CONTAINER SECURITY 101
IT’S 2019. STOP SPREADING FUD. FFS.
WHOAMI
FRANK LOUWERS
@FRANK_BE
HTTPS://KIWAZO.BE
BUILT, GREW AND SOLD A HOSTING COMPANY (15+ YEARS)
FREELANCE CONSULTANT
DOCKER TRAINER
DAI / DCA / DSP / DTSP
CONTAINERS != CURL -K | (SUDO BASH)
CONTAINERS != CURL -K | SUDO BASH
▸ HTTPS
▸ Download from a registry you trust
▸ TUF (The Update Framework) for content signing
▸ Protects against MitM attacks
▸ John Doe’s packages or community-driven packages?
▸ FROM johndoe/mongo vs FROM mongo
▸ RESULT: image pull is much better than curl or curl -k
CONTAINERS != CURL -K | SUDO BASH
▸ “root” inside your container is not root outside your container
▸ Namespaces: in Linux kernel since 2002 and 2006 (!!!)
▸ Seccomp profile: by default some 44-ish syscalls are blocked
▸ Kernel capabilities: so root-user becomes a spectrum instead of binary. (no raw network access, no mount, …)
▸ RESULT: “root” can’t do anything outside the container
CONTAINERS != CURL -K | SUDO BASH
▸ Any app, script, … you run on your computer can do “Bad Things”, no matter how you run it
▸ Even if you compile it from source (look up “Ken Thompson Hack”)
▸ By default, every app has access to all “your” files, environment variables, shell, .bashrc/.zshrc, processes etc
▸ By default, containers don’t!
▸ RESULT: docker container run foo is safer than ./foo
BY DEFAULT, WITHOUT CONFIGURING ANYTHING
▸ Secure image pulls
▸ Secure execution
▸ “Throw-away”: remove the container, and all traces are gone
▸ Even if it is “root”, it has less privileges than your normal uid=1000 user
▸ Can’t access your files, environment variables (AWS_KEY anyone?)
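What “root becomes a spectrum instead of binary” looks like in numbers, as an added example that is not part of the deck: a POSIX sh decoder for the capability mask the kernel reports in /proc/<pid>/status (CapEff, CapBnd), run over two constructed masks, the 14-capability set Docker hands a container by default and a full-root set on a recent kernel. The bit-to-name table follows <linux/capability.h>; the sample mask values are constructed for the example, not captured from a live system.

```shell
#!/bin/sh
# Added example: decode a Linux capability mask into names, to see what "root"
# inside a container actually holds compared with root on the host.
# CapEff/CapBnd in /proc/<pid>/status are 64-bit hex masks; each set bit is one
# capability. Names are indexed by bit number, as in <linux/capability.h>.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"

# cap_names <hexmask>: print one cap_<name> per set bit.
cap_names() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        bit=$((bit + 1))
    done
}

# cap_count <hexmask>: how many capabilities the mask grants.
cap_count() {
    cap_names "$1" | wc -l | tr -d ' '
}

# has_cap <hexmask> <name>: exit 0 if the mask contains cap_<name>.
has_cap() {
    cap_names "$1" | grep -qx "cap_$2"
}

# missing_caps <hexmask>: the capabilities a full root has that this mask lacks.
missing_caps() {
    for name in $CAP_NAMES; do
        has_cap "$1" "$name" || echo "cap_$name"
    done
}

# Constructed sample masks (not captured from a live system):
# the 14-capability bounding set Docker grants a container by default, and
# a full root set on a recent kernel (all 41 bits set).
DOCKER_DEFAULT_CAPS=00000000a80425fb
FULL_ROOT_CAPS=000001ffffffffff

echo "docker default: $(cap_count $DOCKER_DEFAULT_CAPS) capabilities, full root: $(cap_count $FULL_ROOT_CAPS)"
echo "capabilities a default container lacks (cap_sys_admin, cap_net_admin, cap_sys_module, ...):"
missing_caps $DOCKER_DEFAULT_CAPS | tr '\n' ' '; echo

# On a Linux host, decode this process's own effective set as well.
if [ -r /proc/self/status ]; then
    own=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "this process (CapEff $own): $(cap_count "$own") capabilities"
fi
```

Run it inside a container (`cat /proc/1/status`) and on the host to compare: the default container set has no cap_sys_admin, cap_net_admin or cap_sys_module, which is what “no raw network access, no mount” means in practice.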
DEVS SHALL NOT MESS WITH MY USERS
DEVS SHALL NOT MESS WITH MY USERS
▸ Indeed. Next question…
▸ I mean: why does it matter what user the app thinks it runs as?
▸ If it is “root”, it is “container-X-root-that-is-not-really-root”
▸ If it is “jane”, it is “container-X-jane-that-is-not-really-jane”
▸ Optional (1 parameter, if your kernel supports it): User namespaces as well: so uid 1000 in the container is not uid 1000 outside your container. Only relevant if doing volume mounts
BUT WHAT ABOUT PRIVILEGED CONTAINERS?
WHAT ABOUT PRIVILEGED CONTAINERS
▸ “running as root inside the container” doesn’t mean privileged
▸ NEED TO TURN THIS ON EXPLICITLY WHEN RUNNING!
▸ Runs the container without most of the restrictions we saw earlier
▸ Of course it has more access!
▸ Even then it has (slightly) less access than `sudo foo`
▸ “I can get root on the server in 5 minutes from a Priv container”
▸ “I can get root on the server in 5 seconds from a setuid binary”
BUT WHAT ABOUT THE FIREWALL?
WHAT ABOUT THE FIREWALL?
▸ Indeed. And 99 times out of 100, they shouldn’t. Next question?
▸ By default: container is firewalled: no inbound traffic
▸ You need to open ports explicitly at run-time!
▸ Multiple containers:
▸ Compose, Swarm: Can only see each other when on same “network”
▸ Kube: slightly different, need explicit:
▸ NetworkPolicy objects
▸ Network driver that supports them (Flannel doesn’t)
MY DEV WON’T DO PROPER FIREWALLING
SECRETS IN ENVIRONMENT VARIABLES?
SECRETS IN ENVIRONMENT VARIABLES?
▸ Some (old) “hello-world” example Docker images suggest using ENV variables to pass security tokens
▸ Your Dev should learn about Secrets!
▸ Secrets are:
▸ Encrypted at rest (by default in Swarm, optional in kube)
▸ Encrypted in transit (by default in Swarm, optional in kube)
▸ Only accessible where needed and never stored on disk (on Linux anyway)
▸ Easy to use in the app: accessible from a file
MY DEV ASKS TO PASS ACCESS TOKEN AS ENVIRONMENT VARS
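What “easy to use in the app: accessible from a file” looks like at start-up, as an added example that is not part of the deck: a POSIX sh entrypoint helper that reads the secret from the file the orchestrator mounts (Docker Swarm puts it under /run/secrets/<name>; Kubernetes wherever the pod spec mounts the Secret volume) and fails closed if the credential was passed as an environment variable instead. SECRETS_DIR, the secret name api_token, the variable API_TOKEN and ./app are assumptions of the example.

```shell
#!/bin/sh
# Added example: take a credential from the mounted secret file, never from the
# environment. An env var is visible in `docker inspect`, in /proc/<pid>/environ
# and in every child process; a mounted secret file sits on tmpfs and is read
# only by the process that needs it.

# SECRETS_DIR is an assumption of this example so it can point at a test directory.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret <name>: print the secret on stdout (trailing newline stripped);
# non-zero exit if the file is missing, unreadable or empty, so the app fails
# closed instead of starting with a blank credential.
read_secret() {
    file="$SECRETS_DIR/$1"
    if [ ! -r "$file" ]; then
        echo "read_secret: $1 is not mounted at $file" >&2
        return 1
    fi
    value=$(cat "$file")
    if [ -z "$value" ]; then
        echo "read_secret: $1 is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# refuse_env_secret <VAR>: fail if the deployment still passes the credential
# as an environment variable (the pattern the old hello-world images teach),
# so the misconfiguration is caught at start-up rather than found in a dump later.
refuse_env_secret() {
    eval "val=\${$1:-}"
    if [ -n "$val" ]; then
        echo "refuse_env_secret: $1 is set in the environment; mount it as a secret file instead" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage (assumed names): only start when the token is file-based.
if [ -r "$SECRETS_DIR/api_token" ]; then
    refuse_env_secret API_TOKEN && token=$(read_secret api_token) && echo "api_token mounted, starting app"
    # exec ./app --token-file "$SECRETS_DIR/api_token"   # ./app is a placeholder
fi
```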
THANKS FRANK, BUT I WANT TO DO BETTER
THANKS FRANK, BUT I WANT TO DO BETTER
▸ Docker worker nodes should run docker workloads. Don’t run anything else on them.
▸ Don’t mount volumes unless you absolutely need to!
▸ Use the “ro” flag when mounting volumes
▸ Use community images:
▸ no / in the image name (e.g. FROM ubuntu, not FROM h4ck3r/ubuntu)
▸ Don’t reinvent the wheel: eg: FROM postgres instead of FROM ubuntu + RUN apt-get install postgres
▸ Privileged containers should be treated as (root) daemons on your host OS
BEST PRACTICES
THANKS FRANK, BUT I WANT TO DO BETTER
▸ Set up your own repository (with signing!)
▸ Provide “organisation approved” base images and keep them up to date
▸ Do security scans of your (dev’s) images
▸ Use repository automation
▸ eg: “if it has security issues, move to a different repo”
▸ Prevent “unknown” images from running in prod
▸ Prevent “john-the-interim-UI-designer” from deploying to prod
▸ Central logging (easier in Docker than for non-container / legacy apps)
THANKS FRANK, BUT I WANT TO DO EVEN BETTER
BUT YOU DIDN’T MENTION ANYTHING CONFIG MANAGEMENT RELATED?
INDEED. I DIDN’T.
Q & A
Bonus: Freelancer, interested in Docker training and consulting? Come and talk to me!
@FRANK_BE
FRANK@LOUWERS.BE

Docker security 101 (CfgMgmtCamp 2019)
