USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE - - PowerPoint PPT Presentation



SLIDE 1

USING DOCKER SAFELY

ADRIAN MOUAT

NLUUG 28 MAY 2015

SLIDE 2

LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

SLIDE 3

"Containers Don't Contain"
Daniel Walsh, RedHat
https://opensource.com/business/14/7/docker-security-selinux

"... total systemic failure of all logic related to image security"
Jonathan Rudenberg, Flynn.io
https://titanous.com/posts/docker-insecurity

"... gives the apps root access"
Alex Larsson, RedHat
https://news.ycombinator.com/item?id=9086751

SLIDE 4

SO CAN CONTAINERS BE USED SECURELY? YES!

SLIDE 5

OVERVIEW

THINGS TO WORRY ABOUT!
PRIMARY DEFENCES
TIPS AND TECHNIQUES

SLIDE 6

KERNEL ATTACKS

SLIDE 7
SLIDE 8

DENIAL OF SERVICE

SLIDE 9
SLIDE 10

CONTAINER BREAKOUTS

SLIDE 11
SLIDE 12

POISONED IMAGES

SLIDE 13

SNIFFING SECRETS

SLIDE 14

THINK "DEFENCE IN DEPTH"

SLIDE 15

MULTIPLE LINES OF DEFENCE

SLIDE 16
SLIDE 17

CONTAINERS
VMS
ENCRYPTION
MONITORING
AUDITING
...

SLIDE 18

VIRTUAL MACHINES

Use VMs to segregate groups of containers

SLIDE 19

DOCKER PRIVILEGES == ROOT PRIVILEGES

SLIDE 20

BE CAREFUL WHO YOU GIVE ACCESS!
SECURE REMOTE API

SLIDE 21

USERS ARE NOT NAMESPACED

Root in container is root on host

SLIDE 22

SET A USER

Create a user in your Dockerfile
Change to the user via USER or su/sudo/gosu

RUN groupadd -r user && useradd -r -g user user
USER user

SLIDE 23

SET CONTAINER FS TO READ-ONLY

$ docker run --read-only debian touch x
touch: cannot touch 'x': Read-only file system

SLIDE 24

SET VOLUMES TO READ-ONLY

$ docker run -v $(pwd)/secrets:/secrets:ro \
    debian touch /secrets/x
touch: cannot touch '/secrets/x': Read-only file system

SLIDE 25

DROP CAPABILITIES

$ docker run --cap-drop SETUID --cap-drop SETGID myimage
$ docker run --cap-drop ALL --cap-add ...

SLIDE 26

FINER GRAINED LIMITING

SELINUX

By NSA!
Policy based MAC not DAC
File access, sockets, interfaces
Also AppArmor

SLIDE 27

SET CPUSHARES

$ docker run -d myimage
$ docker run -d -c 512 myimage
$ docker run -d -c 512 myimage

SLIDE 28

SET MEMORY LIMITS

$ docker run -m 512m myimage

SLIDE 29

TURN OFF INTER-CONTAINER COMMUNICATION

$ docker -d --icc=false

SLIDE 30

NOW CONTAINERS CAN'T ATTACK EACH OTHER

SLIDE 31

PEACE :)

SLIDE 32

BUT A BIT USELESS

SLIDE 33

ALLOW LINKED CONTAINERS TO COMMUNICATE

$ docker -d --icc=false --iptables

SLIDE 34

BEWARE BUGS

Dependent on Kernel Parameters
/proc/sys/net/bridge/bridge-nf-call-iptables
/proc/sys/net/bridge/bridge-nf-call-ip6tables
Drop Rule Placement
https://github.com/docker/docker/pull/11405
https://github.com/docker/docker/pull/11526

SLIDE 35

VERIFY IMAGES

Only use automated builds, check Dockerfile
Build yourself
Pull by digest

$ docker pull debian@sha256:0ecb2ad60
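The "pull by digest" rule above can be enforced before any pull happens. The helper below is an added example, not code from the slides or from Docker: safe_pull and is_pinned are hypothetical names and the sample digest is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: a pre-pull policy gate that accepts
# only image references pinned to a full sha256 digest ("pull by digest"),
# e.g. debian@sha256:<64 hex digits>. Tag-only references and abbreviated
# digests are refused. safe_pull is a hypothetical wrapper, not a docker flag.

# ref_digest REF: print the part of REF after '@' (empty if there is none)
ref_digest() {
    case "$1" in
        *@*) printf '%s\n' "${1#*@}" ;;
        *)   printf '\n' ;;
    esac
}

# is_pinned REF: succeed only when REF ends in sha256: plus exactly
# 64 lowercase hex digits (the form docker pull itself requires)
is_pinned() {
    d=$(ref_digest "$1")
    case "$d" in
        sha256:*) ;;
        *) return 1 ;;
    esac
    hex=${d#sha256:}
    [ "${#hex}" -eq 64 ] || return 1
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# safe_pull REF: refuse unpinned references; with DRY_RUN=1 print the
# docker command instead of running it (no docker daemon needed)
safe_pull() {
    if ! is_pinned "$1"; then
        echo "refusing to pull unpinned image reference: $1" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "docker pull $1"
    else
        docker pull "$1"
    fi
}

# Constructed sample digest for the demo (deadbeef x 8 = 64 hex digits)
SAMPLE_REF="debian@sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1 safe_pull "$SAMPLE_REF"                      # accepted
    DRY_RUN=1 safe_pull "debian:jessie" || echo "(refused)" # tag only
fi
```

The slide abbreviates the digest for display; this check, like docker pull itself, needs the full 64-hex-digit sha256 value.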

SLIDE 36

DEFANG SETUID/SETGID BINARIES

Applications probably don't need them
So don't run them in production

SLIDE 37

TO FIND THEM

$ docker run debian \
    find / -perm +6000 -type f -exec ls -ld {} \; 2> /dev/null
-rwsr-xr-x 1 root root 10248 Apr 15 00:02 /usr/lib/pt_chown
-rwxr-sr-x 1 root shadow 62272 Nov 20 2014 /usr/bin/chage
-rwsr-xr-x 1 root root 75376 Nov 20 2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53616 Nov 20 2014 /usr/bin/chfn
...

SLIDE 38

TO DEFANG THEM

FROM debian:wheezy
RUN find / -perm +6000 -type f -exec chmod a-s {} \; \
    || true

SLIDE 39

RESULT

$ docker build -t defanged-debian .
...
Successfully built 526744cf1bc1
$ docker run --rm defanged-debian \
    find / -perm +6000 -type f -exec ls -ld {} \; \
    2> /dev/null | wc -l
$
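The find-and-defang step from the last three slides, as an added example that is not from the slides, written as a stand-alone script run against a constructed directory tree rather than a whole image. It uses GNU find's -perm /6000 because recent findutils reject the older -perm +6000, and the Dockerfile's trailing || true would turn that rejection into a silent no-op with every setuid binary left in place; the function names and sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: audit a directory tree for
# setuid/setgid files and strip the bits, as the slides' find/chmod
# Dockerfile step does. Uses GNU find's "-perm /6000": recent findutils
# reject "-perm +6000", and a RUN line ending in "|| true" would hide
# that failure from docker build.

# list_suid DIR: print each setuid/setgid regular file under DIR, sorted
list_suid() {
    find "$1" -type f -perm /6000 2>/dev/null | sort
}

# count_suid DIR: number of setuid/setgid regular files under DIR
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# defang_suid DIR: clear the setuid and setgid bits on every such file
defang_suid() {
    find "$1" -type f -perm /6000 -exec chmod a-s {} \; 2>/dev/null
}

# make_sample_tree: constructed test data, a throw-away tree holding two
# setuid/setgid scripts and one ordinary one; prints the tree's path
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/lib"
    for f in usr/bin/chfn usr/bin/chage usr/lib/plain.sh; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$d/$f"
    done
    chmod 4755 "$d/usr/bin/chfn"      # setuid bit set
    chmod 2755 "$d/usr/bin/chage"     # setgid bit set
    chmod 0755 "$d/usr/lib/plain.sh"  # no special bits
    echo "$d"
}

# Stand-alone demo (sh defang.sh demo): audit, defang, audit again
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "before: $(count_suid "$tree") setuid/setgid file(s)"
    list_suid "$tree"
    defang_suid "$tree"
    echo "after:  $(count_suid "$tree") setuid/setgid file(s)"
    rm -rf "$tree"
fi
```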

SLIDE 40

SHARING SECRETS

SLIDE 41

BAKE IT INTO THE IMAGE

SLIDE 42
SLIDE 43

ENVIRONMENT VARIABLES

$ docker run -e API_TOKEN=MY_SECRET myimage

Suggested by 12 factor apps
Can be seen in too many places: linked containers, inspect
Can't be deleted

SLIDE 44

MOUNTED VOLUMES OR DATA VOLUME CONTAINERS

$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage

Works, but icky
Files can get checked in by accident

SLIDE 45

KEY-VALUE STORE

etcd (plus crypt)
vault
keywhiz
Can control leases, store encrypted
Still requires some sort of authentication token
https://github.com/coreos/etcd
https://github.com/xordataexchange/crypt
https://hashicorp.com/blog/vault.html
https://github.com/square/keywhiz/

SLIDE 46

CONCLUSION

Many aspects to container security
Get it wrong and you hand over the keys to your host
Get it right and you have defence in depth
More secure than VMs alone

SLIDE 47

Chief Scientist @ Container Solutions
Writing "Using Docker" for O'Reilly
@adrianmouat
http://www.container-solutions.com

SLIDE 48