using docker safely
play

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE - PowerPoint PPT Presentation

Nov 15, 2022 •22 likes •502 views

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

  1. USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015

  2. LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

  3. "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic failure of all logic related to image security" Jonathan Rudenberg, Flynn.io https://titanous.com/posts/docker-insecurity "... gives the apps root access" Alex Larrson, RedHat https://news.ycombinator.com/item?id=9086751

  4. SO CAN CONTAINERS BE USED SECURELY? YES!

  5. OVERVIEW THINGS TO WORRY ABOUT! PRIMARY DEFENCES TIPS AND TECHNIQUES

  6. KERNEL ATTACKS

  8. DENIAL OF SERVICE

  10. CONTAINER BREAKOUTS

  12. POISONED IMAGES

  13. SNIFFING SECRETS

  14. THINK "DEFENCE IN DEPTH"

  15. MULTIPLE LINES OF DEFENCE

  17. CONTAINERS VMS ENCRYPTION MONITORING AUDITING ...

  18. VIRTUAL MACHINES Use VMs to segregate groups of containers

  19. DOCKER PRIVILEGES == ROOT PRIVILEGES

  20. BE CAREFUL WHO YOU GIVE ACCESS! SECURE REMOTE API

  21. USERS ARE NOT NAMESPACED Root in container is root on host

  22. SET A USER Create a user in your Dockerfile Change to the user via USER or su/sudo/gosu RUN groupadd -r user && useradd -r -g user user USER user

  23. SET CONTAINER FS TO READ-ONLY $ docker run --read-only debian touch x touch: cannot touch 'x': Read-only file system

  24. SET VOLUMES TO READ-ONLY $ docker run -v $(pwd)/secrets:/secrets:ro \ debian touch /secrets/x touch: cannot touch '/secrets/x': Read-only file system

  25. DROP CAPABILITIES $ docker run --cap-drop SETUID --cap-drop SETGID myimage $ docker run --cap-drop ALL --cap-add ...

  26. FINER GRAINED LIMITING SELINUX By NSA! Policy based MAC not DAC File access, sockets, interfaces Also AppArmor

  27. SET CPUSHARES $ docker run -d myimage $ docker run -d -c 512 myimage $ docker run -d -c 512 myimage

  28. SET MEMORY LIMITS $ docker run -m 512m myimage

  29. TURN OFF INTER-CONTAINER COMMUNICATION $ docker -d --icc=false

  30. NOW CONTAINERS CAN'T ATTACK EACH OTHER

  31. PEACE :)

  32. BUT A BIT USELESS

  33. ALLOW LINKED CONTAINERS TO COMMUNICATE $ docker -d --icc=false --iptables

  34. BEWARE BUGS Dependent on Kernel Parameters /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables https://github.com/docker/docker/pull/11405 Drop Rule Placement https://github.com/docker/docker/pull/11526

  35. VERIFY IMAGES Only use automated builds, check Dockerfile Build yourself Pull by digest $ docker pull debian@sha256:0ecb2ad60

  36. DEFANG SETUID/SETGID BINARIES Applications probably don't need them So don't run them in production

  37. TO FIND THEM $ docker run debian \ find / -perm +6000 -type f -exec ls -ld {} \; 2> /dev/null -rwsr-xr-x 1 root root 10248 Apr 15 00:02 /usr/lib/pt_chown -rwxr-sr-x 1 root shadow 62272 Nov 20 2014 /usr/bin/chage -rwsr-xr-x 1 root root 75376 Nov 20 2014 /usr/bin/gpasswd -rwsr-xr-x 1 root root 53616 Nov 20 2014 /usr/bin/chfn ...

  38. TO DEFANG THEM FROM debian:wheezy RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true

  39. RESULT $ docker build -t defanged-debian . ... Successfully built 526744cf1bc1 $ docker run --rm defanged-debian \ find / -perm +6000 -type f -exec ls -ld {} \; \ 2> /dev/null | wc -l 0 $

  40. SHARING SECRETS

  41. BAKE IT INTO THE IMAGE

  43. ENVIRONMENT VARIABLES $ docker run -e API_TOKEN=MY_SECRET myimage Suggested by 12 factor apps Can be seen too many places linked containers, inspect Can't be deleted

  44. MOUNTED VOLUMES OR DATA VOLUME CONTAINERS $ docker run -v /secretdir/keyfile:/keyfile:ro myimage $ docker run --volumes-from my-secret-container myimage Works, but icky Files can get checked in by accident

  45. KEY-VALUE STORE etcd (plus crypt) https://github.com/coreos/etcd https://github.com/xordataexchange/crypt vault https://hashicorp.com/blog/vault.html keywhiz https://github.com/square/keywhiz/ Can control leases, store encrypted Still requires some sort of authentication token

  46. CONCLUSION Many aspects to container security Get it wrong and you hand over the keys to your host Get it right and you have defence in depth More secure than VMs alone

  47. Chief Scientist @ Container Solutions http://www.container-solutions.com Writing "Using Docker" for O'Reilly @adrianmouat

Recommend

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc. @michael_hrivnak Docker is Popular Deployment gets most of the attention. 1 Developer 1 Laptop 3 Skills Exit Codes $ sudo docker run -it --rm centos:centos7

347 views • 17 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer Devops / Golang artist The Docker ecosystem Docker Engine : run containerized processes (aka: containers) Docker Compose : run multi-container

381 views • 13 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer & Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

599 views • 39 slides
Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016

Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016

Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering 4/20/2016 Agenda Who is Smartsheet + why we started using Docker Docker fundamentals Demo - creating a service Demo - building service + Docker container Demo

510 views • 29 slides
Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1 About Docker at OVH 2014-2015: Home-made container orchestrator, Sailabove, based on LXC 2016: Switch to Docker & Mesos/Marathon 6

487 views • 19 slides
Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn Agenda Preliminaries Container Security Considerations Containment

585 views • 20 slides
Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java

Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java

Demystifying Docker JUG Saxony Day 2015 Bernd Fischer Whos that guy? Passionate Java Developer (especially Spring) Agile and Devops infected Docker enthusiast berndfischer63@gmail.com @berndfischer63 JUG Saxony, Docker Meetup Dresden

521 views • 41 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
Java/JVM com Docker em produo: lies das trincheiras Leonardo Zanivan panga@apache.org

Java/JVM com Docker em produo: lies das trincheiras Leonardo Zanivan panga@apache.org

Java/JVM com Docker em produo: lies das trincheiras Leonardo Zanivan panga@apache.org Why Docker Container? Review: Why Docker Container? Environments (dev, test, UAT, prod) Productivity (onboarding, develop, test) Single

530 views • 24 slides
Is Docker Infrastructure or Platform? & Cloud Foundry intro A Lecture for InstallFest 2017

Is Docker Infrastructure or Platform? & Cloud Foundry intro A Lecture for InstallFest 2017

Is Docker Infrastructure or Platform? & Cloud Foundry intro A Lecture for InstallFest 2017 by Ing. Tom Vondra Cloud Architect at Outline Virtualization and IaaS PaaS Docker Problems with Docker Cloud Foundry

956 views • 62 slides
containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy

containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy

containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker - VPN-in-Docker -

1.06k views • 61 slides

More recommend