This document summarizes a presentation on Docker security and least-privilege microservices from DockerCon US 2015. It discusses the history and principles of least-privilege, how Docker supports fine-grained access controls for containers through features like namespaces, capabilities, and security profiles. It also covers making containers more secure by default and tools like Docker Bench for assessing container security. The conclusion is that Docker allows least-privilege microservices and better tools are still needed to define per-container security profiles.

1. Docker
Security
Thuong
Nguyen
–
Vega
Recap
From
DockerCon
US
2015

2. Least-privilege Microservices
Diogo Mónica
Nathan McCauley
Recap
From
DockerCon
US
2015

3. Agenda
•
•
•
•
•
Why least-privilege
History of least-privilege
Least-privilege with Docker
Ongoing and future work
Conclusions
Recap
From
DockerCon
US
2015

4. “Every process must be able to access only the
information and resources that are necessary for its
legitimate purpose”
Recap
From
DockerCon
US
2015

5. Front-end
Server
Database
Auth Service
Recap
From
DockerCon
US
2015

6. 1990
Internet
All-in-one
Recap
From
DockerCon
US
2015

7. 2000
Internet
DatabasesServicesFront-end
Recap
From
DockerCon
US
2015

8. 2010
Internet
Recap
From
DockerCon
US
2015

9. Recap
From
DockerCon
US
2015

10. Container
One Process
AppA
AppB
AppC
AppD
AppE
AppF
libraries
Docker Engine
Host OS
Server
Recap
From
DockerCon
US
2015

11. Today
Internet
Recap
From
DockerCon
US
2015

12. ‣ A FE server has a very different security profile than a database or a worker host
‣ Imagine that each container only has access exactly to the resources and APIs it
needs. No more, no less.
Front-end Server Back-end Server
‣ Access to a lot of
downstream
services
‣ Most exposed
‣ I/ O intensive
‣ Limited network
access
Worker Host
‣ CPU Intensive
‣ Wide range of workloads
Profiles
Recap
From
DockerCon
US
2015

13. ‣ A container is a process. Let’s find out what syscalls it needs.
Process Monitoring
Recap
From
DockerCon
US
2015

14. ‣ Namespaces provide an isolated view of the system (Network, PID, etc)
‣ Cgroups limit and isolate the resource usage of a collection of processes
‣ Linux Security Modules give us a MAC (AppArmor, SELinux)
Fine-grained controls
Recap
From
DockerCon
US
2015

15. Fine-grained controls
‣ Capabilities divides the privileges of root into distinct units (bind, chown, etc)
‣ Per-container ulimit (since 1.6)
‣ User-namespaces: root inside is not root outside (remapped root for 1.8)
‣ Seccomp: Individual syscall filtering (working on my laptop)
Recap
From
DockerCon
US
2015

16. Safer by default
‣ Less than half the Linux capabilities by
default
‣ Copy-on-write ensures immutability
‣ No device access by default
‣ Default AppArmor and SELinux profiles
for an increasing number of containers
Recap
From
DockerCon
US
2015

17. Safer by default
‣ Smaller footprint
‣ Remove all unneeded
packages
‣ Remove all unneeded users
‣ Remove all suid
binaries
…
Debia
n
Recap
From
DockerCon
US
2015

18. Security Profiles
‣ Producers of containers should be responsible for creating adequate profiles
‣ Profile gets shipped with the container
‣ Aggregates all of the different isolation mechanisms into one single profile
Recap
From
DockerCon
US
2015

19. Securing the Ecosystem
User-
namespaces
Seccomp Provenance
Selinux Kerbero
s
Recap
From
DockerCon
US
2015

20. Intro to Container Security
http://bit.ly/1M4O9XE
Recap
From
DockerCon
US
2015

21. Docker Bench
https://dockerbench.com/
‣ Fully automated
‣ Shipped as a container that tests containers
Recap
From
DockerCon
US
2015

22. Conclusion
‣ Docker is on the path to support least-privilege microservices, since it allows
fine-grained control over what access each container should have.
‣ We will need easier tooling to define per-container security profiles
‣ You can help!
#docker-security on Freenode
Recap
From
DockerCon
US
2015

23. Thank you
diogo@docker.com
nathan.mccauley@docker.com
Recap
From
DockerCon
US
2015