
Docker security: Rolling out Trust in your container

Date post: 14-Feb-2017
Upload: ronak-kogta
Page 1: Docker security: Rolling out Trust in your container

Ronak Kogta

Docker Security: Rolling out trust in your container

Page 2: Docker security: Rolling out Trust in your container

Buzz is catching on, and so is technology

Neatly packs multiple applications on one operating system

Gives you a way to compose clusters, manage them and play with them at a scale of 100,000

Docker Docker Docker

Page 3: Docker security: Rolling out Trust in your container

A very secure system which is not user-friendly will not be secure for long. (because people will find a way to go around it)

Usable Security is a principle of building security systems while considering human workflows.

Speed

Efficiency

Learnability

Memorability

User Preference

Idea of Usable Security

Page 4: Docker security: Rolling out Trust in your container

It's going to be everywhere

Your Desktop, Workstation & Cloud Infrastructure.

Your Production, Development & Testing Cycles.

It is going to be used by everyone

Your team, clients, and partners.

Independent developers and teams who are using your images.

We should definitely think about #docker-security

Docker Space

Page 5: Docker security: Rolling out Trust in your container

How safe is Docker isolation?

If a malicious user has access to the Docker daemon, what can be done?

Can I use security policies over Docker?

SELinux, AppArmor, GRSEC

Can I really trust the Docker images I install?

Can I SSH into a Docker container?

Let's think...

Page 6: Docker security: Rolling out Trust in your container

Every process must be able to access only the information and resources that are necessary for its legitimate purpose

- Diogo Mónica, Docker

Linux namespaces (isolated view of system.)

Cgroups (limit and isolate the resource usage.)

Linux Security Modules (AppArmor, SELinux)

Capabilities

Per-container ulimit

User-namespaces: root inside is not root outside

Seccomp: Individual syscall filtering (like chrome sandbox)

Enter Least Privilege

Page 7: Docker security: Rolling out Trust in your container

Linux Namespaces

Page 8: Docker security: Rolling out Trust in your container

Linux Namespaces

Page 9: Docker security: Rolling out Trust in your container

Cgroups, ulimit & User Namespaces

Docker root is not real root. (User Namespaces)

Docker ulimit

With cgroups, you can control the resource usage of a container

docker run --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" ...

Page 10: Docker security: Rolling out Trust in your container

Root has certain capabilities, but we don’t want our container to have all those capabilities

Each container can have some of the capabilities of root, but not all.

Mounting operations

Access to raw sockets (prevent opening privileged ports, spoofing)

Some file system operations (mknod, chown, chattr)

Loading kernel modules

Capabilities

Page 11: Docker security: Rolling out Trust in your container

man 7 capabilities

Docker by default drops some capabilities

sys_admin, sys_time, sys_nice, ...

Capabilities

docker run --cap-drop=CHOWN ...

docker run --cap-add=MKNOD ...
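
To check what the capability flags above actually leave a container with, here is an added example (not from the slides) that decodes the `CapEff` mask from `/proc/<pid>/status` and reports any of the sensitive capabilities the slides name. The two status snippets are constructed; the first mask is assumed to be the one commonly seen for a default Docker container.

```python
# Capability bit numbers as defined in linux/capability.h.
CAP_NAMES = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 2: "DAC_READ_SEARCH", 3: "FOWNER",
    4: "FSETID", 5: "KILL", 6: "SETGID", 7: "SETUID", 8: "SETPCAP",
    9: "LINUX_IMMUTABLE", 10: "NET_BIND_SERVICE", 11: "NET_BROADCAST",
    12: "NET_ADMIN", 13: "NET_RAW", 14: "IPC_LOCK", 15: "IPC_OWNER",
    16: "SYS_MODULE", 17: "SYS_RAWIO", 18: "SYS_CHROOT", 19: "SYS_PTRACE",
    20: "SYS_PACCT", 21: "SYS_ADMIN", 22: "SYS_BOOT", 23: "SYS_NICE",
    24: "SYS_RESOURCE", 25: "SYS_TIME", 26: "SYS_TTY_CONFIG", 27: "MKNOD",
    28: "LEASE", 29: "AUDIT_WRITE", 30: "AUDIT_CONTROL", 31: "SETFCAP",
    32: "MAC_OVERRIDE", 33: "MAC_ADMIN", 34: "SYSLOG", 35: "WAKE_ALARM",
    36: "BLOCK_SUSPEND", 37: "AUDIT_READ",
}
# Capabilities the slides single out (kernel modules, sys_admin, sys_time, sys_nice).
SENSITIVE = {"SYS_MODULE", "SYS_ADMIN", "SYS_TIME", "SYS_NICE"}

def cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")

def decode(mask):
    """Translate a capability bitmask into a set of capability names."""
    return {CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1}

def audit(status_text):
    """Return the sensitive capabilities the process still holds, sorted."""
    return sorted(decode(cap_eff(status_text)) & SENSITIVE)

def drop(mask, name):
    """Model --cap-drop=<name>: clear that capability's bit in the mask."""
    bit = next(b for b, n in CAP_NAMES.items() if n == name)
    return mask & ~(1 << bit)

# Constructed samples: an assumed default-container mask and an all-capabilities mask.
DEFAULT_STATUS = "Name:\tnginx\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
FULL_STATUS = "Name:\tsh\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("all caps", FULL_STATUS)):
        print(label, "->", audit(text) or "no sensitive capabilities")
```

On a Linux host, passing the contents of `/proc/<pid>/status` for a container's main process to `audit()` performs the same check on a live container.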

Page 12: Docker security: Rolling out Trust in your container

Seccomp & Syscalls

[Diagram labels: System Calls; OS Utilities; IP Tables; Other User Programs; Device Drivers; NetFilter; Other Kernel Components]

Page 13: Docker security: Rolling out Trust in your container

Seccomp & Syscalls

Page 14: Docker security: Rolling out Trust in your container

Seccomp & Syscalls

You can block system calls from seccomp. Quite like sandboxing.

Supports syscall filtering by using BPF

SIGKILL is sent to the process that made the blocked syscall

docker run --lxc-conf=common.seccomp ...
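
An added example, not from the slides: a small parser for a version-2 LXC seccomp policy, the kind of text a file such as common.seccomp holds, that answers what happens to a given syscall and which kernel-module calls a policy still lets through. The sample policies are constructed, and the default actions (a listed call with no action is killed in a blacklist, an unlisted call is killed in a whitelist) are assumptions based on LXC's documented behaviour.

```python
MODULE_CALLS = ("init_module", "finit_module", "delete_module", "kexec_load")

def parse_policy(text):
    """Parse a version-2 policy into (mode, {syscall: action})."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only version 2 policies are handled")
    mode = lines[1].split()[0]
    if mode not in ("blacklist", "whitelist"):
        raise ValueError("unknown policy mode: " + mode)
    # Assumed defaults: a listed call with no action is killed in a
    # blacklist and allowed in a whitelist.
    rule_default = "kill" if mode == "blacklist" else "allow"
    rules = {}
    for ln in lines[2:]:
        if ln.startswith("["):          # architecture section, e.g. [all]
            continue
        name, *action = ln.split()
        rules[name] = " ".join(action) or rule_default
    return mode, rules

def decide(policy, syscall):
    """Action the filter takes when the process makes `syscall`."""
    mode, rules = policy
    if syscall in rules:
        return rules[syscall]
    return "allow" if mode == "blacklist" else "kill"

def still_allowed(policy, calls=MODULE_CALLS):
    """Calls from `calls` that the policy would let through."""
    return [c for c in calls if decide(policy, c) == "allow"]

# Constructed sample policies (not the contents of any shipped file).
BLACKLIST = """2
blacklist
[all]
kexec_load errno 1
init_module errno 1
delete_module            # no action: default rule action applies
"""
WHITELIST = "2\nwhitelist\nread\nwrite\nexit_group\n"

if __name__ == "__main__":
    bl, wl = parse_policy(BLACKLIST), parse_policy(WHITELIST)
    print("blacklist gap:", still_allowed(bl))   # finit_module is not listed
    print("whitelist ptrace ->", decide(wl, "ptrace"))
```

The blacklist sample shows the usual weakness of deny-lists: a call that was never listed passes, while the whitelist blocks everything it does not name.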

Page 15: Docker security: Rolling out Trust in your container

More...

Combine Docker with AppArmor/SELinux/TOMOYO Profiles

These profiles help you in deciding minimal privilege for each application.

Preventing permission escalation and unauthorized information disclosure (or worse).

Within the container configuration the related AppArmor profile can be defined with lxc.aa_profile.

docker run --security-opt label:type:svirt_apache ...

Page 16: Docker security: Rolling out Trust in your container

GRSEC and PaX

Use a hardened Linux kernel for host, with kernel patches.

User Mappings

Map user/group ids

lxc.id_map = u 0 1000000 65536

lxc.id_map = g 0 1000000 65536

Couple it with docker run --lxc-conf=

More...

Page 17: Docker security: Rolling out Trust in your container

Can you really trust your images?

Docker Notary

Page 18: Docker security: Rolling out Trust in your container

Trusted Cross Platform content distribution

Trusted Client – Server Interaction

Publisher signed content

Publisher Key validates integrity of content

Platform Agnostic to distribute any content

https://github.com/docker/notary

Docker Notary

Page 19: Docker security: Rolling out Trust in your container

Docker Content Trust

[Diagram: Publisher, Registry, and three Users]

Page 20: Docker security: Rolling out Trust in your container

Two keys are generated when publisher first pushes image.

Tagging Key

Exists for each new repository that publisher owns

Can be shared with collaborators easily.

Offline Key

Users see this key as official publisher’s key

Important in establishing trust.

Only needed when creating new repository or rotating existing repository

Publisher’s View

Page 21: Docker security: Rolling out Trust in your container

Once images are signed, TUF ensures

Integrity

& Freshness of Content

Notion of Timestamp Key

Needed to ensure freshness guarantees

Generated at remote server.

Docker maintains it for you

http://theupdateframework.com/

Trust Update Framework
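
The integrity and freshness guarantees above can be made concrete with a simplified client-side check, added here as an example and not taken from the slides or from Notary. It assumes a timestamp record that carries a version, an expiry and the hash of the metadata it covers (called the snapshot here, TUF's term); HMAC-SHA256 stands in for the public-key signatures real TUF uses, and all keys and data are constructed.

```python
import hashlib
import hmac
import json

def sign(key, body):
    """Stand-in signature: HMAC-SHA256 over canonical JSON of the body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_timestamp(key, snapshot, version, expires):
    """Server side: sign a short-lived record that pins the current snapshot."""
    body = {"version": version, "expires": expires,
            "snapshot_sha256": hashlib.sha256(snapshot).hexdigest()}
    return {"signed": body, "sig": sign(key, body)}

def verify(key, ts, snapshot, now, last_version):
    """Client side: return 'ok' or the reason the metadata is rejected."""
    body = ts["signed"]
    if not hmac.compare_digest(ts["sig"], sign(key, body)):
        return "bad signature"
    if now >= body["expires"]:
        return "expired"              # old metadata replayed: validly signed but stale
    if body["version"] < last_version:
        return "rollback"             # older than what this client already saw
    if hashlib.sha256(snapshot).hexdigest() != body["snapshot_sha256"]:
        return "snapshot mismatch"    # integrity failure
    return "ok"

# Constructed sample data; times are plain integers for readability.
KEY = b"constructed-timestamp-key"
SNAP_V1 = b'{"latest": "sha256:aaaa"}'
SNAP_V2 = b'{"latest": "sha256:bbbb"}'
TS_V1 = make_timestamp(KEY, SNAP_V1, version=1, expires=1000)
TS_V2 = make_timestamp(KEY, SNAP_V2, version=2, expires=2000)

if __name__ == "__main__":
    print(verify(KEY, TS_V2, SNAP_V2, now=1500, last_version=1))  # current metadata
    print(verify(KEY, TS_V1, SNAP_V1, now=1500, last_version=1))  # replayed old metadata
    print(verify(KEY, TS_V2, SNAP_V1, now=1500, last_version=1))  # swapped snapshot
```

The short expiry is what provides freshness: a signature alone would still verify on the replayed version-1 record.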

Page 22: Docker security: Rolling out Trust in your container

Let's Attack?

Page 23: Docker security: Rolling out Trust in your container

Let's Attack?

Page 24: Docker security: Rolling out Trust in your container

Let's Attack?

Page 25: Docker security: Rolling out Trust in your container

export DOCKER_CONTENT_TRUST=1

Docker Content Trust

Page 26: Docker security: Rolling out Trust in your container

Security script that checks for dozens of common best practices around deploying Docker containers in production.

https://dockerbench.com

DockerBench

Page 27: Docker security: Rolling out Trust in your container

Thanks

Page 28: Docker security: Rolling out Trust in your container

Questions ??

IRC: #docker #docker-security

Google Group: Hyderabad Docker Users

Join Docker Movement

