$30 off During Our Annual Pro Sale. View Details »

Check Container Images with Original Rules@GoConference 2019 Autumn

Tomoya Amachi
October 28, 2019
Technology
2
3k

Check Container Images with Original Rules@GoConference 2019 Autumn

Tomoya Amachi

October 28, 2019
Tweet

More Decks by Tomoya Amachi

See All by Tomoya Amachi
Azureで守るマルチクラウド
tomoyamachi
0
440
XDPを利用したエッジデバイスでのネットワーク制御
tomoyamachi
0
390
クラウド時代のセキュリティをふりかえる
tomoyamachi
1
840
Integrating Service Mesh with Kubernetes-based connected vehicle platform
tomoyamachi
1
860
Cloud Native Development Design Patterns
tomoyamachi
2
3.3k
Dockerセキュリティ対策の現状と対策ツールの仕組み&使い方
tomoyamachi
2
1.4k
GAE FEのdeployストレスを軽減する10の方法
tomoyamachi
0
360

Other Decks in Technology

See All in Technology
re:Invent2023で登場した運用開発用の可視化ツールたちを実際に見てみよう
yoshimi0227
0
180
2023-12-01 吉祥寺.pm ベストプラクティスと組織とIaC
masasuzu
1
360
GPT APIを使ったテキスト生成コンペ@YANS2023に参加した話
naohachi89
2
850
コンテナ支部recapをrecapしよう_気になったコンテナの周りのアップデートを紹介.pdf
yoshiitaka
0
120
コロプラ_SRE_LCE_ゲームバックエンド_性能との戦い
colopl
0
160
Japan.R2023_いろんな可視化ツールあるけどggplotて何がいいの?- 複数ツールで比較してみた!-
wakamatsu_takumu
1
530
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
4.1k
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.2k
LINEでのコミュニケーションにマスコットキーホルダーを使ってみる / LINEを使ったLT大会 #5
you
PRO
0
110
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
SOLID Is Dead, Long Live SOLID
lemiorhan
3
200
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
880

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k
Embracing the Ebb and Flow
colly
77
3.9k
Web development in the modern age
philhawksworth
201
9.9k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Happy Clients
brianwarren
91
6.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k
A better future with KSS
kneath
230
16k
How to name files
jennybc
59
87k
Become a Pro
speakerdeck
PRO
8
3.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
241
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k

Transcript

  1. Copyright Ⓒ 2019 GOODWITH LLC All Rights Reserved.
    Tomoya Amachi
    (@tomoyamachi)
    Check Container Images
    with Original Rules

    View Slide

  2. Today’s (glorious) blather
    Why do I want to check container images? 01
    About Docker image architecture
    How to scan images with our products
    Create original checker
    02
    03
    04
    Who am I? 00

    View Slide

  3. Who am I?
    SECTION 0

    View Slide

  4. Who am I?
    ● Tomoya AMACHI/天地 知也
    ● @tomoyamachi
    ● CEO at GOODWITH LLC.,
    ● Family
    ○ Wife, one daughter and two sons
    ● Language
    ○ JavaScript / Go / Python / PHP
    ● PaaS
    ○ GCP (GAE, GKE, Firebase), AWS (ECS)

    View Slide

  5. OSS
    Author of ...
    Main Committer of ...
    https://github.com/goodwithtech/dockle
    Container Image Linter for Security,
    Helping build the Best-Practice Docker Image
    https://github.com/future-architect/vuls
    Agent-less VULnerable Scanner
    All-round vulnerability scanner
    https://github.com/aquasecurity/trivy
    Simple and Comprehensive Vulnerability
    Scanner for Containers, Suitable for CI

    View Slide

  6. Now on sale!! (CM)

    View Slide

  7. Why do I want to check
    container images?
    SECTION 1

    View Slide

  8. There are some vulnerabilities exist for Docker...
    ● Host OS
    ● Docker Daemon
    ● Container Runtime
    ● Image Registry
    ● Orchestration Tools
    ● Container Image

    View Slide

  9. But if we use GKE...
    https://www.slideshare.net/GoogleCloudPlatformJP/cloud-onair-dive-to-google-kubernetes-engine-201882
    Container-Optimized OS
    gVisor
    GCR
    Image Registry

    View Slide

  10. But if we use GKE...
    ● Host OS : Container OS or Ubuntu
    ● Container Runtime : gVisor
    ● Image Registry : GCR
    ● Docker Daemon : Managed
    ● Orchestration Tool : need to be configured
    ● Container Image : easy to control
    it is difficult to control them except for Container Image.
    Managed

    View Slide

  11. if we use AWS Fargate...
    https://aws.amazon.com/jp/blogs/startup/techblog-container-fargate-1/
    OS
    Docker Engine
    ecs-agent ...
    ECR
    Image Registry

    View Slide

  12. AWS Fargate...
    ● Host OS : cannot choose
    ● Image Registry : ECR
    ● Container Runtime : Managed
    ● Docker Daemon : difficult to control
    ● Orchestration Tool : original tool
    ● Container Image : easy to control
    it is difficult to control them except for Container Image.
    Managed

    View Slide

  13. Wrap-up
    ● Container Image is easy to control and
    can be used in any environment
    (any services)
    ● Container Image can be checked before
    running containers

    View Slide

  14. Wrap-up
    ● Container Image is easy to control and
    can be used in any environment
    (any services)
    ● Container Image can be checked before
    running containers
    More Efficient to check

    View Slide

  15. About Docker image
    architecture
    SECTION 2

    View Slide

  16. Docker use “overlayfs”※
    Source:https://docs.docker.com/storage/storage
    driver/
    Source:https://docs.docker.com/storage/storagedriver/overlayfs-dr
    iver/
    ※ exists other options (AUFS, Btrfs...)
    https://docs.docker.com/storage/storagedriver/select-storage-driver/

    View Slide

  17. And Image is compressed tar.gz file
    https://www.slideshare.net/cr0hn/rootedcon-2017-docker-might-not-be-your-friend-trojanizing-docker-images

    View Slide

  18. DEMO
    $ docker save golang:1.13 -o g.tar.gz
    $ tar zxvf g.tar.gz
    $ tree
    ├── 1070caa1a8d894408
    │ ├── VERSION
    │ ├── json
    │ └── layer.tar
    ├── 6bd93c6873c822f79
    │ ├── VERSION
    │ ├── json
    │ └── layer.tar
    ├── 52b59e9ead8e18faf.json
    ├── manifest.json
    └── repositories
    Docker image
    configured files

    View Slide

  19. DEMO
    $ cat 52b59e9ead8e18faf.json
    "docker_version": "18.06.1-ce",
    "history": [
    {
    "created": "2019-09-12T00:22:xxx",
    "created_by": "/bin/sh -c apt-get
    update && apt-get install -y openssh-client
    subversion procps && rm -rf /var/lib/apt/*"
    }
    ...
    ],
    ...
    Images contain
    built information

    View Slide

  20. How to scan images
    with our products
    SECTION 3

    View Slide

  21. Trivy・Vuls
    OS
    Package
    Library
    Lock file
    Name
    Version
    Arch
    Name
    Version
    Matching
    Vulnerability
    Database
    Parse
    Distribution
    Version
    Analyze
    Analyze
    os-release /var/lib/dpkg/..
    /var/lib/dpkg/..
    os-release
    Analyze
    /var/lib/dpkg/..

    View Slide

  22. Dockle
    Password status
    File privilege
    Command history
    Port
    Mount point
    Built-in Security Rule
    - Empty password
    - Invalid privilege
    Parse
    Built-in Dockerfile Rule
    - Avoid sudo
    - Clear package cache
    Matching
    Check suid, guid
    /etc/shadow
    /etc/shadow
    configuration

    View Slide

  23. How to use
    ● Prepare the target image file
    ○ Download the image if it doesn’t exist in the local image
    ● Check each merged file via Filename or
    Privilege
    ● Analyze the target merged files
    ● Match with the product’s rules

    View Slide

  24. There are many vulnerabilities detected in public images
    https://containers.goodwith.tech

    View Slide

  25. Create original checker
    SECTION 4

    View Slide

  26. How it works
    This is a sample repository.
    The design of the repository
    is very simple.
    https://github.com/tomoyamachi/imagecheck-for-gocon
    If you try to create better
    design, please check
    aquasecurity/trivy and
    goodwithtech/dockle.
    nginx setting Built-in Rule
    - Use LTVS log format
    Matching
    Analyze
    nginx.conf nginx/conf.d/

    View Slide

  27. Filtering files in container images
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L25
    import "github.com/goodwithtech/deckoder/analyzer"
    type FileMap map[string]FileData
    type FileData struct {
    Body []byte
    FileMode os.FileMode
    }
    fileMap, err := analyzer.Analyze(
    ctx, imageName,
    func(h *tar.Header) (bool, error){
    ... filter process ...
    }, option
    )

    View Slide

  28. Create original check rules : check log format
    scanner := bufio.NewScanner(bodyBuff)
    for scanner.Scan() {
    line := scanner.Text()
    cmds := splitBySpace(line)
    if len(cmds) >= 3 && cmds[0] == "access_log"{
    if !strings.Contains(cmds[2], "ltsv") {
    return fmt.Errorf(`Expect log format
    contains "ltsv" but %q`, cmds[2])
    }
    }
    }
    return nil
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L62-L76

    View Slide

  29. Run scripts
    Run script
    $ go get github.com/tomoyamachi/imagecheck-for-gocon
    $ cd /path/to/project
    $ go run main.go nginx:latest
    2019/10/21 01:49:28 Start assessments...
    2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log
    format contains "ltsv" but "main;"
    Exit status 1
    Now we can check nginx log format!!

    View Slide

  30. Wrap-up
    SECTION 5

    View Slide

  31. Wrap-up
    ● You can check almost all the files before
    running containers
    ● Easy to check container images with
    “goodwithtech/deckoder” and
    “aquasecurity/fanal”

    View Slide