©2019 VMware, Inc.
Container BoM Inspection with Tern
Nisha Kumar
Open Source Engineer @ VMware
CloudNativePDX Apr 2019
Agenda

Automating Compliance for Container Images
- CoW Filesystems
- FROM and RUN in Dockerfiles
- Shrinking Container Images

Tern
- What it does
- How it does it
- Features and Future Work
The first step in OSS Compliance is finding the Bill of Materials (BoM) for the artifact (the container image).
By knowing the BoM, you also know about dependencies, build variations and vulnerable packages.
Automating Compliance for Containers
The Implications of using CoW Filesystems
Building Container Image Layers
Reference: https://docs.docker.com/storage/storagedriver/
[Diagram: the image starts as a read-only base OS layer (bin boot etc home lib opt root tmp usr var). A thin read/write layer sits on top of it; a command such as apt-get install ca-certificates… adds new files or removes existing files in that layer, using copy-on-write.]
Building Container Image Layers (continued)
[Diagram: the populated read/write layer becomes the next read-only layer, holding only the diff files etc/ca-certificates/* and usr/share/ca-certificates/*. A fresh read/write layer on top receives the next command, again using copy-on-write: wget -O go.tgz "$url"; tar -C /usr/local -xzf go.tgz; rm go.tgz]
An image consists of directory trees, one for each layer
[Diagram: three read-only layers stacked into one image: the base OS (bin boot etc home lib opt root tmp usr var), the diff files etc/ca-certificates/* and usr/share/ca-certificates/*, and the diff files under /usr/local/go.]
What layers look like on disk
[Image-only slide, no text content]
Automating Compliance for Containers
Base images and shell scripts
Containerizing Apps
Using Docker and Dockerfiles
[Diagram: somebody else's image, pulled with FROM <image>, supplies the base OS (Debian, Photon or Alpine: bin boot etc home lib opt root tmp usr var) plus diff layers of OS and language package manager dependencies (for example etc/ca-certificates/* and usr/share/ca-certificates/*). Your changes go on top: RUN <script> installs app dependencies and extra modifications, and COPY . . copies the app into the container.]
The downside of FROM

golang:1.11 is built FROM buildpack-deps:stretch-scm, which is built FROM buildpack-deps:stretch-curl, which is built FROM debian:stretch. The Dockerfiles behind each link in the chain:
- golang:1.11: https://github.com/docker-library/golang/blob/ed78459fac108dab72556146b759516cc65ee109/1.11/stretch/Dockerfile
- buildpack-deps:stretch-scm: https://github.com/docker-library/buildpack-deps/blob/1845b3f918f69b4c97912b0d4d68a5658458e84f/stretch/scm/Dockerfile
- buildpack-deps:stretch-curl: https://github.com/docker-library/buildpack-deps/blob/1845b3f918f69b4c97912b0d4d68a5658458e84f/stretch/curl/Dockerfile
- debian:stretch: https://github.com/debuerreotype/docker-debian-artifacts/blob/ed15c6a0b511d2985ca252f59f4318b1fe2a7a59/stretch/Dockerfile
Automating Compliance for Containers
The Implications of shrinking container images
Ways to shrink a container image

o Remove "unwanted" files (often source files, build artifacts, license and copyright info)
o Remove everything except the runtime dependencies
o The Builder Pattern
Multistage Docker Builds

FROM golang:1.11 as builder
WORKDIR /go/src/github.com/domain/repo
COPY ./ .
RUN go build -v -o bin/executable ./repo/cmd/

FROM photon:2.0
RUN tdnf update -y
WORKDIR /bin/
COPY --from=builder /go/src/github.com/domain/repo/bin/executable .
ENTRYPOINT [ "/bin/executable" ]
CMD [ "8080" ]
EXPOSE 8080

[Diagram annotations: the first stage carries the app's build dependencies; the app, compiled with those dependencies, is copied over to the new container in the second stage.]
Recap

o Container images are tarballs containing tarballs, with JSON data on how to assemble them
o Container images are built by running (often non-reproducible) scripts in a chroot environment
o Information about the base image used at each reuse is not maintained
o Shrinking the container image by removing files or the build environment makes the resulting container unreproducible
Tern
Automates investigation of each container layer

[Slides 18 and 19: image-only, no text content]

Tern
How it gets its results
Step through a container image

o sudo mount -t overlay overlay -o lowerdir=layer2:layer1,upperdir=emptydir,workdir=workdir /path/to/rootfs
o sudo mount -t proc /proc /path/to/rootfs/proc
o sudo mount -o bind /sys /path/to/rootfs/sys
o sudo mount -o bind /dev /path/to/rootfs/dev
o sudo cp /etc/resolv.conf /path/to/rootfs/etc/resolv.conf
o sudo chroot /path/to/rootfs /bin/bash -c "dpkg --get-selections"

Notes: overlayfs lists lowerdir entries with the top layer first, so layer2:layer1 shows the image as it looked after layer 2; to look at the next layer, unmount and remount with layer3:layer2:layer1. The proc, sys and dev mounts and the resolv.conf copy exist only so the package manager can run inside the chroot; unmount them before discarding the directory. The chroot step executes the image's own binaries (bash, dpkg) as root on the host, so do this only for images you trust, or inside a throwaway VM.
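The two points above, that an image is tarballs inside a tarball with JSON describing how to assemble them, and that an overlay mount with lowerdir=layer2:layer1 views the image after a given layer, can be worked through on a saved image without root. The script below is an added example written for this page, not Tern's own code: it constructs a two-layer image in docker save layout in memory (the paths, diff IDs and history strings are made up), lists what each layer adds or whites out, recovers the Dockerfile step for each layer from the config's history, and builds the lowerdir= string for the overlay mount on the slide. It assumes, as holds for Docker-built images, that history entries without empty_layer line up one-to-one with layers; the mount command is returned as a string rather than executed, because running it needs root and real extracted layer directories.

```python
"""Walk a `docker save` tarball layer by layer: what each layer adds or whites
out, which Dockerfile step produced it (from the config's history), and the
overlayfs lowerdir= string that views the image as it looked after that layer.
Added example for this page, not Tern's own code; the image is constructed in
memory so it runs offline."""
import io
import json
import tarfile

WHITEOUT = ".wh."        # prefix: this path was deleted in this layer
OPAQUE = ".wh..wh..opq"  # marker: the containing directory is replaced wholesale


def _add(tar, name, data=b""):
    """Append one regular file to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer(files):
    """Build one layer tarball (bytes) from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            _add(t, path, data)
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout: manifest.json, a
    config JSON and one layer.tar per layer.  Paths, diff IDs and history
    strings are made up but follow the shapes Docker writes."""
    layers = [
        _layer({"etc/os-release": b"ID=debian\n", "tmp/build.log": b"..."}),
        _layer({"etc/ca-certificates/update.d/hook": b"",
                "tmp/" + WHITEOUT + "build.log": b""}),   # rm /tmp/build.log
    ]
    config = {
        "rootfs": {"type": "layers", "diff_ids": ["sha256:aaaa", "sha256:bbbb"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:rootfs.tar.xz in /"},
            {"created_by": '/bin/sh -c #(nop)  CMD ["bash"]', "empty_layer": True},
            {"created_by": "/bin/sh -c apt-get install -y ca-certificates "
                           "&& rm /tmp/build.log"},
        ],
    }
    manifest = [{"Config": "config.json",
                 "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        _add(t, "manifest.json", json.dumps(manifest).encode())
        _add(t, "config.json", json.dumps(config).encode())
        for i, blob in enumerate(layers, 1):
            _add(t, f"layer{i}/layer.tar", blob)
    return buf.getvalue()


def inspect_image(image_bytes):
    """One dict per layer: diff_id, the instruction that created it, files
    added and paths whited out.  Assumes, as holds for Docker-built images,
    that history entries without empty_layer line up one-to-one with layers."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as t:
        manifest = json.load(t.extractfile("manifest.json"))[0]
        config = json.load(t.extractfile(manifest["Config"]))
        steps = [h["created_by"] for h in config["history"]
                 if not h.get("empty_layer")]
        report = []
        for idx, name in enumerate(manifest["Layers"]):
            added, removed = [], []
            blob = t.extractfile(name).read()
            with tarfile.open(fileobj=io.BytesIO(blob)) as layer:
                for member in layer.getmembers():
                    parent, _, base = member.name.rpartition("/")
                    if base == OPAQUE:
                        removed.append(parent + "/*")
                    elif base.startswith(WHITEOUT):
                        target = base[len(WHITEOUT):]
                        removed.append(f"{parent}/{target}" if parent else target)
                    else:
                        added.append(member.name)
            report.append({"diff_id": config["rootfs"]["diff_ids"][idx],
                           "created_by": steps[idx],
                           "added": added, "removed": removed})
    return report


def overlay_lowerdir(layer_dirs, upto):
    """lowerdir= value that views the image after layer `upto` (1-based).
    overlayfs lists the topmost layer first, hence layer2:layer1 on the slide."""
    return ":".join(reversed(layer_dirs[:upto]))


def mount_command(layer_dirs, upto, rootfs="/path/to/rootfs"):
    """The overlay mount from the slide for layer `upto`, returned as a string:
    running it needs root and real extracted layer directories."""
    return (f"mount -t overlay overlay -o lowerdir={overlay_lowerdir(layer_dirs, upto)},"
            f"upperdir=/path/to/empty,workdir=/path/to/work {rootfs}")


if __name__ == "__main__":
    dirs = ["/layers/1", "/layers/2"]   # hypothetical extracted layer directories
    for n, layer in enumerate(inspect_image(build_sample_image()), 1):
        print(f"layer {n} ({layer['diff_id']}): {layer['created_by']}")
        print("  added:", layer["added"], "removed:", layer["removed"])
        print("  ", mount_command(dirs, n))
```

On a real image, replace build_sample_image() with the bytes of a docker save output; the whiteout prefix and the history/diff_ids alignment are the same. Note that the history entry only records the shell command string, so a RUN step that fetched a tarball over the network (as on the wget slide) leaves no record of what was fetched beyond the files that appear in the layer.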
Tern
Features (that I like) and Future work
Features I like

o It's delightfully easy to enable support for any package manager (even if that package manager doesn't support some of the metadata)
o Currently supported package managers: dpkg, apt, rpm, tdnf, pacman, apk
o Once a package manager is enabled, Tern lists the full dependency list for each layer for components installed with that package manager
o You can define your own keys for the metadata reported (coming soon!)
o If you want to hook up to an external service (say a license scanner or security scanner) you can, as long as that scanner can provide the metadata in a list
o If you want to hardcode the metadata for your one-off binary that you have 100% confidence in, you can
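Once a package manager is enabled, the per-layer package list comes from comparing what the package database reports before and after each layer. The script below is an added example, not Tern's code: it parses dpkg's var/lib/dpkg/status (the file behind the dpkg --get-selections chroot step on the earlier slide) as seen after each layer and reports which packages a layer added, upgraded or removed, treating a layer that did not touch the database as a no-op. The status-file snippets and the package name build-helper are constructed, and the PACKAGE_DBS table of database paths is this example's own shorthand for deciding which lister applies to a layer.

```python
"""Attribute OS packages to the layer that installed, upgraded or removed them
by diffing each layer's view of dpkg's database.  Added example for this page,
not Tern's code; the status-file snippets below are constructed."""

# Where each supported package manager keeps its installed-package database
# (relative to the rootfs); this example's own table for picking a lister.
PACKAGE_DBS = {
    "dpkg": "var/lib/dpkg/status",
    "rpm": "var/lib/rpm/",           # rpm and tdnf share the rpm database
    "apk": "lib/apk/db/installed",
    "pacman": "var/lib/pacman/local/",
}

# Constructed: var/lib/dpkg/status as seen in the merged view after layer 1 ...
STATUS_AFTER_LAYER1 = """\
Package: libc6
Status: install ok installed
Version: 2.28-10
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: openssl
Status: install ok installed
Version: 1.1.1d-0+deb10u1

Package: build-helper
Status: install ok installed
Version: 0.1
"""

# ... and after layer 2: openssl upgraded, ca-certificates added, build-helper removed.
STATUS_AFTER_LAYER2 = """\
Package: libc6
Status: install ok installed
Version: 2.28-10

Package: openssl
Status: install ok installed
Version: 1.1.1d-0+deb10u2

Package: ca-certificates
Status: install ok installed
Version: 20190110

Package: build-helper
Status: deinstall ok config-files
Version: 0.1
"""


def detect_package_manager(paths):
    """Name the package manager whose database shows up among a layer's paths."""
    for name, db in PACKAGE_DBS.items():
        if any(p.startswith(db) for p in paths):
            return name
    return None


def parse_dpkg_status(text):
    """{package: version} for everything dpkg considers installed.  Stanzas are
    blank-line separated; lines starting with whitespace continue the previous
    field (multi-line Description) and carry no key of their own."""
    installed = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace():
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        # Status is "<want> <flag> <state>"; only state "installed" counts, which
        # skips removed-but-config-files and half-installed packages.
        state = fields.get("Status", "").split()
        if state and state[-1] == "installed" and "Package" in fields:
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def attribute_to_layers(status_texts):
    """status_texts[i] is the status file as seen after layer i, or None when
    the layer did not touch it.  Returns added/upgraded/removed per layer."""
    previous, report = {}, []
    for text in status_texts:
        current = parse_dpkg_status(text) if text is not None else previous
        report.append({
            "added": {n: v for n, v in current.items() if n not in previous},
            "upgraded": {n: (previous[n], v) for n, v in current.items()
                         if n in previous and previous[n] != v},
            "removed": sorted(n for n in previous if n not in current),
        })
        previous = current
    return report


if __name__ == "__main__":
    print("lister:", detect_package_manager(["etc/os-release", "var/lib/dpkg/status"]))
    views = [STATUS_AFTER_LAYER1, None, STATUS_AFTER_LAYER2]   # layer 2 is a COPY step
    for n, changes in enumerate(attribute_to_layers(views), 1):
        print(f"layer {n}: {changes}")
```

Reading the status file straight out of the merged view avoids executing anything from the image; the chroot approach on the slide is what you need when the package manager's on-disk format is not worth reimplementing (rpm's database, for instance). Either way the diff against the previous layer is what turns a flat package list into a per-layer attribution.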
Future work

o Release 0.3.0
  - Custom templates
  - SPDX format
o Release 0.4.0
  - Enable npm
o Future releases
  - Enable pip
  - Enable GitHub repositories
  - SPDX license identifiers
  - Call out to external tools
  - Source retrieval…
Contribute!
https://github.com/vmware/tern

o It's not boring (even though the word "compliance" is boring)
o It's young - there's a lot of work to be done
o It's in a space that is largely neglected by the cloud native community
o I care about contributor/maintainer diversity
o I care more about enabling contributors to submit code than submitting code myself
Thank You

Editor's Notes

  1. All container builders depend on the underlying Linux kernel's storage drivers. The storage driver's API is called to implement a union mount of the various filesystem layers. An image starts with what is essentially a Linux filesystem consisting of bin, boot, etc, root and so on. Then, at runtime, a thin copy-on-write layer is created, on which a container builder will invoke commands to copy in files, untar filesystem bundles or run scripts. Copy-on-write means that only if you write to a file that exists in the bottom layer does it get copied to the top layer; what gets stored in the new layer is the newly modified file.
  2. Once files are installed, the copy-on-write layer becomes the new diff layer. The storage driver I am familiar with is overlay2, where the copy-on-write layer is just an empty directory. Once that directory gets populated, it is kept. Now that layer becomes the next layer and a new copy-on-write layer is created for the next addition of files.
  3. When you're done you have a container image, which is just a collection of directory trees. When you push this image to a registry, the directory trees get tarred and checksummed. All a container image is is files with some metadata on how to set them up.
  4. To containerize your app, you will download this image, which comes with all of these files (made by somebody else). You will then copy your app in and run scripts to set it up. When you push this image you are pushing the whole thing: your changes and somebody else's changes.
  5. In fact you can find this information, given enough time and effort searching through Dockerhub and git. This image, golang:1.11, is built on top of a buildpack-deps image, which is built on top of another buildpack-deps image, which is finally built on top of a debian:stretch image. I have included links to the Dockerfiles that created these images, but this is very lucky, as most Dockerhub images do not have links to the Dockerfiles that created them. Even now, OCI images have no way of tracking the provenance of an image; this information is opaque. Right off the bat you can see that tracking where container images come from is hard.
  6. Let's assume we have some Go application we would like to containerize. This Dockerfile uses the builder pattern, which means using one container to build the Go code and another, smaller container to ship the Go binary. The build container has Go dependencies, which include the Go standard library and whatever build dependencies are required. Since Go is a statically compiled language, you need to be extra careful with your binaries' dependencies. Even though you are not distributing the golang image, you are copying a binary with statically compiled code into another container and possibly getting rid of the container you used to build it. For compliance purposes, you need to know the whole dependency chain; the Dockerfile is not enough. And this is why OSS compliance is much harder in containers.
  7. You can also do this using overlay. overlay2 is available in kernel 4.0 and above using the mount API. Incidentally, these are pretty much the same steps that are used when building a container; only here you are retracing your steps layer by layer.
  8. Tern analyzes the container layer by layer by running commands in a chroot environment. It retrieves those results using a 'command library', which is essentially a list of binary names and corresponding scripts to recover package versions and licenses for whatever was installed using that binary. As a result, the architecture is extensible for OS package managers and language package managers, even for stuff you download using git.
  9. That means I am working on this on the weekdays and sometimes the weekends. It's a young project so not many