
Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18

This presentation was made by Sathyajith Bhat, Senior DevOps Engineer, Adobe as part of Container Conference 2018.

Securing Containers: "Containers have almost become the ubiquitous method of packaging and deploying applications. While containers are perceived to be completely isolated and secure methods of running your application, the reality is that containers are not completely foolproof and are susceptible to many attack vectors. This session takes a look at the attack vectors and different ways to mitigate them."

www.containerconf.in



  1. © 2018 Adobe Systems Incorporated. All Rights Reserved.
     Securing Containers
     Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O
  2. $whoami
     § Sathyajith Bhat
     § Senior DevOps Engineer - Adobe I/O
     § Organizer, Bangalore AWS Users' Group
     § Author - Practical Docker with Python
  3. Run this for me.
     sudo docker run -v /:/app sathyabhat/demo cat /tmp/demo.log
     (-v /:/app bind-mounts the host's entire root filesystem into the container, so whatever the image runs gets the host's files under /app; the image itself is whatever the registry serves under that name.)
  4. Adobe I/O
     § Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies.
     § Adobe I/O API Gateway
       § A performant API Gateway based on Nginx and OpenResty
       § 1.5 billion+ API calls per day
     § Adobe I/O Events
       § An event notification service to inform subscribing systems of near real-time events happening in Adobe services.
     § Adobe I/O Runtime
       § A serverless platform (currently in private beta) based on Apache OpenWhisk which allows a developer to execute code on Adobe's infrastructure.
  5. Containers - How We Perceive
     Photo Courtesy: Sam MacCutchan, Flickr
  6. Containers - How They Tend to Be
     Photo Courtesy: Kazuyoshi Kato, Flickr
  7. Threats to Containers
     § From Docker hosts
     § From noisy neighbours
     § From within containers
     § From the external world
     § From within the application
  8. Different mechanisms
     § Control Groups (cgroups)
     § Namespaces
     § Kernel Capabilities
     § Seccomp
     § Image Security
     § Vulnerability Scanning
  9. cgroups
     § Group, limit & isolate resource utilization
     § Resources that can be controlled: CPU, memory, disk, network
     § cgroups Docker uses:
       § memory
       § hugetlb
       § cpu
       § cpuset
       § blkio
       § devices
     § Mounted at /sys/fs/cgroup
  10. cgroups
     § Applying limits
       § docker run --cpus="0.5"
       § docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024)
       § docker run --memory=2g
       § docker run --oom-kill-disable (!!) (only together with --memory; without a limit the host itself can run out of memory)
       § docker run --device-read-iops
       § docker run --device-write-iops
     § Custom cgroup?
       § Yes! docker run --cgroup-parent
  11. Namespaces
     § Abstraction which makes processes appear to be isolated
     § Controls what processes can see
     § Different types of namespaces:
       § Mount
       § PID
       § UTS
       § IPC
       § Network
       § User
  12. Namespaces - User Namespace Remapping
     § Remap a user within a container to another user on the host
     § Remap the privileged user within the container to a non-privileged one on the host
     § Enabling remapping:
       § dockerd --userns-remap="remap-user:remap-group"
       § Or, edit daemon.json: { "userns-remap": "remap-user" }
  13. Namespaces - User Namespace Remapping Caveats
     § Ensure the users/groups are created and have subordinate ID ranges in /etc/subuid and /etc/subgid
     § Enable/disable it on a new Docker install rather than an existing one (the daemon switches to a separate storage directory, so existing images and containers are no longer visible)
     § Can no longer use --pid=host or --network=host (unless the container opts out with --userns=host)
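The remapping on slides 12 and 13 is easier to reason about with numbers. The following is an added example, not code from the slides: it parses /etc/subuid and /etc/subgid the way the daemon does (every range for the remap user, concatenated in file order, becomes one entry of the container's uid_map/gid_map), then answers which host ID a container ID lands on and vice versa. The subuid/subgid content is constructed; "dockremap" is the user name Docker creates when userns-remap is set to "default".

```python
"""Map container UIDs/GIDs to host IDs under dockerd --userns-remap."""

# Constructed /etc/subuid and /etc/subgid contents (not from a real host).
SUBUID = "dockremap:165536:65536\n"
SUBGID = "dockremap:165536:65536\n"

# What the kernel reports for an ID that has no mapping (nobody/nogroup).
OVERFLOW_ID = 65534


def parse_ranges(subid_text, user):
    """Return [(host_start, length), ...] for `user` from subuid/subgid text."""
    ranges = []
    for line in subid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_id_map(ranges):
    """uid_map-style tuples (container_start, host_start, length).

    Container IDs are assigned contiguously from 0 in the order the ranges
    appear, which is how the daemon builds the map from several subuid lines.
    """
    id_map, next_container_id = [], 0
    for host_start, length in ranges:
        id_map.append((next_container_id, host_start, length))
        next_container_id += length
    return id_map


def container_to_host(id_map, container_id):
    """Host ID for a container ID, or None if the container ID is unmapped."""
    for c_start, h_start, length in id_map:
        if c_start <= container_id < c_start + length:
            return h_start + (container_id - c_start)
    return None


def host_to_container(id_map, host_id):
    """Container ID for a host ID, or None if the host ID is not in any range.

    Host root (0) is never in a subordinate range, so root-owned host files
    show up inside the container as OVERFLOW_ID (nobody).
    """
    for c_start, h_start, length in id_map:
        if h_start <= host_id < h_start + length:
            return c_start + (host_id - h_start)
    return None


def check_user(subuid_text, subgid_text, user):
    """Slide 13's first caveat: the remap user needs a UID and a GID range."""
    problems = []
    if not parse_ranges(subuid_text, user):
        problems.append(f"no /etc/subuid range for {user}")
    if not parse_ranges(subgid_text, user):
        problems.append(f"no /etc/subgid range for {user}")
    return problems


if __name__ == "__main__":
    id_map = build_id_map(parse_ranges(SUBUID, "dockremap"))
    for cid in (0, 1000, 65536):
        host = container_to_host(id_map, cid)
        print(f"container uid {cid} -> host uid {host if host is not None else OVERFLOW_ID}")
    print(f"host uid 0 seen from the container as {host_to_container(id_map, 0) or OVERFLOW_ID}")
    print(check_user(SUBUID, SUBGID, "dockremap") or "dockremap: ranges present")
```

Run it and container root comes out as host UID 165536, container UID 1000 as 166536, anything at or above 65536 as unmapped, and host UID 0 has no container identity at all, which is the whole point of the remap.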
  14. seccomp
     § Secure Computing Mode
     § Kernel feature, restricts the syscalls a process can make
     § Create custom profiles, pass a different profile to each container
     § Default seccomp policy for Docker
       § Blocks 44 of the 300+ system calls
  15. seccomp
     Pre-requisites:
     § Check for kernel support
       § grep CONFIG_SECCOMP= /boot/config-$(uname -r)
     § Apply seccomp
       § docker run
       § ???
       § Seccomp is applied by default!
       § Verify with docker info (look for seccomp under Security Options)
  16. seccomp
     § Create custom profiles as JSON
       § docker run --security-opt seccomp=profile.json
     § How to find what syscalls are in use?
       § strace (Linux)
       § dtruss (macOS)
  17. seccomp (demo)
     cat seccomp-profile.json
     {
       "defaultAction": "SCMP_ACT_ALLOW",
       "syscalls": [
         { "name": "chown", "action": "SCMP_ACT_ERRNO" },
         { "name": "chmod", "action": "SCMP_ACT_ERRNO" }
       ]
     }
  18. seccomp (demo)
     / # echo "rm -rf" > fluffy_kittens.sh
     / # chmod u+x fluffy_kittens.sh
     chmod: fluffy_kittens.sh: Operation not permitted
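The demo profile on slides 17 and 18 is a denylist (defaultAction allows everything) that names one entry point per operation. A practitioner wants to know what that misses: chmod(2) is refused, but fchmod(2) and fchmodat(2), which is what current coreutils and libc actually call, are still allowed, and the same holds for chown versus fchown/lchown/fchownat. The following is an added example, not code from the slides: a small linter that reads a Docker seccomp profile, reports blocked syscalls whose siblings are still permitted, and emits a corrected profile. The family table is this example's own grouping (fchmodat2 is the newer entry point added in recent kernels), and it accepts both the legacy single "name" field the slide uses and the current "names" list.

```python
"""Lint a Docker seccomp profile for partly blocked syscall families."""
import copy
import json

# Assumed grouping of syscalls that reach the same kernel operation through a
# different entry point. Extend for the workload you are profiling.
SYSCALL_FAMILIES = {
    "chmod": ["chmod", "fchmod", "fchmodat", "fchmodat2"],
    "chown": ["chown", "fchown", "lchown", "fchownat", "chown32", "fchown32", "lchown32"],
}

DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}


def rule_names(rule):
    """Syscall names in one rule: legacy "name" (as on the slide) or "names"."""
    if "names" in rule:
        return list(rule["names"])
    if "name" in rule:
        return [rule["name"]]
    return []


def is_denylist(profile):
    """True when everything not listed is allowed (the slide's demo); Docker's
    default profile does the opposite and allows only listed syscalls."""
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def blocked_syscalls(profile):
    """Set of syscall names the profile refuses."""
    blocked = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") in DENY_ACTIONS:
            blocked.update(rule_names(rule))
    return blocked


def find_gaps(profile):
    """Map each blocked syscall to family members the profile still allows."""
    blocked = blocked_syscalls(profile)
    gaps = {}
    for sc in sorted(blocked):
        missing = [m for m in SYSCALL_FAMILIES.get(sc, []) if m not in blocked]
        if missing:
            gaps[sc] = missing
    return gaps


def harden(profile):
    """Copy of the profile with each partly blocked family blocked in full,
    rewritten in the current "names" form."""
    fixed = copy.deepcopy(profile)
    gaps = find_gaps(profile)
    for rule in fixed.get("syscalls", []):
        names = rule_names(rule)
        rule.pop("name", None)
        if rule.get("action") in DENY_ACTIONS:
            for sc in list(names):
                for sibling in gaps.get(sc, []):
                    if sibling not in names:
                        names.append(sibling)
        rule["names"] = names
    return fixed


# Constructed input: the profile shown on slide 17.
DEMO_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "name": "chown", "action": "SCMP_ACT_ERRNO" },
    { "name": "chmod", "action": "SCMP_ACT_ERRNO" }
  ]
}
""")

if __name__ == "__main__":
    if is_denylist(DEMO_PROFILE):
        print("denylist profile: anything not named below is allowed")
    for sc, missing in find_gaps(DEMO_PROFILE).items():
        print(f"{sc} is blocked, but {', '.join(missing)} still allowed")
    print(json.dumps(harden(DEMO_PROFILE), indent=2))
```

Feed the hardened output to docker run --security-opt seccomp=profile.json and the busybox chmod on slide 18 still fails, but so does a program that opens the file and calls fchmod on the descriptor.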
  19. Kernel Capabilities
     § Drop unnecessary capabilities from the container
     § Alternatively, drop everything and add back only the necessary ones: docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
     § Don't need the chown capability? Drop it
       § docker run --cap-drop=chown
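Dropping or adding capabilities is only useful if you can verify what the container's process ended up with. Inside the container, /proc/self/status carries the capability sets as hex bitmasks (CapEff, CapBnd and so on). The following is an added example, not code from the slides: it decodes those masks using the kernel's capability bit numbers, diffs the result against Docker's default capability set, and flags a handful of capabilities that deserve a second look. The sample status lines are constructed to represent a container started with --cap-drop=chown --cap-add=sys_admin; the "risky" list is this example's own choice, not a Docker setting.

```python
"""Decode capability masks from /proc/<pid>/status and diff against Docker defaults."""

# Capability bit numbers in order (include/uapi/linux/capability.h).
CAPABILITIES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Docker's documented default capability set for a non-privileged container.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# This example's own watch list: capabilities that commonly turn into a host escape
# or host-wide effect when granted to a container.
RISKY_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_BPF",
}


def decode_mask(hex_mask):
    """Turn a CapXxx hex mask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAPABILITIES[bit] if bit < len(CAPABILITIES) else f"CAP_UNKNOWN_{bit}")
        bit += 1
    return names


def encode_mask(names):
    """Inverse of decode_mask; handy for predicting the mask a cap-drop should yield."""
    mask = 0
    for name in names:
        mask |= 1 << CAPABILITIES.index(name)
    return f"{mask:016x}"


def parse_status(text):
    """Pick the Cap* lines out of /proc/<pid>/status and decode each one."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            caps[key.strip()] = decode_mask(value.strip())
    return caps


def diff_from_default(names):
    """(dropped, added) relative to Docker's default set."""
    return DOCKER_DEFAULT_CAPS - names, names - DOCKER_DEFAULT_CAPS


def risky_capabilities(names):
    return sorted(names & RISKY_CAPS)


# Constructed /proc/self/status excerpt: default set minus CHOWN plus SYS_ADMIN.
SAMPLE_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a82425fa
CapEff:\t00000000a82425fa
CapBnd:\t00000000a82425fa
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    caps = parse_status(SAMPLE_STATUS)
    dropped, added = diff_from_default(caps["CapEff"])
    print("dropped vs default:", sorted(dropped))
    print("added vs default:  ", sorted(added))
    print("worth reviewing:   ", risky_capabilities(caps["CapEff"]))
    print("default set mask:  ", encode_mask(DOCKER_DEFAULT_CAPS))
```

On a real host, run cat /proc/self/status inside the container and paste the Cap lines into parse_status; a default container shows CapEff 00000000a80425fb, the value encode_mask(DOCKER_DEFAULT_CAPS) reproduces.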
  20. AppArmor
     § Mandatory Access Control
     § Why?
       § Unix permissions only allow for read/write/execute
       § No fine-grained permissions
       § Why should your application be able to read other applications' logs?
     § Docker expects AppArmor policies to be loaded on the Docker host (it loads its own docker-default profile; custom ones are passed with --security-opt apparmor=profile-name)
  21. Managing Vulnerabilities
     § Images are still software - and old software, if not rebuilt
     § Heartbleed
       § Vulnerability in OpenSSL
     § Ghost
       § Vulnerability in glibc
  22. Managing Vulnerabilities
     Vulnerability Scanners
     § Clair (CoreOS)
     § Twistlock
     § Aqua Container Security
     § Sysdig Falco (runtime behaviour detection rather than image scanning; it catches the exploit attempt, not the unpatched package)
  23. Trusted Images
     § Don't use images blindly
     § Host the images in a private/self-hosted registry
     § Publishing to Docker Hub? Enable Docker Content Trust
  24. Docker Content Trust
     § Enable content trust
       § export DOCKER_CONTENT_TRUST=1
     § Images must have content signatures (with the variable set, pull and run refuse unsigned tags)
     § Trust is managed by use of signing keys
       § Offline (root) key: root of content trust
       § Repository key for signing tags
       § Server-managed timestamp key
  26. Thanks!
     § Twitter - sathyabhat
     § Email: sabhat@adobe.com
     § https://www.adobe.io | @adobeio
