Date posted: 14-Apr-2017
Category: Technology
Uploaded by: stephane-woillez
Docker Security
Security of the Docker Platform, and inside Datacenter clusters
Stephane Woillez, [email protected], Technical Sales Lead
@swoillez
Agenda
• Security & Isolation at the Linux level
• Security of the Docker Production platform
• Security of Dockered applications
Docker leverages Linux Security mechanisms
• Docker uses several mechanisms for security:
– Linux kernel namespaces
– Linux Control Groups (cgroups)
– The Docker daemon
– Linux capabilities (libcap)
– Linux security mechanisms like AppArmor or SELinux
What are Linux kernel namespaces?
• Namespaces are a way to make a global resource appear to be unique and isolated.
• The namespaces that the Linux kernel can manage are:
– Mount namespaces
– PID namespaces
– UTS namespaces
– IPC namespaces
– Network namespaces
– User namespaces
Examples of Linux namespaces
• Mount namespaces: allow a container to “think” that a directory which is actually mounted from the host OS is exclusively the container's.
• PID namespaces: let the container think it's a new instance of the OS.
• User namespaces: allow a container to think that it really has user rights (like root) where in fact it has no rights on the host OS.
• Network namespaces: allow a container to have its own IP addresses, independent of those of the host. These addresses are not reachable from outside the host; this is private networking similar to that of virtualization. The Docker service sets up an iptables masquerading rule so that the container can reach the rest of the Internet.
What are Linux Control Groups (cgroups)?
• “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.” (Source: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt)
• This allows Docker to place a container's processes into a group and apply limits to it: how much disk I/O, CPU time, memory and network bandwidth it may use, and which namespaces it lives in.
• This ensures that, even if a container is compromised (or just spins out of control), there are limits in place which minimize the risk of that misbehaving container impacting the host or other containers.
The Docker daemon's responsibilities
• The docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on, so that docker images can be run and secured.
• Because of the need to manage kernel functions, Docker runs with root privileges. Be aware of this!
• Limit the users who have control of the Docker daemon: anyone who can talk to it is effectively root on the host.
Linux Kernel Capabilities (libcap)
• The root user historically had the ability to do anything, once authenticated.
• Linux capabilities are a set of fine-grained controls which allow services, or even users with root equivalence, to be limited in their scope.
• They also allow non-root users to be granted extra privileges.
• By default, Docker drops many root capabilities not needed by containers, including the ability to modify audit logs, change networking, modify kernel memory, …
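To verify from inside a container which of those capabilities actually survived the daemon's default profile, the Cap* masks in /proc/self/status can be decoded. The script below is an added example written for this page, not code from the deck or from Docker; the capability numbering follows <linux/capability.h>, the RISKY set is an assumption built from the bullets above (plus SYS_ADMIN), and the sample status text is constructed.

```python
import os, re

# Capability bit numbers from <linux/capability.h>; list index = bit position.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# Capabilities the deck says a container should not need (audit logs, networking,
# kernel memory/modules); SYS_ADMIN is added here as an assumption.
RISKY = {"AUDIT_CONTROL", "NET_ADMIN", "SYS_RAWIO", "SYS_MODULE", "SYS_ADMIN"}

def decode_mask(hex_mask):
    """Turn a Cap* hex mask into the set of capability names it contains."""
    value = int(hex_mask, 16)
    names = set()
    bit = 0
    while value >> bit:                       # stop once no higher bits remain
        if (value >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def audit_status(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump: effective set + risky caps left in the bounding set."""
    masks = dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M))
    return {"effective": decode_mask(masks["CapEff"]),
            "risky": decode_mask(masks["CapBnd"]) & RISKY}

# Constructed sample: the Cap* lines a shell sees under Docker's default
# capability profile (14 capabilities); not captured from a real host.
SAMPLE_STATUS = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    path = "/proc/self/status"                # real data when run on Linux, sample otherwise
    text = open(path).read() if os.path.exists(path) else SAMPLE_STATUS
    report = audit_status(text)
    print("effective:", sorted(report["effective"]))
    print("risky in bounding set:", sorted(report["risky"]) or "none")
```

Run it inside a container started with `--cap-add` or `--privileged` and the "risky" line will show which of the dropped capabilities came back.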
A container security assessment by NCC
Source: NCC Group whitepaper, “Understanding and Hardening Linux Containers”
Delivering Containers as a Service
• Developers – BUILD: Development Environments
• SHIP: Secure Content & Collaboration
• IT Operations – RUN: Deploy, Manage, Scale
Docker Datacenter: Integrated DevOps Platform (architecture diagram)
• Universal Control Plane: App and Cluster management
• Docker Trusted Registry: Secure image management & distribution
• Docker Engine: Container Runtime, Orchestration, Networking, volumes, plugins
• Security: Content Trust, RBAC, LDAP/AD
• Ecosystem integrations: Networking, OS, Volumes, Monitoring, Logging, Config Mgt, Images, CI/CD, ..more..
• Infrastructure: Public Cloud, Physical/Converged, Virtualization
Control: Orchestration and integrations at scale
Universal Control Plane
• High Availability
• Access Control
• 3rd Party Plugins
• Swarm Managed
• GUI Management
• Docker Native Integration
• Monitoring
Control: Secure Image Collaboration
Trusted Registry (architecture diagram)
• Services: Log Aggregator, Authorization Server, Registry Service, Content Trust, Admin Server, Notary Server
• Front ends: Web UI, CLI
• Backing systems: LDAP/AD, Logs, Storage, Image Repos
Secure Cluster Management
• Docker 1.12 with built-in orchestration (clustering and scheduling)
• Strong default cluster security
Mutual TLS by default
• Leader acts as CA.
• Any manager can be promoted to leader.
• Workers and managers are identified by their certificate.
• Communications are secured with mutual TLS.
Control: Integrated Content Trust
• Developers – BUILD: Development Environments
• SHIP: Secure Content & Collaboration
• IT Operations – RUN: Deploy, Manage, Scale
• Library of signed and trusted images
• Enforce use of only trusted images
• Threshold signing and gating
Pipeline (diagram): CI → Security Scanning → Staging → Production, each stage running on a UCP Worker under a UCP Manager
• Sign image to “approve” passing of each stage.
• Policy to check for signatures before deployment.