Containers are slowly becoming the standardized units of deployment. As containers become more popular, they also become the focus targets for attacking the system. I talk about the ways in which containers can be attacked and how these attacks can be mitigated

1. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Securing Containers
Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O

2. ©2018AdobeSystemsIncorporated. AllRightsReserved. 2
$whoami
§ Sathyajith Bhat
§ Senior DevOps Engineer - Adobe I/O
§ Organizer, Bangalore AWS Users’ Group
§ Author - Practical Docker with Python

3. ©2018AdobeSystemsIncorporated. AllRightsReserved. 3
Run this for me.
sudo docker run -v /:/app sathyabhat/demo
cat /tmp/demo.log

4. ©2018AdobeSystemsIncorporated. AllRightsReserved. 4
Adobe I/O
§ Adobe I/O is the place for developers looking to integrate, extend, or create apps and
experiences based on Adobe's products and technologies.
§ Adobe I/O API Gateway
§ A performant API Gateway based on Nginx and Openresty
§ 1.5 billion+ API calls per day
§ Adobe I/O Events
§ An event notification service to inform subscribing systems of near real-time events happening in Adobe
services.
§ Adobe I/O Runtime
§ A serverless platform(currently in private beta) based on Apache OpenWhisk which allows a developer to
execute code on Adobe's infrastructure.

5. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Containers - How We Perceive
5
Photo Courtesy: Sam
MacCutchan, Flickr

6. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Containers - How They Tend to Be
6
Photo Courtesy:
Kazuyoshi Kato, Flickr

7. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Threats to Containers
§ From Docker Hosts
§ From noisy neighbours
§ From within containers
§ From external world
§ From within the application
7

8. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Different mechanisms
§ Control Groups (cgroups)
§ Namespaces
§ Kernel Capabilities
§ Seccomp
§ Image Security
§ Vulnerability Scanning
8

9. ©2018AdobeSystemsIncorporated. AllRightsReserved.
cgroups
§ Group, Limit & isolate resource utilization
§ Resources that can be controlled: CPU, Memory, Disk, Network
§ cgroups Docker uses:
§ Memory
§ HugeTBL
§ CPU
§ CPUSet
§ BlkIO
§ Devices
§ /sys/fs/cgroups
9

10. ©2018AdobeSystemsIncorporated. AllRightsReserved.
cgroups
§ Applying limits
§ docker run --cpus=”0.5”
§ docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024)
§ docker run --memory=2g
§ docker run --oom-kill-disable (!!)
§ docker run --device-read-iops
§ docker run --device-write-iops
§ Custom cgroup?
§ Yes! docker run --cgroup-parent
10

11. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces
§ Abstraction which makes a process appear they are isolated
§ Controls what processes can see
§ Different types of namespaces:
§ Mount
§ PID
§ UTS
§ IPC
§ Network
§ User
11

12. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces - User Namespace Remapping
§ Remap a user with a container to another user on the Host
§ Remap privileged user within container to non-privileged one outside host
§ Enabling remapping:
§ dockerd --userns-remap=”remap-user:remap-group”
§ Or, edit daemon.json
{
userns-remap: “remap-user”
}
12

13. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Namespaces - User Namespace Remapping
Caveats
§ Ensure the users/groups are created & associated with your user
§ Enable/Disable it on a new Docker install than existing one
§ Can no longer user --pid=host or --network=host
13

14. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
§ Secure Mode Computing
§ Kernel feature, restricts syscalls that a process can do
§ Create custom profiles, pass a different profile for each container
§ Default seccomp policy for Docker
§ Disables 44 system calls of 300+ system calls
14

15. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
Pre-requisites:
§ Check for kernel support
§ grep CONFIG_SECCOMP=/boot/config-$(uname -r)
§ Apply seccomp
§ docker run
§ ???
§ Seccomp is applied by default!
§ Verify with docker info
15

16. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp
§ Create custom profiles as json
§ docker run --security-opt seccomp=profile.json
§ How to find what syscalls are in place?
§ strace (Linux)
§ dtruss (macOS)
16

17. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp(demo)
cat seccomp-profile.json
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "chown",
"action": "SCMP_ACT_ERRNO"
},
{
"name": "chmod",
"action": "SCMP_ACT_ERRNO"
}
]
}
17

18. ©2018AdobeSystemsIncorporated. AllRightsReserved.
seccomp(demo)
/ # echo "rm -rf" > fluffy_kittens.sh
/ # chmod u+x fluffy_kittens.sh
chmod: fluffy_kittens.sh: Operation not permitted
18

19. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Kernel Capabilities
§ Drop unnecessary capabilities from the container
§ Alternatively, provide necessary ones
§ Don’t need chown capability? Drop it
§ docker run --cap-drop=chown
19

20. ©2018AdobeSystemsIncorporated. AllRightsReserved.
AppArmor
§ Mandatory Access Control
§ Why?
§ Unix permissions allow for R/W/X
§ No fine grained permissions
§ Why should your application look at other logs?
§ Docker expects AppArmor policies to be loaded on Docker host
20

21. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Managing Vulnerabilities
§ Images are still software - and old, if not rebuilt
§ Heartbleed
§ Vulnerability in openSSL
§ Ghost
§ Vulnerability in glibc
21

22. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Managing Vulnerabilities
Vulnerability Scanners
§ Clair (CoreOS)
§ Twistlock
§ Aqua Container Security
§ Sysdig Falco
22

23. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Trusted Images
§ Don’t use images blindly
§ Host the images in private/self-hosted registry
§ Publishing to Docker Hub? Enable Docker Content Trust
23

24. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Docker Content Trust
§ Enable content trust
§ export DOCKER_CONTENT_TRUST=1
§ Images must have content signatures
§ Trust is managed by use of signing keys
§ Offline key: Root of content trust
§ Repository key for signing tags
§ Server managed Timestamp key
24

25. ©2018AdobeSystemsIncorporated. AllRightsReserved.
References
§ Kernel Capabilities
§ Tutorial on Creating AppArmor Profiles
§ Docker Security Docs
§ Sysadmin Casts - Linux Control Groups
§ Searchable Syscall Table
§ Google Chrome Seccomp Sandbox Implementation Doc
§ User Namespaces in Docker Engine
25

26. ©2018AdobeSystemsIncorporated. AllRightsReserved.
Thanks!
§ Twitter - sathyabhat
§ Email: sabhat@adobe.com
§ https://www.adobe.io | @adobeio
26