The document discusses container security mechanisms and strategies used in Docker, including control groups, namespaces, seccomp, and kernel capabilities. It emphasizes the importance of managing vulnerabilities, using trusted images, and enabling Docker content trust to enhance security. Additional tools and practices for vulnerability scanning and application-level security considerations within containers are also highlighted.

1. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Securing Containers
Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O

2. ©2018AdobeSystemsIncorporated. AllRightsReserved. 2
$whoami
§ Sathyajith Bhat
§ Senior DevOps Engineer - Adobe I/O
§ Organizer, Bangalore AWS Users’ Group
§ Author - Practical Docker with Python

3. ©2018AdobeSystemsIncorporated. AllRightsReserved. 3
Run this for me.
sudo docker run -v /:/app sathyabhat/demo
cat /tmp/demo.log

4. ©2018AdobeSystemsIncorporated. AllRightsReserved. 4
Adobe I/O
§ Adobe I/O is the place for developers looking to integrate, extend, or create apps and
experiences based on Adobe's products and technologies.
§ Adobe I/O API Gateway
§ A performant API Gateway based on Nginx and Openresty
§ 1.5 billion+ API calls per day
§ Adobe I/O Events
§ An event notification service to inform subscribing systems of near real-time events happening in Adobe
services.
§ Adobe I/O Runtime
§ A serverless platform(currently in private beta) based on Apache OpenWhisk which allows a developer to
execute code on Adobe's infrastructure.

5. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Containers - How We Perceive
5
Photo Courtesy: Sam
MacCutchan, Flickr

6. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Containers - How They Tend to Be
6
Photo Courtesy:
Kazuyoshi Kato, Flickr

7. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Threats to Containers
§ From Docker Hosts
§ From noisy neighbours
§ From within containers
§ From external world
§ From within the application
7

8. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Different mechanisms
§ Control Groups (cgroups)
§ Namespaces
§ Kernel Capabilities
§ Seccomp
§ Image Security
§ Vulnerability Scanning
8

9. ©2018AdobeSystemsIncorporated. AllRightsReserved.
cgroups
§ Group, Limit & isolate resource utilization
§ Resources that can be controlled: CPU, Memory, Disk, Network
§ cgroups Docker uses:
§ Memory
§ HugeTBL
§ CPU
§ CPUSet
§ BlkIO
§ Devices
§ /sys/fs/cgroups
9

10. ©2018AdobeSystemsIncorporated. AllRightsReserved.
cgroups
§ Applying limits
§ docker run --cpus=”0.5”
§ docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024)
§ docker run --memory=2g
§ docker run --oom-kill-disable (!!)
§ docker run --device-read-iops
§ docker run --device-write-iops
§ Custom cgroup?
§ Yes! docker run --cgroup-parent
10

11. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces
§ Abstraction which makes a process appear they are isolated
§ Controls what processes can see
§ Different types of namespaces:
§ Mount
§ PID
§ UTS
§ IPC
§ Network
§ User
11

12. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces - User Namespace Remapping
§ Remap a user with a container to another user on the Host
§ Remap privileged user within container to non-privileged one outside host
§ Enabling remapping:
§ dockerd --userns-remap=”remap-user:remap-group”
§ Or, edit daemon.json
{
userns-remap: “remap-user”
}
12

13. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces - User Namespace Remapping
Caveats
§ Ensure the users/groups are created & associated with your user
§ Enable/Disable it on a new Docker install than existing one
§ Can no longer user --pid=host or --network=host
13

14. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
§ Secure Mode Computing
§ Kernel feature, restricts syscalls that a process can do
§ Create custom profiles, pass a different profile for each container
§ Default seccomp policy for Docker
§ Disables 44 system calls of 300+ system calls
14

15. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
Pre-requisites:
§ Check for kernel support
§ grep CONFIG_SECCOMP=/boot/config-$(uname -r)
§ Apply seccomp
§ docker run
§ ???
§ Seccomp is applied by default!
§ Verify with docker info
15

16. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
§ Create custom profiles as json
§ docker run --security-opt seccomp=profile.json
§ How to find what syscalls are in place?
§ strace (Linux)
§ dtruss (macOS)
16

17. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp(demo)
cat seccomp-profile.json
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "chown",
"action": "SCMP_ACT_ERRNO"
},
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO"
}
]
}
17

18. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp(demo)
/ # echo "rm -rf" > fluffy_kittens.sh
/ # chmod u+x fluffy_kittens.sh
chmod: fluffy_kittens.sh: Operation not permitted
18

19. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Kernel Capabilities
§ Drop unnecessary capabilities from the container
§ Alternatively, provide necessary ones
§ Don’t need chown capability? Drop it
§ docker run --cap-drop=chown
19

20. ©2018AdobeSystemsIncorporated. AllRightsReserved.
AppArmor
§ Mandatory Access Control
§ Why?
§ Unix permissions allow for R/W/X
§ No fine grained permissions
§ Why should your application look at other logs?
§ Docker expects AppArmor policies to be loaded on Docker host
20

21. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Managing Vulnerabilities
§ Images are still software - and old, if not rebuilt
§ Heartbleed
§ Vulnerability in openSSL
§ Ghost
§ Vulnerability in glibc
21

22. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Managing Vulnerabilities
Vulnerability Scanners
§ Clair (CoreOS)
§ Twistlock
§ Aqua Container Security
§ Sysdig Falco
22

23. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Trusted Images
§ Don’t use images blindly
§ Host the images in private/self-hosted registry
§ Publishing to Docker Hub? Enable Docker Content Trust
23

24. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Docker Content Trust
§ Enable content trust
§ export DOCKER_CONTENT_TRUST=1
§ Images must have content signatures
§ Trust is managed by use of signing keys
§ Offline key: Root of content trust
§ Repository key for signing tags
§ Server managed Timestamp key
24

25. ©2018AdobeSystemsIncorporated. AllRightsReserved.
References
§ Kernel Capabilities
§ Tutorial on Creating AppArmor Profiles
§ Docker Security Docs
§ Sysadmin Casts - Linux Control Groups
§ Searchable Syscall Table
§ Google Chrome Seccomp Sandbox Implementation Doc
§ User Namespaces in Docker Engine
25

26. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Thanks!
§ Twitter - sathyabhat
§ Email: sabhat@adobe.com
§ https://www.adobe.io | @adobeio
26