LXC, Docker, security: is it safe to run applications in Linux Containers?

Jérôme Petazzoni
Jérôme PetazzoniDocker Inc.
Is it safe to run applications in Linux Containers? Jérôme Petazzoni Docker Inc. @jpetazzo @docker
...
Yes
/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer * * Demonstrates that any given docker image someone is asking * you to run in your docker setup can access ANY file on your host, * e.g. dumping hosts /etc/shadow or other sensitive info, compromising * security of the host and any other docker VM's on it. * * docker using container based VMM: Sebarate pid and net namespace, * stripped caps and RO bind mounts into container's /. However * as its only a bind-mount the fs struct from the task is shared * with the host which allows to open files by file handles * (open_by_handle_at()). As we thankfully have dac_override and * dac_read_search we can do this. The handle is usually a 64bit * string with 32bit inodenumber inside (tested with ext4). * Inode of / is always 2, so we have a starting point to walk * the FS path and brute force the remaining 32bit until we find the * desired file (It's probably easier, depending on the fhandle export * function used for the FS in question: it could be a parent inode# or * the inode generation which can be obtained via an ioctl). * [In practise the remaining 32bit are all 0 :]
Wait
No!
Docker has changed its security status to It's complicated
Who am I? Why am I here? Jérôme Petazzoni (@jpetazzo) - Grumpy French Linux DevOps Operated dotCloud PAAS for 3+ years - hosts arbitrary code for arbitrary users - each service of each app runs in a container - no major security issue yet (fingers crossed) Containerize all the things! - VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
What are those “containers” ? (1/3) Technically: ~chroot on steroids - a container is a set of processes (running on top of common kernel) - isolated* from the rest of the machine (cannot see/affect/harm host or other containers) - using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...) - and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect) *Limitations may apply.
What are those “containers” ? (2/3) From a distance: looks like a VM - I can SSH into my container - I can have root access in it - I can install packages in it - I have my own eth0 interface - I can tweak routing table, iptables rules - I can mount filesystems - etc.
What are those “containers” ? (3/3) Lightweight, fast, disposable... virtual environments - boot in milliseconds - just a few MB of intrinsic disk/memory usage - bare metal performance is possible The new way to build, ship, deploy, run your apps!
Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years So, what?
Blame Docker
Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years Tools like Docker made containers very easy to use Everybody* wants to deploy containers now But, oops, LXC wasn't made for security We want containers, and we want them now; how can we do that safely? *Okay, almost everybody. If you're not convinced yet of the general awesomeness of Docker and containers, give them a second chance by checking my other talk this afternoon; or the Docker meet-up tomorrow at New Relic.
Some inspirational quotes
“LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé (famous LXC hacker) This was in 2011. The Linux Kernel has changed a tiny little bit since then.
“From security point of view lxc is terrible and may not be consider as security solution.” —someone on Reddit (original spelling and grammar) Common opinion among security experts and paranoid people. To be fair, they have to play safe & can't take risks.
“Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.” —Gentoo Wiki That's just plain false, or misleading, and we'll see why.
“Containers do not contain.” —Dan Walsh (Mr SELinux) This was earlier this year, and this guy knows what he's talking about. Are we in trouble?
“For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.” —J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
Keyword: levels
Let's revisit one of those quotes... “If you have root on a container you have root on the whole box.” Don't give root in the container in the first place If you really have to give root, give looks-like-root If that's not enough, give root but build another wall
Root in the host Root in the container Uruks (intruders)
There is more than one threat model Regular applications - web servers, databases, caches, message queues, ... System services (high level) - logging, remote access, periodic command execution, ... System services (low level) - manage physical devices, networking, filesystems, ... Kernel - security policies, drivers, ... The special case of immutable infrastructure
Regular applications
Regular applications Apache, Nginx, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Cassandra, Hadoop, RabbitMQ... Virtually all your programs in any language (services, web services, workers, everything!) They never ever need any kind of root privilege (except to install packages) Don't run them as root! Ever!
Regular applications Risk: they run arbitrary code - vector: by definition, they are arbitrary code - vector: security breach causes execution of malicious code Fix: nothing - by definition, we are willing to execute arbitrary code here Consequence: assume those apps can try anything to break out
Regular applications Risk: escalate from non-root to root - vector: vulnerabilities in SUID binaries Fix: defang SUID binaries - remove them - remove suid bit - mount filesystem with nosuid
Regular applications Risk: execute arbitrary kernel code - vector: bogus syscall (e.g. vmsplice* in 2008) Fix: limit available syscalls - seccomp-bpf = whitelist/blacklist syscalls Fix: run stronger kernels - GRSEC is a good idea (stable patches for 3.14 since July 4th) - update often (i.e. have efficient way to roll out kernel upgrades) *More details about that: http://lwn.net/Articles/268783/
Regular applications Risk: leak to another container - vector: bug in namespace code; filesystem leak* Fix: user namespaces - map UID in container to a different UID outside - two containers run a process with UID 1000, but it's 14298 and 15398 outside Fix: security modules (e.g. SELinux) - assign different security contexts to containers - those mechanisms were designed to isolate! *Like the one showed in the beginning of this talk!
System services (high level)
System services (high level) SSH, cron, syslog... You use/need them all the time Bad news: they typically run as root Good news: they don't really need root Bad news: it's hard to run them as non-root Good news: they are not arbitrary code
System services (high level) Risk: running arbitrary code as root - vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH) Fix: isolate sensitive services - run SSH on bastion host, or in a VM - note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time)
System services (high level) Risk: messing with /dev - vector: malicious code Fix: “devices” control group - whitelist/blacklist devices - fine-grained: can allow only read, write, none, or both - fine-grained: can specify major+minor number of device
System services (high level) Risk: use of root calls (mount, chmod, iptables...) - vector: malicious code Fix: capabilities - break down “root” into many permissions - e.g. CAP_NET_ADMIN (network configuration) - e.g. CAP_NET_RAW (generate and sniff traffic) - e.g. CAP_SYS_ADMIN (big can of worms )☹ - see capabilities(7)
Interlude: CAP_SYS_ADMIN Operations controlled by CAP_SYS_ADMIN...  quotactl, mount, umount, swapon, swapoff  sethostname, setdomainname  IPC_SET, IPC_RMID on arbitrary System V IPC resources  perform operations on trusted and security Extended Attributes  set realtime priority (ioprio_set + IOPRIO_CLASS_RT)  create new namespaces (clone and unshare + CLONE_NEWNS)
System services (high level) Risk: messing with /proc, /sys - vector: malicious code Fix: prevent unauthorized access control - Mandatory Access Control (AppArmor, SELinux) - remount read-only, then drop CAP_SYS_ADMIN to prevent remount Fix: wider implementation of namespaces - some parts of procfs/sysfs are “namespace-aware” - some aren't, but can be fixed (by writing kernel code)
System services (high level) Risk: leaking with UID 0 - vector: malicious code Fix: user namespaces - already mentioned earlier - UID 0 in the container is mapped to some random UID outside - you break out: you're not root - you manage to issue weird syscalls: they're done as unprivileged UID Caveat: user namespaces are still new. We have to see how they behave with that!
System services (low level)
System services (low level) Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts... You use/need some of them all the time But you don't need any of them in your containers - physical device management is done by the host - network configuration and filesystems are setup by the host Exceptions: - custom mounts (FUSE) - network appliances
System services (low level) Risk: running arbitrary code as root - vector: malformed data or similar Fix: isolate sensitive functions - “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”) - everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context - works well for FUSE, some VPN services
System services (low level) Risk: run arbitrary code with full privileges - vector: needs a process running with full privileges (rare!) - vector: malformed data, unchecked input… classic exploit Fix: treat it as “kernel” - we'll see that immediately in the next section
Kernel
Kernel Drivers - they can talk to the hardware, so they can do pretty much anything - except: virtualize the bus and use e.g. driver domains (Xen) Network stacks - this probably has to live into the kernel for good performance - except: DPDK, OpenOnload... (networking stacks in userspace) Security policies - by definition, they control everything else - except: there might be nested security contexts some day
Kernel Risk: run arbitrary code with absolute privileges Fix: ?
Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
Kernel Risk: run arbitrary code with absolute privileges Fix: give it its own kernel and (virtual) hardware - i.e. run it in a virtual machine - that VM can run in a container - that VM can hold a container - run a privileged container in Docker in a VM in a container in Docker https://github.com/jpetazzo/docker2docker - inb4 xzibit meme
LXC, Docker, security: is it safe to run applications in Linux Containers?
Immutable immutable infrastructure
Immutable immutable infrastructure New rule: the whole container is read-only Compromise: if we must write, write to a noexec area Scalability has never been easier (if totally read-only) It's even harder for malicious users to do evil things
Recap (in no specific order!)  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs
Thank you! Questions?  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs See also: - Docker in Production (1:40pm today) - Office hour (10:40am tomorrow, expo hall Table A) - Docker meet-up at New Relic (tomorrow evening)
1 of 53

LXC, Docker, security: is it safe to run applications in Linux Containers?

Download to read offline
Technology

Linux Containers (or LXC) is now a popular choice for development and testing environments. As more and more people use them in production deployments, they face a common question: are Linux Containers secure enough? It is often claimed that containers have weaker isolation than virtual machines. We will explore whether this is true, if it matters, and what can be done about it.

Jérôme Petazzoni
Jérôme PetazzoniDocker Inc.

Recommended

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon by
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
96.9K views59 slides
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu... by
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
20.4K views56 slides
OpenStack Quantum Intro (OS Meetup 3-26-12) by
OpenStack Quantum Intro (OS Meetup 3-26-12)OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)Dan Wendlandt
66K views38 slides
Docker, Linux Containers (LXC), and security by
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
51.7K views59 slides
OpenStack 개요 및 활용 사례 @ Community Open Camp with Microsoft by
OpenStack 개요 및 활용 사례 @ Community Open Camp with MicrosoftOpenStack 개요 및 활용 사례 @ Community Open Camp with Microsoft
OpenStack 개요 및 활용 사례 @ Community Open Camp with MicrosoftIan Choi
4.2K views35 slides
UEFI HTTP/HTTPS Boot by
UEFI HTTP/HTTPS BootUEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootLinuxCon ContainerCon CloudOpen China
6.9K views13 slides

More Related Content

What's hot

Suricata: A Decade Under the Influence (of packet sniffing) by
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
21.9K views51 slides
Comparison of existing cni plugins for kubernetes by
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesAdam Hamsik
411 views21 slides
How VXLAN works on Linux by
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on LinuxEtsuji Nakai
26.7K views22 slides
CentOS Linux Server Hardening by
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
43.1K views33 slides
Cgroups, namespaces and beyond: what are containers made from? by
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
11.3K views55 slides
Everything You Need To Know About Persistent Storage in Kubernetes by
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesThe {code} Team
2.2K views27 slides

What's hot(20)

Suricata: A Decade Under the Influence (of packet sniffing) by Jason Williams
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
Jason Williams21.9K views
Comparison of existing cni plugins for kubernetes by Adam Hamsik
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetes
Adam Hamsik411 views
How VXLAN works on Linux by Etsuji Nakai
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
Etsuji Nakai26.7K views
CentOS Linux Server Hardening by MyOwn Telco
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
MyOwn Telco43.1K views
Cgroups, namespaces and beyond: what are containers made from? by Docker, Inc.
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
Docker, Inc.11.3K views
Everything You Need To Know About Persistent Storage in Kubernetes by The {code} Team
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team2.2K views
Union FileSystem - A Building Blocks Of a Container by Knoldus Inc.
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a Container
Knoldus Inc.671 views
Linux Locking Mechanisms by Kernel TLV
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
Kernel TLV5.5K views
Launch the First Process in Linux System by Jian-Hong Pan
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
Jian-Hong Pan2.1K views
QEMU - Binary Translation by Jiann-Fuh Liaw
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw16.6K views
Docker introduction by Phuc Nguyen
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen1.3K views
Network Automation with Ansible by Anas
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas 15.9K views
Meet cute-between-ebpf-and-tracing by Viller Hsiao
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
Viller Hsiao8.8K views
Ceph Performance and Sizing Guide by Jose De La Rosa
Ceph Performance and Sizing GuideCeph Performance and Sizing Guide
Ceph Performance and Sizing Guide
Jose De La Rosa15.4K views
Docker networking Tutorial 101 by LorisPack Project
Docker networking Tutorial 101Docker networking Tutorial 101
Docker networking Tutorial 101
LorisPack Project21.6K views
Kernel Recipes 2019 - XDP closer integration with network stack by Anne Nicolas
Kernel Recipes 2019 - XDP closer integration with network stackKernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stack
Anne Nicolas1.7K views
Accelerating Envoy and Istio with Cilium and the Linux Kernel by Thomas Graf
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Thomas Graf7.5K views
Container Network Interface: Network Plugins for Kubernetes and beyond by KubeAcademy
Container Network Interface: Network Plugins for Kubernetes and beyondContainer Network Interface: Network Plugins for Kubernetes and beyond
Container Network Interface: Network Plugins for Kubernetes and beyond
KubeAcademy14.1K views
Golang Project Layout and Practice by Bo-Yi Wu
Golang Project Layout and PracticeGolang Project Layout and Practice
Golang Project Layout and Practice
Bo-Yi Wu19.3K views
Virtualized network with openvswitch by Sim Janghoon
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
Sim Janghoon19.4K views

Viewers also liked

Docker, Linux Containers, and Security: Does It Add Up? by
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
9.3K views58 slides
Docker Security Paradigm by
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
528 views19 slides
Containers, docker, and security: state of the union (Bay Area Infracoders Me... by
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Jérôme Petazzoni
7K views43 slides
Linux Containers From Scratch by
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
5.2K views42 slides
Docker Security Overview by
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
13K views18 slides
Docker London: Container Security by
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
16.9K views21 slides

Viewers also liked(20)

Docker, Linux Containers, and Security: Does It Add Up? by Jérôme Petazzoni
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni9.3K views
Docker Security Paradigm by Anis LARGUEM
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM528 views
Containers, docker, and security: state of the union (Bay Area Infracoders Me... by Jérôme Petazzoni
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni7K views
Linux Containers From Scratch by joshuasoundcloud
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
joshuasoundcloud5.2K views
Docker Security Overview by Sreenivas Makam
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam13K views
Docker London: Container Security by Phil Estes
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes16.9K views
Tom Purves: Designing for An Augmented Reality World by Refresh Events
Tom Purves: Designing for An Augmented Reality WorldTom Purves: Designing for An Augmented Reality World
Tom Purves: Designing for An Augmented Reality World
Refresh Events1.2K views
Docker security - TASK Jan 2016 by Fernando Montenegro
Docker security - TASK Jan 2016Docker security - TASK Jan 2016
Docker security - TASK Jan 2016
Fernando Montenegro1K views
The How and Why of Container Vulnerability Management by Black Duck by Synopsys
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Black Duck by Synopsys1.1K views
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo... by Yandex
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
Yandex20.1K views
Introduzione a Docker (parte 2 - Pratica) by Cristian Consonni
Introduzione a Docker (parte 2 - Pratica)Introduzione a Docker (parte 2 - Pratica)
Introduzione a Docker (parte 2 - Pratica)
Cristian Consonni1.4K views
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee... by Codemotion
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...
Codemotion634 views
Seven problems of Linux Containers by Kirill Kolyshkin
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux Containers
Kirill Kolyshkin28.1K views
Contain your risk: Deploy secure containers with trust and confidence by Black Duck by Synopsys
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys1K views
Docker Fudamentals by mvetro
Docker FudamentalsDocker Fudamentals
Docker Fudamentals
mvetro1.3K views
Docker: automation for the rest of us by Jérôme Petazzoni
Docker: automation for the rest of usDocker: automation for the rest of us
Docker: automation for the rest of us
Jérôme Petazzoni9.9K views
Docker at Spotify - Dockercon14 by dotCloud
Docker at Spotify - Dockercon14Docker at Spotify - Dockercon14
Docker at Spotify - Dockercon14
dotCloud56.7K views
[Impact Lab] IT инструменты для проекта by Dmitry Spodarets
[Impact Lab] IT инструменты для проекта[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта
Dmitry Spodarets3.4K views
Docker and Containers for Development and Deployment — SCALE12X by Jérôme Petazzoni
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
Jérôme Petazzoni25.5K views
Performance comparison between Linux Containers and Virtual Machines by Soheila Dehghanzadeh
Performance comparison between Linux Containers and Virtual MachinesPerformance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual Machines
Soheila Dehghanzadeh477 views

Similar to LXC, Docker, security: is it safe to run applications in Linux Containers?

Lightweight Virtualization in Linux by
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in LinuxSadegh Dorri N.
567 views60 slides
Unix Security by
Unix SecurityUnix Security
Unix Securityreplay21
6.3K views47 slides
Threats, Vulnerabilities & Security measures in Linux by
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
3.9K views51 slides
An overview of unix rootkits by
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkitsUltraUploader
446 views27 slides
Containerization is more than the new Virtualization: enabling separation of ... by
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
9K views61 slides
Rootkit&honeypot aalonso-dcu-dec09 by
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Angelill0
284 views31 slides

Similar to LXC, Docker, security: is it safe to run applications in Linux Containers?(20)

Lightweight Virtualization in Linux by Sadegh Dorri N.
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.567 views
Unix Security by replay21
Unix SecurityUnix Security
Unix Security
replay216.3K views
Threats, Vulnerabilities & Security measures in Linux by Amitesh Bharti
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti3.9K views
An overview of unix rootkits by UltraUploader
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader446 views
Containerization is more than the new Virtualization: enabling separation of ... by Jérôme Petazzoni
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
Jérôme Petazzoni9K views
Rootkit&honeypot aalonso-dcu-dec09 by Angelill0
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
Angelill0284 views
.ppt by webhostingguy
.ppt.ppt
.ppt
webhostingguy672 views
Pitfalls and limits of dynamic malware analysis by Tamas K Lengyel
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel557 views
How Secure Is Your Container? ContainerCon Berlin 2016 by Phil Estes
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes5.6K views
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure.... by Shah Sheikh
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh1.3K views
Secure container: Kata container and gVisor by Ching-Hsuan Yen
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
Ching-Hsuan Yen395 views
Fuzzing_with_Xen.pdf by distortdistort
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
distortdistort4 views
OffensiveCon2022: Case Studies of Fuzzing with Xen by Tamas K Lengyel
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel1.6K views
WTF my container just spawned a shell! by Sysdig
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig 57.9K views
Containers and workload security an overview by Krishna-Kumar
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
Krishna-Kumar 10.4K views
Docker Security by BladE0341
Docker SecurityDocker Security
Docker Security
BladE0341659 views
Linux Virus by Akhil Kadangode
Linux VirusLinux Virus
Linux Virus
Akhil Kadangode3.1K views
Scale11x lxc talk by dotCloud
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
dotCloud22.3K views
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector by Seunghun han
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
Seunghun han324 views
Exploring Docker Security by Patrick Kleindienst
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
Patrick Kleindienst793 views

More from Jérôme Petazzoni

Use the Source or Join the Dark Side: differences between Docker Community an... by
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...Jérôme Petazzoni
3.1K views38 slides
Orchestration for the rest of us by
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of usJérôme Petazzoni
1.9K views52 slides
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ... by
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Jérôme Petazzoni
5.2K views46 slides
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu... by
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Jérôme Petazzoni
10.9K views49 slides
From development environments to production deployments with Docker, Compose,... by
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...Jérôme Petazzoni
33K views122 slides
How to contribute to large open source projects like Docker (LinuxCon 2015) by
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)Jérôme Petazzoni
8.9K views57 slides

More from Jérôme Petazzoni(20)

Use the Source or Join the Dark Side: differences between Docker Community an... by Jérôme Petazzoni
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...
Jérôme Petazzoni3.1K views
Orchestration for the rest of us by Jérôme Petazzoni
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of us
Jérôme Petazzoni1.9K views
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ... by Jérôme Petazzoni
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Jérôme Petazzoni5.2K views
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu... by Jérôme Petazzoni
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Jérôme Petazzoni10.9K views
From development environments to production deployments with Docker, Compose,... by Jérôme Petazzoni
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...
Jérôme Petazzoni33K views
How to contribute to large open source projects like Docker (LinuxCon 2015) by Jérôme Petazzoni
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
Jérôme Petazzoni8.9K views
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC... by Jérôme Petazzoni
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Jérôme Petazzoni7.4K views
Microservices. Microservices everywhere! (At OSCON 2015) by Jérôme Petazzoni
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
Jérôme Petazzoni8.1K views
Deploy microservices in containers with Docker and friends - KCDC2015 by Jérôme Petazzoni
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
Jérôme Petazzoni8.9K views
Containers: from development to production at DevNation 2015 by Jérôme Petazzoni
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
Jérôme Petazzoni6.4K views
Immutable infrastructure with Docker and containers (GlueCon 2015) by Jérôme Petazzoni
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
Jérôme Petazzoni20.2K views
The Docker ecosystem and the future of application deployment by Jérôme Petazzoni
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
Jérôme Petazzoni2.9K views
Docker Non Technical Presentation by Jérôme Petazzoni
Docker Non Technical PresentationDocker Non Technical Presentation
Docker Non Technical Presentation
Jérôme Petazzoni4.1K views
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition by Jérôme Petazzoni
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni6.5K views
Introduction to Docker, December 2014 "Tour de France" Edition by Jérôme Petazzoni
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
Jérôme Petazzoni3.8K views
Containers, Docker, and Microservices: the Terrific Trio by Jérôme Petazzoni
Containers, Docker, and Microservices: the Terrific TrioContainers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific Trio
Jérôme Petazzoni17.7K views
Pipework: Software-Defined Network for Containers and Docker by Jérôme Petazzoni
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
Jérôme Petazzoni9.1K views
Docker Tips And Tricks at the Docker Beijing Meetup by Jérôme Petazzoni
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing Meetup
Jérôme Petazzoni34.4K views
Introduction to Docker at Glidewell Laboratories in Orange County by Jérôme Petazzoni
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange County
Jérôme Petazzoni2.1K views
Docker en Production (Docker Paris) by Jérôme Petazzoni
Docker en Production (Docker Paris)Docker en Production (Docker Paris)
Docker en Production (Docker Paris)
Jérôme Petazzoni20.2K views

Recently uploaded

Black and White Modern Science Presentation.pptx by
Black and White Modern Science Presentation.pptxBlack and White Modern Science Presentation.pptx
Black and White Modern Science Presentation.pptxmaryamkhalid2916
14 views21 slides
PharoJS - Zürich Smalltalk Group Meetup November 2023 by
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023Noury Bouraqadi
120 views17 slides
Voice Logger - Telephony Integration Solution at Aegis by
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at AegisNirmal Sharma
17 views1 slide
Web Dev - 1 PPT.pdf by
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdfgdsczhcet
55 views45 slides
Data-centric AI and the convergence of data and model engineering: opportunit... by
Data-centric AI and the convergence of data and model engineering: opportunit...Data-centric AI and the convergence of data and model engineering: opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...Paolo Missier
34 views40 slides
The Research Portal of Catalonia: Growing more (information) & more (services) by
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)CSUC - Consorci de Serveis Universitaris de Catalunya
73 views25 slides

Recently uploaded(20)

Black and White Modern Science Presentation.pptx by maryamkhalid2916
Black and White Modern Science Presentation.pptxBlack and White Modern Science Presentation.pptx
Black and White Modern Science Presentation.pptx
maryamkhalid291614 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi120 views
Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma17 views
Web Dev - 1 PPT.pdf by gdsczhcet
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdf
gdsczhcet55 views
Data-centric AI and the convergence of data and model engineering: opportunit... by Paolo Missier
Data-centric AI and the convergence of data and model engineering: opportunit...Data-centric AI and the convergence of data and model engineering: opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier34 views
The Research Portal of Catalonia: Growing more (information) & more (services) by CSUC - Consorci de Serveis Universitaris de Catalunya
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)
CSUC - Consorci de Serveis Universitaris de Catalunya73 views
Perth MeetUp November 2023 by Michael Price
Perth MeetUp November 2023 Perth MeetUp November 2023
Perth MeetUp November 2023
Michael Price15 views
Future of Learning - Khoong Chan Meng by NUS-ISS
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan Meng
NUS-ISS33 views
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen... by NUS-ISS
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
NUS-ISS28 views
STPI OctaNE CoE Brochure.pdf by madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb12 views
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... by Vadym Kazulkin
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin75 views
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze by NUS-ISS
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeDigital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
NUS-ISS19 views
The details of description: Techniques, tips, and tangents on alternative tex... by BookNet Canada
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada121 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2216 views
Attacking IoT Devices from a Web Perspective - Linux Day by Simone Onofri
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri15 views
Tunable Laser (1).pptx by Hajira Mahmood
Tunable Laser (1).pptxTunable Laser (1).pptx
Tunable Laser (1).pptx
Hajira Mahmood23 views
Understanding GenAI/LLM and What is Google Offering - Felix Goh by NUS-ISS
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
NUS-ISS41 views
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica... by NUS-ISS
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
NUS-ISS16 views
.conf Go 2023 - Data analysis as a routine by Splunk
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk93 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP19 views

LXC, Docker, security: is it safe to run applications in Linux Containers?

  • 1. Is it safe to run applications in Linux Containers? Jérôme Petazzoni Docker Inc. @jpetazzo @docker
  • 2. ...
  • 3. Yes
  • 4. /* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer * * Demonstrates that any given docker image someone is asking * you to run in your docker setup can access ANY file on your host, * e.g. dumping hosts /etc/shadow or other sensitive info, compromising * security of the host and any other docker VM's on it. * * docker using container based VMM: Sebarate pid and net namespace, * stripped caps and RO bind mounts into container's /. However * as its only a bind-mount the fs struct from the task is shared * with the host which allows to open files by file handles * (open_by_handle_at()). As we thankfully have dac_override and * dac_read_search we can do this. The handle is usually a 64bit * string with 32bit inodenumber inside (tested with ext4). * Inode of / is always 2, so we have a starting point to walk * the FS path and brute force the remaining 32bit until we find the * desired file (It's probably easier, depending on the fhandle export * function used for the FS in question: it could be a parent inode# or * the inode generation which can be obtained via an ioctl). * [In practise the remaining 32bit are all 0 :]
  • 6. No!
  • 7. Docker has changed its security status to It's complicated
  • 8. Who am I? Why am I here? Jérôme Petazzoni (@jpetazzo) - Grumpy French Linux DevOps Operated dotCloud PAAS for 3+ years - hosts arbitrary code for arbitrary users - each service of each app runs in a container - no major security issue yet (fingers crossed) Containerize all the things! - VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
  • 9. What are those “containers” ? (1/3) Technically: ~chroot on steroids - a container is a set of processes (running on top of common kernel) - isolated* from the rest of the machine (cannot see/affect/harm host or other containers) - using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...) - and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect) *Limitations may apply.
  • 10. What are those “containers” ? (2/3) From a distance: looks like a VM - I can SSH into my container - I can have root access in it - I can install packages in it - I have my own eth0 interface - I can tweak routing table, iptables rules - I can mount filesystems - etc.
  • 11. What are those “containers” ? (3/3) Lightweight, fast, disposable... virtual environments - boot in milliseconds - just a few MB of intrinsic disk/memory usage - bare metal performance is possible The new way to build, ship, deploy, run your apps!
  • 12. Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years So, what?
  • 14. Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years Tools like Docker made containers very easy to use Everybody* wants to deploy containers now But, oops, LXC wasn't made for security We want containers, and we want them now; how can we do that safely? *Okay, almost everybody. If you're not convinced yet of the general awesomeness of Docker and containers, give them a second chance by checking my other talk this afternoon; or the Docker meet-up tomorrow at New Relic.
  • 16. “LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé (famous LXC hacker) This was in 2011. The Linux Kernel has changed a tiny little bit since then.
  • 17. “From security point of view lxc is terrible and may not be consider as security solution.” —someone on Reddit (original spelling and grammar) Common opinion among security experts and paranoid people. To be fair, they have to play safe & can't take risks.
  • 18. “Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.” —Gentoo Wiki That's just plain false, or misleading, and we'll see why.
  • 19. “Containers do not contain.” —Dan Walsh (Mr SELinux) This was earlier this year, and this guy knows what he's talking about. Are we in trouble?
  • 20. “For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.” —J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
  • 22. Let's revisit one of those quotes... “If you have root on a container you have root on the whole box.” Don't give root in the container in the first place If you really have to give root, give looks-like-root If that's not enough, give root but build another wall
  • 23. Root in the host Root in the container Uruks (intruders)
  • 24. There is more than one threat model Regular applications - web servers, databases, caches, message queues, ... System services (high level) - logging, remote access, periodic command execution, ... System services (low level) - manage physical devices, networking, filesystems, ... Kernel - security policies, drivers, ... The special case of immutable infrastructure
  • 26. Regular applications Apache, Nginx, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Cassandra, Hadoop, RabbitMQ... Virtually all your programs in any language (services, web services, workers, everything!) They never ever need any kind of root privilege (except to install packages) Don't run them as root! Ever!
  • 27. Regular applications Risk: they run arbitrary code - vector: by definition, they are arbitrary code - vector: security breach causes execution of malicious code Fix: nothing - by definition, we are willing to execute arbitrary code here Consequence: assume those apps can try anything to break out
  • 28. Regular applications Risk: escalate from non-root to root - vector: vulnerabilities in SUID binaries Fix: defang SUID binaries - remove them - remove suid bit - mount filesystem with nosuid
  • 29. Regular applications Risk: execute arbitrary kernel code - vector: bogus syscall (e.g. vmsplice* in 2008) Fix: limit available syscalls - seccomp-bpf = whitelist/blacklist syscalls Fix: run stronger kernels - GRSEC is a good idea (stable patches for 3.14 since July 4th) - update often (i.e. have efficient way to roll out kernel upgrades) *More details about that: http://lwn.net/Articles/268783/
  • 30. Regular applications Risk: leak to another container - vector: bug in namespace code; filesystem leak* Fix: user namespaces - map UID in container to a different UID outside - two containers run a process with UID 1000, but it's 14298 and 15398 outside Fix: security modules (e.g. SELinux) - assign different security contexts to containers - those mechanisms were designed to isolate! *Like the one showed in the beginning of this talk!
  • 32. System services (high level) SSH, cron, syslog... You use/need them all the time Bad news: they typically run as root Good news: they don't really need root Bad news: it's hard to run them as non-root Good news: they are not arbitrary code
  • 33. System services (high level) Risk: running arbitrary code as root - vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH) Fix: isolate sensitive services - run SSH on bastion host, or in a VM - note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time)
  • 34. System services (high level) Risk: messing with /dev - vector: malicious code Fix: “devices” control group - whitelist/blacklist devices - fine-grained: can allow only read, write, none, or both - fine-grained: can specify major+minor number of device
  • 35. System services (high level) Risk: use of root calls (mount, chmod, iptables...) - vector: malicious code Fix: capabilities - break down “root” into many permissions - e.g. CAP_NET_ADMIN (network configuration) - e.g. CAP_NET_RAW (generate and sniff traffic) - e.g. CAP_SYS_ADMIN (big can of worms )☹ - see capabilities(7)
  • 36. Interlude: CAP_SYS_ADMIN Operations controlled by CAP_SYS_ADMIN...  quotactl, mount, umount, swapon, swapoff  sethostname, setdomainname  IPC_SET, IPC_RMID on arbitrary System V IPC resources  perform operations on trusted and security Extended Attributes  set realtime priority (ioprio_set + IOPRIO_CLASS_RT)  create new namespaces (clone and unshare + CLONE_NEWNS)
  • 37. System services (high level) Risk: messing with /proc, /sys - vector: malicious code Fix: prevent unauthorized access control - Mandatory Access Control (AppArmor, SELinux) - remount read-only, then drop CAP_SYS_ADMIN to prevent remount Fix: wider implementation of namespaces - some parts of procfs/sysfs are “namespace-aware” - some aren't, but can be fixed (by writing kernel code)
  • 38. System services (high level) Risk: leaking with UID 0 - vector: malicious code Fix: user namespaces - already mentioned earlier - UID 0 in the container is mapped to some random UID outside - you break out: you're not root - you manage to issue weird syscalls: they're done as unprivileged UID Caveat: user namespaces are still new. We have to see how they behave with that!
  • 40. System services (low level) Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts... You use/need some of them all the time But you don't need any of them in your containers - physical device management is done by the host - network configuration and filesystems are setup by the host Exceptions: - custom mounts (FUSE) - network appliances
  • 41. System services (low level) Risk: running arbitrary code as root - vector: malformed data or similar Fix: isolate sensitive functions - “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”) - everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context - works well for FUSE, some VPN services
  • 42. System services (low level) Risk: run arbitrary code with full privileges - vector: needs a process running with full privileges (rare!) - vector: malformed data, unchecked input… classic exploit Fix: treat it as “kernel” - we'll see that immediately in the next section
  • 44. Kernel Drivers - they can talk to the hardware, so they can do pretty much anything - except: virtualize the bus and use e.g. driver domains (Xen) Network stacks - this probably has to live into the kernel for good performance - except: DPDK, OpenOnload... (networking stacks in userspace) Security policies - by definition, they control everything else - except: there might be nested security contexts some day
  • 45. Kernel Risk: run arbitrary code with absolute privileges Fix: ?
  • 46. Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
  • 47. Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
  • 48. Kernel Risk: run arbitrary code with absolute privileges Fix: give it its own kernel and (virtual) hardware - i.e. run it in a virtual machine - that VM can run in a container - that VM can hold a container - run a privileged container in Docker in a VM in a container in Docker https://github.com/jpetazzo/docker2docker - inb4 xzibit meme
  • 51. Immutable immutable infrastructure New rule: the whole container is read-only Compromise: if we must write, write to a noexec area Scalability has never been easier (if totally read-only) It's even harder for malicious users to do evil things
  • 52. Recap (in no specific order!)  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs
  • 53. Thank you! Questions?  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs See also: - Docker in Production (1:40pm today) - Office hour (10:40am tomorrow, expo hall Table A) - Docker meet-up at New Relic (tomorrow evening)