際際滷

際際滷Share a Scribd company logo

Introduction to docker security

Walid Ashraf
Walid Ashraf

This document provides an overview of Docker security. It discusses how Docker isolates containers using kernel namespaces and cgroups to limit access to resources. It describes how Docker secures communication with its daemon and stores images cryptographically. It also explains how Linux capabilities and features like AppArmor and Seccomp can restrict container access further.

1 of 19
Downloaded 16 times
Walid Ashraf Researcher , Software Developer, Instructor about.me/WalidAshraf INTRODUCTION TO DOCKER SECURITY
Docker Security- Walid Ashraf Docker Security Explained (How docker is secured ?) Namespaces Cgroups Docker Engine Docker Engine Communication Docker Volumes Docker Images Linux Capabilities Other Features
Docker Security- Walid Ashraf Kernel Namespaces Namespaces provide the most strait forward form of isolation where processes cannot see other processes in other containers or in the host system. Each container also gets its own network stack which means that they are just like physical machines connected through a common Ethernet switch; no more, no less. Except for the case of links which allows in host communication.
Docker Security- Walid Ashraf Cgroups Cgroups are used for resource accounting, limitations and control making sure that a single container cannot bring the system down by exhausting one of those resources. This feature is very useful in DDOS attacks on a certain container from affecting the rest of them which is a very important feature in multitenant datacenters.
Docker Security- Walid Ashraf Cgroup Demo Dockerfile FROM ubuntu:latest RUN apt-get update && apt-get install -y stress CMD stress -c 2 Build Image docker build -t cpu-stress . Run container docker run -d --name stresser cpu-stress Remove Container docker stop stresser && docker rm stresser Run Container With affinity docker run -d --name stresser --cpuset-cpus 0 cpu-stress Remove docker stop stresser && docker rm stresser Run with affinity and shares docker run -d --name stresser-1 -cpuset-cpus 0 --cpu-shares 512 cpu-stress docker run -d --name stresser-2 -cpuset-cpus 0 --cpu-shares 256 cpu-stress
Docker Engine Communication DockerVolumes Docker Images Linux Capabilities THE DOCKER DAEMON SURFACE ITSELF
Docker Security- Walid Ashraf Docker Engine Communication The REST API endpoint (used by the Docker CLI to communicate with the Docker daemon) changed in Docker 0.5.2, and now uses a UNIX socket instead of a TCP socket bound on 127.0.0.1 (the latter being prone to cross-site request forgery attacks if you happen to run Docker directly on your local machine, outside of a VM). And You can then use traditional UNIX permission checks to limit access to the control socket. You can also expose the REST API over HTTP if you explicitly decide to do so. But, you should ensure that it will be reachable only from a trusted network or VPN; or protected with e.g., stunnel and client SSL certificates. You can also secure them with HTTPS and certificates.
Docker Security- Walid Ashraf Docker Volumes Docker allows you to share a directory between the Docker host and a guest container. Nothing prevents you from sharing your root filesystem (or even your root block device) This means that you can start a container where the /host directory will be the / directory on your host and alter any of them (WHAT !!!!!) As a best practice use docker volumes for data sharing https://docs.docker.com/engine/reference/commandline/volume_create/ https://docs.docker.com/engine/tutorials/dockervolumes/
Docker Security- Walid Ashraf Docker Images Docker Images could be altered where a harmful code is injected. As of Docker 1.3.2, images are now extracted in a chrooted sub process on Linux/Unix platforms, being the first-step in a wider effort toward privilege separation. And as of Docker 1.10.0, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image Docker Content Trust.
Docker Security- Walid Ashraf The environment it self Docker runs as root and as a standalone application Of course, it is fine to keep your favorite admin tools (probably at least an SSH server), as well as existing monitoring/supervision processes, such as NRPE and collectd.
Linux Capabilities allow you to break apart the power of root into smaller groups of privileges. LINUX CAPABILITIES
Docker Security- Walid Ashraf Why I dont Need all capabilities ? Your average server (bare metal or virtual machine) needs to run a bunch of processes as root. Those typically include SSH, cron, syslogd; hardware management tools (e.g., load modules), network configuration tools (e.g., to handle DHCP, WPA, or VPNs), and much more. A container is very different, because almost all of those tasks are handled by the infrastructure around the container. This means that in most cases, containers will not need real root privileges at all, meaning that root within a container has much less privileges than the real root. For instance, it is possible to: deny all mount operations; deny access to raw sockets (to prevent packet spoofing); deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag); deny module loading;
Docker Security- Walid Ashraf Docker Default Capabilities "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD", "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
Docker Security- Walid Ashraf OTHER SECURITY FEATURES
Docker Security- Walid Ashraf User Namespaces As of Docker 1.10 User Namespaces are supported directly by the docker daemon. This feature allows for the root user in a container to be mapped to a non uid-0 user outside the container, which can help to mitigate the risks of container breakout. This facility is available but not enabled by default.
Docker Security- Walid Ashraf AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). For example, AppArmor can restrict file operations on specified paths.
Docker Security- Walid Ashraf Seccomp Seccomp filtering allows a process to specify a berkeley packet filter to syscalls. In laymans terms, this allows a user to catch a syscall and allow, deny, trap, kill, or trace it via the syscall number and arguments passed. It adds an extra level of granularity in locking down the processes in your containers to only do what they need.
Docker Security- Walid Ashraf References https://docs.docker.com/engine/security/security/ https://linux.die.net/man/7/capabilities https://docs.docker.com/engine/security/apparmor/
Docker Security- Walid Ashraf

More Related Content

Introduction to docker security

  • 1. Walid Ashraf Researcher , Software Developer, Instructor about.me/WalidAshraf INTRODUCTION TO DOCKER SECURITY
  • 2. Docker Security- Walid Ashraf Docker Security Explained (How docker is secured ?) Namespaces Cgroups Docker Engine Docker Engine Communication Docker Volumes Docker Images Linux Capabilities Other Features
  • 3. Docker Security- Walid Ashraf Kernel Namespaces Namespaces provide the most strait forward form of isolation where processes cannot see other processes in other containers or in the host system. Each container also gets its own network stack which means that they are just like physical machines connected through a common Ethernet switch; no more, no less. Except for the case of links which allows in host communication.
  • 4. Docker Security- Walid Ashraf Cgroups Cgroups are used for resource accounting, limitations and control making sure that a single container cannot bring the system down by exhausting one of those resources. This feature is very useful in DDOS attacks on a certain container from affecting the rest of them which is a very important feature in multitenant datacenters.
  • 5. Docker Security- Walid Ashraf Cgroup Demo Dockerfile FROM ubuntu:latest RUN apt-get update && apt-get install -y stress CMD stress -c 2 Build Image docker build -t cpu-stress . Run container docker run -d --name stresser cpu-stress Remove Container docker stop stresser && docker rm stresser Run Container With affinity docker run -d --name stresser --cpuset-cpus 0 cpu-stress Remove docker stop stresser && docker rm stresser Run with affinity and shares docker run -d --name stresser-1 -cpuset-cpus 0 --cpu-shares 512 cpu-stress docker run -d --name stresser-2 -cpuset-cpus 0 --cpu-shares 256 cpu-stress
  • 6. Docker Engine Communication DockerVolumes Docker Images Linux Capabilities THE DOCKER DAEMON SURFACE ITSELF
  • 7. Docker Security- Walid Ashraf Docker Engine Communication The REST API endpoint (used by the Docker CLI to communicate with the Docker daemon) changed in Docker 0.5.2, and now uses a UNIX socket instead of a TCP socket bound on 127.0.0.1 (the latter being prone to cross-site request forgery attacks if you happen to run Docker directly on your local machine, outside of a VM). And You can then use traditional UNIX permission checks to limit access to the control socket. You can also expose the REST API over HTTP if you explicitly decide to do so. But, you should ensure that it will be reachable only from a trusted network or VPN; or protected with e.g., stunnel and client SSL certificates. You can also secure them with HTTPS and certificates.
  • 8. Docker Security- Walid Ashraf Docker Volumes Docker allows you to share a directory between the Docker host and a guest container. Nothing prevents you from sharing your root filesystem (or even your root block device) This means that you can start a container where the /host directory will be the / directory on your host and alter any of them (WHAT !!!!!) As a best practice use docker volumes for data sharing https://docs.docker.com/engine/reference/commandline/volume_create/ https://docs.docker.com/engine/tutorials/dockervolumes/
  • 9. Docker Security- Walid Ashraf Docker Images Docker Images could be altered where a harmful code is injected. As of Docker 1.3.2, images are now extracted in a chrooted sub process on Linux/Unix platforms, being the first-step in a wider effort toward privilege separation. And as of Docker 1.10.0, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image Docker Content Trust.
  • 10. Docker Security- Walid Ashraf The environment it self Docker runs as root and as a standalone application Of course, it is fine to keep your favorite admin tools (probably at least an SSH server), as well as existing monitoring/supervision processes, such as NRPE and collectd.
  • 11. Linux Capabilities allow you to break apart the power of root into smaller groups of privileges. LINUX CAPABILITIES
  • 12. Docker Security- Walid Ashraf Why I dont Need all capabilities ? Your average server (bare metal or virtual machine) needs to run a bunch of processes as root. Those typically include SSH, cron, syslogd; hardware management tools (e.g., load modules), network configuration tools (e.g., to handle DHCP, WPA, or VPNs), and much more. A container is very different, because almost all of those tasks are handled by the infrastructure around the container. This means that in most cases, containers will not need real root privileges at all, meaning that root within a container has much less privileges than the real root. For instance, it is possible to: deny all mount operations; deny access to raw sockets (to prevent packet spoofing); deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag); deny module loading;
  • 13. Docker Security- Walid Ashraf Docker Default Capabilities "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD", "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
  • 14. Docker Security- Walid Ashraf OTHER SECURITY FEATURES
  • 15. Docker Security- Walid Ashraf User Namespaces As of Docker 1.10 User Namespaces are supported directly by the docker daemon. This feature allows for the root user in a container to be mapped to a non uid-0 user outside the container, which can help to mitigate the risks of container breakout. This facility is available but not enabled by default.
  • 16. Docker Security- Walid Ashraf AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). For example, AppArmor can restrict file operations on specified paths.
  • 17. Docker Security- Walid Ashraf Seccomp Seccomp filtering allows a process to specify a berkeley packet filter to syscalls. In laymans terms, this allows a user to catch a syscall and allow, deny, trap, kill, or trace it via the syscall number and arguments passed. It adds an extra level of granularity in locking down the processes in your containers to only do what they need.
  • 18. Docker Security- Walid Ashraf References https://docs.docker.com/engine/security/security/ https://linux.die.net/man/7/capabilities https://docs.docker.com/engine/security/apparmor/