SlideShare a Scribd company logo

Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat

Download as ODP, PDF
Docker, Inc.
Docker, Inc.

You can secure your containerized microservices without slowing down development. Through a combination of Linux kernel features and open source tools, you can isolate the host from the container and the containers from each other, as well as finding vulnerabilities and securing data. Two of Red Hat's Docker contributors will discuss the state of container security today, covering Linux namespaces, SElinux, cgroups, capabilities, scan, seccomp, and other tools you can use right now.

1 of 74
Practical Container Security Mrunal Patel Principal Software Engineer Thomas Cameron Cloud Strategy Evangelist
AGENDA
3 AGENDA Containers and Security INTRODUCTION Who are we, and why should you care? What makes up container security? RED HAT AND CONTAINERS A brief history KERNEL NAMESPACES What are they? WHAT ARE CONTAINERS? How do they work? WHAT ARE CONTAINERS NOT? Mythbusting CONTAINER SECURITY
4 AGENDA Containers and Security CONTROL GROUPS What are they? THE DOCKER DAEMON How it works and the security it provides LINUX KERNEL CAPABILITIES libcap and how Docker deals with it SELINUX What it is, what it does, and why it matters TIPS AND TRICKS What do do, and what not to do. THE DOCKER DAEMON CONCLUSIONS Go forth and contain!
INTRODUCTION
6 INTRODUCTION Who am I, and why should you care? My name is Thomas Cameron, and I'm the global solutions architect leader at Red Hat. ● In IT since 1993 ● I was a police officer before that, educational background is in law enforcement & security ● At Red Hat since 2005 ● Red Hat Certified Architect, Red Hat Certified Security Specialist, and other certs ● In the past, I was an MCSE, a MCT, and a CNE ● Spent a lot of time focusing on security in organizations like banks, manufacturing companies, e-commerce, etc. ● I do NOT know everything. But I have some pretty impressive scars.
RED HAT AND CONTAINERS
8 RED HAT AND CONTAINERS A brief history Red Hat has been working on container technologies since before 2010 ● Makara acquisition 2010 – PaaS ● Rebranded as OpenShift ● “Cartridges” using SELinux, cgroups, kernel namespaces ● Docker came to prominence in 2013(-ish) ● Docker gained community adoption and we started participating in 2013. Meritocracy rules! ● Red Hat is a top contributor to Docker (#2 behind Docker at last check)
9 RED HAT AND CONTAINERS A brief history Industry adoption of Docker is incredible ● Docker has been through multiple successful venture capital rounds ● Apcera, Cisco, EMC, Fujitsu Limited, Goldman Sachs, HP, Huawei, IBM, Intel, Joyent, Mesosphere, Pivotal, Rancher Labs, Red Hat and VMware are all on board with container standardization with Docker.
10 RED HAT AND CONTAINERS A brief history Industry adoption of Docker is incredible ● Even Microsoft announced that they will support Docker containers!
11
WHAT ARE CONTAINERS?
13 WHAT ARE CONTAINERS? How do they work? Containerization, specifically Docker, is a technology which allows applications (web, database, app server, etc.) to be run abstracted from, and in some isolation from, the underlying operating system. The docker service can launch containers regardless of the underlying Linux distro. Containers can enable incredible application density, since you don't have the overhead of a full OS image for each app. Linux control groups also enable maximum utilization of the system. The same container can run on different versions of Linux ● Ubuntu containers on Fedora ● CentOS containers on RHEL
14 WHAT ARE CONTAINERS? How do they work? OK, maybe not... Containers make it really easy for application developers to build and deploy apps.
WHAT ARE CONTAINERS NOT?
16 WHAT ARE CONTAINERS NOT? Mythbusting Containers are not a panacea. They are not “the cure to all that ails you!”
17 WHAT ARE CONTAINERS NOT? Mythbusting Containers are not a fit for every application.
18 WHAT ARE CONTAINERS NOT? Mythbusting They are not virtualization. You can run containers on an OS on bare metal.
CONTAINER SECURITY
20 CONTAINER SECURITY What makes up container security? Containers use several mechanisms for security: ● Linux kernel namespaces ● Linux Control Groups (cgroups) ● The Docker daemon ● Linux capabilities (libcap) ● Linux security mechanisms like AppArmor or SELinux
KERNEL NAMESPACES
22 LINUX KERNEL NAMESPACES What are they? Namespaces are just a way to make a global resource appear to be unique and isolated. The namespaces that the Linux kernel can manage are: ● Mount namespaces ● PID namespaces ● UTS namespaces ● IPC namespaces ● Network namespaces ● User namespaces
MOUNT NAMESPACES
24 LINUX KERNEL NAMESPACES What are they? Mount namespaces allow a container to “think” that a directory which is actually mounted from the host OS is exclusively the container's. When you start a container with the -v [host-path]:[container-path]:[rw|ro] argument, you can mount a directory from the host in the container. The container “sees” the directory in its own mount namespace, not knowing that it is actually on the host. So multiple containers could, for instance use the host's /var/www/html directory without having to copy content to all the containers.
25
PID NAMESPACES
27 LINUX KERNEL NAMESPACES What are they? PID namespaces let the container think it's a new instance of the OS. When you start a container on a host, it will get a new process ID. PID namespaces enable the container to “see” the PIDs inside the container as unique, as if the container were its own instance of an OS. In the following example, I launch a Fedora container running bash, and run “ps ax” The container only “sees” its own PID namespace, so the bash process exists within the container as PID 1. On the host, however, the docker process is PID 18557:
28
29
USER NAMESPACES
31 LINUX KERNEL NAMESPACES What are they? When you start a container, assuming you've added your user to the docker group, you start it as your user account. In the following example, I start the container as tcameron. Once the container is started, my user inside the container is root. This is an example of user namespaces.
32
NETWORK NAMESPACES
34 LINUX KERNEL NAMESPACES What are they? Network namespaces allow a container to have its own IP address, independent of that of the host. These addresses are not available from outside of the host, this is private networking similar to that of virtualization. The Docker service sets up an iptables masquerading rule so that the container can get to the rest of the Internet. In the following query, I find that my Fedora instance has the address 172.17.0.7, even though the host doesn't have an address associated with the ethernet interface:
35
IPC NAMESPACES
37 LINUX KERNEL NAMESPACES What are they? IPC namespaces do the same thing with interprocess communications. My container has no IPCs mapped, but my host has many:
38
39
UTS NAMESPACES
41 LINUX KERNEL NAMESPACES What are they? UTS (UNIX Timesharing System) namespaces let the container “think” it's a separate OS, with its own hostname and domain name:
42
43
CONTROL GROUPS
45 CONTROL GROUPS What are they? From the documentation at https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt: “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.” This allows us to put various system resources into a group, and apply limits to it, like how much disk IO, CPU use, memory use, network use, namespaces, and so on. In the case of containers, the resources are those assigned to that container.
46 CONTROL GROUPS What are they? This ensures that, even if a container is compromised (or just spins out of control), there are limits in place which minimizes the risk of that misbehaved container impacting the host or other containers.
47 CONTROL GROUPS What are they? Note that when I run the command systemctl status docker.service, I get the control group and slice information:
48
49 CONTROL GROUPS What are they? You can navigate the /sys/fs/cgroup/ pseudo-directory to see what resources are allocated to your containers. There are over 8500 entries in this directory on my system, so it is not practical to talk about the details of individual cgroups, but you can get information about memory, cpu, block I/O, network I/O, and so on here.
50
THE DOCKER DAEMON
52 THE DOCKER DAEMON How it works and the security it provides The docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on so that docker images can be run and secured. Because of the need to manage kernel functions, Docker runs with root privileges. Be aware of this!
53 THE DOCKER DAEMON How it works and the security it provides There are some considerations for running Docker: ● Only allow trusted users to run docker. The Docker documentation recommends that you add users to the docker group so they can run docker commands. With this flexibility comes risk. Make sure you only delegate this ability to trusted users. Remember that they can mount the host filesystem in their container with root privileges! ● If you are using the REST API to manage your host(s), make sure you do not have vulnerabilities exposed. Ensure you have strong authentication. ● Use SSL if you are going to expose the REST API over http. Don't expose it except to secured networks or VPN.
LINUX KERNEL CAPABILITIES (libcap)
55 LINUX KERNEL CAPABILITIES libcap and how Docker deals with it The root user historically had the ability to do anything, once authenticated. Linux capabilities is a set of fine grained controls which allow services or even users with root equivalence to be limited in their scope. It also allows non-root users to be granted extra privileges. A regular user, for instance, could be granted the net_bind_service capability and they could bind a service to a privileged port (below 1024).
56 LINUX KERNEL CAPABILITIES libcap and how Docker deals with it In containers, many of the capabilities to manage network and other services are not actually needed. SSH services, cron, services, filesystem mounts and unmounts are not needed, network management is not needed, etc. By default, Docker disallows many root capabilities, including the ability to modify logs, change networking, modify kernel memory, and the catch-all CAP_SYS_ADMIN.
57
SELINUX
59 SELINUX What it is, what it does, and why it matters Security Enhanced Linux (SELinux) is a mandatory access control system. Processes, files, memory, network interfaces, and so on are labeled, and there is a policy which is administratively set and fixed. That policy will determine how processes can interact with files, each other, network ports, and the like.
60 SELINUX What it is, what it does, and why it matters SELinux is primarily concerned with labeling and type enforcement. For a mythical service “foo,” the executable file on disk might have the label foo_exec_t. The startup scripts for foo might have the label foo_config_t. The log files for foo might have the label foo_log_t. The data for foo might have the label foo_data_t. When foo is running, the process in memory might have the label foo_t. Type enforcement is the rule set that says that when a process running in the foo_t context tries to access a file on the filesystem with the label foo_config_t or foo_data_t, that access is allowed. When the process with the label foo_t tries to write to a log file with the foo_log_t, that would be allowed, as well. Any other access, unless explicitly allowed by policy, is denied.
61 SELINUX What it is, what it does, and why it matters If the foo process, running in the foo_t context tries to access, for instance, the directory /home/tcameron, with the label user_home_dir_t, even if the permissions are wide open, the policy will stop that access. SELinux labels are stored as extended attributes on the filesystem, or in memory.
62 SELINUX What it is, what it does, and why it matters SELinux labels are stored in the format: ● selinux_user:selinux_role:selinux_type:mls:mcs So for the mythical “foo” service, the full syntax for the label of the running process might be: ● user_u:object_r:foo_t:s0:c0
63 SELINUX What it is, what it does, and why it matters The default policy for SELinux is “targeted.” In the targeted policy, we don't use the SELinux user or role, so we'll ignore them for today. We will also ignore the MLS (multilevel security) label, since that is only used in the MLS policy (think top secret vs. secret in the military). We really only care about the type (remember, type enforcement) and the MCS label. Think of MCS labels as extra identifiers. In SELinux for containers, we can be very granular about which processes can access which other processes. These are different labels: ● user_u:object_r:foo_t:s0:c0 ● user_u:object_r:foo_t:s0:c1
64 SELINUX What it is, what it does, and why it matters Type enforcement says that a process with the first label is different from the process with the second. So policy would prevent them from interacting. Also, there is no policy allowing a process running with those labels to access the filesystem unless it is labeled with foo_config_t or foo_content_t or another defined label. Neither of those processes would be able to access /etc/shadow, which has the label shadow_t.
65 SELINUX What it is, what it does, and why it matters On a standalone system running Docker, all of the containers run in the same context by default. In Red Hat's PaaS offering, OpenShift, this is not the case. Each Openshift container runs in its own context, with labels like: ● staff_u:system_r:openshift_t:s0:c0,c1 ● staff_u:system_r:openshift_t:s0:c2,c3 ● staff_u:system_r:openshift_t:s0:c4,c5 So, even if someone were to gain access to the docker container process on the host, SELinux would prevent them from being able to access other containers, or the host.
66 SELINUX What it is, what it does, and why it matters In the following example, I emulate an exploit where someone takes over a container. I use runcon (run in the context) to set my context to that of an Openshift container. I attempt to access /etc/shadow (shadow_t label). I try to write to the filesystem. I try to read the contents of a user's home directory.
67
TIPS AND TRICKS
69 TIPS AND TRICKS What to do, and what not to do Containers are, at the end of the day, just processes running on the host. Use common sense.
70 TIPS AND TRICKS What to do, and what not to do Do: ● Have a process in place to update your containers. Follow it. ● Run services in the containers with the lowest privilege possible. Drop root privileges as soon as you can. ● Mount filesystems from the host read-only wherever possible. ● Treat root inside the container just like you would on the host. ● Watch your logs.
71 TIPS AND TRICKS What to do, and what not to do Don't: ● Download any old container you find on the 'net. ● Run SSH inside the container. ● Run with root privileges. ● Disable SELinux. ● Roll your own containers once, and never maintain them. ● Run production containers on unsupported platforms.
CONCLUSION
73 CONCLUSION Go forth and contain! Containers are incredibly cool. They make application deployment really, really easy. They leverage some incredible capabilities within the Linux kernel. By design, they are relatively secure, but there are some gotchas. As with every other piece of software out there, docker tech requires some feeding and maintenance. Well maintained, containers can make your business more agile, less complex, and safe.
Thank you!

Recommended

Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Docker, Inc.
 
DockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring DockerDockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring Docker
Docker, Inc.
 
Experiences with AWS immutable deploys and job processing
Experiences with AWS immutable deploys and job processingExperiences with AWS immutable deploys and job processing
Experiences with AWS immutable deploys and job processing
Docker, Inc.
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
Docker, Inc.
 
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Docker, Inc.
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Docker, Inc.
 
Docker Datacenter Overview and Production Setup Slides
Docker Datacenter Overview and Production Setup SlidesDocker Datacenter Overview and Production Setup Slides
Docker Datacenter Overview and Production Setup Slides
Docker, Inc.
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General Session
Docker, Inc.
 

Recommended

Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Docker, Inc.
 
DockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring DockerDockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring Docker
Docker, Inc.
 
Experiences with AWS immutable deploys and job processing
Experiences with AWS immutable deploys and job processingExperiences with AWS immutable deploys and job processing
Experiences with AWS immutable deploys and job processing
Docker, Inc.
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
Docker, Inc.
 
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Microservices + Events + Docker = A Perfect Trio by Docker Captain Chris Rich...
Docker, Inc.
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Docker, Inc.
 
Docker Datacenter Overview and Production Setup Slides
Docker Datacenter Overview and Production Setup SlidesDocker Datacenter Overview and Production Setup Slides
Docker Datacenter Overview and Production Setup Slides
Docker, Inc.
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General Session
Docker, Inc.
 
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker, Inc.
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
Docker, Inc.
 
Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022
Hussain Mansoor
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott Coulton
Docker, Inc.
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life Observations
Docker, Inc.
 
Securing your Containers
Securing your ContainersSecuring your Containers
Securing your Containers
Riyaz Faizullabhoy
 
Docker on Docker
Docker on DockerDocker on Docker
Docker on Docker
Docker, Inc.
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
Docker, Inc.
 
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrogDocker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker, Inc.
 
Docker Datacenter - CaaS
Docker Datacenter - CaaSDocker Datacenter - CaaS
Docker Datacenter - CaaS
Harish Jayakumar
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&A
Docker, Inc.
 
DockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTR
Docker, Inc.
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
Docker, Inc.
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1
Docker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
Docker, Inc.
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and Architecture
Docker, Inc.
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016
Docker
 
PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
Avineshwar Singh
 
History of the republic of India
History of the republic of IndiaHistory of the republic of India
History of the republic of India
RoyB
 

More Related Content

What's hot

Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker, Inc.
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
Docker, Inc.
 
Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022
Hussain Mansoor
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott Coulton
Docker, Inc.
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life Observations
Docker, Inc.
 
Securing your Containers
Securing your ContainersSecuring your Containers
Securing your Containers
Riyaz Faizullabhoy
 
Docker on Docker
Docker on DockerDocker on Docker
Docker on Docker
Docker, Inc.
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
Docker, Inc.
 
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrogDocker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker, Inc.
 
Docker Datacenter - CaaS
Docker Datacenter - CaaSDocker Datacenter - CaaS
Docker Datacenter - CaaS
Harish Jayakumar
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&A
Docker, Inc.
 
DockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTR
Docker, Inc.
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
Docker, Inc.
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1
Docker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
Docker, Inc.
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and Architecture
Docker, Inc.
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016
Docker
 

What's hot (20)

Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
Docker Practice in Alibaba Cloud by Li Yi (Mark) & Zuhe Li (Sogo)
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
 
Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022Intro to docker - innovation demo 2022
Intro to docker - innovation demo 2022
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott Coulton
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life Observations
 
Securing your Containers
Securing your ContainersSecuring your Containers
Securing your Containers
 
Docker on Docker
Docker on DockerDocker on Docker
Docker on Docker
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
 
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrogDocker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
Docker Container Lifecycles, Problem or Opportunity? by Baruch Sadogursky, JFrog
 
Docker Datacenter - CaaS
Docker Datacenter - CaaSDocker Datacenter - CaaS
Docker Datacenter - CaaS
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&A
 
DockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTRDockerCon SF 2015: DHE/DTR
DockerCon SF 2015: DHE/DTR
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
 
Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and Architecture
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016
 

Viewers also liked

PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
Avineshwar Singh
 
History of the republic of India
History of the republic of IndiaHistory of the republic of India
History of the republic of India
RoyB
 
Fundamental Duties 5.1
Fundamental Duties 5.1Fundamental Duties 5.1
Fundamental Duties 5.1
Sri Teja
 
Polity dpsp 4.3
Polity dpsp 4.3Polity dpsp 4.3
Polity dpsp 4.3
Abhishek Kunwar
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
Polity dpsp 4.2
Polity dpsp 4.2Polity dpsp 4.2
Polity dpsp 4.2
Abhishek Kunwar
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
Docker, Inc.
 
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
Docker, Inc.
 
DockerCon SF 2015: Cultural Change using Docker
DockerCon SF 2015: Cultural Change using Docker DockerCon SF 2015: Cultural Change using Docker
DockerCon SF 2015: Cultural Change using Docker
Docker, Inc.
 
OpenStack Boston
OpenStack BostonOpenStack Boston
OpenStack Boston
Docker, Inc.
 
How to Use Your Own Private Registry
How to Use Your Own Private RegistryHow to Use Your Own Private Registry
How to Use Your Own Private Registry
Docker, Inc.
 
DockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
DockerCon EU 2015: Monitoring and Managing Dynamic Docker EnvironmentsDockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
DockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
Docker, Inc.
 
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar TogetherDockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
Docker, Inc.
 
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
Docker, Inc.
 
Trust and Image Provenance by Derek McGowan
Trust and Image Provenance by Derek McGowanTrust and Image Provenance by Derek McGowan
Trust and Image Provenance by Derek McGowan
Docker, Inc.
 
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
Docker, Inc.
 
DockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital worldDockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital world
Docker, Inc.
 
DockerCon14 Contributing to Docker by Tianon
DockerCon14 Contributing to Docker by TianonDockerCon14 Contributing to Docker by Tianon
DockerCon14 Contributing to Docker by Tianon
Docker, Inc.
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm Updated
Docker, Inc.
 
Dockerfile Basics Workshop #1
Dockerfile Basics Workshop #1Dockerfile Basics Workshop #1
Dockerfile Basics Workshop #1
Docker, Inc.
 

Viewers also liked (20)

PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
 
History of the republic of India
History of the republic of IndiaHistory of the republic of India
History of the republic of India
 
Fundamental Duties 5.1
Fundamental Duties 5.1Fundamental Duties 5.1
Fundamental Duties 5.1
 
Polity dpsp 4.3
Polity dpsp 4.3Polity dpsp 4.3
Polity dpsp 4.3
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Polity dpsp 4.2
Polity dpsp 4.2Polity dpsp 4.2
Polity dpsp 4.2
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
 
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
DockerCon EU 2015: It's in the game: the path to micro-services at Electronic...
 
DockerCon SF 2015: Cultural Change using Docker
DockerCon SF 2015: Cultural Change using Docker DockerCon SF 2015: Cultural Change using Docker
DockerCon SF 2015: Cultural Change using Docker
 
OpenStack Boston
OpenStack BostonOpenStack Boston
OpenStack Boston
 
How to Use Your Own Private Registry
How to Use Your Own Private RegistryHow to Use Your Own Private Registry
How to Use Your Own Private Registry
 
DockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
DockerCon EU 2015: Monitoring and Managing Dynamic Docker EnvironmentsDockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
DockerCon EU 2015: Monitoring and Managing Dynamic Docker Environments
 
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar TogetherDockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
DockerCon SF 2015: Panel Discussion Birds of a Different Feather Soar Together
 
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
Autoscaling Docker Containers by Konstantinos Faliagkas, Docker Birthday #3 A...
 
Trust and Image Provenance by Derek McGowan
Trust and Image Provenance by Derek McGowanTrust and Image Provenance by Derek McGowan
Trust and Image Provenance by Derek McGowan
 
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
Everything You Need to Know About Docker and Storage by Ryan Wallner, ClusterHQ
 
DockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital worldDockerCon SF 2015: Education for a digital world
DockerCon SF 2015: Education for a digital world
 
DockerCon14 Contributing to Docker by Tianon
DockerCon14 Contributing to Docker by TianonDockerCon14 Contributing to Docker by Tianon
DockerCon14 Contributing to Docker by Tianon
 
Dockercon Swarm Updated
Dockercon Swarm UpdatedDockercon Swarm Updated
Dockercon Swarm Updated
 
Dockerfile Basics Workshop #1
Dockerfile Basics Workshop #1Dockerfile Basics Workshop #1
Dockerfile Basics Workshop #1
 

Similar to Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat

Containers & Security
Containers & SecurityContainers & Security
Containers & Security
All Things Open
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
Stephane Woillez
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
Marco Ferrigno
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Docker
DockerDocker
Docker
Neeraj Wadhwa
 
Docker_Interview_Questions__Answers.pdf
Docker_Interview_Questions__Answers.pdfDocker_Interview_Questions__Answers.pdf
Docker_Interview_Questions__Answers.pdf
RifqiMultazamOfficia
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.
Henryk Konsek
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
Walid Ashraf
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
Docker training
Docker trainingDocker training
Docker training
Kiran Kumar
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
Reviwe(docker)
Reviwe(docker)Reviwe(docker)
Reviwe(docker)
Mohammadreza Amini
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with Docker
Andrey Hristov
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with Docker
Andrey Hristov
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
Patrick Chanezon
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
WSO2
 

Similar to Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat (20)

Containers & Security
Containers & SecurityContainers & Security
Containers & Security
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Docker
DockerDocker
Docker
 
Docker_Interview_Questions__Answers.pdf
Docker_Interview_Questions__Answers.pdfDocker_Interview_Questions__Answers.pdf
Docker_Interview_Questions__Answers.pdf
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
Docker training
Docker trainingDocker training
Docker training
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
 
Reviwe(docker)
Reviwe(docker)Reviwe(docker)
Reviwe(docker)
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with Docker
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with Docker
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 

More from Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
Docker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
Docker, Inc.
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
Docker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
Docker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
Docker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
Docker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
Docker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
Docker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
Docker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
Docker, Inc.
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
Docker, Inc.
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
Docker, Inc.
 

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

Recently uploaded

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat

  • 1. Practical Container Security Mrunal Patel Principal Software Engineer Thomas Cameron Cloud Strategy Evangelist
  • 3. 3 AGENDA Containers and Security INTRODUCTION Who are we, and why should you care? What makes up container security? RED HAT AND CONTAINERS A brief history KERNEL NAMESPACES What are they? WHAT ARE CONTAINERS? How do they work? WHAT ARE CONTAINERS NOT? Mythbusting CONTAINER SECURITY
  • 4. 4 AGENDA Containers and Security CONTROL GROUPS What are they? THE DOCKER DAEMON How it works and the security it provides LINUX KERNEL CAPABILITIES libcap and how Docker deals with it SELINUX What it is, what it does, and why it matters TIPS AND TRICKS What do do, and what not to do. THE DOCKER DAEMON CONCLUSIONS Go forth and contain!
  • 6. 6 INTRODUCTION Who am I, and why should you care? My name is Thomas Cameron, and I'm the global solutions architect leader at Red Hat. ● In IT since 1993 ● I was a police officer before that, educational background is in law enforcement & security ● At Red Hat since 2005 ● Red Hat Certified Architect, Red Hat Certified Security Specialist, and other certs ● In the past, I was an MCSE, a MCT, and a CNE ● Spent a lot of time focusing on security in organizations like banks, manufacturing companies, e-commerce, etc. ● I do NOT know everything. But I have some pretty impressive scars.
  • 7. RED HAT AND CONTAINERS
  • 8. 8 RED HAT AND CONTAINERS A brief history Red Hat has been working on container technologies since before 2010 ● Makara acquisition 2010 – PaaS ● Rebranded as OpenShift ● “Cartridges” using SELinux, cgroups, kernel namespaces ● Docker came to prominence in 2013(-ish) ● Docker gained community adoption and we started participating in 2013. Meritocracy rules! ● Red Hat is a top contributor to Docker (#2 behind Docker at last check)
  • 9. 9 RED HAT AND CONTAINERS A brief history Industry adoption of Docker is incredible ● Docker has been through multiple successful venture capital rounds ● Apcera, Cisco, EMC, Fujitsu Limited, Goldman Sachs, HP, Huawei, IBM, Intel, Joyent, Mesosphere, Pivotal, Rancher Labs, Red Hat and VMware are all on board with container standardization with Docker.
  • 10. 10 RED HAT AND CONTAINERS A brief history Industry adoption of Docker is incredible ● Even Microsoft announced that they will support Docker containers!
  • 11. 11
  • 13. 13 WHAT ARE CONTAINERS? How do they work? Containerization, specifically Docker, is a technology which allows applications (web, database, app server, etc.) to be run abstracted from, and in some isolation from, the underlying operating system. The docker service can launch containers regardless of the underlying Linux distro. Containers can enable incredible application density, since you don't have the overhead of a full OS image for each app. Linux control groups also enable maximum utilization of the system. The same container can run on different versions of Linux ● Ubuntu containers on Fedora ● CentOS containers on RHEL
  • 14. 14 WHAT ARE CONTAINERS? How do they work? OK, maybe not... Containers make it really easy for application developers to build and deploy apps.
  • 16. 16 WHAT ARE CONTAINERS NOT? Mythbusting Containers are not a panacea. They are not “the cure to all that ails you!”
  • 17. 17 WHAT ARE CONTAINERS NOT? Mythbusting Containers are not a fit for every application.
  • 18. 18 WHAT ARE CONTAINERS NOT? Mythbusting They are not virtualization. You can run containers on an OS on bare metal.
  • 20. 20 CONTAINER SECURITY What makes up container security? Containers use several mechanisms for security: ● Linux kernel namespaces ● Linux Control Groups (cgroups) ● The Docker daemon ● Linux capabilities (libcap) ● Linux security mechanisms like AppArmor or SELinux
  • 22. 22 LINUX KERNEL NAMESPACES What are they? Namespaces are just a way to make a global resource appear to be unique and isolated. The namespaces that the Linux kernel can manage are: ● Mount namespaces ● PID namespaces ● UTS namespaces ● IPC namespaces ● Network namespaces ● User namespaces
  • 24. 24 LINUX KERNEL NAMESPACES What are they? Mount namespaces allow a container to “think” that a directory which is actually mounted from the host OS is exclusively the container's. When you start a container with the -v [host-path]:[container-path]:[rw|ro] argument, you can mount a directory from the host in the container. The container “sees” the directory in its own mount namespace, not knowing that it is actually on the host. So multiple containers could, for instance use the host's /var/www/html directory without having to copy content to all the containers.
  • 25. 25
  • 27. 27 LINUX KERNEL NAMESPACES What are they? PID namespaces let the container think it's a new instance of the OS. When you start a container on a host, it will get a new process ID. PID namespaces enable the container to “see” the PIDs inside the container as unique, as if the container were its own instance of an OS. In the following example, I launch a Fedora container running bash, and run “ps ax” The container only “sees” its own PID namespace, so the bash process exists within the container as PID 1. On the host, however, the docker process is PID 18557:
  • 28. 28
  • 29. 29
  • 31. 31 LINUX KERNEL NAMESPACES What are they? When you start a container, assuming you've added your user to the docker group, you start it as your user account. In the following example, I start the container as tcameron. Once the container is started, my user inside the container is root. This is an example of user namespaces.
  • 32. 32
  • 34. 34 LINUX KERNEL NAMESPACES What are they? Network namespaces allow a container to have its own IP address, independent of that of the host. These addresses are not available from outside of the host, this is private networking similar to that of virtualization. The Docker service sets up an iptables masquerading rule so that the container can get to the rest of the Internet. In the following query, I find that my Fedora instance has the address 172.17.0.7, even though the host doesn't have an address associated with the ethernet interface:
  • 35. 35
  • 37. 37 LINUX KERNEL NAMESPACES What are they? IPC namespaces do the same thing with interprocess communications. My container has no IPCs mapped, but my host has many:
  • 38. 38
  • 39. 39
  • 41. 41 LINUX KERNEL NAMESPACES What are they? UTS (UNIX Timesharing System) namespaces let the container “think” it's a separate OS, with its own hostname and domain name:
  • 42. 42
  • 43. 43
  • 45. 45 CONTROL GROUPS What are they? From the documentation at https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt: “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.” This allows us to put various system resources into a group, and apply limits to it, like how much disk IO, CPU use, memory use, network use, namespaces, and so on. In the case of containers, the resources are those assigned to that container.
  • 46. 46 CONTROL GROUPS What are they? This ensures that, even if a container is compromised (or just spins out of control), there are limits in place which minimizes the risk of that misbehaved container impacting the host or other containers.
  • 47. 47 CONTROL GROUPS What are they? Note that when I run the command systemctl status docker.service, I get the control group and slice information:
  • 48. 48
  • 49. 49 CONTROL GROUPS What are they? You can navigate the /sys/fs/cgroup/ pseudo-directory to see what resources are allocated to your containers. There are over 8500 entries in this directory on my system, so it is not practical to talk about the details of individual cgroups, but you can get information about memory, cpu, block I/O, network I/O, and so on here.
  • 50. 50
  • 52. 52 THE DOCKER DAEMON How it works and the security it provides The docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on so that docker images can be run and secured. Because of the need to manage kernel functions, Docker runs with root privileges. Be aware of this!
  • 53. 53 THE DOCKER DAEMON How it works and the security it provides There are some considerations for running Docker: ● Only allow trusted users to run docker. The Docker documentation recommends that you add users to the docker group so they can run docker commands. With this flexibility comes risk. Make sure you only delegate this ability to trusted users. Remember that they can mount the host filesystem in their container with root privileges! ● If you are using the REST API to manage your host(s), make sure you do not have vulnerabilities exposed. Ensure you have strong authentication. ● Use SSL if you are going to expose the REST API over http. Don't expose it except to secured networks or VPN.
  • 55. 55 LINUX KERNEL CAPABILITIES libcap and how Docker deals with it The root user historically had the ability to do anything, once authenticated. Linux capabilities is a set of fine grained controls which allow services or even users with root equivalence to be limited in their scope. It also allows non-root users to be granted extra privileges. A regular user, for instance, could be granted the net_bind_service capability and they could bind a service to a privileged port (below 1024).
  • 56. 56 LINUX KERNEL CAPABILITIES libcap and how Docker deals with it In containers, many of the capabilities to manage network and other services are not actually needed. SSH services, cron, services, filesystem mounts and unmounts are not needed, network management is not needed, etc. By default, Docker disallows many root capabilities, including the ability to modify logs, change networking, modify kernel memory, and the catch-all CAP_SYS_ADMIN.
  • 57. 57
  • 59. 59 SELINUX What it is, what it does, and why it matters Security Enhanced Linux (SELinux) is a mandatory access control system. Processes, files, memory, network interfaces, and so on are labeled, and there is a policy which is administratively set and fixed. That policy will determine how processes can interact with files, each other, network ports, and the like.
  • 60. 60 SELINUX What it is, what it does, and why it matters SELinux is primarily concerned with labeling and type enforcement. For a mythical service “foo,” the executable file on disk might have the label foo_exec_t. The startup scripts for foo might have the label foo_config_t. The log files for foo might have the label foo_log_t. The data for foo might have the label foo_data_t. When foo is running, the process in memory might have the label foo_t. Type enforcement is the rule set that says that when a process running in the foo_t context tries to access a file on the filesystem with the label foo_config_t or foo_data_t, that access is allowed. When the process with the label foo_t tries to write to a log file with the foo_log_t, that would be allowed, as well. Any other access, unless explicitly allowed by policy, is denied.
  • 61. 61 SELINUX What it is, what it does, and why it matters If the foo process, running in the foo_t context tries to access, for instance, the directory /home/tcameron, with the label user_home_dir_t, even if the permissions are wide open, the policy will stop that access. SELinux labels are stored as extended attributes on the filesystem, or in memory.
  • 62. 62 SELINUX What it is, what it does, and why it matters SELinux labels are stored in the format: ● selinux_user:selinux_role:selinux_type:mls:mcs So for the mythical “foo” service, the full syntax for the label of the running process might be: ● user_u:object_r:foo_t:s0:c0
  • 63. 63 SELINUX What it is, what it does, and why it matters The default policy for SELinux is “targeted.” In the targeted policy, we don't use the SELinux user or role, so we'll ignore them for today. We will also ignore the MLS (multilevel security) label, since that is only used in the MLS policy (think top secret vs. secret in the military). We really only care about the type (remember, type enforcement) and the MCS label. Think of MCS labels as extra identifiers. In SELinux for containers, we can be very granular about which processes can access which other processes. These are different labels: ● user_u:object_r:foo_t:s0:c0 ● user_u:object_r:foo_t:s0:c1
  • 64. 64 SELINUX What it is, what it does, and why it matters Type enforcement says that a process with the first label is different from the process with the second. So policy would prevent them from interacting. Also, there is no policy allowing a process running with those labels to access the filesystem unless it is labeled with foo_config_t or foo_content_t or another defined label. Neither of those processes would be able to access /etc/shadow, which has the label shadow_t.
  • 65. 65 SELINUX What it is, what it does, and why it matters On a standalone system running Docker, all of the containers run in the same context by default. In Red Hat's PaaS offering, OpenShift, this is not the case. Each Openshift container runs in its own context, with labels like: ● staff_u:system_r:openshift_t:s0:c0,c1 ● staff_u:system_r:openshift_t:s0:c2,c3 ● staff_u:system_r:openshift_t:s0:c4,c5 So, even if someone were to gain access to the docker container process on the host, SELinux would prevent them from being able to access other containers, or the host.
  • 66. 66 SELINUX What it is, what it does, and why it matters In the following example, I emulate an exploit where someone takes over a container. I use runcon (run in the context) to set my context to that of an Openshift container. I attempt to access /etc/shadow (shadow_t label). I try to write to the filesystem. I try to read the contents of a user's home directory.
  • 67. 67
  • 69. 69 TIPS AND TRICKS What to do, and what not to do Containers are, at the end of the day, just processes running on the host. Use common sense.
  • 70. 70 TIPS AND TRICKS What to do, and what not to do Do: ● Have a process in place to update your containers. Follow it. ● Run services in the containers with the lowest privilege possible. Drop root privileges as soon as you can. ● Mount filesystems from the host read-only wherever possible. ● Treat root inside the container just like you would on the host. ● Watch your logs.
  • 71. 71 TIPS AND TRICKS What to do, and what not to do Don't: ● Download any old container you find on the 'net. ● Run SSH inside the container. ● Run with root privileges. ● Disable SELinux. ● Roll your own containers once, and never maintain them. ● Run production containers on unsupported platforms.
  • 73. 73 CONCLUSION Go forth and contain! Containers are incredibly cool. They make application deployment really, really easy. They leverage some incredible capabilities within the Linux kernel. By design, they are relatively secure, but there are some gotchas. As with every other piece of software out there, docker tech requires some feeding and maintenance. Well maintained, containers can make your business more agile, less complex, and safe.