building trustworthy containers
TRANSCRIPT
Matthew Garrett@mjg59 | [email protected] | coreos.com
Security is a tough sell
Convenience often beats security
How can we ensure security wins?
Make the secure solution the better solution
Telnet
rsh
ssh
or increase social pressure
Let's Encrypt
Many other security stories have been failures
SELinux
Seccomp
Trusted Computing
So, why do people want containers?
Ease of deployment
Ease of development
Containers let us think differently
Containers give us well-defined interfaces
Containers let us treat different code differently
Containers move much security to the runtime
SELinux today:
Write some software
Ship it
Discover SELinux blocks it on RHEL
Write SELinux policy
Discover SuSE ships a different SELinux policy
sudo setenforce 0
SELinux with containers:
Write software
Package container
That's it
No, really, that's it
Container runtime does the rest
But what about bundled libraries?
Static analysis works
Paradoxically, may be easier
Not all OpenSSL use is equally security critical
More aggressive updates of each container
Containers are better than the status quo
but can we do even more?
You can't build security on shaky foundations
Container security depends on OS security
General purpose operating systems are hard
Without defined use-cases, security is difficult
Let's build specific-purpose operating systems
A truly immutable OS
Cryptographically verified filesystem
Trusted Computing
A trustworthy base to build on
But what next?
Signed container images
Measure the container images into the TPM
Verifiable audit trail
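The mechanism behind "Measure the container images into the TPM" and "Verifiable audit trail" above, as an added example that is not part of the talk or of any CoreOS code: a simulated SHA-256 PCR is extended with each image digest at launch time, and a verifier later replays the event log to check that it reproduces the PCR value (a real deployment would take that value from a signed TPM quote rather than from the host). Image names, digests and the allowlist are constructed sample values.

```python
import hashlib

# Constructed sample images and their (fake) content digests; not real registries or images.
IMAGES = [
    ("registry.example/web:1.4", hashlib.sha256(b"constructed web image 1.4").hexdigest()),
    ("registry.example/db:9.2", hashlib.sha256(b"constructed db image 9.2").hexdigest()),
]

# Constructed allowlist standing in for "digests of images whose signatures verified".
SIGNED_DIGESTS = {digest for _, digest in IMAGES}

PCR_INIT = bytes(32)  # a freshly reset SHA-256 PCR bank reads as all zeros


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = SHA-256(old || digest).

    The PCR can only be extended, never set, so every launch leaves a
    permanent, order-dependent trace until the next reset."""
    return hashlib.sha256(pcr + digest).digest()


def measure_images(images):
    """Host side: extend each image digest into the simulated PCR and
    append a matching event-log entry. Returns (final_pcr, event_log)."""
    pcr, log = PCR_INIT, []
    for name, digest_hex in images:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
        log.append({"image": name, "digest": digest_hex})
    return pcr, log


def verify_audit_trail(log, quoted_pcr: bytes, signed_digests):
    """Verifier side: replay the event log and compare with the quoted PCR,
    then check every measured image against the allowlist.

    Returns (ok, reason). Dropping, reordering or rewriting a log entry
    changes the replayed value, so the log cannot be edited after the fact."""
    pcr = PCR_INIT
    for entry in log:
        pcr = pcr_extend(pcr, bytes.fromhex(entry["digest"]))
    if pcr != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR value"
    unsigned = [e["image"] for e in log if e["digest"] not in signed_digests]
    if unsigned:
        return False, "unsigned images were launched: " + ", ".join(unsigned)
    return True, "all launched images are signed and the log is intact"
```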
Taking things even further
Not all containers are equal
Can we isolate further?
(We can isolate further)
VM-based isolation
Deploy and manage identically
All the security benefits of full VMs
We can build secure container infrastructure
We can place trust in our containers
Thank you!