© 2018 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Securing Containers
Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O
$whoami
- Sathyajith Bhat
- Senior DevOps Engineer - Adobe I/O
- Organizer, Bangalore AWS Users’ Group
- Author - Practical Docker with Python
Adobe I/O
- Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies.
- Adobe I/O Events
  - An event notification service to inform subscribing systems of near real-time events happening in Adobe services.
- Adobe I/O Runtime
  - A serverless platform (currently in private beta) which allows a developer to execute code on Adobe's infrastructure.
Run this for me.
sudo docker run -v /:/app sathyabhat/demo
cat /tmp/demo.log
Containers - How We Perceive
Photo Courtesy: Sam MacCutchan, Flickr
Containers - How They Tend to Be
Photo Courtesy: Kazuyoshi Kato, Flickr
Threats to Containers
- From Docker hosts
- From noisy neighbours
- From within containers
- From the external world
- From within the application
Different mechanisms
- Control Groups (cgroups)
- Namespaces
- Kernel Capabilities
- Seccomp
- Image Security
- Vulnerability Scanning
cgroups
- Group, limit & isolate resource utilization
- Resources that can be controlled: CPU, memory, disk, network
- cgroup controllers Docker uses:
  - Memory
  - HugeTLB
  - CPU
  - CPUSet
  - BlkIO
  - Devices
- Exposed on the host under /sys/fs/cgroup
cgroups
- Applying limits
  - docker run --cpus="0.5"
  - docker run --cpu-shares=512 (weighted CPU distribution under contention; default weight == 1024)
  - docker run --memory=2g
  - docker run --oom-kill-disable (!!)
  - docker run --device-read-iops
  - docker run --device-write-iops
- Custom cgroup?
  - Yes! docker run --cgroup-parent
Namespaces
- Abstraction which makes processes appear to be isolated from each other
- Controls what a process can see
- Different types of namespaces:
  - Mount
  - PID
  - UTS
  - IPC
  - Network
  - User
Namespaces - User Namespace Remapping
- Remap a user within a container to another user on the host
- Remap the privileged user within the container to a non-privileged one on the host
- Enabling remapping:
  - dockerd --userns-remap="remap-user:remap-group"
  - Or, edit daemon.json:
    {
      "userns-remap": "remap-user"
    }
Namespaces - User Namespace Remapping
Caveats
- Ensure the users/groups are created & the subordinate ID ranges are associated with your remap user
- Enable/disable it on a new Docker install rather than an existing one
- Can no longer use --pid=host or --network=host
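To make the remapping concrete, here is an added example (not from the slides) that reads subordinate-ID ranges in /etc/subuid format and shows what container root becomes on the host, and how host-root-owned files (such as everything under a `-v /:/app` mount) look from inside. The remap user name "dockremap" and its range are assumptions.

```python
# Constructed /etc/subuid contents (assumption: remap user "dockremap", which Docker
# creates itself when --userns-remap=default is used; the range is made up).
SAMPLE_SUBUID = """\
dockremap:100000:65536
alice:165536:65536
"""

OVERFLOW_UID = 65534  # kernel default for IDs with no mapping (/proc/sys/kernel/overflowuid)

def parse_subid(text):
    """Parse /etc/subuid (or /etc/subgid) into {user: (first_host_id, count)}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges[user] = (int(start), int(count))
    return ranges

def container_to_host(container_uid, subid_range):
    """Host UID that a process running as `container_uid` inside the container really has."""
    start, count = subid_range
    if not 0 <= container_uid < count:
        raise ValueError("uid %d is outside the %d-id range of the remap user" % (container_uid, count))
    return start + container_uid

def host_to_container(host_uid, subid_range):
    """How a host-owned file or process appears from inside the container. Host IDs
    outside the mapped range (host root included) show up as the overflow id (nobody)."""
    start, count = subid_range
    if start <= host_uid < start + count:
        return host_uid - start
    return OVERFLOW_UID

def remap_summary(subuid_text, remap_user="dockremap"):
    """The two facts that matter for the '-v /:/app' demo: what container root is on the
    host, and what host root's files look like from inside the container."""
    r = parse_subid(subuid_text)[remap_user]
    return {
        "container_root_on_host": container_to_host(0, r),
        "host_root_in_container": host_to_container(0, r),
    }

if __name__ == "__main__":
    print(remap_summary(SAMPLE_SUBUID))
```

With remapping on, root inside the container is host UID 100000, so a host file owned by UID 0 with mode 0644 is not writable from the container even though the container process believes it is root.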
seccomp
- Secure Computing Mode
- Kernel feature that restricts the syscalls a process can make
- Create custom profiles; pass a different profile to each container
- Default seccomp policy for Docker
  - Disables 44 of the 300+ system calls
seccomp
Pre-requisites:
- Check for kernel support
  - grep CONFIG_SECCOMP= /boot/config-$(uname -r)
- Apply seccomp
  - docker run
  - ???
  - Seccomp is applied by default!
  - Verify with docker info
seccomp
- Create custom profiles as JSON
  - docker run --security-opt seccomp=profile.json
- How to find what syscalls an application actually makes?
  - strace (Linux)
  - dtruss (macOS)
seccomp(demo)
cat seccomp-profile.json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "name": "chown",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
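The following is an added example (not part of the slides) that ties the strace step to the profile above: it extracts the syscalls an strace log shows a program making, generates the demo's deny-list profile in Docker's current `names` list format, and also builds the stronger deny-by-default allow-list from the observed syscalls. The strace excerpt is constructed, not captured from the demo.

```python
import json
import re

# Constructed strace excerpt of "chmod u+x fluffy_kittens.sh" (not a real capture).
SAMPLE_STRACE = """\
execve("/bin/chmod", ["chmod", "u+x", "fluffy_kittens.sh"], 0x7ffd1c3e4a20 /* 4 vars */) = 0
brk(NULL)                               = 0x55d1c2a0b000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1234, ...}) = 0
stat("fluffy_kittens.sh", {st_mode=S_IFREG|0644, st_size=7, ...}) = 0
chmod("fluffy_kittens.sh", 0744)        = -1 EPERM (Operation not permitted)
write(2, "chmod: fluffy_kittens.sh: Operation not permitted\\n", 48) = 48
exit_group(1)                           = ?
"""

SYSCALL_RE = re.compile(r"^([a-z_][a-z0-9_]*)\(")

def syscalls_from_strace(text):
    """Set of syscall names that appear at the start of strace lines."""
    names = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def denylist_profile(denied):
    """Allow everything except `denied`: the slide's policy in Docker's `names` format."""
    return {"defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [{"names": sorted(denied), "action": "SCMP_ACT_ERRNO"}]}

def allowlist_profile(allowed):
    """Deny-by-default profile that permits only the syscalls observed under strace."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}]}

def action_for(profile, syscall):
    """Action a profile applies to one syscall; understands both the legacy single
    `name` field used on the slide and the current `names` list."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall in names:
            return rule["action"]
    return profile["defaultAction"]

def blocked_syscalls(profile, strace_text):
    """Syscalls from the trace that the profile would refuse."""
    return sorted(s for s in syscalls_from_strace(strace_text)
                  if action_for(profile, s) != "SCMP_ACT_ALLOW")

if __name__ == "__main__":
    profile = denylist_profile({"chown", "chmod"})
    print(json.dumps(profile, indent=2))  # save as profile.json for --security-opt seccomp=
    print("would be blocked:", blocked_syscalls(profile, SAMPLE_STRACE))
```

Run the allow-list variant against a trace of your full test suite, not a single command, or the first untraced code path will fail with EPERM in production.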
seccomp(demo)
/ # echo "rm -rf" > fluffy_kittens.sh
/ # chmod u+x fluffy_kittens.sh
chmod: delete_everything.sh: Operation not permitted
Kernel Capabilities
- Drop unnecessary capabilities from the container
- Alternatively, grant only the necessary ones
- Don’t need the chown capability? Drop it
  - docker run --cap-drop=chown
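An added example (not from the slides) for checking that a drop actually took effect: it decodes the CapEff bitmask from a container's /proc/1/status into capability names and reports anything held beyond what the policy intended. The /proc status excerpt is constructed; the default Docker mask 0xa80425fb is the well-known value for an unprivileged container.

```python
import re

# Linux capability names indexed by bit number (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner "
    "sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
    "sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read"
).split()

# Effective capability mask of PID 1 in a default (non --privileged) Docker container.
DOCKER_DEFAULT_CAPEFF = 0xA80425FB

# Constructed /proc/1/status excerpt; only the Cap* lines matter here.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

def decode_caps(mask):
    """Capability names whose bit is set in `mask` (bits above the table show as cap_N)."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit
            for bit in range(mask.bit_length()) if mask >> bit & 1]

def capeff_from_status(text):
    """Read the hex CapEff value out of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def drop_caps(mask, names):
    """Mask left after `--cap-drop=<name>` for each name (case-insensitive, CAP_ optional)."""
    for name in names:
        key = name.lower()
        key = key[4:] if key.startswith("cap_") else key
        mask &= ~(1 << CAP_NAMES.index(key))
    return mask

def unexpected_caps(status_text, expected_mask):
    """Capabilities the container still holds that the intended policy does not grant."""
    return decode_caps(capeff_from_status(status_text) & ~expected_mask)

if __name__ == "__main__":
    wanted = drop_caps(DOCKER_DEFAULT_CAPEFF, ["chown"])
    print("default caps:", decode_caps(DOCKER_DEFAULT_CAPEFF))
    print("still held but not wanted:", unexpected_caps(SAMPLE_STATUS, wanted))
```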
AppArmor
- Mandatory Access Control
- Why?
  - Unix permissions only allow for R/W/X
  - No fine-grained permissions
  - Why should your application be able to read other applications' logs?
- Docker expects AppArmor policies to be loaded on the Docker host
Managing Vulnerabilities
- Images are still software - and old software, if not rebuilt
  - Heartbleed
    - Vulnerability in OpenSSL
  - Ghost
    - Vulnerability in glibc
Managing Vulnerabilities
Vulnerability Scanners
- Clair (CoreOS)
- Twistlock
- Aqua Container Security
- Sysdig Falco
Trusted Images
- Don’t use images blindly
- Host the images in a private/self-hosted registry
- Publishing to Docker Hub? Enable Docker Content Trust
Docker Content Trust
- Enable content trust
  - export DOCKER_CONTENT_TRUST=1
- Images must have content signatures
- Trust is managed by use of signing keys
  - Offline key: root of content trust
  - Repository key for signing tags
  - Server-managed timestamp key
References
- Kernel Capabilities
- Tutorial on Creating AppArmor Profiles
- Docker Security Docs
- Sysadmin Casts - Linux Control Groups
- Searchable Syscall Table
- Google Chrome Seccomp Sandbox Implementation Doc
- User Namespaces in Docker Engine
Thanks!
- Twitter - sathyabhat
- Email: sathya@sathyasays.com
- https://www.adobe.io | @adobeio