Docker security: Rolling out Trust in your container
Rolling out trust in your container
Buzz is catching on, and so is technology
Neatly packs multiple applications on one
Gives you a way to compose clusters, manage them
and play with them at the scale of 100,000
Docker Docker Docker
A very secure system which is not user-friendly will not be
secure for long. (because people will find a way to go around it)
Usable Security is a principle of building security systems
while considering human workflows.
Idea of Usable Security
It's going to be everywhere
Your Desktop, Workstation & Cloud Infrastructure.
Your Production, Development & Testing Cycles.
It is going to be used by everyone
Your team, clients, and partners.
Independent developers and teams who are using your images.
We should definitely think about #docker-security
How safe is Docker isolation?
If a malicious user has Docker daemon access, what
can be done?
Can I use security policies with Docker?
Can I really trust the Docker image I install?
Can I SSH into a Docker container?
Every process must be able to access only the information and
resources that are necessary for its legitimate purpose
- Diogo Mónica, Docker
Linux namespaces (isolated view of system.)
Cgroups (limit and isolate the resource usage.)
Linux Security Modules (AppArmor, SELinux)
User-namespaces: root inside is not root outside
Seccomp: Individual syscall filtering (like chrome sandbox)
Enter Least Privilege
Cgroups, ulimit & User Namespaces
Docker root is not real root. (User Namespaces)
With cgroups, you can control the resource usage of
docker run --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" ...
Root has certain capabilities, but we don’t want our
container to have all those capabilities
Each container can have some of the capabilities of root,
but not all.
Access to raw sockets (prevent opening privileged ports,
Some file system operations (mkdev, chown, chattrs)
Loading kernel modules
man 7 capabilities
Docker by default drops some capabilities
sys_admin, sys_time, sys_nice, ...
docker run --cap-drop=CHOWN ...
docker run --cap-add=MKNOD ...
Seccomp & Syscalls
You can block system calls from seccomp. Quite like sandboxing.
Supports syscall filtering by using BPF
SIGKILL is sent to the process that made a blocked syscall
docker run --lxc-conf=common.seccomp ...
Combine Docker with AppArmor/SELinux/TOMOYO Profiles
These profiles help you in deciding minimal privilege for each
Preventing permission escalation and unauthorized information
disclosure (or worse).
Within the container configuration the related AppArmor profile
can be defined with lxc.aa_profile.
docker run --security-opt label:type:svirt_apache ...
GRSEC and PaX
Use a hardened Linux kernel for host, with kernel patches.
Map user/group ids
lxc.id_map = u 0 1000000 65536
lxc.id_map = g 0 1000000 65536
Couple it with docker run --lxc-conf=
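What the two lxc.id_map lines above mean for "root inside is not root outside", as an added example that is not code from the slides or from Docker/LXC. The function names are assumptions made for illustration; the mapping values are the ones on the slide.

```python
# Added example: translate IDs through lxc.id_map entries (not the project's code).
import re

# The two mapping lines shown on the slide.
SLIDE_CONFIG = """\
lxc.id_map = u 0 1000000 65536
lxc.id_map = g 0 1000000 65536
"""

# Fields: kind (u = uid, g = gid), first ID inside, first ID on the host, count.
LINE_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_id_maps(config):
    """Return {'u': [(container_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, inside, outside, count = m.groups()
            maps[kind].append((int(inside), int(outside), int(count)))
    return maps


def to_host(maps, kind, container_id):
    """Host ID that a container ID runs as, or None if it is unmapped."""
    for inside, outside, count in maps[kind]:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def to_container(maps, kind, host_id):
    """Container ID that a host ID appears as, or None if it is not visible."""
    for inside, outside, count in maps[kind]:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return None


if __name__ == "__main__":
    maps = parse_id_maps(SLIDE_CONFIG)
    for cid in (0, 33, 65535, 65536):
        print(f"container uid {cid:>5} -> host uid {to_host(maps, 'u', cid)}")
    # Host root (uid 0) falls outside the mapped range, so it has no ID inside.
    print("host uid 0 inside the container:", to_container(maps, "u", 0))
```

Container uid 0 lands on an unprivileged host uid, and any host ID outside the mapped range, host root included, has no identity inside the container.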
Can you really trust your images ?
Trusted Cross Platform content distribution
Trusted Client – Server Interaction
Publisher signed content
Publisher Key validates integrity of content
Platform Agnostic to distribute any content
Docker Content Trust
Two keys are generated when publisher first pushes image.
Exists for each new repository that publisher owns
Can be shared with collaborators easily.
Users see this key as official publisher’s key
Important in establishing trust.
Only needed when creating new repository or rotating existing
Once Images are signed, TUF maintains ensures
& Freshness of Content
Notion of Timestamp Key
Needed to ensure freshness guarantees
Generated at remote server.
Docker maintains it for you
Trust Update Framework