OSDC 2017 | Do you trust your containers? by Erez Freiberger
•
0 likes•28 views
ManageIQ is an open source management platform for Hybrid IT. It can manage small and large environments and supports multiple technologies such as virtual machines, public clouds and containers. Openshift is Red Hat's Paas container solution, managed by a dedicated provider in ManageIQ. It provides inventory reports, metrics collection and visualization, logs, usage reports, cluster deployment operations and security scanning for container images. As container images may come from various sources, there's a growing need of an analyzing tool. With ManageIQ one is given the option to scan the images and report security vulnerabilities. We will scan Openshift container images using ManageIQ and study the reports generated by OpenSCAP and Smartstate Analysis. We will talk about the image-inspector tool that is used to inspect the images, how it integrates with Openshift as a container and how ManageIQ is connecting to it through Openshift.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to OSDC 2017 | Do you trust your containers? by Erez Freiberger
Similar to OSDC 2017 | Do you trust your containers? by Erez Freiberger (20)
Recently uploaded
Recently uploaded (20)
OSDC 2017 | Do you trust your containers? by Erez Freiberger
- 1. Do You Trust Your Containers? Scanning Container Images For Vulnerabilities Using OpenSCAP and ManageIQ Erez Freiberger - github: enoodle May 17’
- 2. About Me Erez Freiberger Developer at Red Hat, Container Management team. efreiber@redhat.com github.com/enoodle Tel Aviv, Israel
- 3. Agenda ● What is a Container Image ○ Why should you suspect your images? ● How to Scan a Container Image ○ SCAP ○ OpenSCAP ○ Image Inspector ● Managing a secure containers cluster ○ Openshift ○ ManageIQ ○ Scanning images from ManageIQ ○ ManageIQ Policies
- 4. What is a Container Image
- 5. What is a Container Image The OCI image-spec https://github.com/opencontainers/image-spec/blob/master/spec.md Manifests, Layers compressed changes, Digests
- 6. What is a Container Image A mini Linux OS Layers of files
- 7. What is a Container Image A mini Linux OS Layers of files Created using packages and other images
- 8. What is a Container Image A mini Linux OS Layers of files Created using packages and other images Current implementations are “Lazy” on updating packages
- 9. Why should you suspect an Image? Did the vendor of the base image test it thoroughly?
- 10. Why should you suspect an Image? Did the vendor of the base image test it thoroughly? Are you using the most updated version of everything?
- 11. Why should you suspect an Image? Did the vendor of the base image test it thoroughly? Are you using the most updated version of everything? New threats can pop up anytime:
- 12. SCAP
- 13. SCAP SCAP - “Is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization”
- 14. SCAP SCAP - “Is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization” Super Standard: CVE, CPE, XCCDF, OVAL… Using a catalogue of known security issues SCAP can evaluate a given System.
- 15. OpenSCAP An Open Source implementation of SCAP protocol Reads the different file standards of SCAP, evaluates systems based on them and generates reports Maintained by Red Hat
- 16. OpenSCAP On fedora: sudo oscap xccdf eval --profile common --report /var/www/html/report.html --results /var/www/html/results.xml /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml
- 17. A Look at an OpenSCAP report file:///home/efreiber/Downloads/openscap_result%20(1).html
- 19. SCAP Limitations Zero days Non standard packages Your code
- 20. How to run OpenSCAP on Images?
- 21. Image-Inspector
- 22. Image-Inspector Tool for running scans on container images Pulls, Extracts, Run OpenSCAP docker run docker.io/openshift/image-inspector --image=.. --scan-type openscap --serve 0.0.0.0:8080
- 23. Image-Inspector Tool for running scans on container images Pulls, Extracts, Run OpenSCAP Serves the scan results and the image metadata Webdav server for the image contents docker run docker.io/openshift/image-inspector --image=.. --scan-type openscap --serve 0.0.0.0:8080 github.com/openshift/image-inspector
- 25. Openshift (Container Platform) Built on top of Kubernetes A Container PAAS - Users, Projects, Templates, Deployments, Builds, Routes, Image Streams Built-in services: Image Registry, Logs And Metrics Collection github.com/openshift/origin
- 26. ManageIQ Hybrid Cloud Management System github.com/ManageIQ/manageiq
- 27. ManageIQ Single Pane of Glass Providers - Plugins to manage specific type of resource
- 28. ManageIQ Single Pane of Glass Providers - Plugins to manage specific type of resource Monitoring and Management Policies, Alerts, Reports, Automation Cross linking between providers
- 29. ManageIQ Openshift Provider: Metrics collection and Visualization, Reports, Inventory, Deployment, Security scanning for images github.com/ManageIQ/manageiq
- 30. Putting It All Together
- 31. Demo Container Image in ManageIQ Scanning..
- 32. Compliance Policies When to scan images? How to process the scan results? Actions to take based on scan results Built In OpenSCAP policy
- 33. Policy Demo Scanning new images in a provider
- 34. Image-Inspector Future More systems with CVEs CRI-O support Job Mode to run as a Kubernetes Job ManageIQ: Security Dashboard and Compliance Reports
- 35. Summary Container Images Scanning with OpenScap and Image-Inspector Automation and control with ManageIQ and Openshift
- 36. Putting It All Together