Docker Security In Production
#DevOps #Infrastructure #Deployment #Security
What this talk is NOT about
➔ CI/CD chain security (git / notary / registry)
◆ … export DOCKER_CONTENT_TRUST=1
➔ Microservices architecture
◆ … secret management (Vault et al.)
◆ … orchestration & deployment strategies
➔ Keeping binaries & libs up to date in production
➔ Monitoring / Alerting / Metrics / SOC / SIEM / etc.
Type of attack / Threat “hierarchy”
Type of attack                  | Threat “hierarchy”
Infrastructure information leak | Reconnaissance
Denial of Service               | Loss of Availability
Data corruption                 | Loss of Integrity
Software & Crypto exploit       | Loss of Confidentiality
Container escape                | Privilege Escalation to Host
Root / Kernel exploit           | Host Auditability compromised
Hypervisor escape               | Pivot to other Host
Hardware implant, etc.          | Tin foil hat & Cryptopocalypse!
Docker builds on Kernel & Host Security
➔ Grsecurity kernel
Randomization++, Bound checking,
Fork delay, Hardened seccomp BPF
➔ SELinux / AppArmor
Complex execution profiles, {White,Black}-listing
➔ Sysctl settings
fd limit, IP stack, sysrq, buffers, etc.
➔ Unattended-upgrades
And all the typical hardening & distro compile flags!
Docker Daemon
➔ Limit the docker group: docker.sock
Access to the socket = root on the host (the daemon runs as root and will bind-mount / or start --privileged containers for anyone who can talk to it)
➔ Authorization plugin API
Docker 1.10+: --authorization-plugin
A plugin can allow or deny each API request, which mitigates the all-or-nothing socket access above
➔ docker-machine & TLS
Use --tlsverify with --tlscacert / --tlscert / --tlskey (port 2376; never expose the plaintext API on 2375)
➔ SELinux / AppArmor profile for the daemon
apparmor.d/docker + restrictions
Limit paths, resources, etc.
➔ Export logs outside of the host
--log-driver= (syslog, fluentd, ...) so a compromised host cannot rewrite its own audit trail
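The daemon-level options from this slide and the networking, ulimit and namespace slides, collected into /etc/docker/daemon.json. This is an added example, not configuration from the original deck: the management IP, certificate paths, the plugin name (authz-broker) and the syslog endpoint are placeholders to replace with your own.

```json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "authorization-plugins": ["authz-broker"],
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "tcp+tls://logs.example.internal:6514",
    "syslog-tls-ca-cert": "/etc/docker/certs/syslog-ca.pem",
    "tag": "{{.Name}}/{{.ID}}"
  },
  "userns-remap": "default",
  "icc": false,
  "userland-proxy": false,
  "default-ulimits": {
    "nofile": { "Name": "nofile", "Soft": 1024, "Hard": 4096 },
    "nproc":  { "Name": "nproc",  "Soft": 64,   "Hard": 128 }
  }
}
```

Two caveats when applying it: on distributions whose systemd unit already passes `-H fd://` to dockerd, `hosts` must be set in one place only (the daemon refuses to start if a directive appears both as a flag and in the file), and `icc: false` only governs the default bridge; containers on a user-defined network can still reach each other, so put tiers on separate networks.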
cgroups hardware resource limits
➔ Mitigate potential DoS attacks
Limit memory, disk, network I/O & CPU share
➔ cgroups only limit resource share, not access
They do not block access to:
kcore, modprobe, sysrq, mknod, eth0, ... (that is the job of capabilities, LSM profiles and the device cgroup)
➔ You can define your own initial cgroup
--cgroup-parent to place containers under an existing cgroup and inherit its limits
Limiting CPU usage
➔ Limit the total or relative amount of CPU time share
--cpu-shares relative weight, default 1024 (compose: cpu_shares: 100)
--cpu-period CFS (QoS) period
--cpu-quota CFS (QoS) quota, a hard cap (e.g. --cpu-period=100000 --cpu-quota=50000 = half of one CPU)
➔ Limit which CPUs or memory nodes can be used
--cpuset-cpus CPU affinity (compose: cpuset: "0,1")
--cpuset-mems NUMA memory nodes (e.g. 0-3 or 0,1)
Limiting memory usage
➔ Limit a container’s memory usage
Limit: --memory=1g (compose: mem_limit:)
Soft limit: --memory-reservation
➔ Limit swap usage
Total limit (memory + swap): --memory-swap (compose: memswap_limit:); set it equal to --memory to forbid swap entirely
Swappiness: --memory-swappiness=0..100
** Debian/Ubuntu hosts need GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" for swap accounting to work **
➔ Limit the container’s kernel memory usage
--kernel-memory limit
➔ Verify the out-of-memory kernel policy
--oom-kill-disable & --oom-score-adj
Never use --oom-kill-disable without --memory: the host OOM killer will then kill host processes instead of the container
Device I/O & Filesystems
➔ Put docker on its own partition
/var/lib/docker as a ZFS/BTRFS volume (snapshots, quotas, and a runaway image cannot fill /)
➔ Minimum rights on devices
"rwm" permissions, e.g. --device=/dev/zero:/dev/zero:r (compose: devices:)
➔ Mount root & volumes read-only
For volumes: -v /host/path:/path:ro,z (z = shared SELinux label, Z = private label)
For root (/): --read-only (compose: read_only: true)
Use with --shm-size & /dev/shm for pid files, scratch, tmp, etc.
--tmpfs /run:rw,noexec,nodev,nosuid,size=8m
➔ Limit allocated I/O bandwidth
--device-read-bps, --device-write-bps
--device-read-iops, --device-write-iops
--blkio-weight-device (relative weight 10 to 1000)
Networking
➔ Create an internal N-tier architecture
networks: (docker-compose 1.6+ & version: ‘2’) || --net=
➔ Think about inter-container communication
--icc=false + --link= (but links are deprecated), --ip-forward=
➔ Disable the userland proxy
--userland-proxy=false … saves memory & is faster (port publishing is done with iptables DNAT and hairpin NAT instead)
➔ Use iptables and tc
Limit access and apply QoS if necessary.
System resources & ulimits
➔ Set your typical soft & hard limits
Daemon: --default-ulimit nofile=50:100
Container: --ulimit nofile=50:100
compose 1.6+: ulimits: nofile: {soft: 50, hard: 100}
➔ Prevent fork bombs: thread / process limits
compose 1.6+: ulimits: nproc: {soft: 32, hard: 64}
Caveat: nproc is a per-UID limit shared across every container running as that UID, not a per-container one
Docker 1.11+ & kernel 4.3+: --pids-limit (pids cgroup: per container, independent of the UID)
➔ Think about your restart policy
restart: always? no? (always keeps a service up, but also brings back a container you might rather stop and inspect)
Namespaces
➔ Currently namespaced resources (mainline kernel)
mount, UTS, IPC, PID, NET, user (UID/GID), cgroup (4.6+); audit and syslog namespaces were proposed but never merged
--userns-remap=default (new in 1.10+), *but*:
Per daemon, not per container (--userns=host not yet in compose)
Volume UID/GID are also remapped: host files must be chowned to the subordinate range
Incompatible with sharing the host’s IPC/PID/NET namespaces and, in 1.10, with a read-only rootfs,
e.g. --net=host, --pid=host, --net=container:app1, --read-only ...
➔ NOT (yet) namespaced
The kernel itself, LSM policy, UID (by default), keyring,
ring buffer (dmesg: set sysctl kernel.dmesg_restrict=1 so reading it needs CAP_SYSLOG), /proc/sys, /sys, /dev/shm ...
➔ A lot of work & cleanup still required for namespaces
Many holes over the years:
CVE-2010-0006, CVE-2011-2189, CVE-2013-1858, CVE-2013-1956, CVE-2013-4205,
CVE-2014-4014, CVE-2014-5206, CVE-2014-5207, CVE-2014-8989, CVE-2015-8709, (!)
Capabilities
➔ Default capabilities (14):
cap_chown, cap_dac_override, cap_fowner, cap_fsetid, cap_kill, cap_setgid, cap_setuid, cap_setpcap,
cap_net_bind_service, cap_net_raw, cap_sys_chroot, cap_mknod, cap_audit_write, cap_setfcap
➔ Useful but incomplete security model
Some are very granular: MKNOD
Others are effectively root: SYS_ADMIN, SYS_MODULE, SYS_PTRACE, DAC_READ_SEARCH, ...
➔ Use whitelisting: --cap-drop=ALL
Then --cap-add=SETUID etc., one at a time, until the service runs
➔ RUN setcap cap_mknod+ep /bin/mknod
File capabilities instead of SUID binaries
Caveat: a file capability only takes effect if it is still in the container’s bounding set (--cap-drop=ALL without --cap-add=MKNOD silently discards it), and no-new-privileges disables file capabilities altogether
➔ The default capability set is too broad for most services
SETUID, SETGID, MKNOD, NET_RAW, ...
Seccomp (Secure Computing)
➔ Extremely granular filter
BPF filters on syscalls + their arguments
Docker 1.10+ ships a default whitelist profile: defaultAction SCMP_ACT_ERRNO plus an explicit allow list, blocking ~44 of the 300+ syscalls (mount, ptrace, reboot, kexec_load, ...)
➔ Use tools to create profiles
dockersl.im, genSeccomp.sh, etc., or list what a binary actually calls:
strace -c -f -S name ls 2>&1 >/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}'
(only the code paths exercised under strace show up: trace the real test suite, not just ls)
➔ --security-opt seccomp=/path/profile.json (compose: security_opt: - seccomp:/path/profile.json)
Disable default seccomp filtering with --security-opt seccomp=unconfined (debugging only)
➔ Use --security-opt no-new-privileges (compose: security_opt: - no-new-privileges)
Keeps UID, GID & LSM labels across execve; cannot gain capabilities through SUID binaries or file capabilities
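The strace one-liner above only yields a list of syscall names; the script below turns that list into a profile Docker will load. It is an added example written for this page, not code from the deck, from dockersl.im or from Docker itself. The strace summary it parses is a constructed sample of `strace -c -f -S name ls` output, the always-allowed baseline set is an assumption (a short trace can miss the calls needed to start and exit), and the architecture list assumes an x86_64 host.

```python
"""Turn an `strace -c` syscall summary into a Docker seccomp allow-list.

Added example for this deck, not Docker's or the slide author's code. It
consumes the summary that the strace one-liner on the seccomp slide
extracts and emits the profile format accepted by
`docker run --security-opt seccomp=profile.json`.
"""
import json
import sys

# Constructed sample of `strace -c -f -S name ls` output (strace writes
# this summary to stderr). Columns: % time, seconds, usecs/call, calls,
# optional errors, syscall. Rows with an error count have one more field.
SAMPLE_STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.00    0.000000           0         1         1 access
  0.00    0.000000           0         3           brk
  0.00    0.000000           0         2           close
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         1         1 ioctl
  0.00    0.000000           0         4           mmap
  0.00    0.000000           0         2           mprotect
  0.00    0.000000           0         1           munmap
  0.00    0.000000           0         2           openat
  0.00    0.000000           0         1           read
  0.00    0.000000           0         1           write
------ ----------- ----------- --------- --------- ----------------
100.00    0.000000                    21         2 total
"""

# Assumption: a short trace may not show the calls every container needs
# to start (runc execs the entrypoint after installing the filter) and to
# exit cleanly, so they are always allowed.
ALWAYS_ALLOW = frozenset({"execve", "exit", "exit_group", "rt_sigreturn"})

# Architectures the filter is installed for; x86 and x32 are included so
# a 32-bit binary inside the image cannot sidestep the filter.
ARCHITECTURES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]


def parse_strace_summary(text):
    """Return the set of syscall names in an `strace -c` summary."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Skip the header ("% time ..."), the dashed separators and the
        # final "total" row; the syscall name is always the last column.
        if fields[0] in ("%", "------") or fields[-1] in ("syscall", "total"):
            continue
        names.add(fields[-1])
    return names


def build_profile(syscalls):
    """Build an allow-list profile: anything not listed fails with EPERM."""
    allowed = sorted(set(syscalls) | ALWAYS_ALLOW)
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(ARCHITECTURES),
        "syscalls": [
            {"names": allowed, "action": "SCMP_ACT_ALLOW", "args": []},
        ],
    }


def profile_from_strace(text):
    """Parse a summary and return the profile as a JSON string."""
    return json.dumps(build_profile(parse_strace_summary(text)), indent=2)


if __name__ == "__main__":
    # Usage: strace -c -f -S name ./app 2>&1 >/dev/null | python3 gen_seccomp.py > app.json
    # Without piped input the constructed sample above is used.
    summary = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STRACE_SUMMARY
    print(profile_from_strace(summary))
```

The resulting file is an allow list, so a syscall that the trace never saw (a code path only hit under load, a signal handler, a fallback when a file is missing) fails with EPERM at runtime; trace the full test suite with `-f` and diff the generated list against Docker's default profile before shipping it. Argument filters are not derived here: add them by hand for calls like socket or clone where the argument matters.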
Swarm Networking [1.12+]
➔ Swarm init / join
Expose manager nodes carefully (they hold the cluster’s secrets and the Raft store)
Mutually authenticated TLS, AES-GCM, keys rotated every 12 hours (gossip / Raft)
➔ Use overlay network encryption
docker network create -d overlay -o encrypted mynet
- Keys are shared with tasks & services, but not with plain «docker run» containers
➔ Mutually authenticate your microservices too
Microservices should not rely on overlay encryption alone:
authenticate & encrypt [container ↔ container] communications at the application layer (e.g. mutual TLS)
➔ «docker-compose bundle» - experimental status
Lacks support for most useful runtime security options, maybe in 1.13+?
Containers Runtime Security
➔ Never use --privileged
Use the granular controls described above (capabilities, devices, seccomp, LSM profiles)
➔ Run the process as a user
Don’t run as root inside the container: use nobody or, better, a dedicated UID per service (USER in the Dockerfile, --user at run time)
Remove SUID binaries, strip unused files, etc.
➔ Layer as many security features as you can
Not all of them will apply, work, or be enabled on every host
➔ Don’t forget to harden applications!
NGINX configs, exposed services, databases, etc.
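The container-level options from the cgroups, filesystem, ulimits, capabilities, seccomp and runtime slides, combined into one docker-compose v2 file with a two-tier layout (a web service on an external network, a database on an internal one). This is an added example, not a file from the deck: the image names, UIDs, profile paths and limits are placeholders, `pids_limit` assumes compose file format 2.1+, and the SELinux labels only matter on hosts where SELinux is enforcing.

```yaml
version: '2.1'                     # 2.1+ is needed for pids_limit

services:
  web:
    image: registry.example.internal/web:1.4.2   # placeholder image
    user: "65534:65534"            # nobody:nogroup, never root inside
    read_only: true                # immutable root filesystem
    tmpfs:                         # writable scratch space that cannot execute code
      - /run:rw,noexec,nodev,nosuid,size=8m
      - /tmp:rw,noexec,nodev,nosuid,size=64m
    shm_size: 64m
    cap_drop:
      - ALL                        # whitelist from zero ...
    cap_add:
      - NET_BIND_SERVICE           # ... and add back only what was proven necessary
    security_opt:
      - no-new-privileges
      - seccomp:/etc/docker/seccomp/web.json   # placeholder profile path
      - apparmor:docker-web                    # placeholder AppArmor profile name
    pids_limit: 64                 # per-container fork-bomb cap (pids cgroup)
    ulimits:
      nofile:
        soft: 1024
        hard: 4096
    mem_limit: 512m
    memswap_limit: 512m            # equal to mem_limit: no swap at all
    cpu_shares: 512                # half the default weight under contention
    cpu_quota: 50000               # hard cap: half of one CPU per 100ms period
    cpuset: "0,1"
    restart: on-failure:5          # not 'always': a crash loop eventually stops
    logging:
      driver: syslog               # ship off-host, as on the daemon slide
      options:
        tag: "web/{{.ID}}"
    networks:
      - frontend
      - backend

  db:
    image: registry.example.internal/db:9.5      # placeholder image
    user: "999:999"                # placeholder dedicated service UID
    read_only: true
    tmpfs:
      - /run:rw,noexec,nodev,nosuid,size=8m
    volumes:
      - dbdata:/var/lib/db         # the only writable path
      - /etc/db/conf:/etc/db/conf:ro,Z   # host config, read-only, private SELinux label
    cap_drop:
      - ALL                        # a daemon already running as its own UID needs nothing
    security_opt:
      - no-new-privileges
    pids_limit: 256
    ulimits:
      nofile:
        soft: 4096
        hard: 8192
    mem_limit: 2g
    memswap_limit: 2g
    restart: on-failure:5
    networks:
      - backend                    # reachable from web, not from the outside

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true                 # no external connectivity for the data tier

volumes:
  dbdata:
```

Bring it up with `docker-compose up -d` and verify the result rather than trusting the file: `docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.ReadonlyRootfs}} {{.HostConfig.PidsLimit}} {{.HostConfig.SecurityOpt}}' <container>` shows what the daemon actually applied, and docker-bench-security (listed under Tools) checks the same settings across every container on the host.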
References:
https://www.youtube.com/watch?v=UywECF0h3eg (new in 1.10)
https://www.youtube.com/watch?v=7ouzigqFUWU (defcon docker)
https://www.youtube.com/watch?v=iN6QbszB1R8 (defcon container)
https://www.youtube.com/watch?v=_SwxuMGQI2o (microXchg)
https://docs.docker.com/engine/security/security/
https://blog.docker.com/2016/02/docker-engine-1-10-security/
https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.md
http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
https://gallery.mailchimp.com/979c70339150d05eec1531104/files/Docker_Security_Red_Hat.pdf
https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142
https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and-vulnerability-assessment/
http://doger.io
http://www.slideshare.net/Docker/docker-security-workshop-slides
https://www.infoq.com/news/2016/08/secure-docker-microservices (Grattafiori TL;DR for youtube)
https://www.youtube.com/watch?v=346WmxQ5xtk (Grattafiori Docker & High Security)
Tools:
https://github.com/docker/docker-bench-security (Good practices)
http://dockersl.im (Seccomp, etc.)
https://github.com/konstruktoid/Docker/blob/master/Scripts/genSeccomp.sh (Seccomp Profile Generator)
https://github.com/jfrazelle/bane (AppArmor)
Alexandre Guédon
LEAD INFRASTRUCTURE ARCHITECT
alexandre@delvelabs.ca
@peerprod

 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Docker Security in Production Overview

  • 8. Limiting CPU usage
➔ Limit the total or relative amount of CPU time share
--cpu-shares relative weight (== cpu_shares: 100)
--cpu-period CFS (QoS) period
--cpu-quota CFS (QoS) quota
➔ Limit which CPU or RAM node can be used
--cpuset-cpus CPU affinity (== cpu_set: 0,1)
--cpuset-mems Memory NUMA node (ie: 0-3, 0,1)
  • 9. Limiting memory usage
➔ Limit a container’s memory usage
Limit: --memory=1g (== mem_limit:)
Soft Limit: --memory-reservation
➔ Limit swap usage
Total Limit: --memory-swap (== memswap_limit:)
Swappiness: --memory-swappiness
** GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" **
➔ Limit container’s kernel memory usage
--kernel-memory limit
➔ Verify the Out Of Memory kernel policy
--oom-kill-disable & --oom-score-adj
  • 10. Device I/O & Filesystems
➔ Put docker on its own partition
/var/lib/docker as a ZFS/BTRFS volume (snapshots, quotas)
➔ Minimum rights
“rwm” options, i.e: --device=/dev/zero:/dev/zero:r
➔ Mount root & volumes as read-only
For volumes: /path:roz (Zz = SELinux label)
for root (/): read_only: true
Use with --shm-size & /dev/shm for pid files, scratch, tmp, etc.
--tmpfs /run:rw,noexec,nodev,nosuid,size=8m
➔ Limit allocated I/O bandwidth
--device-read-bps, --device-write-bps
--device-read-iops, --device-write-iops
--blkio-weight-device 10 -> 1000
  • 11. Networking
➔ Create an internal N-Tier architecture
networks: ( docker-compose 1.6+ & version: ‘2’ ) || --net=
➔ Think about inter-container communication
--icc=false + --link= (but deprecated), --ip-forward=
➔ Disable userland-proxy
--userland-proxy=false … saves memory & faster
➔ Use iptables and tc
Limit access and use QoS if necessary.
  • 12. System resources & ulimits
➔ Set your typical soft & hard limits
Daemon: --default-ulimit nofile=50:100
Container: --ulimit nofile=50:100
compose 1.6+: ulimits: nofile: soft:50 hard:100
➔ Prevent fork bombs: threads / process limits
compose 1.6+: ulimits: nproc: soft:32 hard:64
Docker 1.11+ & Kernel 4.3+: --pids-limit (cgroup support)
➔ Think about your restart policy
restart: always? no?
  • 13. Namespaces
➔ Currently namespaced resources
Audit, cgroups, IPC, mount, NET, PID, Syslog, UID, UTS
--userns-remap=default (new in 1.10+), *but*:
Per daemon, not per container (--userns=host not yet in compose)
Volumes UID/GID also remapped...
Incompatible with IPC/PID/NET NS sharing...
i.e. --net=container:app1, --readonly filesystem...
➔ NOT (yet) Namespaced
The Kernel, LSM, UID (by default), keyring, ring buffer (dmesg), /proc/{sys}, /sys, /dev/{shm} ...
➔ A lot of work & cleanup still required for namespaces
Many holes over the years: CVE-2010-0006, CVE-2011-2189, CVE-2013-1858, CVE-2013-1956, CVE-2013-4205, CVE-2014-4014, CVE-2014-5206, CVE-2014-5207, CVE-2014-8989, CVE-2015-8709, (!)
  • 14. Capabilities
Default Capabilities: cap_chown cap_dac_override cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_net_bind_service cap_net_raw cap_sys_chroot cap_mknod cap_audit_write cap_setfcap
➔ Useful but incomplete security model
Some are very granular: MKNOD
Others give you root: SYS_ADMIN
➔ Use whitelisting: --cap-drop=all
Then --cap-add=SETUID etc, until it runs
➔ RUN setcap cap_mknod /bin/mknod
Use instead of suid binaries
➔ Default Capabilities are inadequate
SETUID, SETGID, MKNOD, ...
  • 15. Seccomp (Secure Computing)
➔ Extremely granular filter
BPF filters of syscalls + arguments
Docker default blacklist (whitelist in the future)
➔ Use tools to create profiles
dockersl.im, genSeccomp.sh, etc.
strace -c -f -S name ls 2>&1 >/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}'
➔ --seccomp:/path/profile.json
Disable default Seccomp filtering: --seccomp:unconfined
➔ Use security_opt: - no-new-privileges
Keeps UID, GID & LSM Labels + can’t gain Capabilities/SUID
  • 16. Swarm Networking [1.12+]
➔ Swarm init / join
Expose master nodes carefully (hold cluster’s secrets)
Mutually auth. TLS, AES-GCM, 12 hours key rotation (Gossip / Raft)
➔ Use overlay network encryption
docker network create -d overlay -o encrypted mynet
- Keys shared with tasks & services, but not «docker run»
➔ Mutually authenticate your microservices too
Microservices should not rely on overlay encryption:
Authenticate & Encrypt [container ↔ container] communications
➔ «docker-compose bundle» - experimental status
Lacks support for most useful runtime security options, maybe in 1.13+?
  • 17. Containers Runtime Security
➔ Never use --privileged
Use granular solutions previously described
➔ Run process as a user
Don’t run inside container as root: use nobody
Remove SUID, strip unused files, etc.
➔ Layer as many security features
Not all of them will apply, work, be enabled, etc.
➔ Don’t forget to harden applications!
NGINX configs, exposed services, databases, etc.
  • 18. References:
https://www.youtube.com/watch?v=UywECF0h3eg (new in 1.10)
https://www.youtube.com/watch?v=7ouzigqFUWU (defcon docker)
https://www.youtube.com/watch?v=iN6QbszB1R8 (defcon container)
https://www.youtube.com/watch?v=_SwxuMGQI2o (microXchg)
https://docs.docker.com/engine/security/security/
https://blog.docker.com/2016/02/docker-engine-1-10-security/
https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.md
http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
https://gallery.mailchimp.com/979c70339150d05eec1531104/files/Docker_Security_Red_Hat.pdf
https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142
https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and-vulnerability-assessment/
http://doger.io
http://www.slideshare.net/Docker/docker-security-workshop-slides
https://www.infoq.com/news/2016/08/secure-docker-microservices (Grattafiori TL;DR for youtube)
https://www.youtube.com/watch?v=346WmxQ5xtk (Grattafiori Docker & High Security)
Tools:
https://github.com/docker/docker-bench-security (Good practices)
http://dockersl.im (Seccomp, etc.)
https://github.com/konstruktoid/Docker/blob/master/Scripts/genSeccomp.sh (Seccomp Profile Generator)
https://github.com/jfrazelle/bane (AppArmor)
  • 19. Alexandre Guédon LEAD INFRASTRUCTURE ARCHITECT alexandre@delvelabs.ca @peerprod
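Assembling the per-container limits from the CPU, memory, device/filesystem and ulimit slides (8 to 12) into a single command line, as an added example that is not part of the original deck: the function prints the flag set one per line so it can be reviewed or diffed, a check confirms that --memory-swap equals --memory (that equality, not the swappiness knob, is what actually disables swap for the container), and `docker inspect` reads the applied values back from the daemon. The image, container name, numeric limits and the /dev/sda block device are assumptions; the script only calls docker when RUN_DEMO=1 and otherwise prints the command it would run.

```shell
#!/bin/sh
# Added example, not code from the deck: one `docker run` carrying the
# resource, filesystem and ulimit settings from slides 8 to 12, plus a
# read-back of what the daemon actually applied.
# Assumptions: image, container name, the numeric limits and /dev/sda.

IMAGE="${IMAGE:-alpine:3}"         # assumption: image whose command needs no writable rootfs
NAME="${NAME:-hardened-demo}"      # assumption: container name

# One flag per line so the set can be reviewed or diffed in CI.
resource_limit_args() {
    cat <<'EOF'
--memory=256m
--memory-reservation=128m
--memory-swap=256m
--memory-swappiness=0
--cpu-shares=512
--cpu-period=100000
--cpu-quota=50000
--cpuset-cpus=0
--pids-limit=64
--ulimit=nofile=1024:2048
--ulimit=nproc=32:64
--read-only
--tmpfs=/run:rw,noexec,nodev,nosuid,size=8m
--tmpfs=/tmp:rw,noexec,nodev,nosuid,size=16m
--device=/dev/zero:/dev/zero:r
--device-read-bps=/dev/sda:10mb
--device-write-bps=/dev/sda:10mb
--restart=no
EOF
}

# Swap is only disabled when --memory-swap equals --memory (memory-swap is the
# total of RAM plus swap); this check keeps a later edit from silently
# re-enabling swap.
swap_disabled() {
    mem=$(resource_limit_args | sed -n 's/^--memory=//p')
    swap=$(resource_limit_args | sed -n 's/^--memory-swap=//p')
    [ -n "$mem" ] && [ "$mem" = "$swap" ]
}

# Start the container detached with the flag set above (the flags contain no
# whitespace, so word splitting of the command substitution is intended).
run_hardened() {
    # shellcheck disable=SC2046
    docker run -d --name "$NAME" $(resource_limit_args) "$IMAGE" sleep 3600
}

# Read the applied limits back; the template keys are HostConfig fields as
# returned by `docker inspect` (memory in bytes, CPU quota in microseconds).
show_applied_limits() {
    docker inspect --format \
        'Memory={{.HostConfig.Memory}} MemorySwap={{.HostConfig.MemorySwap}} PidsLimit={{.HostConfig.PidsLimit}} CpuQuota={{.HostConfig.CpuQuota}} ReadonlyRootfs={{.HostConfig.ReadonlyRootfs}} Ulimits={{.HostConfig.Ulimits}}' \
        "$1"
}

swap_disabled || echo "warning: swap is not disabled for this container" >&2
if command -v docker >/dev/null 2>&1 && [ "${RUN_DEMO:-0}" = 1 ]; then
    run_hardened && show_applied_limits "$NAME"
else
    # Offline: print the command that would be run.
    printf 'docker run -d --name %s %s %s sleep 3600\n' "$NAME" "$(resource_limit_args | tr '\n' ' ')" "$IMAGE"
fi
```

The read-back step matters because several of these flags are silently ignored when the host lacks support: without the `cgroup_enable=memory swapaccount=1` kernel parameters from slide 9 the daemon warns and applies no swap limit, and `--pids-limit` needs the pids cgroup (Docker 1.11+, kernel 4.3+ per slide 12), so the inspected values, not the command line, are what a deployment check should assert on.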
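Turning the strace pipeline on slide 15 into a seccomp allowlist profile, as an added example that is neither the deck's code nor the genSeccomp.sh or dockersl.im tools it lists: the strace summary below is constructed for the example, a single awk filter does the same extraction as the slide's tail/head/awk chain, and the resulting JSON uses Docker's profile format with SCMP_ACT_ERRNO as the default action, so every syscall the trace did not see fails with EPERM. The run command applies it with the documented `--security-opt seccomp=` form (the slide's `--seccomp:` shorthand) together with `--cap-drop=all` and `no-new-privileges` from slides 14 and 15. The image and the profile path are assumptions; docker is only invoked when RUN_DEMO=1.

```shell
#!/bin/sh
# Added example, not the deck's code nor the genSeccomp.sh/dockersl.im tools:
# build a seccomp allowlist profile from the syscall list that the slide's
# `strace -c -f -S name <cmd> 2>&1 >/dev/null` pipeline yields, then run the
# container with it plus the other runtime hardening from slides 14 and 15.
# Assumptions: the strace summary below is constructed; image and profile
# path are placeholders.

# Constructed sample of an `strace -c` summary (strace prints it on stderr,
# which the slide's `2>&1 >/dev/null` sends into the pipe while the traced
# program's own stdout is discarded).
SAMPLE_STRACE_SUMMARY='% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 25.00    0.000020           4         5           brk
 25.00    0.000020           2        10           close
 20.00    0.000016           2         8         2 openat
 15.00    0.000012           1        12           read
 10.00    0.000008           8         1           execve
  5.00    0.000004           4         1           exit_group
------ ----------- ----------- --------- --------- ----------------
100.00    0.000080                    37         2 total'

# Same extraction as the slide's `tail -n +3 | head -n -2 | awk '{print $NF}'`,
# written as one awk filter: skip the two header lines, the separators and
# the "total" row, keep the syscall name (last column, whether or not the
# errors column is filled), deduplicate.
syscall_names() {
    awk 'NR > 2 && $1 !~ /^-/ && $NF != "total" { print $NF }' | sort -u
}

# Docker seccomp profile: anything not listed fails with EPERM
# (SCMP_ACT_ERRNO), i.e. the allowlist approach the slide anticipates.
seccomp_allowlist_profile() {
    names=$(syscall_names | awk '{ printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 }')
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [${names}],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}
EOF
}

# Profile built from the constructed sample (stand-in for a real trace).
sample_profile() {
    printf '%s\n' "$SAMPLE_STRACE_SUMMARY" | seccomp_allowlist_profile
}

# Apply the profile with the documented --security-opt form (the slide's
# `--seccomp:` shorthand), drop every capability and forbid gaining
# privileges through setuid binaries or file capabilities.
run_with_profile() {
    profile="$1"; image="$2"; shift 2
    docker run --rm \
        --security-opt "seccomp=$profile" \
        --security-opt no-new-privileges \
        --cap-drop=all \
        --user nobody \
        "$image" "$@"
}

PROFILE="${PROFILE:-${TMPDIR:-/tmp}/profile.json}"   # assumption: output path
sample_profile > "$PROFILE"
echo "wrote $PROFILE allowing: $(printf '%s\n' "$SAMPLE_STRACE_SUMMARY" | syscall_names | tr '\n' ' ')"
if command -v docker >/dev/null 2>&1 && [ "${RUN_DEMO:-0}" = 1 ]; then
    run_with_profile "$PROFILE" alpine:3 ls /     # assumption: alpine image
fi
```

A profile generated this way only covers the code paths the traced run exercised and the architecture it ran on, so exercise the application's real workload (signal handling, reloads, error paths) under strace before trusting the list, and roll the profile out in staging first: a syscall missing from the allowlist surfaces as an EPERM at runtime, which is the failure mode to watch for in the container's logs.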