Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DockerCon SF 2015: Docker Security


Published on

Least - Privilege Microservices; slides from Diogo Mónica and Nathan McCauley's Docker Security Talk at DockerCon SF 2015.

Published in: Technology

DockerCon SF 2015: Docker Security

  1. 1. Least-privilege Microservices Diogo Mónica Nathan McCauley
  2. 2. Agenda • Why least-privilege • History of least-privilege • Least-privilege with Docker • Ongoing and future work • Conclusions
  3. 3. “Every process must be able to access only the information and resources that are necessary for its legitimate purpose”
  4. 4. Front-end Server Database Auth Service
  5. 5. 1990 Internet All-in-one
  6. 6. 2000 Internet DatabasesServicesFront-end
  7. 7. 2010 Internet
  8. 8. Server Host OS Docker Engine AppA AppB AppC AppD AppE AppF libraries Container One Process
  9. 9. Today Internet
  10. 10. ‣A FE server has a very different security profile than a database or a worker host ‣Imagine that each container only has access exactly to the resources and APIs it needs. No more, no less. Front-end Server Back-end Server ‣Access to a lot of downstream services ‣Most exposed ‣I/O intensive ‣Limited network access Worker Host ‣CPU Intensive ‣Wide range of workloads Profiles
  11. 11. ‣A container is a process. Let’s find out what syscalls it needs. Process Monitoring
  12. 12. ‣Namespaces provide an isolated view of the system (Network, PID, etc) ‣Cgroups limit and isolate the resource usage of a collection of processes ‣Linux Security Modules give us a MAC (AppArmor, SELinux) Fine-grained controls
  13. 13. Fine-grained controls ‣Capabilities divides the privileges of root into distinct units (bind, chown, etc) ‣Per-container ulimit (since 1.6) ‣User-namespaces: root inside is not root outside (remapped root for 1.8) ‣Seccomp: Individual syscall filtering (working on my laptop)
  14. 14. Safer by default ‣Less than half the Linux capabilities by default ‣Copy-on-write ensures immutability ‣No device access by default ‣Default AppArmor and SELinux profiles for an increasing number of containers
  15. 15. Safer by default ‣Smaller footprint ‣Remove all unneeded packages ‣Remove all unneeded users ‣Remove all suid binaries … Debia n
  16. 16. Security Profiles Debia n ‣Producers of containers should be responsible for creating adequate profiles ‣Profile gets shipped with the container ‣Aggregates all of the different isolation mechanisms into one single profile
  17. 17. Securing the Ecosystem Debia n User-namespaces Seccomp Provenance Selinux Kerberos
  18. 18. Intro to Container Security Debia n
  19. 19. Docker Bench Debia n ‣Fully automated ‣Shipped as a container that tests containers
  20. 20. Conclusion ‣Docker is on the path to support least-privilege microservices, since it allows fine-grained control over what access each container should have. ‣We will need easier tooling to define per-container security profiles ‣You can help! #docker-security on Freenode
  21. 21. Thank you