Docker File System Isolation, by Darrin Schmitz and David Huff (PowerPoint PPT Presentation)



SLIDE 1

Docker File System Isolation

By Darrin Schmitz, David Huff, Destiny Velasquez

LA-UR-15-25911

SLIDE 2

Specifications

  • HP ProLiant DL380p Gen8 servers
  • Head node has 32 cores and 32 GB RAM
  • 10 child nodes have 24 cores and 24 GB RAM
  • Operating system: CentOS 6.6
  • Containers: Docker version 1.6


SLIDE 3

Abstract Overview

  • Our goal
  • Technical difficulties
  • Overall, we believe Docker is a good security option, even though there are some security risks involved

SLIDE 4

What is a Container?

  • Between a virtual machine and a chroot
  • Native hardware utilization
  • Able to run different operating systems

SLIDE 5

Why use Docker?

  1. Pre-configures its network bridges
  2. Available documentation
  3. Portable and recoverable images

SLIDE 6

Docker Normal Setup

  • Docker bridge directly connected to node
  • Uses IP forwarding
  • The IP range for the containers is 172.17.0.0/20
  • Daemon configures iptables

SLIDE 7

Docker Normal Setup Diagram

SLIDE 8

Problems With Default Setup

  • Same IP addresses are assigned to different containers on different nodes
  • Iptables and bridges are not cleaned up by Docker

SLIDE 9

Steps to Create a Docker Network With OpenMPI

  1. Install Docker
  2. Set up the bridge manually
  3. Set up SSH-keys
  4. Set up OpenMPI
  5. Set up the Docker daemon to give out unique IP-addresses

https://www.linkedin.com/pulse/docker-containers-kubernetes-smart-ecosystem-solution-yasser-emam

SLIDE 10

Bridge

SLIDE 11

SSH-Keys & OpenMPI & Mounting

  • Generate the SSH-keys and place the public key into the authorized_keys file
  • Set up the /etc/openmpi/default-openmpi-hostnames file, and set the path to the OpenMPI libraries
  • Mounting is as simple as using Docker's -v flag

SLIDE 12

Docker Daemon

  • The Docker Daemon sets up the bridge
  • The IP range for the containers is set up by the daemon
  • There is a flag to assign a custom bridge to the daemon
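Added example (not part of the original slides): a small POSIX shell script that carries out steps 2 and 5 of slide 9. It carves the 172.17.0.0/20 container range from slide 6 into one /24 per node, prints the bridge-utils/iproute2 commands to build the bridge by hand, and prints the Docker 1.6 daemon flags (-b for the custom bridge, --fixed-cidr for that node's address pool) so that two nodes never hand the same address to their containers. The bridge name br0, the eth1 uplink to the switch, and operator-chosen node indices 0..15 are assumptions.

```sh
#!/bin/sh
# Added example (not from the original slides): give every node its own slice of the
# cluster's container range so containers on different nodes never share an address.
# Assumptions: container range 172.17.0.0/20 (slide 6), bridge named br0, node indices
# 0..15 chosen by the operator, eth1 as the uplink to the switch.

RANGE_PREFIX="172.17"   # 172.17.0.0/20 = the sixteen /24s 172.17.0.0 .. 172.17.15.0
MAX_NODE_INDEX=15       # head node + 10 child nodes (slide 2) fit with room to spare

# node_cidr INDEX: print the /24 reserved for node INDEX, fail on bad input
node_cidr() {
    case "$1" in
        ''|*[!0-9]*) echo "node index must be a non-negative integer" >&2; return 1 ;;
    esac
    idx=$(printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/')   # "03" -> "3", "0" stays "0"
    if [ "$idx" -gt "$MAX_NODE_INDEX" ]; then
        echo "node index $idx does not fit in $RANGE_PREFIX.0.0/20" >&2
        return 1
    fi
    printf '%s.%s.0/24\n' "$RANGE_PREFIX" "$idx"
}

# bridge_addr INDEX: host-side address of br0 on that node (first usable address)
bridge_addr() {
    cidr=$(node_cidr "$1") || return 1
    printf '%s.1/24\n' "${cidr%.0/24}"
}

# daemon_flags INDEX: flags for `docker -d` on Docker 1.6; -b uses the bridge we built,
# --fixed-cidr limits the daemon's address pool to this node's /24 (slide 9, step 5)
daemon_flags() {
    cidr=$(node_cidr "$1") || return 1
    printf '%s\n' "-b br0 --fixed-cidr=$cidr"
}

# bridge_setup_cmds INDEX: commands to create br0 by hand on CentOS 6 (slide 9, step 2).
# Printed instead of executed so the plan can be reviewed and the script run without root.
bridge_setup_cmds() {
    addr=$(bridge_addr "$1") || return 1
    printf 'brctl addbr br0\n'
    printf 'brctl addif br0 eth1\n'              # assumed uplink interface
    printf 'ip addr add %s dev br0\n' "$addr"
    printf 'ip link set br0 up\n'
}

# Usage when run directly: ./node_bridge.sh NODE_INDEX
if [ -n "$1" ]; then
    bridge_setup_cmds "$1" && printf 'docker -d %s\n' "$(daemon_flags "$1")"
fi
```

Run once per node with that node's index; the daemon then only assigns addresses from its own /24, which removes the duplicate-address problem of slide 8.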

SLIDE 13

Docker Hub

http://jenkins-ci.org/content/official-jenkins-lts-docker-image

SLIDE 14

Problems With Docker

  • Docker’s bridge needs to connect to the switch directly
  • Services do not start at the start of the terminal
  • Environment variables are not permanent
  • IP-addresses cannot be statically set
  • /etc/hosts file is constantly being overwritten

SLIDE 15

Benchmarks

Write
  dd if=/dev/urandom of=/Yellow/File bs=1024 count=1024000
  dd if=/dev/urandom of=/home/File bs=1024 count=1024000

Read
  dd if=/Yellow/File of=/dev/null bs=1024
  dd if=/home/File of=/dev/null bs=1024

SLIDE 16

Benchmark Results

[Bar chart: Relative Read Performance (scale 0.60 to 1.05) for Dir on Host, Dir mounted in Cont, File in /home using NFS, Mounted file in /home using NFS]

SLIDE 17

Benchmark Results

[Bar chart: Relative Write Performance (scale 0.60 to 1.05) for Dir on Host, Dir mounted in Cont, File in /home using NFS, Mounted file in /home using NFS]

SLIDE 18

CVEs

  • Insecure opening of file-descriptor 1 leading to privilege escalation (CVE-2015-3627)
  • Symlink traversal on container respawn allows local privilege escalation (CVE-2015-3629)
  • Read/write proc paths allow host modification & information disclosure (CVE-2015-3630)

SLIDE 19

Security Risks

  • The current version of Docker fixes these security holes
  • As of the 14th of July, 1.7.1 is compatible with CentOS 6.6
  • The isolation provided by Docker is not as robust as the segregation established by hypervisors for virtual machines

SLIDE 20

Security Recommendations

  • Use containers only on unclassified data/file systems
  • Containers run with a whitelisted root
  • Access control via SSH Keys
  • Set up a password between data locations
  • Don’t give root to the user
  • Set up user account in the container

SLIDE 21

Future Research

  • Write a launch script that works with SLURM/Moab to automatically provision the container environment.
  • Investigate bind mounts using Lustre and Panasas.
  • Investigate using containers in an SELinux environment.

https://docs.docker.com/

SLIDE 22

Conclusion

  • We met the goal of our project by proving Docker is a lightweight security option
  • Although there are some security holes to be concerned about, we’ve provided some security recommendations for Docker
  • Docker would be a useful option for separating Yellow and Turquoise data

SLIDE 23

References

  1. https://sites.google.com/a/probe.newmexicoconsortium.org/cscnsi-2015-vermilion/
  2. https://www.docker.com/
  3. https://hub.docker.com/
  4. https://nvd.nist.gov/

SLIDE 24

Questions?