SlideShare a Scribd company logo

Container security: seccomp, network e namespaces

Kiratech
Kiratech

Le slides hanno l'obiettivo di evidenziare le nuove features di sicurezza introdotte nell'ultima release docker sia descrivendone il funzionamento sia mostrando, attraverso alcune demo, l'eventuale impatto in ambienti di produzione. Viene fatta una comparazione, in termini di analisi del rischio, tra ambienti host utilizzanti engine inferiore a release 1.9 e nuove versioni, soffermandosi su mancanze e future implementazioni.

Technology
1 of 18
Seccomp, network and namespaces Francesco Tornieri <francesco.tornieri AT kiratech.it>
VM vs Container 2
Namespaces ecc… 3
Namespaces ecc… 4 • man namespaces: – “A namespaces wraps a global system resource in a abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource”
PID & Capabilities (privileges associated with superuser) 5
PID & Capabilities • NET_RAW (man capabilities): – use RAW and PACKET sockets; – bind to any address for transparent proxying • docker run --rm ubuntu capsh --print | grep net_raw – Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_s etpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,ca p_setfcap+I – Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_ setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,c ap_setfcap • docker run --rm --cap-drop net_raw ubuntu capsh --print | grep net_raw – ? 6
PID & Capabilities • NET_BIND_SERVICE (man capabilities): – Bind a socket to Internet domain privileged ports (port numbers less than 1024) • docker run --rm -it --cap-drop ALL ubuntu bash – root@dba82716ff38:/# nc -l 127.0.0.1 25 – nc: Permission denied • docker run --rm -it --cap-drop ALL --cap-add net_bind_service ubuntu bash – root@e71400ba1c4e:/# nc -l 127.0.0.1 25 – ^C 7
Container Processes • Your command’s process is always PID 1 inside the container • docker run --rm ubuntu ps ax PID TTY STAT TIME COMMAND 1 ? Rs 0:00 ps ax 8
Bridge Network Model 9 docker0 bridge IP: 172.17.0.1 container1 Host IP: 172.17.0.2 eth0 vethdc..
Network namespaces • docker run -d -P nginx – HOST: • ip a – 47: vethccc0f9a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default • ethtool -S vethccc0f9a – NIC statistics: peer_ifindex: 46 • pidof nginx – 15363 15349 • sudo ls /proc/15363/ns/net • sudo mkdir -p /var/run/netns • sudo ln -sf /proc/15363/ns/net /var/run/netns/myproc • ip netns – myproc 10
Network namespace • HOST: – sudo ip netns exec myproc ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 46: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff inet 172.17.0.2/16 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::42:acff:fe11:2/64 scope link valid_lft forever preferred_lft forever 11
Username Namepaces • DEFAULT DOCKER == NO USER NAMESPACE – docker run -d -it ubuntu – pidof bash – cat /proc/15552/uid_map 0 0 4294967295 12 It is the starting user ID for the process in question It is the starting user ID to be utilized on the host system The length of the range of user IDs that is mapped between the two user namespaces (2^32 -1)
Username Namepaces • docker daemon –help – … – --userns-remap • Modify /etc/default/docker (DOCKER_OPTS): – DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --userns- remap default" • docker run -d -it ubuntu – Unable to find image 'ubuntu:latest' locally • sudo ls /var/lib/docker/ – 231072.231072 aufs containers image network tmp trust volumes • sudo ls /var/lib/docker/231072.231072 – aufs containers image network tmp trust volumes 13 New namespace
Username Namepaces • pidof bash – cat /proc/16003/uid_map 0 231072 65536 – cat /etc/subuid • ubuntu:100000:65536 • docker:165536:65536 • dockremap:231072:65536 14
Seccomp • From kernel.org documentation (https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt ): “A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process…. The resulting set reduces the total kernel surface exposed to the application… Seccomp filtering provides a means for a process to specify a filter for incoming system calls.” • docker engine >= 1.10 • kernel with CONFIG_SECCOMP enabled – cat /boot/config-`uname -r` | grep CONFIG_SECCOMP= – CONFIG_SECCOMP=y 15
Seccomp • Create a policy.json: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "mkdir", "action": "SCMP_ACT_ERRNO" } ] } 16 The seccomp filter will have no effect on the thread calling the syscall if it does not match any of the configured seccomp filter rules
Seccomp • docker run -it --security-opt seccomp:policy.json ubuntu – mkdir test • mkdir: cannot create directory ‘test’: Permission denied 17
THANK YOU

Recommended

55 best linux tips, tricks and command lines
55 best linux tips, tricks and command lines55 best linux tips, tricks and command lines
55 best linux tips, tricks and command linesArif Wahyudi
 
Advanced Replication
Advanced ReplicationAdvanced Replication
Advanced ReplicationMongoDB
 
Replica Sets (NYC NoSQL Meetup)
Replica Sets (NYC NoSQL Meetup)Replica Sets (NYC NoSQL Meetup)
Replica Sets (NYC NoSQL Meetup)MongoDB
 
Hadoop installation
Hadoop installationHadoop installation
Hadoop installationAnkit Desai
 
Linux system admin useful commands
Linux system admin useful commandsLinux system admin useful commands
Linux system admin useful commandsali98091
 
Basic Linux commands
Basic Linux commandsBasic Linux commands
Basic Linux commandsatozknowledge .com
 
2345014 unix-linux-bsd-cheat-sheets-i
2345014 unix-linux-bsd-cheat-sheets-i2345014 unix-linux-bsd-cheat-sheets-i
2345014 unix-linux-bsd-cheat-sheets-iLogesh Kumar Anandhan
 
37562259 top-consuming-process
37562259 top-consuming-process37562259 top-consuming-process
37562259 top-consuming-processskumner
 

Recommended

55 best linux tips, tricks and command lines
55 best linux tips, tricks and command lines55 best linux tips, tricks and command lines
55 best linux tips, tricks and command linesArif Wahyudi
 
Advanced Replication
Advanced ReplicationAdvanced Replication
Advanced ReplicationMongoDB
 
Replica Sets (NYC NoSQL Meetup)
Replica Sets (NYC NoSQL Meetup)Replica Sets (NYC NoSQL Meetup)
Replica Sets (NYC NoSQL Meetup)MongoDB
 
Hadoop installation
Hadoop installationHadoop installation
Hadoop installationAnkit Desai
 
Linux system admin useful commands
Linux system admin useful commandsLinux system admin useful commands
Linux system admin useful commandsali98091
 
Basic Linux commands
Basic Linux commandsBasic Linux commands
Basic Linux commandsatozknowledge .com
 
2345014 unix-linux-bsd-cheat-sheets-i
2345014 unix-linux-bsd-cheat-sheets-i2345014 unix-linux-bsd-cheat-sheets-i
2345014 unix-linux-bsd-cheat-sheets-iLogesh Kumar Anandhan
 
37562259 top-consuming-process
37562259 top-consuming-process37562259 top-consuming-process
37562259 top-consuming-processskumner
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationMohammed Farrag
 
Linux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersLinux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersDavide Ciambelli
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례Open Source Consulting
 
Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Khawar Nehal khawar.nehal@atrc.net.pk
 
Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6Khawar Nehal khawar.nehal@atrc.net.pk
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboardsDenis Ristic
 
Linux basics
Linux basicsLinux basics
Linux basicsGeeta Vinnakota
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1Susant Sahani
 
Refcard en-a4
Refcard en-a4Refcard en-a4
Refcard en-a4Arduino Aficionado
 
Common linux ubuntu commands overview
Common linux ubuntu commands overviewCommon linux ubuntu commands overview
Common linux ubuntu commands overviewAmeer Sameer
 
Dev ops
Dev opsDev ops
Dev opsTom Hall
 
Squid Server
Squid ServerSquid Server
Squid ServerSumant Garg
 
Logical volume manager xfs
Logical volume manager xfsLogical volume manager xfs
Logical volume manager xfsSarwar Javaid
 
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013odnoklassniki.ru
 
Basics of-linux
Basics of-linuxBasics of-linux
Basics of-linuxSingsys Pte Ltd
 
2009 cluster user training
2009 cluster user training2009 cluster user training
2009 cluster user trainingChris Dwan
 
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)Nag Arvind Gudiseva
 
Log
LogLog
LogEki Kinda
 
Log
LogLog
LogMariiana Guerrero
 
Squid Proxy Server
Squid Proxy ServerSquid Proxy Server
Squid Proxy Server13bcs0012
 
Ryu ods2012-spring
Ryu ods2012-springRyu ods2012-spring
Ryu ods2012-springIsaku Yamahata
 
Implementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux networkImplementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux networkTakuya ASADA
 

More Related Content

What's hot

Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationMohammed Farrag
 
Linux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersLinux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersDavide Ciambelli
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboardsDenis Ristic
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1Susant Sahani
 
Common linux ubuntu commands overview
Common linux ubuntu commands overviewCommon linux ubuntu commands overview
Common linux ubuntu commands overviewAmeer Sameer
 
Logical volume manager xfs
Logical volume manager xfsLogical volume manager xfs
Logical volume manager xfsSarwar Javaid
 
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013odnoklassniki.ru
 
2009 cluster user training
2009 cluster user training2009 cluster user training
2009 cluster user trainingChris Dwan
 
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)Nag Arvind Gudiseva
 
Squid Proxy Server
Squid Proxy ServerSquid Proxy Server
Squid Proxy Server13bcs0012
 

What's hot (20)

Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
 
Linux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for BeginnersLinux Bash Shell Cheat Sheet for Beginners
Linux Bash Shell Cheat Sheet for Beginners
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례
 
Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5
 
Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1
 
Refcard en-a4
Refcard en-a4Refcard en-a4
Refcard en-a4
 
Common linux ubuntu commands overview
Common linux ubuntu commands overviewCommon linux ubuntu commands overview
Common linux ubuntu commands overview
 
Dev ops
Dev opsDev ops
Dev ops
 
Squid Server
Squid ServerSquid Server
Squid Server
 
Logical volume manager xfs
Logical volume manager xfsLogical volume manager xfs
Logical volume manager xfs
 
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
Being closer to Cassandra by Oleg Anastasyev. Talk at Cassandra Summit EU 2013
 
Basics of-linux
Basics of-linuxBasics of-linux
Basics of-linux
 
2009 cluster user training
2009 cluster user training2009 cluster user training
2009 cluster user training
 
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
Hadoop 2.0 cluster setup on ubuntu 14.04 (64 bit)
 
Log
LogLog
Log
 
Log
LogLog
Log
 
Squid Proxy Server
Squid Proxy ServerSquid Proxy Server
Squid Proxy Server
 

Viewers also liked

Implementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux networkImplementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux networkTakuya ASADA
 
簡介 Linux 的 Network Namespace 功能
簡介 Linux 的 Network Namespace 功能簡介 Linux 的 Network Namespace 功能
簡介 Linux 的 Network Namespace 功能John L Chen
 
Enterprise Linux 7 new feature_network configuration
Enterprise Linux 7 new feature_network configurationEnterprise Linux 7 new feature_network configuration
Enterprise Linux 7 new feature_network configurationsuk kim
 
Chris Swan ONUG Academy - Container Networks Tutorial
Chris Swan ONUG Academy - Container Networks TutorialChris Swan ONUG Academy - Container Networks Tutorial
Chris Swan ONUG Academy - Container Networks TutorialCohesive Networks
 
Erlang User Conference 2016: Container Networking: A Field Report
Erlang User Conference 2016: Container Networking: A Field ReportErlang User Conference 2016: Container Networking: A Field Report
Erlang User Conference 2016: Container Networking: A Field ReportSargun Dhillon
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linuxVarnnit Jain
 
Linux network namespaces
Linux network namespacesLinux network namespaces
Linux network namespacesMike Wilson
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSylvain Afchain
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathThomas Graf
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network ViewNeuVector
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
Container Network Interface: Network Plugins for Kubernetes and beyond
Container Network Interface: Network Plugins for Kubernetes and beyondContainer Network Interface: Network Plugins for Kubernetes and beyond
Container Network Interface: Network Plugins for Kubernetes and beyondKubeAcademy
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101Cumulus Networks
 
Docker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined NetworksDocker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined NetworksAdrien Blind
 

Viewers also liked (20)

Ryu ods2012-spring
Ryu ods2012-springRyu ods2012-spring
Ryu ods2012-spring
 
Implementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux networkImplementing a layer 2 framework on linux network
Implementing a layer 2 framework on linux network
 
簡介 Linux 的 Network Namespace 功能
簡介 Linux 的 Network Namespace 功能簡介 Linux 的 Network Namespace 功能
簡介 Linux 的 Network Namespace 功能
 
Enterprise Linux 7 new feature_network configuration
Enterprise Linux 7 new feature_network configurationEnterprise Linux 7 new feature_network configuration
Enterprise Linux 7 new feature_network configuration
 
Linux network configuration
Linux network configurationLinux network configuration
Linux network configuration
 
Chris Swan ONUG Academy - Container Networks Tutorial
Chris Swan ONUG Academy - Container Networks TutorialChris Swan ONUG Academy - Container Networks Tutorial
Chris Swan ONUG Academy - Container Networks Tutorial
 
Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)
 
Erlang User Conference 2016: Container Networking: A Field Report
Erlang User Conference 2016: Container Networking: A Field ReportErlang User Conference 2016: Container Networking: A Field Report
Erlang User Conference 2016: Container Networking: A Field Report
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
Linux network namespaces
Linux network namespacesLinux network namespaces
Linux network namespaces
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integration
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network View
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
 
Linux Network Management
Linux Network ManagementLinux Network Management
Linux Network Management
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Container Network Interface: Network Plugins for Kubernetes and beyond
Container Network Interface: Network Plugins for Kubernetes and beyondContainer Network Interface: Network Plugins for Kubernetes and beyond
Container Network Interface: Network Plugins for Kubernetes and beyond
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101
 
Docker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined NetworksDocker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined Networks
 

Similar to Container security: seccomp, network e namespaces

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)Masami Hiramatsu
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosHeiko Loewe
 
Ericas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideEricas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideErica StJohn
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationIsabella789
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationIsabella789
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsManuel Vega
 
Rh202 q&amp;a-demo-cert magic
Rh202 q&amp;a-demo-cert magicRh202 q&amp;a-demo-cert magic
Rh202 q&amp;a-demo-cert magicEllina Beckman
 

Similar to Container security: seccomp, network e namespaces (20)

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and Mesos
 
Ericas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideEricas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-Guide
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux Certification
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux Certification
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg Schad
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Docker
DockerDocker
Docker
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
 
Install websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bitsInstall websphere message broker 8 RHEL 6 64 bits
Install websphere message broker 8 RHEL 6 64 bits
 
linux installation.pdf
linux installation.pdflinux installation.pdf
linux installation.pdf
 
Rh202 q&amp;a-demo-cert magic
Rh202 q&amp;a-demo-cert magicRh202 q&amp;a-demo-cert magic
Rh202 q&amp;a-demo-cert magic
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 

More from Kiratech

Red Hat OpenShift: l'abilitatore della Cloud Native Enterprise
Red Hat OpenShift: l'abilitatore della Cloud Native EnterpriseRed Hat OpenShift: l'abilitatore della Cloud Native Enterprise
Red Hat OpenShift: l'abilitatore della Cloud Native EnterpriseKiratech
 
Kaizen e DevOps: il miglioramento continuo
Kaizen e DevOps: il miglioramento continuoKaizen e DevOps: il miglioramento continuo
Kaizen e DevOps: il miglioramento continuoKiratech
 
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...Kiratech
 
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Kiratech
 
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...Kiratech
 
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at Kiratech
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at KiratechMoby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at Kiratech
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at KiratechKiratech
 
Containerday17 Moby-linuxkit-DockerCon-2017-announcements
Containerday17 Moby-linuxkit-DockerCon-2017-announcementsContainerday17 Moby-linuxkit-DockerCon-2017-announcements
Containerday17 Moby-linuxkit-DockerCon-2017-announcementsKiratech
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformKiratech
 
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday intro
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday introMarco bizzantino Microsoft-Docker Meetup #4 Docker bday intro
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday introKiratech
 
Understanding the Docker ecosystem
Understanding the Docker ecosystemUnderstanding the Docker ecosystem
Understanding the Docker ecosystemKiratech
 
PHPKonf Istanbul 2016 - From development to production with Docker Datacenter
PHPKonf Istanbul 2016 - From development to production with Docker DatacenterPHPKonf Istanbul 2016 - From development to production with Docker Datacenter
PHPKonf Istanbul 2016 - From development to production with Docker DatacenterKiratech
 

More from Kiratech (11)

Red Hat OpenShift: l'abilitatore della Cloud Native Enterprise
Red Hat OpenShift: l'abilitatore della Cloud Native EnterpriseRed Hat OpenShift: l'abilitatore della Cloud Native Enterprise
Red Hat OpenShift: l'abilitatore della Cloud Native Enterprise
 
Kaizen e DevOps: il miglioramento continuo
Kaizen e DevOps: il miglioramento continuoKaizen e DevOps: il miglioramento continuo
Kaizen e DevOps: il miglioramento continuo
 
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...
Kiratech "Qualità, metodologia e competenza al servizio della Digital Enterpr...
 
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
 
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...
Slides Webinar "Start your DevOps Journey with GITHUB" (in Italiano) by Kirat...
 
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at Kiratech
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at KiratechMoby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at Kiratech
Moby and linux kit, what to expect - Lorenzo Fontana, DevOps Expert at Kiratech
 
Containerday17 Moby-linuxkit-DockerCon-2017-announcements
Containerday17 Moby-linuxkit-DockerCon-2017-announcementsContainerday17 Moby-linuxkit-DockerCon-2017-announcements
Containerday17 Moby-linuxkit-DockerCon-2017-announcements
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins Platform
 
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday intro
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday introMarco bizzantino Microsoft-Docker Meetup #4 Docker bday intro
Marco bizzantino Microsoft-Docker Meetup #4 Docker bday intro
 
Understanding the Docker ecosystem
Understanding the Docker ecosystemUnderstanding the Docker ecosystem
Understanding the Docker ecosystem
 
PHPKonf Istanbul 2016 - From development to production with Docker Datacenter
PHPKonf Istanbul 2016 - From development to production with Docker DatacenterPHPKonf Istanbul 2016 - From development to production with Docker Datacenter
PHPKonf Istanbul 2016 - From development to production with Docker Datacenter
 

Recently uploaded

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Container security: seccomp, network e namespaces

  • 1. Seccomp, network and namespaces Francesco Tornieri <francesco.tornieri AT kiratech.it>
  • 4. Namespaces ecc… 4 • man namespaces: – “A namespaces wraps a global system resource in a abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource”
  • 5. PID & Capabilities (privileges associated with superuser) 5
  • 6. PID & Capabilities • NET_RAW (man capabilities): – use RAW and PACKET sockets; – bind to any address for transparent proxying • docker run --rm ubuntu capsh --print | grep net_raw – Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_s etpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,ca p_setfcap+I – Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_ setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,c ap_setfcap • docker run --rm --cap-drop net_raw ubuntu capsh --print | grep net_raw – ? 6
  • 7. PID & Capabilities • NET_BIND_SERVICE (man capabilities): – Bind a socket to Internet domain privileged ports (port numbers less than 1024) • docker run --rm -it --cap-drop ALL ubuntu bash – root@dba82716ff38:/# nc -l 127.0.0.1 25 – nc: Permission denied • docker run --rm -it --cap-drop ALL --cap-add net_bind_service ubuntu bash – root@e71400ba1c4e:/# nc -l 127.0.0.1 25 – ^C 7
  • 8. Container Processes • Your command’s process is always PID 1 inside the container • docker run --rm ubuntu ps ax PID TTY STAT TIME COMMAND 1 ? Rs 0:00 ps ax 8
  • 9. Bridge Network Model 9 docker0 bridge IP: 172.17.0.1 container1 Host IP: 172.17.0.2 eth0 vethdc..
  • 10. Network namespaces • docker run -d -P nginx – HOST: • ip a – 47: vethccc0f9a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default • ethtool -S vethccc0f9a – NIC statistics: peer_ifindex: 46 • pidof nginx – 15363 15349 • sudo ls /proc/15363/ns/net • sudo mkdir -p /var/run/netns • sudo ln -sf /proc/15363/ns/net /var/run/netns/myproc • ip netns – myproc 10
  • 11. Network namespace • HOST: – sudo ip netns exec myproc ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 46: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff inet 172.17.0.2/16 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::42:acff:fe11:2/64 scope link valid_lft forever preferred_lft forever 11
  • 12. Username Namepaces • DEFAULT DOCKER == NO USER NAMESPACE – docker run -d -it ubuntu – pidof bash – cat /proc/15552/uid_map 0 0 4294967295 12 It is the starting user ID for the process in question It is the starting user ID to be utilized on the host system The length of the range of user IDs that is mapped between the two user namespaces (2^32 -1)
  • 13. Username Namepaces • docker daemon –help – … – --userns-remap • Modify /etc/default/docker (DOCKER_OPTS): – DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --userns- remap default" • docker run -d -it ubuntu – Unable to find image 'ubuntu:latest' locally • sudo ls /var/lib/docker/ – 231072.231072 aufs containers image network tmp trust volumes • sudo ls /var/lib/docker/231072.231072 – aufs containers image network tmp trust volumes 13 New namespace
  • 14. Username Namepaces • pidof bash – cat /proc/16003/uid_map 0 231072 65536 – cat /etc/subuid • ubuntu:100000:65536 • docker:165536:65536 • dockremap:231072:65536 14
  • 15. Seccomp • From kernel.org documentation (https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt ): “A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process…. The resulting set reduces the total kernel surface exposed to the application… Seccomp filtering provides a means for a process to specify a filter for incoming system calls.” • docker engine >= 1.10 • kernel with CONFIG_SECCOMP enabled – cat /boot/config-`uname -r` | grep CONFIG_SECCOMP= – CONFIG_SECCOMP=y 15
  • 16. Seccomp • Create a policy.json: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "mkdir", "action": "SCMP_ACT_ERRNO" } ] } 16 The seccomp filter will have no effect on the thread calling the syscall if it does not match any of the configured seccomp filter rules
  • 17. Seccomp • docker run -it --security-opt seccomp:policy.json ubuntu – mkdir test • mkdir: cannot create directory ‘test’: Permission denied 17