
    § Enabling remapping:
      § dockerd --userns-remap="remap-user:remap-group"
      § Or, edit daemon.json:
        {
          "userns-remap": "remap-user"
        }

  13. Namespaces - User Namespace Remapping
    Caveats
    § Ensure the users/groups are created & associated with your user
    § Enable/disable it on a new Docker install rather than an existing one
    § Can no longer use --pid=host or --network=host
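
The first caveat above (the remap user must have subordinate id ranges) is easiest to understand by computing the mapping by hand. The script below is an added example, not from the deck or from Docker: it parses `/etc/subuid`-style lines (`name:start:count`) and resolves container uids to host uids the way the kernel's `uid_map` does, assigning container ids consecutively across the user's ranges in file order. The `dockremap` name and the numeric ranges are constructed sample data.

```python
"""Resolve container uids to host uids under --userns-remap (added example)."""

# Constructed sample of /etc/subuid; the same format is used by /etc/subgid
SAMPLE_SUBUID = """\
# name:start:count
dockremap:165536:65536
alice:231072:65536
"""


def parse_subid(text: str) -> dict:
    """Return {user: [(start, count), ...]} preserving file order."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def container_to_host_uid(container_uid: int, ranges: list) -> int:
    """Container uid 0..N-1 maps onto the subordinate ranges back to back."""
    base = 0
    for start, count in ranges:
        if base <= container_uid < base + count:
            return start + (container_uid - base)
        base += count
    raise ValueError(f"container uid {container_uid} has no host mapping")


def host_to_container_uid(host_uid: int, ranges: list):
    """Reverse lookup; None means the host uid is invisible inside the container
    (files it owns show up as the overflow uid, typically 65534)."""
    base = 0
    for start, count in ranges:
        if start <= host_uid < start + count:
            return base + (host_uid - start)
        base += count
    return None


if __name__ == "__main__":
    ranges = parse_subid(SAMPLE_SUBUID)["dockremap"]
    print("container root runs on the host as uid", container_to_host_uid(0, ranges))
    print("host root seen from the container:", host_to_container_uid(0, ranges))
```

The second print is the whole point of remapping: host uid 0 has no counterpart inside the container, so a process that is root in the container cannot act as root against a bind-mounted host filesystem.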

  14. seccomp
    § Secure Computing Mode
    § Kernel feature, restricts the syscalls that a process can make
    § Create custom profiles, pass a different profile for each container
    § Default seccomp policy for Docker
      § Disables 44 system calls of 300+ system calls

  15. seccomp
    Pre-requisites:
    § Check for kernel support
      § grep CONFIG_SECCOMP= /boot/config-$(uname -r)
    § Apply seccomp
      § docker run
      § ???
      § Seccomp is applied by default!
      § Verify with docker info

  16. seccomp
    § Create custom profiles as JSON
    § docker run --security-opt seccomp=profile.json
    § How to find what syscalls are in use?
      § strace (Linux)
      § dtruss (macOS)

  17. seccomp (demo)
    cat seccomp-profile.json
    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "syscalls": [
        {
          "name": "chown",
          "action": "SCMP_ACT_ERRNO"
        },
        {
          "name": "chmod",
          "action": "SCMP_ACT_ERRNO"
        }
      ]
    }

  18. seccomp (demo)
    / # echo "rm -rf" > fluffy_kittens.sh
    / # chmod u+x fluffy_kittens.sh
    chmod: fluffy_kittens.sh: Operation not permitted
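
Slides 16 to 18 describe a procedure: trace the workload with strace, turn what it calls into a profile, and hand the profile to `docker run --security-opt seccomp=...`. The script below is an added example that is not from the deck: it extracts syscall names from strace output (including `-f` output with `[pid N]` prefixes and `<unfinished ...>`/`<... resumed>` pairs), emits both the deny-list shape shown on slide 17 and the stricter allow-list shape (`defaultAction: SCMP_ACT_ERRNO`) that Docker's shipped default profile uses, and evaluates what a profile decides for a given syscall. It writes the `names` array form of the Docker profile format; the strace transcript is constructed sample data.

```python
"""From strace output to a Docker seccomp profile (added example)."""
import json
import re

# Constructed strace -f transcript of the slide's demo shell session
STRACE_SAMPLE = """\
execve("/bin/sh", ["sh"], 0x7ffd1c2e3f40 /* 8 vars */) = 0
brk(NULL)                               = 0x55d3c7b2a000
[pid   42] openat(AT_FDCWD, "fluffy_kittens.sh", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
[pid   42] write(3, "rm -rf\\n", 7)     = 7
[pid   42] close(3)                     = 0
[pid   42] chmod("fluffy_kittens.sh", 0744 <unfinished ...>
[pid   43] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid   42] <... chmod resumed>)         = -1 EPERM (Operation not permitted)
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# "name(" at line start, optionally after an strace -f "[pid N]" prefix
_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")
# the second half of an interrupted call: "<... name resumed>"
_RESUMED = re.compile(r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def syscalls_from_strace(text: str) -> list:
    """Sorted, de-duplicated syscall names seen in an strace transcript."""
    found = set()
    for line in text.splitlines():
        match = _CALL.match(line) or _RESUMED.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)


def denylist_profile(denied) -> dict:
    """Shape used on slide 17: allow everything, fail the listed calls with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": sorted(set(denied)), "action": "SCMP_ACT_ERRNO"}],
    }


def allowlist_profile(allowed, architectures=("SCMP_ARCH_X86_64",)) -> dict:
    """Stricter shape: anything not observed during tracing fails with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def decide(profile: dict, syscall: str) -> str:
    """What the profile does with one syscall: first matching rule, else the default."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def profile_json(profile: dict) -> str:
    """Serialise for docker run --security-opt seccomp=<file>."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    observed = syscalls_from_strace(STRACE_SAMPLE)
    print("observed:", observed)
    print(profile_json(allowlist_profile(observed)))
```

An allow-list built this way only covers the code paths the trace exercised; anything the program calls later fails with EPERM, so trace the full lifetime of the process under realistic load before shipping the profile, and keep the deny-list form for the cases where the slide's "just block chown and chmod" is all that is needed.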

  19. Kernel Capabilities
    § Drop unnecessary capabilities from the container
      § Alternatively, provide only the necessary ones
    § Don’t need the chown capability? Drop it
      § docker run --cap-drop=chown
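
Deciding which capabilities to drop starts with seeing which ones a container process actually holds. The script below is an added example, not part of the deck: it decodes the `CapEff` bitmask from a process's `/proc/<pid>/status`, names each bit using the numbering from the kernel's `capability.h`, lists everything beyond a stated set of required capabilities, and renders that list as the `--cap-drop` flags from the slide. The status text is a constructed sample whose mask `00000000a80425fb` is the set Docker grants a container by default.

```python
"""Decode CapEff and turn the excess into --cap-drop flags (added example)."""
import re

# Capability names indexed by bit number (include/uapi/linux/capability.h)
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed /proc/1/status excerpt for a container started with no --cap-* flags
SAMPLE_STATUS = """\
Name:\tnginx
Pid:\t1
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""


def parse_cap_eff(status_text: str) -> int:
    """Effective capability mask from a /proc/<pid>/status dump."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def decode_caps(mask: int) -> list:
    """Names of the set bits, lowest bit first; unknown bits are reported by number."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def _normalise(cap: str) -> str:
    cap = cap.upper()
    return cap if cap.startswith("CAP_") else "CAP_" + cap


def excess_caps(mask: int, required) -> list:
    """Capabilities held but not in the workload's required set."""
    wanted = {_normalise(c) for c in required}
    return [c for c in decode_caps(mask) if c not in wanted]


def cap_drop_args(mask: int, required) -> list:
    """docker run flags that remove the excess, e.g. '--cap-drop=NET_RAW'."""
    return [f"--cap-drop={c[len('CAP_'):]}" for c in excess_caps(mask, required)]


if __name__ == "__main__":
    mask = parse_cap_eff(SAMPLE_STATUS)
    print("effective:", decode_caps(mask))
    # A web server that binds port 80 and drops to an unprivileged user needs little else
    print(" ".join(cap_drop_args(mask, {"net_bind_service", "setuid", "setgid"})))
```

Run it against `docker exec <container> cat /proc/1/status` output to see what the default grant looks like from inside; the inverse approach from the slide, `--cap-drop=ALL` followed by `--cap-add` for each required capability, produces the same final set with a shorter command line.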

  20. AppArmor
    § Mandatory Access Control
    § Why?
      § Unix permissions allow for R/W/X
      § No fine-grained permissions
      § Why should your application look at other logs?
    § Docker expects AppArmor policies to be loaded on the Docker host

  21. Managing Vulnerabilities
    § Images are still software - and old, if not rebuilt
    § Heartbleed
      § Vulnerability in OpenSSL
    § Ghost
      § Vulnerability in glibc

  22. Managing Vulnerabilities
    Vulnerability Scanners
    § Clair (CoreOS)
    § Twistlock
    § Aqua Container Security
    § Sysdig Falco

  23. Trusted Images
    § Don’t use images blindly
    § Host the images in a private/self-hosted registry
    § Publishing to Docker Hub? Enable Docker Content Trust

  24. Docker Content Trust
    § Enable content trust
      § export DOCKER_CONTENT_TRUST=1
    § Images must have content signatures
    § Trust is managed by use of signing keys
      § Offline key: root of content trust
      § Repository key for signing tags
      § Server-managed timestamp key

  25. References
    § Kernel Capabilities
    § Tutorial on Creating AppArmor Profiles
    § Docker Security Docs
    § Sysadmin Casts - Linux Control Groups
    § Searchable Syscall Table
    § Google Chrome Seccomp Sandbox Implementation Doc
    § User Namespaces in Docker Engine

  26. Thanks!
    § Twitter - sathyabhat
    § Email: [email protected]
    § https://www.adobe.io | @adobeio