Container Security
Salman A. Baset
@salman_baset, sabaset@us.ibm.com
What is a container?
According to NIST (National Institute of Standards and Technology)
• Virtualization: the simulation of the software and/or hardware upon which other software runs. (800-125)
• System Virtual Machine: A System Virtual Machine (VM) is a software implementation of a complete system platform that supports the execution of a complete operating system and corresponding applications in a cloud. (800-180 draft)
• Operating System Virtualization (aka OS Container): Provide multiple virtualized OSes above a single shared kernel (800-190). E.g., Solaris Zone, FreeBSD Jails, LXC
• Application Virtualization (aka Application Containers): Same shared kernel is exposed to multiple discrete instances (800-180 draft). E.g., Docker (containerd), rkt
“Container” Security
[Figure: “Container” Security = Host Security + Content Security + Orchestrator Security + App Security. Date labels in the figure: 2002 – to-date, 2015 – to-date, 2016 - date.]
Implement defense in depth
Container Runtime Stack on a Single Host
[Figure: two stacks. In one, application containers (App, Bins/libs) run on a container runtime on the host kernel. In the other, application containers (App, Bins/libs) run on a container runtime on a VM kernel on the host kernel.]
1. Is host isolated from application container?
2. Is one application container isolated from another application container?
Shared kernel vs. separate kernel debate…
CVEs inside Linux kernel
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
The previous chart can be misleading…
• Gain privilege exploits in 2017: 36
• Includes CVEs in previous kernel versions
• 1 eCryptfs 3.18 or earlier
• Drivers: 5 Qualcomm drivers, 2 NVIDIA, 1 USB, 1 BROADCOM, 1 GPU, 1 TTY
• KVM: 1 (that is, CVE found in kvm also)
• Not all CVEs are [easily] exploitable, but nevertheless…
[Figure: application containers (App, Bins/libs) on a container runtime on the host kernel, labelled “Focus of this talk”]
Usage Model
[Figure: three hosts, each running application containers (App, Bins/libs) on a container runtime on a host kernel, + Image Registry + Orchestrator]
Multiple apps of same user running on same/different hosts
Multiple apps of distinct users running on same/different hosts
What does host security mean? Informally…
• Isolation from host
  • Can never be root
  • Should not “see” host processes
  • Should not interfere with host operation
• Isolation from other containers
  • Should not “see” other containers
  • Should not impact performance of other containers
Container on Linux
• is just a process
• wrapped in a bunch of “isolation gear”
• to isolate from host and other processes
• the isolation gear was developed independently over time
• docker engine (on a host) + containerd + runC
Namespaces
• Linux kernel namespaces provide the isolation (hence “container”) in which we place one or more processes
• Introduced ~2002 – inspired by Plan B
• Ok, what about devices?
• docker options
  • --userns
  • --pid
  • --uts
[Figure: namespace types: pid, mount, ipc, user, net, uts]
HOST SECURITY
Resource isolation - cgroups
• What is a resource?
  • CPU, memory, disk, network
  • PID, file descriptors
  • Devices
• cgroups v2 support introduced in Kernel 4.5.
• Docker has many options for tuning cpu, mem, disk
  • cpu: 10
  • device: 8
  • memory: 5
  • PID: configure the max number of PID descriptors
  • Device: maximum device bandwidth, in, out
HOST SECURITY
Are namespaces and cgroups enough?
• No
• Linux capabilities:
  • Fine-grained access capabilities besides root/non-root
  • E.g., load a module, mount a file
  • Docker container drops most capabilities by default
  • Default Docker capabilities: chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
• Seccomp
  • Restrict the system calls that a system is allowed to execute
  • Often, security issues found in system calls pertaining to legacy devices
• AppArmor / SELinux
  • Mandatory access control (MAC)
HOST SECURITY
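Added example (not from the original slides): decoding the `CapEff` bitmask a process reports in `/proc/<pid>/status` and comparing it with the default capability list above. The status text samples are constructed; bit numbers follow `linux/capability.h`.

```python
# Capability names indexed by bit number (linux/capability.h, bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# The 14 default capabilities named on the slide.
SLIDE_DEFAULTS = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw",
    "setgid", "setuid", "setfcap", "setpcap", "net_bind_service",
    "sys_chroot", "kill", "audit_write",
}

def cap_eff(status_text):
    """Return the CapEff mask from /proc/<pid>/status text as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def decode(mask):
    """Map every set bit to its capability name (unknown bits stay numeric)."""
    return {
        CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
        for bit in range(mask.bit_length()) if mask >> bit & 1
    }

def audit_caps(status_text):
    """Report capabilities held beyond, or missing from, the slide's defaults."""
    held = decode(cap_eff(status_text))
    return {"extra": sorted(held - SLIDE_DEFAULTS),
            "missing": sorted(SLIDE_DEFAULTS - held)}

# Constructed samples: exactly the 14 default bits, then the same plus bit 21.
DEFAULT_STATUS = "Name:\tnginx\nCapEff:\t00000000a80425fb\n"
WIDE_STATUS = "Name:\tagent\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    print(audit_caps(DEFAULT_STATUS))
    print(audit_caps(WIDE_STATUS))
```

A process running as a non-root user inside the container normally reports `CapEff` as all zeros, so every default shows up under `missing`.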
Is that enough for host security?
• No
• Other host security best practices still apply!
  • Patch management
  • Monitoring
  • Antivirus
  • Malware
  • Logging
  • Privileged user monitoring
HOST SECURITY
Container Images
• Container images are the root of software supply chain
• Container images are supposed to provide an immutable source
  • In reality: secrets needed for running the container are stored outside the container image, and can impact its run-time
  • Different secrets for different run-time environments (stage, prod)
• Container images are often pulled through open source
  • Important to vet the base image, malware, anti-virus
• Container images contain OS distro packages + application packages + application code
  • Ubuntu, Node.js
  • Check vulnerabilities of all content that goes inside the image, including scanning application source code
CONTENT SECURITY
[Figure labels: App, Bins/libs, secrets]
Orchestrator Security
• Containers are often deployed through orchestrators
  • Docker Machine, Kubernetes
  • Sane defaults, TLSv1.2 etc
• Who has access to those APIs is just as important as other aspects
  • determine what volumes, devices are passed inside container
  • who can docker exec into a running container
• Moreover, secrets are typically stored outside container registry and container run-time. Access to these secrets is also important
  • Your Jenkins server may be leaking secrets!
ORCHESTRATOR SECURITY
App Security
• A developer still needs to configure their app securely.
• However, it is still much better to run app in a container than inside a host
APP SECURITY
[Table: ten hardening steps (Step 1 to Step 10), with the effort each one takes on a Host and in a Container. Step names, in the order they appear:
1. Configure partitions
2. Run as non-root, utilizing user and kernel namespaces
3. Configure log, monitoring, audit
4. Configure network, related services, disable IP forwarding
5. Configure patching and anti-virus agents
6. Configure mandatory access control
7. Prevent application from DoSing a host
8. Further deprivilege application through subset of Linux capabilities
9. Further deprivilege application by limiting allowed system calls
10. Configure application security
Cell values are Manual, Manual per app, One time, One time (in Docker) and Out of box (in Docker); the per-step assignment is not recoverable from this text.]
Kernel and Container Security Evolution
• 2015
  • Content Addressability (image spec, phase 1) – Docker 1.6
  • Default ulimits for all containers – Docker 1.6
  • Docker Content Trust – (notary) image provenance/signing – Docker 1.8
• 2016
  • Full migration to content addressability for images/layers – Docker 1.10
  • User namespaces – Docker 1.10
  • Secure computing (libseccomp) – Docker 1.10
  • --pids-limit (cgroups pid limitation) – Docker 1.11 (kernel 4.3 +)
  • cgroups “v2” – (kernel 4.5+)
  • --no-new-privileges (limit process escalation) – Docker 1.11
  • Storage driver quotas (limited) – Docker 1.12
  • Secure by default multi-node orchestration (mutual TLS) – Docker 1.12
• 2017
  • Improved resource isolation features in Linux Kernel and in Docker engine
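Added example (not from the original slides): checking whether running containers actually use the isolation features listed above (`--pid`, `--uts`, `--userns`, `--pids-limit`, `--no-new-privileges`, seccomp, capabilities, cgroup memory limits) by auditing the `HostConfig` section of `docker inspect` output. The sample JSON, the container names and the wording of the findings are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect <container>...` output.
SAMPLE = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false, "PidMode": "",
   "UTSMode": "", "UsernsMode": "", "CapAdd": null, "PidsLimit": 200,
   "Memory": 268435456, "SecurityOpt": ["no-new-privileges"],
   "Binds": null}},
 {"Name": "/agent", "HostConfig": {"Privileged": false, "PidMode": "host",
   "UTSMode": "host", "UsernsMode": "host", "CapAdd": ["SYS_ADMIN"],
   "PidsLimit": null, "Memory": 0, "SecurityOpt": ["seccomp=unconfined"],
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]""")

def findings(container):
    """List the weakened isolation settings of one inspected container."""
    hc = container.get("HostConfig", {})
    opts = hc.get("SecurityOpt") or []
    out = []
    if hc.get("Privileged"):
        out.append("privileged")
    # Namespaces shared with the host instead of isolated.
    for field, flag in (("PidMode", "--pid"), ("UTSMode", "--uts"),
                        ("UsernsMode", "--userns")):
        if hc.get(field) == "host":
            out.append(f"{flag}=host")
    # Capabilities added on top of the default set.
    for cap in hc.get("CapAdd") or []:
        out.append(f"cap-add {cap}")
    # cgroup limits: null, 0 or -1 all mean "unlimited".
    if not (hc.get("PidsLimit") or 0) > 0:
        out.append("no --pids-limit")
    if not hc.get("Memory"):
        out.append("no memory limit")
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in opts):
        out.append("no --no-new-privileges")
    if any(o.replace(":", "=") == "seccomp=unconfined" for o in opts):
        out.append("seccomp unconfined")
    # A mounted Docker socket hands the container the engine API.
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            out.append("docker.sock mounted")
    return out

def audit_hostconfig(containers):
    return {c["Name"].lstrip("/"): findings(c) for c in containers}

if __name__ == "__main__":
    for name, issues in audit_hostconfig(SAMPLE).items():
        print(name, issues or "ok")
```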
What's Next in Container Security?
• Host Security
  • Linux Kit
  • Lightweight virtualization (Katacontainers (formerly Intel Clear Containers))
  • Unikernels (MirageOS)
• Content Security
  • Distribution Specific Project (OCI)
  • Project Grafeas
Linux Kit
• Secure, portable OSes for Linux containers
• Support Kubernetes, AWS, GCP, Azure etc
• https://github.com/linuxkit/linuxkit
Katacontainers
• Based on Intel Clear Containers
• Perform like containers but provide the workload isolation and
security advantages of VMs
• OCI compliant
• https://github.com/kata-containers/
MirageOS
• Library operating system for unikernels
• MirageOS 3.0 released in Feb 2017
• https://mirage.io/
Distribution Specific Project
• Image and run-time formats through OCI
• Image distribution is now de facto Docker Image Registry API
• https://www.opencontainers.org/announcement/2018/04/09/oci-announces-dist-spec-project
Project Grafeas
• Standardize container vulnerability format
• Standardize attestations
• https://grafeas.io/
Conclusion
• Container security has significantly evolved from early days of Docker
• Secure-by-default in all major platforms
• For users, security focus is on securing software supply chain
• New features promise standardization, light-weight, VM isolation
