+ All Categories
Home > Technology > SW Docker Security

SW Docker Security

Date post: 14-Apr-2017
Category:
Upload: stephane-woillez
View: 46 times
Download: 0 times
Share this document with a friend
26
Docker Security Security of the Docker Platform, and inside Datacenter clusters Stephane Woillez [email protected] SEMEA Technical Sales Lead @swoillez
Transcript

Docker SecuritySecurity of the Docker Platform, and inside Datacenter clusters

Stephane [email protected] Technical Sales Lead

@swoillez

Agenda

• Security & Isolation at the Linux level

• Security of the Docker Production platform

• Security of Dockered applications

Security at the Linux KernelHow Docker leverages Linux capabilities for security

Docker provides Containers, not VMs

Docker leverages Linux Security mechanisms

• Docker uses several mechanisms for security:

– Linux kernel namespaces

– Linux Control Groups (cgroups)

– The Docker daemon

– Linux capabilities (libcap)

– Linux security mechanisms like AppArmor or SELinux

What are Linux kernel NameSpaces ?• Namespaces are a way to make a global resource appear to be

unique and isolated.

• The namespaces that the Linux kernel can manage are:

– Mount namespaces– PID namespaces– UTS namespaces– IPC namespaces– Network namespaces– User namespaces

Examples of Linux NameSpaces• Mount NameSpaces : allow a container to “think” that a directory which is

actually mounted from the host OS is exclusively the container's.

• PID namespaces : let the container think it's a new instance of the OS.

• User NameSpaces : allow a container to think that it really has users rigths (like root) where in fact it has no right on the host OS.

• Network NameSpaces : allow a container to have its own IP addresses, independent of that of the host. These addresses are not available from outside of the host, this is private networking similar to that of virtualization. The Docker service sets up an iptables masquerading rule so that the container can get to the rest of the Internet.

What are Linux Control Groups (Cgroups) ?

• “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.”

• This allows Docker to put various system resources into a group, and apply limits to it, like how much disk IO, CPU use, memory use, network use, namespaces

• This ensures that, even if a container is compromised (or just spins out of control), there are limits in place which minimizes the risk of that misbehaved container impacting the host or other containers.

https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt:

The Docker daemon responsabilities• The docker daemon (/usr/bin/docker) is responsible for managing the

control groups, orchestrating the namespaces, and so on so that docker images can be run and secured.

• Because of the need to manage kernel functions, Docker runs with root privileges. Be aware of this!

• Limit the users who have control of the Docker Daemon

Linux Kernel Capabilities (libcap)

• The root user historically had the ability to do anything, once authenticated.

• Linux capabilities is a set of fine grained controls which allow services or even users with root equivalence to be limited in their scope.

• It also allows non-root users to be granted extra privileges.

• By default, Docker disallows many root capabilities, not needed by containers, including the ability to modify logs, change networking, modify kernel memory,…

11

A Container Security assessment by NCC

Source: NCC Group Whitepaper - Understanding and Hardening Linux ContainersUnderstanding and Hardening Linux Containers

Security of the Docker ProductionAccess Control and Isolation in production clusters

Delivering Containers as a ServiceDevelopers IT Operations

BUILDDevelopment Environments

SHIPSecure Content & Collaboration

RUNDeploy, Manage, Scale

13

Universal Control PlaneApp and Cluster management

Docker Trusted Registry Secure image management & distro

Docker EngineContainer Runtime, Orchestration, Networking, volumes, plugins

SecurityContent Trust, RBAC, LDAP/AD

NetworkingOS Volumes Monitoring LoggingConfig MgtImagesCI/CD ..more..

Docker Datacenter Integrated DevOps Platform

Public Cloud Physical/Converged Virtualization

Infrastructure

Control: Orchestration and integrations at scale

Universal Control Plane

High Availability Access Control

3rd Party PluginsSwarm Managed

GUI Management

Docker Native Integration

Monitoring

15

Control: Secure Image Collaboration

Trusted Registry

Log Aggregator

Authorization Server

Registry ServiceContent Trust

16

LDAP/AD

Logs

Storage

Image Repo

Image Repo

Image Repo

Admin Server

Notary Server

Web UI

CLI

• Docker 1.12 with built in orchestration (clustering and scheduling)

• Strong default cluster security

Secure Cluster Management

• Leader acts as CA.

• Any Manager can be promoted to leader.

• Workers and managers identified by their certificate.

• Communications secured with Mutual TLS.

Mutual TLS by default

• Managers support BYO CA.

• Forwards CSRs to external CA.

Support for External CAs

UCP delivers RBAC with Permission Levels

Security of Dockered ApplicationsProduction Ready, Containers as a Service solution

Layers used by a container are readonly !!!

Control: Integrated Content TrustDevelopers IT Operations

BUILDDevelopment Environments

SHIPSecure Content & Collaboration

RUNDeploy, Manage, Scale

23

Library of signed and trusted images

Enforce use of only trusted images

Docker Security Scanning Architecture

Threshold signing and gating

25

CI Security Scanning Staging Production

UCP WorkerUCP Worker UCP Worker

UCP Manager

Sign image to “approve” passing of each stage.Policy to check for signatures before deployment

THANK YOU


Recommended