
Docker security configuration

Technical dive into configuring seccomp and linux security capabilities for Docker-based containers.

The real meat for this talk was in the demos - I'm working on a screencast version, and will add a link here once I have that published!


Docker security configuration

  1. Real-World Examples and Troubleshooting
  2.   • Capabilities
       • Seccomp
       • Demo demo demo!
  3. None of my demos should “work” the first time.
  4. Worst to best:
       • Run with --privileged=true
       • Run with --cap-add ALL
       • Run with --cap-drop ALL --cap-add <only needed>
       • Run as non-root user, unprivileged
     Useful: capabilities section of https://docs.docker.com/engine/reference/run/
  5. From my Monday talk. Even in dev you should do this. Break the bad habit. Do as I say, not as I do!
  6. 3 sections:
       • Default Action
       • Target architectures
       • Filter rules
     Like firewall rules, but harder to debug!
  7.   • SECCOMP_RET_KILL
       • SECCOMP_RET_TRAP
       • SECCOMP_RET_ERRNO
       • SECCOMP_RET_TRACE
       • SECCOMP_RET_ALLOW
  8.   • SECCOMP_RET_KILL
       • SECCOMP_RET_TRAP
       • SECCOMP_RET_ERRNO
       • SECCOMP_RET_TRACE
       • SECCOMP_RET_ALLOW
     https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
  9.   • SECCOMP_RET_KILL
       • SECCOMP_RET_TRAP
       • SECCOMP_RET_ERRNO → SCMP_ACT_ERRNO
       • SECCOMP_RET_TRACE
       • SECCOMP_RET_ALLOW → SCMP_ACT_ALLOW
     https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
  10. We need to build a list of system calls called by the program… …that we want to succeed
       • Guess (preferably educated)
       • RTFM (thanks John!)
       • Capture behavior – maybe /usr/sbin/strace
       • Disassembly?
  11. Getting that last 1% can be expensive
  12.  • no-new-privileges
  13.  • Modern OS
       • objdump (from binutils)
       • nm
       • strace
       • auditd (some day…)
  14. Study:
       • https://docs.docker.com/engine/reference/run/
       • https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
  15. @johnlkinsella http://layeredinsight.com http://github.com/jlk
  16.  • https://github.com/docker/docker/blob/master/docs/security/seccomp.md
       • http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
       • http://linux.die.net/man/1/capsh
       • https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker-seccomp-profiles.md
       • http://www.slideshare.net/Docker/docker-security-workshop-slides
       • https://filippo.io/linux-syscall-table/
       • http://dockersl.im
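Slides 6 and 10 describe the three sections of a Docker seccomp profile and the job of collecting the syscalls a program needs (for example by capturing them with strace). The script below, an added example rather than anything from the talk, turns a constructed fragment of `strace -f` output into a profile in the format Docker's default.json uses (defaultAction, architectures, syscalls); the sample trace lines and the x86 architecture list are assumptions for illustration.

```python
import json
import re

# Constructed sample of `strace -f` output for a tiny program; not a real capture.
SAMPLE_STRACE = """\
execve("/bin/true", ["/bin/true"], 0x7ffd0 /* 12 vars */) = 0
brk(NULL)                               = 0x55d5a6c2a000
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c
close(3)                                = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# A syscall line starts with an optional "[pid N]" prefix, then the name and "(".
_SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")


def syscalls_from_strace(text):
    """Return the sorted set of syscall names seen in strace output.
    Signal ("--- SIG... ---") and exit ("+++ ... +++") lines carry no syscall and are skipped."""
    names = set()
    for line in text.splitlines():
        m = _SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def build_profile(allowed, architectures=("SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32")):
    """Assemble the three sections of a Docker seccomp profile: the default action
    (SCMP_ACT_ERRNO rather than kill, so a missing syscall shows up as a failing call instead
    of a dead process while debugging), the target architectures, and one allow rule."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": list(allowed), "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def profile_json(text):
    """Full pipeline: strace text in, Docker seccomp profile JSON out."""
    return json.dumps(build_profile(syscalls_from_strace(text)), indent=2)


if __name__ == "__main__":
    # Save the output as profile.json and run the container with:
    #   docker run --security-opt seccomp=profile.json --cap-drop ALL <image>
    print(profile_json(SAMPLE_STRACE))
```

The generated allow list is only as complete as the captured run; as slide 11 notes, the last few syscalls (error paths, rarely taken branches) are the expensive part and show up as ENOSYS-style failures under this default action.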
