docker security workshop goals of this workshop
play

Docker Security Workshop Goals of this Workshop Understand and - PowerPoint PPT Presentation

Sep 12, 2023 •457 likes •1.94k views

Docker Security Workshop Goals of this Workshop Understand and get Understand and get comfortable with Docker comfortable with Linux security technologies security technologies Swarm Mode Security AppArmor Secrets Management seccomp

  1. Security Scanning: Summary Binary level scans pick Official repos/images up statically linked automatically scanned bins Provides Checks against CVE comprehensive bill of databases materials (BOM)

  2. Q&A

  3. Lab Testing Security Scanning

  4. Secure Orchestration by Default With Swarm Mode

  5. Swarm Mode: Overview Native clustering of Docker Hosts Swarm (cluster) • One or more Ma Managers Docker host Docker host Docker host (control plane) Manager Manager Manager • One or more Wo Work rkers rs (data plane) Docker host Docker host Docker host Worker Worker Worker – Run user workloads • Strong default security (out-of-the-box)

  6. Swarm Mode: Client Certificates Every node gets a Client Swarm (cluster) cert that identifies: Docker host Name : Na manager manager1 The node 1 ID : ofcm6bd… ID sha256 :a3ef… Swarm : 3acc2… Role : manager The Swarm that it’s a member of Expires : 2018… Its role in the Swarm

  7. Swarm Mode: Cryptographic Guarantees Swarm Docker host Docker host Na Name : manager1 Na Name : manager manager ID: 3acc2… ID ID : ofcm6bd… manager2 1 2 ID : bd550f… ID sha256 :a3ef… Swarm : 3acc2… sha256 :hxi3… CA Role : manager Swarm : 3acc2… Expires : 2018… Role : manager Expires : 2018… Docker host Docker host Name : worker1 Na Na Name : worker2 ID ID : 237b3e… ID : 5f99ae1… ID worker1 worker2 sha256 :39ock… sha256 :md66c… Swarm : 3acc2… Swarm : 3acc2… Role : worker Role : worker Expires : 2018… Expires : 2018…

  8. Creating a New Swarm $ docker swarm init Raft Consensus Group Swarm initialized: current node (ofcm6bdy5qcrlievawsw9wqfp) is now a manager. Distributed Cluster Store To add a worker to this swarm, run the following command: Docker host docker swarm join \ Manager --token SWMTKN-1- 31fxss83n3puc6bd11wm8vxged2ul94fxfbckjdy0rj37agk C CA CA ko-bz14m6jyeakhzvccs7wnbmmof \ A 172.31.45.44:2377 To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

  9. Using and External Root CA CA • Swarm supports using external CAs Manager Manager Manager • Pass the --external-ca flag to the docker swarm init command Worker Worker Worker

  10. Adding More Managers $ docker swarm join-token manager Raft Consensus Group To add a manager to this swarm, run the following command: Distributed Cluster Store docker swarm join \ --token SWMTKN-1-31fx-8z0l... \ Docker host Docker host Docker host 172.31.45.44:2377 Manager Manager Manager CA $ docker swarm join \ > --token SWMTKN-1-31fx-8z0l... \ > 172.31.45.44:2377 This node joined a swarm as a manager.

  11. Adding Workers Raft Consensus Group $ docker swarm join-token worker To add a worker to this swarm, run the Distributed Cluster Store following command: Docker host Docker host Docker host docker swarm join \ Manager Manager Manager --token SWMTKN-1-31fx-bz14... \ 172.31.45.44:2377 CA Docker host Docker host Docker host $ docker swarm join \ Worker Worker Worker > --token SWMTKN-1-31fx-bz14... \ > 172.31.45.44:2377 This node joined a swarm as a worker.

  12. Protect your Join Tokens Only approved nodes should be allowed $ docker swarm join \ > --token SWMTKN-1-31fx-bz14... \ to join your Swarm! > 172.31.45.44:2377 To join a Swarm as a manager , a node This node joined a swarm as a worker. must specify the manager join token. Keep it safe! To join a Swarm as a worker , a node must specify the worker join token. Keep it safe! You can rotate join tokens with: $ docker swarm join-token --rotate worker|manager

  13. Swarm Mode: Client Certificates All nodes get a client $ openssl x509 -in certificate /var/lib/docker/swarm/certificates/swarm-node.crt -text O = Swarm ID Certificate: Swarm ID ... Issuer: CN=swarm-ca Node Role OU = Role Node ID Validity Not Before: Mar 9 15:21:00 2017 GMT CN = Node ID Not After : Jun 7 16:21:00 2017 GMT Subject: O=lgz5xj1eqg..., OU=swarm-manager, CN=ofcm6bdy... ... Client certificates are used X509v3 Subject Alternative Name: for mutual authentication DNS:swarm-manager, DNS:ofcm6bdy..., DNS:swarm-ca and encryption. ... -----BEGIN CERTIFICATE----- MIICNDCCAdugAwIBAgIUCoRaj23j4h5 ...

  14. Swarm Mode: Client Certificates Certificate: ... Issuer: CN=swarm-ca Validity Not Before: Mar 9 15:21:00 2017 GMT Not After : Jun 7 16:21:00 2017 GMT Subject: O=lgz5xj1eqg4pcd0bib75i4fhd, OU=swarm-manager, CN=ofcm6bdy5qcrlievawsw9wqfp X509v3 Subject Alternative Name: DNS:swarm-manager, DNS:ofcm6bdy..., DNS:swarm-ca ... $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 4ckd17z0uk6fzi0tfwyxbra1g ip-172-31-34-195 Ready Active ofcm6bdy5qcrlievawsw9wqfp * ip-172-31-45-44 Ready Active Leader p73dypqeyeg9p7iab9d0qzns5 ip-172-31-46-1 Ready Active Reachable ubt37ywh3j171f6lpv3n5et4u ip-172-31-43-107 Ready Active Reachable uf7y3ap5qdyrwmxt9upnctxws ip-172-31-46-102 Ready Active

  15. Swarm Info The docker info command $ docker info ... can be used to display Swarm: active NodeID: ofcm6bdy5qcrlievawsw9wqfp Is Manager: true information about the Swarm ClusterID: lgz5xj1eqg4pcd0bib75i4fhd Managers: 3 that a node belongs to. Nodes: 5 Orchestration: Task History Retention Limit: 5 Raft: Snapshot Interval: 10000 Some security related items Number of Old Snapshots to Retain: 0 Heartbeat Tick: 1 Election Tick: 3 are shown in yellow Dispatcher: Heartbeat Period: 5 seconds CA Configuration: Expiry Duration: 3 months Node Address: 172.31.45.44 Manager Addresses: 172.31.43.107:2377 172.31.45.44:2377 172.31.46.1:2377

  16. Simple Certificate Rotation Automatic client certificate rotation Name: manager1 • defaults to 90 days ID (CN): ofcm6bdy5qcrlievawsw9wqfp • Customizable Swarm (O): lgz5xj1eqg4pcd0bib75i4fhd Role (OU): swarm-manager Swarm operates a whitelist of Not before: Mar 9 15:21:00 2017 GMT valid certificates Not after: Jun 7 16:21:00 2017 GMT sha256: hxi3 … Renewal times are randomized to prevent overloading the CA

  17. Certificate Rotation Only client certificates can be rotated* Use the --cert-expiry flag to change the rotation period The following command will build a Swarm that rotates client certificates every 30 days docker swarm init --cert-expiry 720h0m0s The following command updates a Swarm to rotate client certificates every 60 days docker swarm update --cert-expiry 1440h

  18. Docker Swarm: Secure Cluster Store The cluster store is encrypted Raft Consensus Group • Anything stored in the cluster store is encrypted (secrets Distributed Cluster Store etc.) Docker host Docker host Docker host Manager Manager Manager The cluster store is distributed/replicated across all CA managers

  19. Docker Swarm Security: Recap Secure Join Tokens Client Certificates Docke r Swarm Encrypted Cluster Certificate Rotation Store

  20. Docker Swarm: Workload Placement Constraints Limit the nodes that service tasks can run on

  21. Constraints Constraints use the following: Built-in node attributes node.id | node.hostname | node.role | … Built-in Engine labels engine.labels.operatingsystem | … User-define node labels node.labels.zone | node.labels.pcidss …

  22. Constraints: Only Run Tasks on Worker Nodes $ docker service create \ --name svc1 \ --constraint ‘node.role == worker’ \ redis:latest

  23. Constraints: Only Run Tasks on Nodes Running Ubuntu $ docker service create \ --name svc1 \ --constraint ‘engine.labels.operatingsystem == ubuntu 16.04’ \ redis:latest 72

  24. Constraints: User-defined Labels $ docker node update \ --label-add zone=prod1 \ node1 $ docker service create \ --name svc1 \ --constraint ‘node.labels.zone == prod1’ \ redis:latest

  25. Constraints: User-defined Labels $ docker node update \ --label-add zone=prod1 \ node1 $ docker service create \ --name svc1 \ --constraint ‘node.labels.zone != prod1’ \ redis:latest

  26. User-defined Labels Swarm ID: xah78sba9m228… $ docker node update --label-add Manager Manager Manager Simple key/value pairs zone=prod1 zone=prod1 zone=prod2 Worker Worker Worker Great way to organize nodes zone=prod2 zone=prod2 zone=prod1 Only apply within the Swarm

  27. PCI-DSS Example docker service create \ Swarm ID: xah78sba9m228… --name web-fe \ --constraint ‘node.labels.pcidss == yes’ \ mgr1 mgr2 mgr3 --replicas=3 corp1/nginx:hardened pcidss=no pcidss=no pcidss=yes • Single Swarm with 6 nodes wrkr1 wrkr2 wrkr3 • 3 nodes with label pcidss=yes • 3 nodes with label pcidss=no pcidss=yes pcidss=yes pcidss=no • Service deployed with constraint: • node.labels.pcidss == yes • Service tasks can only be scheduled on nodes with label pcidss=yes

  28. Q&A

  29. Lab Building A Secure Swarm

  30. Secure App-centric Networks with Swarm Mode

  31. Background: Networking is Important! Networking is integral to distributed applications But networking is hard, vast, and complex! Goal: Make Docker networking SIMPLE and SECURE!

  32. Docker Networking Architecture Libnetwork (CNM) Native Network Driver Load Balancing Native IPAM Driver Service Discovery Remote Network Driver Network Control Plane Remote IPAM Driver Docker Engine

  33. • Multihost Networking • Aliases • Plugins Libnetwork • DNS Round Robin • IPAM (CNM) LB • Network UX/API 1.7 1.8 1.9 1.10 1.11 1.12 • Secure out-of-the-box Service Distributed • Encrypted distributed KV Discovery DNS store for network config and state • Encrypted control plane • Encrypted data plane • Built-in routing mesh • Overlay…

  34. PCI-DSS Example Swarm Every Swarm gets a distributed Distributed Cluster Store (Network config and state) cluster store • Encrypted by default Manager Manager Manager • Stores network config and CA state Worker Worker Worker All node-to-node communication is secured by mutual TLS

  35. Secure Networking: Container to Container Control Plane Data Plane Encrypted by default Can be easily encrypted • AES (GCM) • --opt encrypted • Keys rotated every 12 • AES (GCM) hours • Keys rotated every 12 hours

  36. Secure Container Networking: Example $ docker network create -d overlay --opt encrypted my-net Control Plane encrypted Data Plane encrypted Config in secure cluster Keys automatically rotated store

  37. Secure Container Networking: Lazy Creation Newly created networks are only created on nodes that need them Nodes that do not need them do not get them (more secure) Reduces network chatter (more secure)

  38. Secure Container Networking: Isolation RethinkDB Internal nginx service RethinkDB RethinkDB my_app Proxy RethinkDB load_balancer_net app_net db_net

  39. Secure Container Networking: Isolation Internal nginx RethinkDB service load_balancer_net db_net my_app RethinkDB Proxy app_net

  40. Secure Container Networking: Isolation Internal nginx RethinkDB service • Micro segmentation • By default, containers can only talk to other containers on the same network my_app RethinkDB Proxy • Service Discovery is network-scoped load_balancer_net app_net db_net – Containers cannot automatically discover services and containers on other networks

  41. Networking Gotcha Starting a container with the --net=host will allow the container to see all networking traffic on the Docker host! $ docker container run --rm -it \ --net=host \ alpine sh Avoid at all costs!

  42. Q&A

  43. Container Native Secrets Management Docker 1.13 Introduced Native Docker Secrets Management

  44. What is a Secret Humans: Applications: Passwords Secrets Plugin API Design Batteries included but removable

  45. The Three Pillars of Docker Security Secrets Infrastructure Usable Security Trusted delivery Independent

  46. Secrets Management: Usable Security Standardized interface for developers Standardized interface for operations teams Us Usable Fits most existing methods of accessing secrets Sec Security Leverages existing security features of Swarm Mode

  47. Secrets Management: Usable Security (Devs) • Compose and services support for secrets • Define services, secrets, networks and volumes in a single file

  48. Secrets Management: Usable Security (Ops) • Integrated secrets and app management in Docker Datacenter • Deploy Compose file directly with no code changes • Add granular access control to secrets and services

  49. Secrets Management: Simplified Workflow (example) Development Test Production environment environment environment /run/secrets/app-sec /run/secrets/app-sec /run/secrets/app-sec Secret: password Secret: Password123 Secret: @e~£.#$$e…

  50. Secrets Management: Trusted Delivery Secrets encrypted at rest in the cluster store Secrets encrypted in-flight over the network Secrets only available to authorized apps/services Secrets never persisted to disk in containers or on nodes

  51. Secrets Management: Trusted Delivery Raft Consensus Group Internal Distributed Store Web Manager Manager Manager UI Worker 1 Worker 2 Worker 3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

502 views • 48 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
SES, Moving security messages throughout the ether. Workshop on GENI and Security

SES, Moving security messages throughout the ether. Workshop on GENI and Security

SES, Moving security messages throughout the ether. Workshop on GENI and Security UC-Davis, January 2009 Doug Pearson / Wes Young Addressing the Workshop question: How can GENI itself be adequately secured and protected from

471 views • 16 slides
CDI Communications Strategy Workshop Goals of workshop: 1.Understand our audiences/target groups

CDI Communications Strategy Workshop Goals of workshop: 1.Understand our audiences/target groups

CDI Communications Strategy Workshop Goals of workshop: 1.Understand our audiences/target groups 2.Gain insights into where communication leads and does not lead to behavioural change 3.Examine best methods and messaging to reach different

691 views • 28 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum

ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum

ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum Strands GOALS for the day: Refresh the leadership focus needed for the implementation of the Academy work in Year 2 Continue to examine the

307 views • 30 slides
PDA: A Global Workshop Introduction and Goals of the Association Workshop Georges FRANCE

PDA: A Global Workshop Introduction and Goals of the Association Workshop Georges FRANCE

Joint Regulators-Industry Quality by Design PDA: A Global Workshop Introduction and Goals of the Association Workshop Georges FRANCE External Relation Head for quality Novartis Joint Regulators/Industry QbD Workshop 28-29 January 2014

156 views • 15 slides
Applications Area Architecture Workshop 11/12 February 2008 1 Workshop Goals Examine

Applications Area Architecture Workshop 11/12 February 2008 1 Workshop Goals Examine

Applications Area Architecture Workshop 11/12 February 2008 1 Workshop Goals Examine architectural gaps in applications standards Explore sensible reuse of existing standards Brainstorm share and develop ideas for solutions

204 views • 6 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

The Bro Network Security Monitor Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to Medium-term Roadmap Current Research Projects Workshop Wrap-Up 2 Bro Workshop 2011 Version 2.0 Final 3 Bro

620 views • 57 slides
Job Search Techniques Career Services Workshop Series Workshop Goals Preparing Yourself for

Job Search Techniques Career Services Workshop Series Workshop Goals Preparing Yourself for

WELCOME! Job Search Techniques Career Services Workshop Series Workshop Goals Preparing Yourself for the Job Search The Job Search Cycle Review CareerXroads statistics Where Are the Jobs? What Talents Are Needed?

403 views • 25 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
KPart: A Hybrid Cache Sharing-Partitioning Technique for Commodity Multicores Nosayba EI-Sayed

KPart: A Hybrid Cache Sharing-Partitioning Technique for Commodity Multicores Nosayba EI-Sayed

KPart: A Hybrid Cache Sharing-Partitioning Technique for Commodity Multicores Nosayba EI-Sayed Anurag Mukkara Po-An Tsai Harshad Kasture Xiaosong Ma Daniel Sanchez Cache partitioning in commodity multicores 2 Partitioning

682 views • 28 slides
Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint

Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint

Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint work with Hongyu L IU and Jingni X IAO (Hong Kong Baptist University) Workshop Analysis and Numerics of Acoustic and Electromagnetic Problems Linz, 17

449 views • 20 slides
Global stability Giovanni Alessandrini for coupled physics inverse problems. Introduction A

Global stability Giovanni Alessandrini for coupled physics inverse problems. Introduction A

STABILITY FOR COUPLED PHYSICS IPs Global stability Giovanni Alessandrini for coupled physics inverse problems. Introduction A case study An example A priori assumptions Main Theorem Giovanni Alessandrini Stability for |u|

905 views • 59 slides
Introduction to Mosek Modern Optimization in Energy, 28 June 2018 Micha l Adamaszek

Introduction to Mosek Modern Optimization in Energy, 28 June 2018 Micha l Adamaszek

Introduction to Mosek Modern Optimization in Energy, 28 June 2018 Micha l Adamaszek www.mosek.com MOSEK package overview Started in 1999 by Erling Andersen Convex conic optimization package + MIP LP, QP, SOCP, SDP, other

712 views • 11 slides
A change of variable formula with It o correction term* Jason Swanson Department of

A change of variable formula with It o correction term* Jason Swanson Department of

Introduction and setup Results Proof methods A change of variable formula with It o correction term* Jason Swanson Department of Mathematics University of Central Florida Isaac Newton Institute, May 24, 2010 *Joint work with Chris Burdzy

849 views • 43 slides
Socket Programming Rohan Murty Hitesh Ballani Last Modified: 2/8/2004 8:31:51 AM Slides

Socket Programming Rohan Murty Hitesh Ballani Last Modified: 2/8/2004 8:31:51 AM Slides

Socket Programming Rohan Murty Hitesh Ballani Last Modified: 2/8/2004 8:31:51 AM Slides adapted from Prof. Matthews slides from 2003SP Socket programming Goal: learn how to build client/server application that communicate using sockets

1.06k views • 48 slides
1 Example: Java client (TCP) Example: Java client (TCP), cont. import java.io.*; import

1 Example: Java client (TCP) Example: Java client (TCP), cont. import java.io.*; import

Socket-programming using TCP Socket: a door between application process and end- end-transport protocol (UCP or TCP) TCP service: reliable transfer of bytes from one Socket Programming process to another controlled by controlled by process

453 views • 3 slides
An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos

An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos

An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos Nikas Computing Systems Laboratory NTU Athens, Greece Matthew Horsnell, Jim Garside Advanced Processor Technologies Group University of Manchester

692 views • 32 slides

More recommend