SlideShare a Scribd company logo
Docker Security
Security of the Docker Platform, and inside Datacenter clusters
Stephane Woillez
stephw@docker.com
SEMEA Technical Sales Lead
@swoillez
Agenda
• Security & Isolation at the Linux level
• Security of the Docker Production platform
• Security of Dockered applications
Security at the Linux Kernel
How Docker leverages Linux capabilities for security
Docker provides Containers, not VMs
Docker leverages Linux Security mechanisms
• Docker uses several mechanisms for security:
– Linux kernel namespaces
– Linux Control Groups (cgroups)
– The Docker daemon
– Linux capabilities (libcap)
– Linux security mechanisms like AppArmor or SELinux
What are Linux kernel NameSpaces ?
• Namespaces are a way to make a global resource appear to be
unique and isolated.
• The namespaces that the Linux kernel can manage are:
– Mount namespaces
– PID namespaces
– UTS namespaces
– IPC namespaces
– Network namespaces
– User namespaces
Examples of Linux NameSpaces
• Mount NameSpaces : allow a container to “think” that a directory which is
actually mounted from the host OS is exclusively the container's.
• PID namespaces : let the container think it's a new instance of the OS.
• User NameSpaces : allow a container to think that it really has users rigths
(like root) where in fact it has no right on the host OS.
• Network NameSpaces : allow a container to have its own IP addresses,
independent of that of the host. These addresses are not available from
outside of the host, this is private networking similar to that of virtualization.
The Docker service sets up an iptables masquerading rule so that the
container can get to the rest of the Internet.
What are Linux Control Groups (Cgroups) ?
• “Control Groups provide a mechanism for
aggregating/partitioning sets of tasks, and all their future
children, into hierarchical groups with specialized behavior.”
• This allows Docker to put various system resources into a
group, and apply limits to it, like how much disk IO, CPU use,
memory use, network use, namespaces
• This ensures that, even if a container is compromised (or just
spins out of control), there are limits in place which minimizes
the risk of that misbehaved container impacting the host or
other containers.
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt:
The Docker daemon responsabilities
• The docker daemon (/usr/bin/docker) is responsible for managing the
control groups, orchestrating the namespaces, and so on so that
docker images can be run and secured.
• Because of the need to manage kernel functions, Docker runs with
root privileges. Be aware of this!
• Limit the users who have control of the Docker Daemon
Linux Kernel Capabilities (libcap)
• The root user historically had the ability to do
anything, once authenticated.
• Linux capabilities is a set of fine grained controls
which allow services or even users with root
equivalence to be limited in their scope.
• It also allows non-root users to be granted extra
privileges.
• By default, Docker disallows many root capabilities,
not needed by containers, including the ability to
modify logs, change networking, modify kernel
memory,…
11
A Container Security assessment by NCC
Source: NCC Group Whitepaper - Understanding and Hardening Linux Containers
Understanding and Hardening Linux Containers
Security of the Docker Production
Access Control and Isolation in production clusters
Delivering Containers as a Service
Developers IT Operations
BUILD
Development Environments
SHIP
Secure Content & Collaboration
RUN
Deploy, Manage, Scale
13
Universal Control Plane
App and Cluster management
Docker Trusted Registry
Secure image management & distro
Docker Engine
Container Runtime, Orchestration, Networking, volumes, plugins
Security
Content Trust, RBAC,
LDAP/AD
NetworkingOS Volumes Monitoring LoggingConfig MgtImagesCI/CD ..more..
Docker Datacenter Integrated DevOps Platform
Public Cloud Physical/ConvergedVirtualization
Infrastructure
Control: Orchestration and integrations at scale
Universal Control Plane
High
Availability
Access Control
3rd Party PluginsSwarm Managed
GUI
Management
Docker Native
Integration
Monitoring
15
Control: Secure Image Collaboration
Trusted Registry
Log
Aggregator
Authorization
Server
Registry ServiceContent Trust
16
LDAP/AD
Logs
Storage
Image Repo Image Repo Image Repo
Admin Server
Notary
Server
Web UI
CLI
• Docker 1.12 with built in
orchestration (clustering
and scheduling)
• Strong default cluster
security
Secure Cluster Management
• Leader acts as CA.
• Any Manager can be
promoted to leader.
• Workers and managers
identified by their
certificate.
• Communications secured
with Mutual TLS.
Mutual TLS by default
• Managers support BYO CA.
• Forwards CSRs to external
CA.
Support for External CAs
UCP delivers RBAC with Permission Levels
Security of Dockered Applications
Production Ready, Containers as a Service solution
Layers used by a container are readonly !!!
Control: Integrated Content Trust
Developers IT Operations
BUILD
Development Environments
SHIP
Secure Content & Collaboration
RUN
Deploy, Manage, Scale
23
Library of signed and trusted images
Enforce use of only trusted images
Docker Security Scanning Architecture
Threshold signing and gating
25
CI Security Scanning Staging
Production
UCP WorkerUCP Worker UCP Worker
UCP Manager
Sign image to “approve” passing of each stage.
Policy to check for signatures before deployment
THANK YOU

More Related Content

What's hot

Docker - Portable Deployment
Docker - Portable DeploymentDocker - Portable Deployment
Docker - Portable Deployment
javaonfly
 

What's hot (20)

Containers 101
Containers 101Containers 101
Containers 101
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefits
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to Geek
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 
Building microservices with docker
Building microservices with dockerBuilding microservices with docker
Building microservices with docker
 
Docker Datacenter - CaaS
Docker Datacenter - CaaSDocker Datacenter - CaaS
Docker Datacenter - CaaS
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
 
Docker - Portable Deployment
Docker - Portable DeploymentDocker - Portable Deployment
Docker - Portable Deployment
 
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...
 
Docker Container Introduction
Docker Container IntroductionDocker Container Introduction
Docker Container Introduction
 
Containers for Lawyers Richard Fontana
Containers for Lawyers  Richard FontanaContainers for Lawyers  Richard Fontana
Containers for Lawyers Richard Fontana
 
Docker 101
Docker 101Docker 101
Docker 101
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life ObservationsDockerCon EU 2015: Nesting Containers: Real Life Observations
DockerCon EU 2015: Nesting Containers: Real Life Observations
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to Advance
 
Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of docker
 
Docker 101 - High level introduction to docker
Docker 101 - High level introduction to dockerDocker 101 - High level introduction to docker
Docker 101 - High level introduction to docker
 

Similar to SW Docker Security

Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
WSO2
 

Similar to SW Docker Security (20)

Docker Dojo
Docker DojoDocker Dojo
Docker Dojo
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Docker
Docker Docker
Docker
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Understanding the container landscape and it associated projects
Understanding the container landscape and it associated projectsUnderstanding the container landscape and it associated projects
Understanding the container landscape and it associated projects
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and Bolts
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 
Docker Online Training
Docker Online TrainingDocker Online Training
Docker Online Training
 
An Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux ContainersAn Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux Containers
 
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
 
Docker training
Docker trainingDocker training
Docker training
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at Priceline
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 

SW Docker Security

  • 1. Docker Security Security of the Docker Platform, and inside Datacenter clusters Stephane Woillez stephw@docker.com SEMEA Technical Sales Lead @swoillez
  • 2. Agenda • Security & Isolation at the Linux level • Security of the Docker Production platform • Security of Dockered applications
  • 3. Security at the Linux Kernel How Docker leverages Linux capabilities for security
  • 5. Docker leverages Linux Security mechanisms • Docker uses several mechanisms for security: – Linux kernel namespaces – Linux Control Groups (cgroups) – The Docker daemon – Linux capabilities (libcap) – Linux security mechanisms like AppArmor or SELinux
  • 6. What are Linux kernel NameSpaces ? • Namespaces are a way to make a global resource appear to be unique and isolated. • The namespaces that the Linux kernel can manage are: – Mount namespaces – PID namespaces – UTS namespaces – IPC namespaces – Network namespaces – User namespaces
  • 7. Examples of Linux NameSpaces • Mount NameSpaces : allow a container to “think” that a directory which is actually mounted from the host OS is exclusively the container's. • PID namespaces : let the container think it's a new instance of the OS. • User NameSpaces : allow a container to think that it really has users rigths (like root) where in fact it has no right on the host OS. • Network NameSpaces : allow a container to have its own IP addresses, independent of that of the host. These addresses are not available from outside of the host, this is private networking similar to that of virtualization. The Docker service sets up an iptables masquerading rule so that the container can get to the rest of the Internet.
  • 8. What are Linux Control Groups (Cgroups) ? • “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.” • This allows Docker to put various system resources into a group, and apply limits to it, like how much disk IO, CPU use, memory use, network use, namespaces • This ensures that, even if a container is compromised (or just spins out of control), there are limits in place which minimizes the risk of that misbehaved container impacting the host or other containers. https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt:
  • 9. The Docker daemon responsabilities • The docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on so that docker images can be run and secured. • Because of the need to manage kernel functions, Docker runs with root privileges. Be aware of this! • Limit the users who have control of the Docker Daemon
  • 10. Linux Kernel Capabilities (libcap) • The root user historically had the ability to do anything, once authenticated. • Linux capabilities is a set of fine grained controls which allow services or even users with root equivalence to be limited in their scope. • It also allows non-root users to be granted extra privileges. • By default, Docker disallows many root capabilities, not needed by containers, including the ability to modify logs, change networking, modify kernel memory,…
  • 11. 11 A Container Security assessment by NCC Source: NCC Group Whitepaper - Understanding and Hardening Linux Containers Understanding and Hardening Linux Containers
  • 12. Security of the Docker Production Access Control and Isolation in production clusters
  • 13. Delivering Containers as a Service Developers IT Operations BUILD Development Environments SHIP Secure Content & Collaboration RUN Deploy, Manage, Scale 13
  • 14. Universal Control Plane App and Cluster management Docker Trusted Registry Secure image management & distro Docker Engine Container Runtime, Orchestration, Networking, volumes, plugins Security Content Trust, RBAC, LDAP/AD NetworkingOS Volumes Monitoring LoggingConfig MgtImagesCI/CD ..more.. Docker Datacenter Integrated DevOps Platform Public Cloud Physical/ConvergedVirtualization Infrastructure
  • 15. Control: Orchestration and integrations at scale Universal Control Plane High Availability Access Control 3rd Party PluginsSwarm Managed GUI Management Docker Native Integration Monitoring 15
  • 16. Control: Secure Image Collaboration Trusted Registry Log Aggregator Authorization Server Registry ServiceContent Trust 16 LDAP/AD Logs Storage Image Repo Image Repo Image Repo Admin Server Notary Server Web UI CLI
  • 17. • Docker 1.12 with built in orchestration (clustering and scheduling) • Strong default cluster security Secure Cluster Management
  • 18. • Leader acts as CA. • Any Manager can be promoted to leader. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS. Mutual TLS by default
  • 19. • Managers support BYO CA. • Forwards CSRs to external CA. Support for External CAs
  • 20. UCP delivers RBAC with Permission Levels
  • 21. Security of Dockered Applications Production Ready, Containers as a Service solution
  • 22. Layers used by a container are readonly !!!
  • 23. Control: Integrated Content Trust Developers IT Operations BUILD Development Environments SHIP Secure Content & Collaboration RUN Deploy, Manage, Scale 23 Library of signed and trusted images Enforce use of only trusted images
  • 24. Docker Security Scanning Architecture
  • 25. Threshold signing and gating 25 CI Security Scanning Staging Production UCP WorkerUCP Worker UCP Worker UCP Manager Sign image to “approve” passing of each stage. Policy to check for signatures before deployment