Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset (Research Staff Member), Stefan Berger (STSM), Dimitrios Pendarakis (Manager and Research Staff Member)
IBM Research
@salman_baset
flickr.com/68397968@N07
Philip Estes
STSM, IBM Cloud
@estesp
Outline
•  What is Docker?
•  Deployment models for Docker
•  Threat model
•  Protection against threats
•  Docker registry and engine configuration
•  Possible attacks
•  Putting it all together
Acknowledgements: IBM Containers on Bluemix & Docker, OpenStack, and Linux community
What is Docker?
This talk will focus on Docker container security.
(Diagram: client/end user -> REST API -> Docker engine running containers on a shared Linux kernel; images pulled from DockerHub)
Isolation relies on core Linux kernel technologies:
cgroups, namespaces, capabilities, LSM restrictions, etc.
Build, ship and run distributed applications via a common toolbox...
“Docker” is now a fast-growing ecosystem of related projects:
•  Compose
•  Swarm
•  Machine
•  Advanced networking
•  Registry (DTR)
•  Kubernetes/Mesos
•  ..among many others
$ docker run redis
$ docker run nginx
$ docker run ..
Deployment Model
Single tenant, known code: containers run inside a machine (VM or baremetal) that belongs to one tenant. A model like VM-based multi-tenant clouds.
Multi-tenant, unknown code: containers of different tenants (tenant 1, tenant 2) run on the same machine, on virtual nets, and the Docker API is exposed to tenants. This is the security challenge and the focus of this talk.
Threat Model – Containers Attacks on Other Containers Running on Same Machine
(Diagram: several containers on one physical or virtual machine)
Examples:
1. Which other containers are running, and which processes are other containers running?
   e.g., ps output: PID TTY TIME CMD / 1 pts/0 00:00:00 bash
2. Which files are used by other containers?
   e.g., ls /root -> myfile
3. Which network stack is used by other containers?
   ifconfig, route, iptables, netstat
4. What is the hostname of other containers?
   sethostname(), gethostname()
5. Are processes of other containers doing any IPC?
   pipe, semaphore, shared memory, memory-mapped file
Containers overview:
http://www.slideshare.net/jpetazzo/anatomy-of-a-container-namespaces-cgroups-some-filesystem-magic-linuxcon
Threat Model – Containers Attacks on Host Machine
(Diagram: a misconfigured container and a malicious container on a physical or virtual machine)
Examples:
1. Is root inside a container also root inside host?
2. Are CPU, memory, disk, and network limits obeyed?
3. Can a container gain privileged capabilities?
4. Are other limits obeyed, e.g., fork(), file descriptors?
5. Can a container mount or DOS host file systems?
Threat Model – Attacks Launched from Public Internet
Threat model similar to a VM cloud; not covered in this talk.
(Diagram: public Internet -> Docker cloud)
Examples:
1. Scan open ports
2. Guess passwords of common services (e.g., ssh)
3. (D)DOS
Isolating from Other Containers
•  Kernel namespaces for limited system view
– PID space: Process IDs
– Mount space: Mount points
– Network space: network interfaces/devices, stacks, ports, etc.
– UTS space: sethostname(), gethostname()
– IPC space: System V IPC, POSIX message queues
•  In unprivileged containers, devices must be explicitly passed inside the container using the --device option
•  Necessary but not sufficient: a container started with privileged capabilities can sneak into other containers and load modules
Useful links:
http://man7.org/linux/man-pages/man7/namespaces.7.html
Isolating from Host
•  User namespaces
•  cgroups
•  Linux capabilities
•  Linux security modules (AppArmor/SELinux)
•  Seccomp
•  Docker API
•  Docker engine and storage configuration
(Diagram: these layers sit between the containers and the physical or virtual machine)
Isolating from Host – User namespaces
•  Key benefit of user namespaces: deprivileged root user

$ docker run --name cntr -v /bin:/host/bin -ti busybox
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
/ # cd /host/bin
/host/bin # mv sh old
mv: can't rename 'sh': Permission denied
/host/bin # cp /bin/busybox ./sh
cp: can't create './sh': File exists

Host root ≠ Container root

$ docker inspect -f '{{ .State.Pid }}' cntr
8851
$ ps -u 200000
  PID TTY          TIME CMD
 8851 pts/7    00:00:00 sh

Will be available in Docker 1.9
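The arithmetic behind "host root ≠ container root" is the kernel's /proc/<pid>/uid_map: each line maps a range of container ids onto a range of host ids, and anything outside the ranges is unmapped. The following is an added example, not code from the slides or from Docker. The uid_map line is an assumption chosen to match the slide (container uid 0 shows up as host uid 200000 in `ps -u 200000`); a real Docker host takes its range from /etc/subuid.

```python
"""uid_map arithmetic behind "host root != container root".

Added example, not code from the slides or from Docker: it applies the
kernel's /proc/<pid>/uid_map rules to a constructed mapping.  The mapping
line is an assumption chosen to match the slide (container uid 0 appears as
host uid 200000); Docker's real subordinate-uid range comes from /etc/subuid.
"""

# Constructed sample uid_map for the container: "<inside> <outside> <count>".
SAMPLE_UID_MAP = "         0     200000      65536\n"


def parse_uid_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, count = (int(p) for p in parts)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError("invalid uid_map range: %r" % line)
        entries.append((inside, outside, count))
    return entries


def container_to_host_uid(uid, entries):
    """Host uid that owns what a container process running as `uid` creates, or None."""
    for inside, outside, count in entries:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None  # unmapped: the kernel shows it as the overflow id (nobody)


def host_to_container_uid(host_uid, entries):
    """Container-side view of a host uid, or None if it is not mapped in."""
    for inside, outside, count in entries:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def container_root_is_host_root(entries):
    """True only when container uid 0 maps onto host uid 0 (no deprivileging)."""
    return container_to_host_uid(0, entries) == 0


def owner_unreachable_from_container(file_owner_host_uid, entries):
    """Why container root could not rename /host/bin/sh on the slide: the file
    belongs to a host uid that is not mapped into the namespace, so no
    container uid, root included, can act as its owner."""
    return host_to_container_uid(file_owner_host_uid, entries) is None


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("container uid 0 -> host uid", container_to_host_uid(0, m))
    print("container root is host root:", container_root_is_host_root(m))
    print("/bin (host uid 0) unreachable:", owner_unreachable_from_container(0, m))
```

Feeding the host's own identity mapping (`0 0 4294967295`) into the same functions returns True from `container_root_is_host_root`, which is exactly the non-user-namespace situation the slide warns about.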
Isolating from Host (and other containers) – control groups
•  Resource control
- CPU
- Memory
- Swap
- Blkio
- Network
(Diagram: per-container cgroup limits applied on the physical or virtual machine)
docker run --cpuset-cpus=0,1 --cpu-shares=512 -m 2G --memory-swap 2G --blkio-weight 500
Useful links
https://docs.docker.com/reference/run/
https://docs.docker.com/installation/ubuntulinux/
https://lwn.net/Articles/648292/ (cgroups)
Isolating from Host (and other containers) – cgroups
•  Docker’s cgroup support is a work in progress
– New command line options being added
– Network cgroup: currently not implemented
– Linux kernel: cgroups for PIDs coming in 4.3
•  cgroup current limitations
– Blkio: Bps enforcement seems difficult
– Memory: needs configuration tweaking to ensure swap limits
– No accounting for size of PID space
•  cgroup v2 added to Linux now
– Redesigned and improved interface
– New hierarchical organization
Useful links:
http://events.linuxfoundation.org/sites/events/files/slides/2014-KLF.pdf
http://events.linuxfoundation.org/sites/events/files/slides/2015-LCJ-cgroup-writeback.pdf
Isolating from Host (and other containers) – Linux Capabilities
•  Linux capabilities: fine-grained access control mechanism besides root/non-root
•  Restrict the ‘capabilities’ available for a process (or a thread)
– e.g., load kernel modules, mount, network admin operations, set time
•  Docker by default drops the majority (24 out of 37)
•  Capabilities can be added to a Docker container
– e.g., docker run --cap-add=SYS_ADMIN … (the capability that covers mount)
(Diagram: container -> system call interface; e.g., open() passes, mount() is stopped by the capability check)
Useful links:
https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
https://docs.docker.com/reference/run/
http://linux.die.net/man/7/capabilities
cat /proc/self/status | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
Default Docker capabilities:
chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
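The Cap* lines above are bitmasks, so an auditor who reads /proc/<pid>/status for every container on a host needs to decode them. The following is an added example, not code from the slides or from Docker: it decodes the mask with the bit positions from linux/capability.h, checks the result against the default set the slide lists, and flags anything beyond it. The high-risk list is this editor's choice, not something the slides define.

```python
"""Decode Cap* bitmasks from /proc/<pid>/status and check a container's
effective capabilities against an allow-list.

Added example, not from the slides or Docker.  Bit positions come from
linux/capability.h (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37); the sample
status lines are the ones shown on the slide.
"""

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",       # 0-4
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",             # 5-9
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",          # 10-13
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",     # 14-18
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",       # 19-23
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",       # 24-28
    "audit_write", "audit_control", "setfcap", "mac_override",            # 29-32
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",   # 33-37
]

# The default set the slide lists for an unprivileged Docker container.
DOCKER_DEFAULT_CAPS = frozenset([
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw",
    "setgid", "setuid", "setfcap", "setpcap", "net_bind_service",
    "sys_chroot", "kill", "audit_write",
])

# Assumed high-risk list: capabilities a tenant container should never hold.
HIGH_RISK_CAPS = frozenset(["sys_admin", "sys_module", "sys_rawio",
                            "sys_ptrace", "net_admin", "mac_admin",
                            "mac_override", "dac_read_search"])

# Sample: the `grep Cap` output shown on the slide.
SAMPLE_STATUS = """\
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
"""


def decode_cap_mask(hex_mask):
    """Return the capability names whose bit is set in a hex mask."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    if mask >> len(CAP_NAMES):
        # A newer kernel may define bits this table does not know about.
        names.append("unknown(bits>=%d)" % len(CAP_NAMES))
    return names


def parse_cap_fields(status_text):
    """Map each Cap* field of a /proc/<pid>/status dump to its decoded names."""
    fields = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            fields[key.strip()] = decode_cap_mask(value.strip())
    return fields


def unexpected_capabilities(status_text, allowed=DOCKER_DEFAULT_CAPS):
    """Capabilities in CapEff beyond the allow-list, high-risk ones first."""
    eff = set(parse_cap_fields(status_text)["CapEff"])
    extra = eff - allowed
    return sorted(extra & HIGH_RISK_CAPS) + sorted(extra - HIGH_RISK_CAPS)


if __name__ == "__main__":
    print(decode_cap_mask("00000000a80425fb"))
    print("unexpected:", unexpected_capabilities(SAMPLE_STATUS))
```

Decoding 00000000a80425fb yields exactly the 14 names on the slide, which is a useful sanity check that the table and the slide agree; a mask of a82425fb (bit 21 set) would add sys_admin, which the checker reports first.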
Isolating from Host (and other containers) – LSM
•  Linux security modules for Mandatory access control
•  AppArmor defines restrictions on
– file access, capability, network, mount
(Diagram: AppArmor policy mediating container syscalls on the physical or virtual machine, e.g., open(‘/etc/hosts’,…) versus open(‘/dev/kmem’,…))
Default Docker AppArmor Profile for Containers
•  Denies access to sensitive data, e.g., LSM path on host, kernel memory
•  Denies unmount
•  One single profile for all containers
•  Can define custom profile per container
Useful links:
http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
Isolating from Host – Seccomp
•  Restricts the system calls that the calling thread is permitted to execute
•  Example: the CAP_SETUID capability is implemented using four system calls
–  setuid(), setreuid(), setresuid(), setfsuid()
–  Can restrict which of the calls covered by CAP_SETUID may be made
(Diagram: container -> system call interface with seccomp filtering, e.g., setuid(), setreuid())
Useful link:
http://man7.org/linux/man-pages/man2/seccomp.2.html
Isolating from Host – Restrict Docker API
•  Docker engine exposes an API
•  API is powerful – and can perform admin operations, e.g., create privileged containers
•  In near future, each API call will have authentication and authorization
•  Until then,
– Restrict the APIs available to an end user, e.g.,
•  Prevent privileged container creation (docker run --privileged)
•  Prevent addition of capabilities (docker run --cap-add)
•  Ensure appropriate AppArmor profile is used (docker run --security-opt="apparmor:profile")
(Diagram: container cloud front end sits between tenants and the Docker engine API)
Isolating from Host – Docker Engine and Storage Configuration
Docker Engine
•  Configure TLS for Docker Engine
•  Set appropriate limits, e.g., nproc, file descriptors
•  Docker Security Checklist and Docker Bench
– https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
– https://github.com/docker/docker-bench-security
Docker Storage
•  Consider using devicemapper as storage
•  Consider setting the default filesystem of containers as read only
•  Bind mounted files in Docker have no quota. Consider making them read only.
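The "restrict the API" slide and the storage slide above both amount to rules a multi-tenant front end must apply to the JSON body of a container-create call before forwarding it to the engine. The following is an added example, not Docker code and not the IBM Containers implementation: it denies privileged containers, added capabilities and a missing or unconfined AppArmor profile, requires host bind mounts to be read-only, and warns when the root filesystem is not read-only. The HostConfig field names (Privileged, CapAdd, SecurityOpt, Binds, ReadonlyRootfs) are real Docker Remote API keys; the profile name tenant-default and the sample requests are constructed.

```python
"""Policy gate for Docker Engine container-create request bodies.

Added example, not Docker code: a multi-tenant front end checks the JSON
body of a create-container call before forwarding it to the engine.  Rules
follow the slides (no --privileged, no --cap-add, mandated AppArmor
profile, read-only bind mounts and root filesystem).  HostConfig keys are
Docker Remote API names; the profile `tenant-default` and the sample
requests are constructed.
"""
import json

REQUIRED_APPARMOR = "apparmor:tenant-default"   # assumed profile name


def check_create_request(body):
    """Return (deny, warn): deny lists hard violations, warn lists advice."""
    host = body.get("HostConfig") or {}
    deny, warn = [], []

    if host.get("Privileged"):
        deny.append("Privileged=true (docker run --privileged) is not allowed")

    if host.get("CapAdd"):
        deny.append("CapAdd is not allowed: %s" % ", ".join(host["CapAdd"]))

    sec_opts = host.get("SecurityOpt") or []
    if "apparmor:unconfined" in sec_opts:
        deny.append("SecurityOpt apparmor:unconfined is not allowed")
    if REQUIRED_APPARMOR not in sec_opts:
        deny.append("SecurityOpt must include %s" % REQUIRED_APPARMOR)

    for bind in host.get("Binds") or []:
        # Format "host_path:container_path[:options]"; host paths start with "/"
        # (named volumes do not) and must carry the ro option.
        parts = bind.split(":")
        src = parts[0]
        opts = parts[2].split(",") if len(parts) > 2 else []
        if src.startswith("/") and "ro" not in opts:
            deny.append("host bind mount %s must be read-only (:ro)" % src)

    if not host.get("ReadonlyRootfs"):
        warn.append("ReadonlyRootfs is false; consider a read-only container filesystem")

    return deny, warn


def gate(raw_json):
    """Parse a request body; return (allowed, deny, warn)."""
    try:
        body = json.loads(raw_json)
    except ValueError as exc:
        return False, ["request body is not valid JSON: %s" % exc], []
    if not isinstance(body, dict):
        return False, ["request body must be a JSON object"], []
    deny, warn = check_create_request(body)
    return not deny, deny, warn


# Constructed sample requests.
GOOD_REQUEST = json.dumps({
    "Image": "nginx",
    "HostConfig": {"SecurityOpt": ["apparmor:tenant-default"],
                   "ReadonlyRootfs": True,
                   "Binds": ["/srv/tenant1/conf:/etc/nginx:ro"]},
})
BAD_REQUEST = json.dumps({
    "Image": "busybox",
    "HostConfig": {"Privileged": True,
                   "CapAdd": ["SYS_ADMIN"],
                   "Binds": ["/bin:/host/bin"]},
})

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        allowed, deny, warn = gate(req)
        print("allowed" if allowed else "denied", deny, warn)
```

The gate fails closed: a body that is not a JSON object is denied rather than passed through, and every rule appends its own message so the tenant sees all violations at once instead of fixing them one round-trip at a time.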
Docker Registry Security
•  Python-based Docker registry V1 weaknesses:
– Image IDs are secrets (effectively)
– No content verification; audit/validation difficult
– Layer IDs randomly assigned, linked via “parent” entries (poor performance)
•  Docker Registry V2 API and implementation in Docker 1.6
– All content is addressable via strong cryptographic hash
– Content and naming separated
– Safe distribution over untrusted channels, data is verifiable
– Signing and verification now enabled via Docker Content Trust
– Digests and manifests together uniquely define content+relationships
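The v2 properties listed above (content addressable by hash, naming separated from content, verifiable over untrusted channels) reduce to one mechanism: every blob is named by the sha256 of its bytes and the manifest lists those names, so a client that has the manifest digest can check everything it pulled. The following is an added example, not registry or Docker code: it builds a minimal v2-style manifest for constructed layers and verifies manifest and layers by digest. The Notary signature over the manifest digest that Docker Content Trust adds is not modelled here.

```python
"""Content-addressable verification as used by Registry v2.

Added example, not registry code: layers are named by the sha256 of their
bytes and the manifest lists those digests, so a client that knows the
manifest digest can verify every byte pulled over an untrusted channel.
Layer bytes and manifest are constructed; the Content Trust signature over
the manifest digest is out of scope.
"""
import hashlib
import json


def digest(data):
    """Canonical 'sha256:<hex>' name for a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(layers):
    """Minimal v2-style manifest: each layer referenced by digest and size."""
    return {
        "schemaVersion": 2,
        "layers": [{"digest": digest(blob), "size": len(blob)} for blob in layers],
    }


def serialize_manifest(manifest):
    """Canonical bytes so the manifest's own digest is stable."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def verify_manifest(raw_manifest, expected_digest):
    """Check raw manifest bytes against the digest the client asked for."""
    return digest(raw_manifest) == expected_digest


def verify_layers(manifest, blob_store):
    """Digests of layers whose stored bytes do not match their name
    (missing, wrong size, or tampered)."""
    bad = []
    for layer in manifest["layers"]:
        want = layer["digest"]
        data = blob_store.get(want)
        if data is None or len(data) != layer["size"] or digest(data) != want:
            bad.append(want)
    return bad


def pull_and_verify(expected_manifest_digest, raw_manifest, blob_store):
    """Full check: manifest pinned by digest first, then every layer by digest."""
    if not verify_manifest(raw_manifest, expected_manifest_digest):
        return False, ["manifest digest mismatch"]
    bad = verify_layers(json.loads(raw_manifest.decode()), blob_store)
    return not bad, bad


# Constructed sample image with two layers.
LAYER_A = b"constructed layer A: base filesystem\n"
LAYER_B = b"constructed layer B: application files\n"
MANIFEST = build_manifest([LAYER_A, LAYER_B])
RAW_MANIFEST = serialize_manifest(MANIFEST)
MANIFEST_DIGEST = digest(RAW_MANIFEST)
GOOD_STORE = {digest(LAYER_A): LAYER_A, digest(LAYER_B): LAYER_B}
# Same names on the wire, but layer B altered in transit: name no longer matches.
TAMPERED_STORE = {digest(LAYER_A): LAYER_A, digest(LAYER_B): LAYER_B + b"x"}

if __name__ == "__main__":
    print(pull_and_verify(MANIFEST_DIGEST, RAW_MANIFEST, GOOD_STORE))
    print(pull_and_verify(MANIFEST_DIGEST, RAW_MANIFEST, TAMPERED_STORE))
```

The order matters: the manifest is checked before any layer is trusted, because a substituted manifest could list digests of attacker-supplied layers that would each verify correctly on their own. That is why pinning the manifest digest (or a signature over it, as Content Trust does) is what turns a v2 registry into a safe distribution channel.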
Possible Attacks on Containers (1/3)
•  Forkbomb. DOS on host. Host unusable within seconds
(Diagram: fork() -> fork() fork() -> …)
•  Multiple solutions, e.g.,
– limit number of processes in each container using nproc (handled per Linux user)
– cgroup PID space – coming in Linux kernel 4.3
– watchdog
Possible Attacks on Containers (2/3)
•  Resource exhaustion on host storage due to bind-mounted files -> DOS.
– /etc/hosts, /etc/resolv.conf, /etc/hostname (used during container linking)
(Diagram: physical or virtual machine with its hard disk full)
•  Multiple solutions:
– readonly, pass as Docker volume, watchdog
Pass as volume: https://github.com/docker/docker/pull/14613
Possible Attacks on Containers (3/3)
•  Application level vulnerabilities (e.g., weak credentials)
– Not a Docker issue
•  Security bad practice: specify passwords in a Dockerfile
– Passwords are then baked into a Docker image
– Recommended best practice is to not include passwords in a Dockerfile
•  If applications with vulnerabilities or weak passwords deployed in Docker containers are exposed to the Internet
– Potential for getting hacked
•  Follow security best practices for the application as well
Putting It All Together (1/2)
Capability limitation: Limited set of Linux capabilities each container is started with. A change of capabilities must be appropriately authorized.
Isolation from other containers: Kernel namespaces for isolating from other containers: pid, net, ipc, mnt, uts
Kernel sharing among containers: All Docker containers share the host kernel, but not all syscalls and capabilities are exposed to Docker containers
Resource isolation: Leverage cgroups for resource isolation. Network traffic shaping is an issue with default networking.
Restrict Docker API calls: Users should not create privileged containers or change capabilities without authorization
Docker Registry: Use v2 registry that has signatures for images and layers
Coloring (on the original slide):
Black: is out of box
Red: inherent issue with Docker
Orange: Not implemented in Docker yet
Putting It All Together (2/2)
Host security: Follow best practice for securing a host (e.g., STIG firewall, auditd)
Linux Security Module: Use LSM (AppArmor/SELinux) for container and Docker engine confinement
Host root isolation: User namespaces
Hardware assisted verification and isolation: Use Trusted Computing and TPM for host integrity verification and VT-d for better isolation
Docker Engine configuration: Configure Docker engine appropriately
…
Coloring (on the original slide):
Black: is out of box
Red: inherent issue with Docker
Orange: Not implemented in Docker yet
Define security tests for checking various aspects of the system
Useful Links (1/2)
Docker configuration
•  https://docs.docker.com/reference/run/
•  https://docs.docker.com/installation/ubuntulinux/
•  https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
Docker security checklist
•  https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
•  https://github.com/docker/docker-bench-security
cgroups
•  https://lwn.net/Articles/648292/
•  https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt
•  https://github.com/torvalds/linux/blob/master/kernel/cgroup_pids.c
Docker cpu constraints
•  http://docs.docker.com/engine/reference/run/#cpu-share-constraint
•  http://docs.docker.com/engine/reference/run/#cpu-period-constraint
•  http://docs.docker.com/engine/reference/run/#cpu-quota-constraint
•  http://docs.docker.com/engine/reference/run/#cpuset-constraint
Useful Links (2/2)
AppArmor
•  http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
Linux capabilities
•  http://linux.die.net/man/7/capabilities
Linux user namespaces
•  http://man7.org/linux/man-pages/man7/user_namespaces.7.html
Linux Completely Fair Scheduler
•  http://www.ibm.com/developerworks/library/l-completely-fair-scheduler/
Seccomp
•  http://man7.org/linux/man-pages/man2/seccomp.2.html
Red Hat Security Technical Implementation Guide
•  https://www.stigviewer.com/stig/red_hat_enterprise_linux_6
Side channel attacks against multi-core processors
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-i/
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-ii/
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-iii/

Securing Applications and Pipelines on a Container Platform
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
 
Resource Management of Docker
Resource Management of DockerResource Management of Docker
Resource Management of Docker
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 

Recently uploaded

Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 

Recently uploaded (20)

Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 

Unraveling Docker Security: Lessons From a Production Cloud

  • 1. Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset (1), Stefan Berger (2), Dimitrios Pendarakis (3)
(1) Research Staff Member, (2) STSM, (3) Manager and Research Staff Member, IBM Research
@salman_baset
Philip Estes, STSM, IBM Cloud, @estesp
Image: flickr.com/68397968@N07
  • 2. Outline
•  What is Docker?
•  Deployment models for Docker
•  Threat model
•  Protection against threats
•  Docker registry and engine configuration
•  Possible attacks
•  Putting it all together
Acknowledgements: IBM Containers on Bluemix & Docker, OpenStack, and Linux community
  • 3. What is Docker?
Build, ship and run distributed applications via a common toolbox...
  $ docker run redis
  $ docker run nginx
  $ docker run ..
(Diagram: client/end user -> REST API -> Docker engine -> shared Linux kernel; images pulled from DockerHub.)
Isolation relies on core Linux kernel technologies: cgroups, namespaces, capabilities, LSM restrictions, etc.
This talk will focus on Docker container security.
“Docker” is now a fast-growing ecosystem of related projects:
•  Compose
•  Swarm
•  Machine
•  Advanced networking
•  Registry (DTR)
•  Kubernetes/Mesos
•  ..among many others
  • 4. Deployment Model
•  Single tenant, known code: containers run inside a machine (VM or bare metal). A model like VM-based multi-tenant clouds.
•  Multi-tenant, unknown code: containers of different tenants (tenant 1, tenant 2) run on the same machine with virtual nets, and the Docker API is exposed to tenants. This is the security challenge and the focus of this talk.
  • 5. Threat Model – Container Attacks on Other Containers Running on the Same Machine
Examples (containers on the same physical or virtual machine):
1. Which other containers are running, and which processes are other containers running? (ps output shown on the slide: PID TTY TIME CMD / 1 pts/0 00:00:00 bash)
2. Which files are used by other containers? (ls /root shown on the slide: myfile)
3. Which network stack is used by other containers? (ifconfig, route, iptables, netstat)
4. What is the hostname of other containers? (sethostname(), gethostname())
5. Are processes of other containers doing any IPC? (pipe, semaphore, shared memory, memory-mapped file)
Containers overview: http://www.slideshare.net/jpetazzo/anatomy-of-a-container-namespaces-cgroups-some-filesystem-magic-linuxcon
  • 6. Threat Model – Container Attacks on Host Machine
A misconfigured or malicious container on a physical or virtual machine. Examples:
1. Is root inside a container also root on the host?
2. Are CPU, memory, disk, and network limits obeyed?
3. Can a container gain privileged capabilities?
4. Are other limits obeyed, e.g., fork(), file descriptors?
5. Can a container mount or DoS host file systems?
  • 7. Threat Model – Attacks Launched from the Public Internet
Threat model similar to a VM cloud; not covered in this talk. Examples against a Docker cloud:
1. Scan open ports
2. Guess passwords of common services (e.g., ssh)
3. (D)DoS
  • 8. Isolating from Other Containers
•  Kernel namespaces for a limited system view
– PID space: process IDs
– Mount space: mount points
– Network space: network interfaces/devices, stacks, ports, etc.
– UTS space: sethostname(), gethostname()
– IPC space: System V IPC, POSIX message queues
•  In unprivileged containers, devices must be explicitly passed inside the container using the --device option
Necessary but not sufficient: a container started with privileged capabilities can sneak into other containers and load modules.
Useful links: http://man7.org/linux/man-pages/man7/namespaces.7.html
  • 9. Isolating from Host
•  User namespaces
•  cgroups
•  Linux capabilities
•  Linux security modules (AppArmor/SELinux)
•  Seccomp
•  Docker API
•  Docker engine and storage configuration
  • 10. Isolating from Host – User Namespaces
•  Key benefit of user namespaces: deprivileged root user
  $ docker run --name cntr -v /bin:/host/bin -ti busybox
  / # id
  uid=0(root) gid=0(root) groups=10(wheel)
  / # cd /host/bin
  /host/bin # mv sh old
  mv: can't rename 'sh': Permission denied
  /host/bin # cp /bin/busybox ./sh
  cp: can't create './sh': File exists
Host root ≠ container root: seen from the host, the container's root shell runs as uid 200000
  $ docker inspect -f '{{ .State.Pid }}' cntr
  8851
  $ ps -u 200000
    PID TTY          TIME CMD
   8851 pts/7    00:00:00 sh
Will be available in Docker 1.9
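The slide shows the effect of user namespaces from the outside (`ps -u 200000`). The following added example, which is not from the slides, reproduces the underlying lookup in code: it parses the kernel's `/proc/<pid>/uid_map` format ("inside outside count" per line) and translates container uids to host uids. The mapping text is a constructed sample chosen to match the slide's numbers (container uid 0 -> host uid 200000).

```python
"""Translate container uids to host uids through a user-namespace uid_map.

Added example, not from the slides: the uid_map text is a constructed sample
in the real /proc/<pid>/uid_map format ("inside outside count" per line).
"""
from typing import List, Optional, Tuple

Mapping = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> Mapping:
    """Parse /proc/<pid>/uid_map (or gid_map) lines into (inside, outside, count)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"non-positive count in id_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host_id(mapping: Mapping, inside_id: int) -> Optional[int]:
    """Map an id seen inside the namespace to the id the host kernel uses.

    Returns None when the id is unmapped; the kernel then presents it as the
    overflow id (65534, "nobody"), which cannot own files on the host.
    """
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def is_container_root_host_root(mapping: Mapping) -> bool:
    """True only when uid 0 inside the container maps to uid 0 on the host.

    Without user-namespace remapping the map is the identity line
    "0 0 4294967295" and this returns True; with a remapped daemon it
    returns False, which is the property the slide demonstrates.
    """
    return to_host_id(mapping, 0) == 0


# Constructed sample: a remapped daemon's map for a container whose root is
# host uid 200000 (the uid shown by "ps -u 200000" on the slide).
REMAPPED_UID_MAP = "         0     200000      65536\n"

# Constructed sample: identity map of a container without user namespaces.
IDENTITY_UID_MAP = "         0          0 4294967295\n"


def explain(mapping_text: str, inside_uid: int) -> str:
    """Human-readable summary for auditing a running container."""
    mapping = parse_id_map(mapping_text)
    host_uid = to_host_id(mapping, inside_uid)
    if host_uid is None:
        return f"container uid {inside_uid} is unmapped on the host (nobody)"
    return f"container uid {inside_uid} is host uid {host_uid}"


if __name__ == "__main__":
    print(explain(REMAPPED_UID_MAP, 0))  # container uid 0 is host uid 200000
    print(explain(IDENTITY_UID_MAP, 0))  # container uid 0 is host uid 0
    print(is_container_root_host_root(parse_id_map(REMAPPED_UID_MAP)))  # False
```

On a live host the same functions can be fed `open(f"/proc/{pid}/uid_map").read()` with the pid from `docker inspect` to confirm that a container's root is not host root.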
  • 11. Isolating from Host (and other containers) – Control Groups
•  Resource control
– CPU
– Memory
– Swap
– Blkio
– Network
  docker run --cpuset-cpus=0,1 --cpu-shares=512 -m 2G --memory-swap 2G --blkio-weight 500
Useful links:
https://docs.docker.com/reference/run/
https://docs.docker.com/installation/ubuntulinux/
https://lwn.net/Articles/648292/ (cgroups)
  • 12. Isolating from Host (and other containers) – cgroups
•  Docker’s cgroup support is a work in progress
– New command line options being added
– Network cgroup: currently not implemented
– Linux kernel: cgroups for PID coming in 4.3
•  cgroup current limitations
– Blkio: Bps enforcement seems difficult
– Memory: needs configuration tweaking to ensure swap limits
– No accounting for size of PID space
•  cgroup v2 added to Linux now
– Redesigned and improved interface
– New hierarchical organization
Useful links:
http://events.linuxfoundation.org/sites/events/files/slides/2014-KLF.pdf
http://events.linuxfoundation.org/sites/events/files/slides/2015-LCJ-cgroup-writeback.pdf
  • 13. Isolating from Host (and other containers) – Linux Capabilities
•  Linux capabilities: fine-grained access control mechanism beyond root/non-root
•  Restrict the ‘capabilities’ available to a process (or a thread)
– e.g., load kernel modules, mount, network admin operations, set time
•  Docker by default drops the majority (24 out of 37)
•  Capabilities can be added to a Docker container
– e.g., docker run --cap-add=mount …
Capability bits of the current process:
  cat /proc/self/status | grep Cap
  CapInh: 00000000a80425fb
  CapPrm: 00000000a80425fb
  CapEff: 00000000a80425fb
  CapBnd: 00000000a80425fb
Default Docker capabilities: chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
Useful links:
https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
https://docs.docker.com/reference/run/
http://linux.die.net/man/7/capabilities
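The CapEff mask on the slide is only useful if you can read it. The following added example (not from the slides) decodes the Cap* hex masks of a `/proc/<pid>/status` dump into capability names using the bit numbers from the kernel's capability.h, checks that 00000000a80425fb is exactly the 14-capability default set listed above, and reports any capability beyond that set, which is what a `--cap-add` or `--privileged` container would show. The status text is a constructed sample in the real /proc format.

```python
"""Decode the Cap* bitmasks of /proc/<pid>/status and compare them with
Docker's default capability set.

Added example, not part of the slides. Capability bit numbers follow the
Linux kernel's capability.h; the status dumps below are constructed samples.
"""
from typing import Dict, List, Set

# Capability names indexed by bit number (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# The default set the slide lists for an unprivileged Docker container.
DOCKER_DEFAULT_CAPS: Set[str] = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw",
    "setgid", "setuid", "setfcap", "setpcap", "net_bind_service",
    "sys_chroot", "kill", "audit_write",
}


def decode_cap_mask(hex_mask: str) -> Set[str]:
    """Turn a hex mask such as '00000000a80425fb' into capability names."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask & (1 << bit):
            # Bits newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def parse_status_caps(status_text: str) -> Dict[str, Set[str]]:
    """Extract and decode the Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = decode_cap_mask(value.strip())
    return caps


def extra_capabilities(status_text: str) -> List[str]:
    """Capabilities in the effective set beyond Docker's default set.

    A non-empty result means the container was started with --cap-add or
    --privileged, which the slides say must be explicitly authorized.
    """
    eff = parse_status_caps(status_text).get("CapEff", set())
    return sorted(eff - DOCKER_DEFAULT_CAPS)


# Constructed sample: the four Cap* lines from the slide.
DEFAULT_CONTAINER_STATUS = """\
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Constructed sample: the same container with CAP_NET_ADMIN (bit 12) and
# CAP_SYS_ADMIN (bit 21) added, i.e. a80425fb | (1 << 12) | (1 << 21).
ELEVATED_CONTAINER_STATUS = """\
CapInh:\t00000000a82435fb
CapPrm:\t00000000a82435fb
CapEff:\t00000000a82435fb
CapBnd:\t00000000a82435fb
"""

if __name__ == "__main__":
    print(sorted(decode_cap_mask("00000000a80425fb")))
    print(extra_capabilities(DEFAULT_CONTAINER_STATUS))   # []
    print(extra_capabilities(ELEVATED_CONTAINER_STATUS))  # ['net_admin', 'sys_admin']
```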
  • 14. Isolating from Host (and other containers) – LSM
•  Linux security modules for mandatory access control
•  AppArmor defines restrictions on
– file access, capability, network, mount
(Diagram: the AppArmor policy mediates calls such as open('/etc/hosts', …) and open('/dev/kmem', …).)
Default Docker AppArmor profile for containers:
•  Denies access to sensitive data, e.g., LSM path on host, kernel memory
•  Denies unmount
•  One single profile for all containers
•  Can define custom profile per container
Useful links: http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
  • 15. Isolating from Host – Seccomp
•  Restricts the system calls that the calling thread is permitted to execute
•  Example: the CAP_SETUID capability is implemented using four system calls
– setuid(), setreuid(), setresuid(), setfsuid()
– Can restrict which of the calls covered by CAP_SETUID may be made
Useful link: http://man7.org/linux/man-pages/man2/seccomp.2.html
  • 16. Isolating from Host – Restrict Docker API
•  Docker engine exposes an API
•  The API is powerful and can perform admin operations, e.g., create privileged containers
•  In the near future, each API call will have authentication and authorization
•  Until then:
– Restrict the APIs available to an end user, e.g.,
•  Prevent privileged container creation (docker run --privileged)
•  Prevent addition of capabilities (docker run --cap-add)
•  Ensure the appropriate AppArmor profile is used (docker run --security-opt="apparmor:profile")
  • 17. Isolating from Host – Docker Engine and Storage Configuration
Docker Engine
•  Configure TLS for Docker Engine
•  Set appropriate limits, e.g., nproc, file descriptors
•  Docker Security Checklist and Docker Bench
– https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
– https://github.com/docker/docker-bench-security
Docker Storage
•  Consider using devicemapper as storage
•  Consider setting the default filesystem of containers as read only
•  Bind mounted files in Docker have no quota. Consider making them read only.
  • 18. Docker Registry Security
•  Python-based Docker registry V1 weaknesses:
– Image IDs are secrets (effectively)
– No content verification; audit/validation difficult
– Layer IDs randomly assigned, linked via “parent” entries (poor performance)
•  Docker Registry V2 API and implementation in Docker 1.6
– All content is addressable via strong cryptographic hash
– Content and naming separated
– Safe distribution over untrusted channels; data is verifiable
– Signing and verification now enabled via Docker Content Trust
– Digests and manifests together uniquely define content + relationships
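The V2 property "all content is addressable via strong cryptographic hash, so data is verifiable over untrusted channels" is easy to show in code. The following added example is not from the slides or the Docker registry code: it uses a simplified manifest (a list of layer entries carrying "digest" and "size", with digests in the registry's "sha256:<hex>" form), builds it from constructed in-memory blobs, and verifies fetched blobs against it, catching a missing layer, a truncated layer and a same-length content swap.

```python
"""Verify content-addressed image layers against a manifest's digests.

Added example, not from the slides or the Docker registry implementation.
The manifest shape is simplified (schemaVersion + layers with digest/size);
layer blobs are constructed in-memory samples.
"""
import hashlib
import json
from typing import Dict, List


def blob_digest(blob: bytes) -> str:
    """Registry-style content digest of a blob: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_manifest(layers: List[bytes]) -> Dict:
    """Build a simplified manifest whose layer entries are digests + sizes."""
    return {
        "schemaVersion": 2,
        "layers": [{"digest": blob_digest(b), "size": len(b)} for b in layers],
    }


def manifest_digest(manifest: Dict) -> str:
    """Digest of the canonical manifest bytes; this is what a client pins or signs.

    Because the manifest carries the layer digests, pinning this one value
    fixes the content of every layer (digests + manifest define content and
    relationships, as the slide puts it).
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return blob_digest(canonical)


def verify_layers(manifest: Dict, fetched: Dict[str, bytes]) -> List[str]:
    """Return the problems found; an empty list means every layer verified.

    `fetched` maps the digest the client asked for to the bytes it received.
    Size is checked before the hash so a truncated or padded blob is reported
    as such rather than as a bare digest mismatch.
    """
    problems = []
    for entry in manifest["layers"]:
        want = entry["digest"]
        if not want.startswith("sha256:") or len(want) != len("sha256:") + 64:
            problems.append(f"{want}: unsupported or malformed digest")
            continue
        data = fetched.get(want)
        if data is None:
            problems.append(f"{want}: layer missing")
            continue
        if len(data) != entry["size"]:
            problems.append(f"{want}: size {len(data)} != manifest size {entry['size']}")
            continue
        if blob_digest(data) != want:
            problems.append(f"{want}: content digest mismatch")
    return problems


# Constructed sample layers (in a real pull these are the tar.gz layer blobs).
LAYERS = [b"layer-1: base filesystem", b"layer-2: application files"]
MANIFEST = build_manifest(LAYERS)


def demo_tampered() -> List[str]:
    """Simulate an untrusted mirror that swapped the second layer's content."""
    fetched = {blob_digest(b): b for b in LAYERS}
    second = MANIFEST["layers"][1]["digest"]
    fetched[second] = b"layer-2: application fileZ"  # same length, different bytes
    return verify_layers(MANIFEST, fetched)


if __name__ == "__main__":
    print(verify_layers(MANIFEST, {blob_digest(b): b for b in LAYERS}))  # []
    print(demo_tampered())  # one '... content digest mismatch' entry
    print(manifest_digest(MANIFEST))
```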
  • 19. Possible Attacks on Containers (1/3)
•  Forkbomb (fork() fork() fork() …): DoS on host; host unusable within seconds
•  Multiple solutions, e.g.,
– limit the number of processes in each container using nproc (handled per Linux user)
– cgroup PID space, coming in Linux kernel 4.3
– watchdog
  • 20. Possible Attacks on Containers (2/3)
•  Resource exhaustion on host storage due to bind-mounted files -> DoS (hard disk full)
– /etc/hosts, /etc/resolv.conf, /etc/hostname (used during container linking)
•  Multiple solutions:
– read-only, pass as Docker volume, watchdog
Pass as volume: https://github.com/docker/docker/pull/14613
  • 21. Possible Attacks on Containers (3/3)
•  Application-level vulnerabilities (e.g., weak credentials)
– Not a Docker issue
•  Security bad practice: specifying passwords in a Dockerfile
– Passwords are then baked into a Docker image
– Recommended best practice: do not include passwords in a Dockerfile
•  If applications with vulnerabilities or weak passwords deployed in Docker containers are exposed to the Internet
– Potential for getting hacked
•  Follow security best practices for the application as well
  • 22. Putting It All Together (1/2)
Coloring on the slide: black = out of the box; red = inherent issue with Docker; orange = not implemented in Docker yet.
•  Isolation from other containers: kernel namespaces for isolating from other containers: pid, net, ipc, mnt, utc, uts
•  Resource isolation: leverage cgroups for resource isolation. Network traffic shaping is an issue with default networking.
•  Kernel sharing among containers: all Docker containers share the host kernel, but not all syscalls and capabilities are exposed to Docker containers
•  Capability limitation: limited set of Linux capabilities each container is started with. A change of capabilities must be appropriately authorized.
•  Restrict Docker API calls: users should not create privileged containers or change capabilities without authorization
•  Docker Registry: use the v2 registry, which has signatures for images and layers
  • 23. Putting It All Together (2/2)
Coloring on the slide: black = out of the box; red = inherent issue with Docker; orange = not implemented in Docker yet.
•  Host root isolation: user namespaces
•  Linux Security Module: use an LSM (AppArmor/SELinux) for container and Docker engine confinement
•  Docker engine configuration: configure the Docker engine appropriately
•  Host security: follow best practice for securing a host (e.g., STIG, firewall, auditd)
•  Hardware-assisted verification and isolation: use trusted computing and TPM for host integrity verification and VT-d for better isolation …
•  Define security tests for checking various aspects of the system
  • 24. Useful Links (1/2)
Docker configuration
•  https://docs.docker.com/reference/run/
•  https://docs.docker.com/installation/ubuntulinux/
•  https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
Docker security checklist
•  https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
•  https://github.com/docker/docker-bench-security
cgroups
•  https://lwn.net/Articles/648292/
•  https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt
•  https://github.com/torvalds/linux/blob/master/kernel/cgroup_pids.c
Docker CPU constraints
•  http://docs.docker.com/engine/reference/run/#cpu-share-constraint
•  http://docs.docker.com/engine/reference/run/#cpu-period-constraint
•  http://docs.docker.com/engine/reference/run/#cpu-quota-constraint
•  http://docs.docker.com/engine/reference/run/#cpuset-constraint
  • 25. Useful Links (2/2)
AppArmor
•  http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
Linux capabilities
•  http://linux.die.net/man/7/capabilities
Linux user namespaces
•  http://man7.org/linux/man-pages/man7/user_namespaces.7.html
Linux Completely Fair Scheduler
•  http://www.ibm.com/developerworks/library/l-completely-fair-scheduler/
Seccomp
•  http://man7.org/linux/man-pages/man2/seccomp.2.html
Red Hat Security Technical Implementation Guide
•  https://www.stigviewer.com/stig/red_hat_enterprise_linux_6
Side channel attacks against multi-core processors
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-i/
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-ii/
•  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in-cross-vm-scenarios-part-iii/