introduction to docker security
TRANSCRIPT
Walid AshrafResearcher , Software Developer, Instructor
about.me/WalidAshraf
INTRODUCTION TO DOCKER SECURITY
Docker Security- Walid Ashraf
Docker Security Explained (How docker is secured ?)
Namespaces
Cgroups
Docker EngineDocker Engine Communication
Docker Volumes
Docker Images
Linux Capabilities
Other Features
Docker Security- Walid Ashraf
Kernel Namespaces
Namespaces provide the most strait forward form of isolation where processes cannot see other processes in other containers or in the host system.
Each container also gets its own network stack which means that they are just like physical machines connected through a common Ethernet switch; no more, no less.
• Except for the case of links which allows in host communication.
Docker Security- Walid Ashraf
Cgroups
Cgroups are used for resource accounting, limitations and control making sure that a single container cannot bring the system down by exhausting one of those resources.
This feature is very useful in DDOS attacks on a certain container from affecting the rest of them which is a very important feature in multitenant datacenters.
Docker Security- Walid Ashraf
Cgroup DemoDockerfile
FROM ubuntu:latestRUN apt-get update && apt-get install -y stressCMD stress -c 2
Build Imagedocker build -t cpu-stress .
Run containerdocker run -d --name stresser cpu-stress
Remove Containerdocker stop stresser && docker rm stresser
Run Container With affinitydocker run -d --name stresser --cpuset-cpus 0 cpu-stress
Removedocker stop stresser && docker rm stresser
Run with affinity and sharesdocker run -d --name stresser-1 -cpuset-cpus 0 --cpu-shares 512 cpu-stress docker run -d --name stresser-2 -cpuset-cpus 0 --cpu-shares 256 cpu-stress
Docker Engine Communication
Docker Volumes
Docker Images
Linux Capabilities
THE DOCKER DAEMON
SURFACE ITSELF
Docker Security- Walid Ashraf
Docker Engine CommunicationThe REST API endpoint (used by the Docker CLI to communicate with the Docker daemon) changed in Docker 0.5.2, and now uses a UNIX socket instead of a TCP socket bound on 127.0.0.1 (the latter being prone to cross-site request forgery attacks if you happen to run Docker directly on your local machine, outside of a VM).
And You can then use traditional UNIX permission checks to limit access to the control socket.
You can also expose the REST API over HTTP if you explicitly decide to do so. But, you should ensure that it will be reachable only from a trusted network or VPN; or protected with e.g., stunnel and client SSL certificates. You can also secure them with HTTPS and certificates.
Docker Security- Walid Ashraf
Docker VolumesDocker allows you to share a directory between the Docker host and a guest container.
Nothing prevents you from sharing your root filesystem (or even your root block device)
This means that you can start a container where the /host directory will be the / directory on your host and alter any of them (WHAT !!!!!)
As a best practice use docker volumes for data sharing https://docs.docker.com/engine/reference/commandline/volume_create/
https://docs.docker.com/engine/tutorials/dockervolumes/
Docker Security- Walid Ashraf
Docker ImagesDocker Images could be altered where a harmful code is injected.
As of Docker 1.3.2, images are now extracted in a chrooted sub process on Linux/Unix platforms, being the first-step in a wider effort toward privilege separation.
And as of Docker 1.10.0, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image Docker Content Trust.
Docker Security- Walid Ashraf
The environment it selfDocker runs as root and as a standalone application
Of course, it is fine to keep your favorite admin tools (probably at least an SSH server), as well as existing monitoring/supervision processes, such as NRPE and collectd.
Linux Capabilities allow you to break apart
the power of root into smaller groups of
privileges.
LINUX CAPABILITIES
Docker Security- Walid Ashraf
Why I don’t Need all capabilities ? Your average server (bare metal or virtual machine) needs to run a bunch of processes as root. Those typically include SSH, cron, syslogd; hardware management tools (e.g., load modules), network configuration tools (e.g., to handle DHCP, WPA, or VPNs), and much more.
A container is very different, because almost all of those tasks are handled by the infrastructure around the container.
This means that in most cases, containers will not need “real” root privileges at all, meaning that “root” within a container has much less privileges than the real “root”. For instance, it is possible to:
deny all “mount” operations;
deny access to raw sockets (to prevent packet spoofing);
deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
deny module loading;
Docker Security- Walid Ashraf
Docker Default Capabilities"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
Docker Security- Walid Ashraf
OTHER SECURITY FEATURES
Docker Security- Walid Ashraf
User NamespacesAs of Docker 1.10 User Namespaces are supported directly by the docker daemon. This feature allows for the root user in a container to be mapped to a non uid-0 user outside the container, which can help to mitigate the risks of container breakout. This facility is available but not enabled by default.
Docker Security- Walid Ashraf
AppArmorAppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles.
Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).
For example, AppArmor can restrict file operations on specified paths.
Docker Security- Walid Ashraf
SeccompSeccomp filtering allows a process to specify a berkeley packet filter to syscalls.
In layman’s terms, this allows a user to catch a syscall and “allow”, “deny”, “trap”, “kill”, or “trace” it via the syscall number and arguments passed.
It adds an extra level of granularity in locking down the processes in your containers to only do what they need.
Docker Security- Walid Ashraf
Referenceshttps://docs.docker.com/engine/security/security/
https://linux.die.net/man/7/capabilities
https://docs.docker.com/engine/security/apparmor/
Docker Security- Walid Ashraf