SlideShare a Scribd company logo

Docker Security in Production Overview

Delve Labs
Delve Labs

Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments. https://www.delve-labs.com

1 of 19
Downloaded 38 times
Docker Security In Production #DevOps #Infrastructure #Deployment #Security
➔ CI/CD chain security ( git / notary / registry ) ◆ … export DOCKER_CONTENT_TRUST=1 ➔ Microservices architecture ◆ … secret management (Vault & al.) ◆ … Orchestration & Deployment Strategies ➔ Keeping binaries & libs. up to date in production ➔ Monitoring / Alerting / Metric / SOC / SIEM / etc. What this talk is NOT about
Docker Security in Production Overview
Infrastructure information leak Denial of Service Data corruption Software & Crypto exploit Container escape Root / Kernel exploit Hypervisor escape Hardware Implant, etc. Reconnaissance Loss of Availability Loss of Integrity Loss of Confidentiality Privilege Escalation to Host Host Auditability compromised Pivot to other Host Tin foil hat & Cryptopocalypse ! Type of attack Threat “hierarchy” ⇦ ⇦ ⇦ ⇦ ⇦ ⇦ ⇦ ⇦
Docker builds on Kernel & Host Security ➔ Grsecurity kernel Randomization++, Bound checking, Fork delay, Hardened seccomp BPF ➔ SELinux / AppArmor Complex execution profiles, {White,Black}-listing ➔ Sysctl settings fd limit, IP stack, sysrq, buffers, etc. ➔ Unattended-upgrades And all the typical hardening & distro compile flags!
Docker Daemon ➔ Limit docker group : docker.sock Access to socket = root ➔ Authorization plugin API Docker 1.10+: --authorization-plugin should help mitigate previous issue soon ➔ docker-machine & TLS Use --tls-verify (port 2376) ➔ SELinux / AppArmor Profile apparmor.d/docker + restrictions limit path, resources, etc. ➔ Export logs outside of host --log-driver= (syslog, fluentd, ...)
cgroups hardware resource limits ➔ Mitigate potential DoS attacks Limit memory, disk, network I/O & CPU share ➔ cgroups only limit resources share, not access Not blocking access to: kcore, modprobe, sysrq, mknod, eth0, ... ➔ You can define your own initial cgroup --cgroup-parent to inherit a previous context
Limiting CPU usage ➔ Limit the total or relative amount of CPU time share --cpu-shares relative weight (== cpu_shares: 100) --cpu-period CFS (QoS) period --cpu-quota CFS (QoS) quota ➔ Limit which CPU or RAM node can be used --cpuset-cpus CPU affinity (== cpu_set: 0,1) --cpuset-mems Memory NUMA node (ie: 0-3, 0,1)
Limiting memory usage ➔ Limit a container’s memory usage Limit: --memory=1g (== mem_limit:) Soft Limit: --memory-reservation ➔ Limit swap usage Total Limit: --memory-swap (== memswap_limit:) Swapiness: --memory-swapiness ** GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" ** ➔ Limit container’s kernel memory usage --kernel-memory limit ➔ Verify the Out Of Memory kernel policy --oom-kill-disable & --oom-score-adj
Device I/O & Filesystems ➔ Put docker on its own partition /var/lib/docker as a ZFS/BTRFS volume (snapshots, quotas) ➔ Minimum rights “rwm” options, i.e: --device=/dev/zero:/dev/zero:r ➔ Mount root & volumes as read-only For volumes: /path:roz (Zz = SELinux label) for root (/): read_only: true Use with --shm-size & /dev/shm for pid files, scratch, tmp, etc. --tmpfs /run:rw,noexec,nodev,nosuid,size=8m ➔ Limit allocated I/O bandwidth --device-read-bps, --device-write-bps --device-read-iops, --device-write-iops --blkio-weight-device 10 -> 1000
➔ Create an internal N-Tier architecture networks: ( docker-compose 1.6+ & version: ‘2’ ) || --net= ➔ Think about inter-container communication --icc=false + --link= (but deprecated), --ip-forward= ➔ Disable userland-proxy --userland-proxy=false … saves memory & faster ➔ Use iptables and tc Limit access and use QoS if necessary. Networking
➔ Set your typical soft & hard limits Daemon: --default-ulimit nofile=50:100 Container: --ulimit nofile=50:100 compose 1.6+: ulimit: nofile: soft:50 hard:100 ➔ Prevent fork bombs: threads / process limits compose 1.6+: ulimits: nproc: soft:32 hard:64 Docker 1.11+ & Kernel 4.3+: --pids-limit (cgroup support) ➔ Think about your restart policy restart: always? no? System resources & ulimits
Namespaces ➔ Currently namespaced resources Audit, cgroups, IPC, mount, NET, PID, Syslog, UID, UTS --userns-remap=default (new in 1.10+), *but*: Per daemon, not per container (--userns=host not yet in compose) Volumes UID/GID also remapped... Incompatible with IPC/PID/NET NS sharing... i.e. --net=container:app1, --readonly filesystem... ➔ NOT (yet) Namespaced The Kernel, LSM, UID (by default), keyring, ring buffer (dmesg), /proc/{sys}, /sys, /dev/{shm} ... ➔ A lot of work & cleanup still required for namespaces Many holes over the years: CVE-2010-0006, CVE-2011-2189, CVE-2013-1858, CVE-2013-1956, CVE-2013-4205, CVE-2014-4014, CVE-2014-5206, CVE-2014-5207, CVE-2014-8989, CVE-2015-8709, (!)
Capabilities Default Capabilities cap_chown cap_dac_override cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_net_bind_service cap_net_raw cap_sys_chroot cap_mknod cap_audit_write cap_setfcap ➔ Useful but incomplete security model Some are very granular: MKNOD Others give you root: SYS_ADMIN ➔ Use whitelisting: --cap-drop=all Then --cap-add=SETUID etc, until it runs ➔ RUN setcap cap_mknod /bin/mknod Use instead of suid binaries ➔ Default Capabilities are inadequate SETUID, SETGID, MKNOD, ...
Seccomp (Secure Computing) ➔ Extremely granular filter BPF filters of syscalls + arguments Docker default blacklist (whitelist in the future) ➔ Use tools to create profiles dockersl.im, genSeccomp.sh, etc. strace -c -f -S name ls 2>&1 >/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}' ➔ --seccomp:/path/profile.json Disable default Seccomp filtering --seccomp:unconfined ➔ Use security_opt: - no-new-privileges Keeps UID, GID & LSM Labels + can’t gain Capabilities/SUID
➔ Swarm init / join Expose master nodes carefully (hold cluster’s secrets) Mutually auth. TLS, AES-GCM, 12 hours key rotation (Gossip / Raft) ➔ Use overlay network encryption docker network create -d overlay -o encrypted mynet - Keys shared with tasks & services, but not «docker run» ➔ Mutually authenticate your microservices too Microservices should not rely on overlay encryption: Authenticate & Encrypt [container ↔ container] communications ➔ «docker-compose bundle» - experimental status Lacks support for most useful runtime security options, maybe in 1.13+? Swarm Networking [1.12+]
➔ Never use --privileged Use granular solutions previously described ➔ Run process as a user Don’t run inside container as root: use nobody Remove SUID, strip unused files, etc. ➔ Layer as many security features Not all of them will apply, work, be enabled, etc. ➔ Don’t forget to harden applications! NGINX configs, exposed services, databases, etc. Containers Runtime Security
References: https://www.youtube.com/watch?v=UywECF0h3eg (new in 1.10) https://www.youtube.com/watch?v=7ouzigqFUWU (defcon docker) https://www.youtube.com/watch?v=iN6QbszB1R8 (defcon container) https://www.youtube.com/watch?v=_SwxuMGQI2o (microXchg) https://docs.docker.com/engine/security/security/ https://blog.docker.com/2016/02/docker-engine-1-10-security/ https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.md http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/ https://gallery.mailchimp.com/979c70339150d05eec1531104/files/Docker_Security_Red_Hat.pdf https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142 https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and-vulnerability-assessment/ http://doger.io http://www.slideshare.net/Docker/docker-security-workshop-slides https://www.infoq.com/news/2016/08/secure-docker-microservices (Grattafiori TL;DR for youtube) https://www.youtube.com/watch?v=346WmxQ5xtk (Grattafiori Docker & High Security) Tools: https://github.com/docker/docker-bench-security (Good practices) http://dockersl.im (Seccomp, etc.) https://github.com/konstruktoid/Docker/blob/master/Scripts/genSeccomp.sh (Seccomp Profile Generator) https://github.com/jfrazelle/bane (AppArmor)
Alexandre Guédon LEAD INFRASTRUCTURE ARCHITECT alexandre@delvelabs.ca @peerprod
Ad

Recommended

Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Docker security introduction-task-2016
Docker security introduction-task-2016Docker security introduction-task-2016
Docker security introduction-task-2016
Ricardo Gerardi
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
DevOps.com
 
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, DockerUnder the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, Docker
Docker, Inc.
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
Jim Barlow
 
Exploring Docker Security
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
Patrick Kleindienst
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
Walid Ashraf
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Sematext Group, Inc.
 
dockerizing web application
dockerizing web applicationdockerizing web application
dockerizing web application
Walid Ashraf
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
Sreenivas Makam
 
The state of the swarm
The state of the swarmThe state of the swarm
The state of the swarm
Mathieu Buffenoir
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
allingeek
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Docker toolbox
Docker toolboxDocker toolbox
Docker toolbox
Yonghwee Kim
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
Ben Hall
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
Victor S. Recio
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Docker on openstack by OpenSource Consulting
Docker on openstack by OpenSource ConsultingDocker on openstack by OpenSource Consulting
Docker on openstack by OpenSource Consulting
Open Source Consulting
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations
E-Government Center Moldova
 
Ad

More Related Content

What's hot (20)

Exploring Docker Security
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
Patrick Kleindienst
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
Walid Ashraf
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Sematext Group, Inc.
 
dockerizing web application
dockerizing web applicationdockerizing web application
dockerizing web application
Walid Ashraf
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
Sreenivas Makam
 
The state of the swarm
The state of the swarmThe state of the swarm
The state of the swarm
Mathieu Buffenoir
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
allingeek
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Docker toolbox
Docker toolboxDocker toolbox
Docker toolbox
Yonghwee Kim
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
Ben Hall
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
Victor S. Recio
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Docker on openstack by OpenSource Consulting
Docker on openstack by OpenSource ConsultingDocker on openstack by OpenSource Consulting
Docker on openstack by OpenSource Consulting
Open Source Consulting
 
Exploring Docker Security
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
Patrick Kleindienst
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
Walid Ashraf
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Sematext Group, Inc.
 
dockerizing web application
dockerizing web applicationdockerizing web application
dockerizing web application
Walid Ashraf
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
Sreenivas Makam
 
The state of the swarm
The state of the swarmThe state of the swarm
The state of the swarm
Mathieu Buffenoir
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
allingeek
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Docker toolbox
Docker toolboxDocker toolbox
Docker toolbox
Yonghwee Kim
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Amazon EC2 Container Service in Action
Amazon EC2 Container Service in ActionAmazon EC2 Container Service in Action
Amazon EC2 Container Service in Action
Remotty
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
Ben Hall
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
Victor S. Recio
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Docker on openstack by OpenSource Consulting
Docker on openstack by OpenSource ConsultingDocker on openstack by OpenSource Consulting
Docker on openstack by OpenSource Consulting
Open Source Consulting
 

Viewers also liked (16)

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations
E-Government Center Moldova
 
Data validation - Excel
Data validation - ExcelData validation - Excel
Data validation - Excel
Yi Chiao Cheng
 
Docker Platform and Ecosystem Nov 2015
Docker Platform and Ecosystem Nov 2015Docker Platform and Ecosystem Nov 2015
Docker Platform and Ecosystem Nov 2015
Patrick Chanezon
 
Validation for different kind of data
Validation for different kind of dataValidation for different kind of data
Validation for different kind of data
song_lachinhminh_smile
 
Excel presentation data validation
Excel presentation data validationExcel presentation data validation
Excel presentation data validation
Nagamani Y R
 
Data validation option
Data validation optionData validation option
Data validation option
maheshwarpoloju
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Validation and Verification
Validation and VerificationValidation and Verification
Validation and Verification
mrmwood
 
Validation and verification
Validation and verificationValidation and verification
Validation and verification
De La Salle University-Manila
 
Types of Data Validation
Types of Data ValidationTypes of Data Validation
Types of Data Validation
Metric Fox
 
Harden Your Linux
Harden Your LinuxHarden Your Linux
Harden Your Linux
Tim Hsu
 
Redis, another step on the road
Redis, another step on the roadRedis, another step on the road
Redis, another step on the road
Yi-Feng Tzeng
 
Deploy at scale with CoreOS Kubernetes and Apache Stratos
Deploy at scale with CoreOS Kubernetes and Apache StratosDeploy at scale with CoreOS Kubernetes and Apache Stratos
Deploy at scale with CoreOS Kubernetes and Apache Stratos
Chris Haddad
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
MS EXCEL PPT PRESENTATION
MS EXCEL PPT PRESENTATIONMS EXCEL PPT PRESENTATION
MS EXCEL PPT PRESENTATION
Mridul Bansal
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations E-Notary - From Paper to Online Operations
E-Notary - From Paper to Online Operations
E-Government Center Moldova
 
Data validation - Excel
Data validation - ExcelData validation - Excel
Data validation - Excel
Yi Chiao Cheng
 
Docker Platform and Ecosystem Nov 2015
Docker Platform and Ecosystem Nov 2015Docker Platform and Ecosystem Nov 2015
Docker Platform and Ecosystem Nov 2015
Patrick Chanezon
 
Validation for different kind of data
Validation for different kind of dataValidation for different kind of data
Validation for different kind of data
song_lachinhminh_smile
 
Excel presentation data validation
Excel presentation data validationExcel presentation data validation
Excel presentation data validation
Nagamani Y R
 
Data validation option
Data validation optionData validation option
Data validation option
maheshwarpoloju
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Validation and Verification
Validation and VerificationValidation and Verification
Validation and Verification
mrmwood
 
Validation and verification
Validation and verificationValidation and verification
Validation and verification
De La Salle University-Manila
 
Types of Data Validation
Types of Data ValidationTypes of Data Validation
Types of Data Validation
Metric Fox
 
Harden Your Linux
Harden Your LinuxHarden Your Linux
Harden Your Linux
Tim Hsu
 
Redis, another step on the road
Redis, another step on the roadRedis, another step on the road
Redis, another step on the road
Yi-Feng Tzeng
 
Deploy at scale with CoreOS Kubernetes and Apache Stratos
Deploy at scale with CoreOS Kubernetes and Apache StratosDeploy at scale with CoreOS Kubernetes and Apache Stratos
Deploy at scale with CoreOS Kubernetes and Apache Stratos
Chris Haddad
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
MS EXCEL PPT PRESENTATION
MS EXCEL PPT PRESENTATIONMS EXCEL PPT PRESENTATION
MS EXCEL PPT PRESENTATION
Mridul Bansal
 
Ad

Similar to Docker Security in Production Overview (20)

Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
10 things i wish i'd known before using spark in production
10 things i wish i'd known before using spark in production10 things i wish i'd known before using spark in production
10 things i wish i'd known before using spark in production
Paris Data Engineers !
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)
Masami Hiramatsu
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + Puppet
Omar Reygaert
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
drupal ci cd concept cornel univercity.pptx
drupal ci cd concept cornel univercity.pptxdrupal ci cd concept cornel univercity.pptx
drupal ci cd concept cornel univercity.pptx
rukuntravel
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Android memory analysis Debug slides.pdf
Android memory analysis Debug slides.pdfAndroid memory analysis Debug slides.pdf
Android memory analysis Debug slides.pdf
VishalKumarJha10
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
joshuasoundcloud
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
10 things i wish i'd known before using spark in production
10 things i wish i'd known before using spark in production10 things i wish i'd known before using spark in production
10 things i wish i'd known before using spark in production
Paris Data Engineers !
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)
Masami Hiramatsu
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + Puppet
Omar Reygaert
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
drupal ci cd concept cornel univercity.pptx
drupal ci cd concept cornel univercity.pptxdrupal ci cd concept cornel univercity.pptx
drupal ci cd concept cornel univercity.pptx
rukuntravel
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Android memory analysis Debug slides.pdf
Android memory analysis Debug slides.pdfAndroid memory analysis Debug slides.pdf
Android memory analysis Debug slides.pdf
VishalKumarJha10
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
joshuasoundcloud
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
 
Ad

Recently uploaded (20)

Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 

Docker Security in Production Overview

  • 1. Docker Security In Production #DevOps #Infrastructure #Deployment #Security
  • 2. ➔ CI/CD chain security ( git / notary / registry ) ◆ … export DOCKER_CONTENT_TRUST=1 ➔ Microservices architecture ◆ … secret management (Vault & al.) ◆ … Orchestration & Deployment Strategies ➔ Keeping binaries & libs. up to date in production ➔ Monitoring / Alerting / Metric / SOC / SIEM / etc. What this talk is NOT about
  • 4. Infrastructure information leak Denial of Service Data corruption Software & Crypto exploit Container escape Root / Kernel exploit Hypervisor escape Hardware Implant, etc. Reconnaissance Loss of Availability Loss of Integrity Loss of Confidentiality Privilege Escalation to Host Host Auditability compromised Pivot to other Host Tin foil hat & Cryptopocalypse ! Type of attack Threat “hierarchy” ⇦ ⇦ ⇦ ⇦ ⇦ ⇦ ⇦ ⇦
  • 5. Docker builds on Kernel & Host Security ➔ Grsecurity kernel Randomization++, Bound checking, Fork delay, Hardened seccomp BPF ➔ SELinux / AppArmor Complex execution profiles, {White,Black}-listing ➔ Sysctl settings fd limit, IP stack, sysrq, buffers, etc. ➔ Unattended-upgrades And all the typical hardening & distro compile flags!
  • 6. Docker Daemon ➔ Limit docker group : docker.sock Access to socket = root ➔ Authorization plugin API Docker 1.10+: --authorization-plugin should help mitigate previous issue soon ➔ docker-machine & TLS Use --tls-verify (port 2376) ➔ SELinux / AppArmor Profile apparmor.d/docker + restrictions limit path, resources, etc. ➔ Export logs outside of host --log-driver= (syslog, fluentd, ...)
  • 7. cgroups hardware resource limits ➔ Mitigate potential DoS attacks Limit memory, disk, network I/O & CPU share ➔ cgroups only limit resources share, not access Not blocking access to: kcore, modprobe, sysrq, mknod, eth0, ... ➔ You can define your own initial cgroup --cgroup-parent to inherit a previous context
  • 8. Limiting CPU usage ➔ Limit the total or relative amount of CPU time share --cpu-shares relative weight (== cpu_shares: 100) --cpu-period CFS (QoS) period --cpu-quota CFS (QoS) quota ➔ Limit which CPU or RAM node can be used --cpuset-cpus CPU affinity (== cpu_set: 0,1) --cpuset-mems Memory NUMA node (ie: 0-3, 0,1)
  • 9. Limiting memory usage ➔ Limit a container’s memory usage Limit: --memory=1g (== mem_limit:) Soft Limit: --memory-reservation ➔ Limit swap usage Total Limit: --memory-swap (== memswap_limit:) Swapiness: --memory-swapiness ** GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" ** ➔ Limit container’s kernel memory usage --kernel-memory limit ➔ Verify the Out Of Memory kernel policy --oom-kill-disable & --oom-score-adj
  • 10. Device I/O & Filesystems ➔ Put docker on its own partition /var/lib/docker as a ZFS/BTRFS volume (snapshots, quotas) ➔ Minimum rights “rwm” options, i.e: --device=/dev/zero:/dev/zero:r ➔ Mount root & volumes as read-only For volumes: /path:roz (Zz = SELinux label) for root (/): read_only: true Use with --shm-size & /dev/shm for pid files, scratch, tmp, etc. --tmpfs /run:rw,noexec,nodev,nosuid,size=8m ➔ Limit allocated I/O bandwidth --device-read-bps, --device-write-bps --device-read-iops, --device-write-iops --blkio-weight-device 10 -> 1000
  • 11. ➔ Create an internal N-Tier architecture networks: ( docker-compose 1.6+ & version: ‘2’ ) || --net= ➔ Think about inter-container communication --icc=false + --link= (but deprecated), --ip-forward= ➔ Disable userland-proxy --userland-proxy=false … saves memory & faster ➔ Use iptables and tc Limit access and use QoS if necessary. Networking
  • 12. ➔ Set your typical soft & hard limits Daemon: --default-ulimit nofile=50:100 Container: --ulimit nofile=50:100 compose 1.6+: ulimit: nofile: soft:50 hard:100 ➔ Prevent fork bombs: threads / process limits compose 1.6+: ulimits: nproc: soft:32 hard:64 Docker 1.11+ & Kernel 4.3+: --pids-limit (cgroup support) ➔ Think about your restart policy restart: always? no? System resources & ulimits
  • 13. Namespaces ➔ Currently namespaced resources Audit, cgroups, IPC, mount, NET, PID, Syslog, UID, UTS --userns-remap=default (new in 1.10+), *but*: Per daemon, not per container (--userns=host not yet in compose) Volumes UID/GID also remapped... Incompatible with IPC/PID/NET NS sharing... i.e. --net=container:app1, --readonly filesystem... ➔ NOT (yet) Namespaced The Kernel, LSM, UID (by default), keyring, ring buffer (dmesg), /proc/{sys}, /sys, /dev/{shm} ... ➔ A lot of work & cleanup still required for namespaces Many holes over the years: CVE-2010-0006, CVE-2011-2189, CVE-2013-1858, CVE-2013-1956, CVE-2013-4205, CVE-2014-4014, CVE-2014-5206, CVE-2014-5207, CVE-2014-8989, CVE-2015-8709, (!)
  • 14. Capabilities Default Capabilities cap_chown cap_dac_override cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_net_bind_service cap_net_raw cap_sys_chroot cap_mknod cap_audit_write cap_setfcap ➔ Useful but incomplete security model Some are very granular: MKNOD Others give you root: SYS_ADMIN ➔ Use whitelisting: --cap-drop=all Then --cap-add=SETUID etc, until it runs ➔ RUN setcap cap_mknod /bin/mknod Use instead of suid binaries ➔ Default Capabilities are inadequate SETUID, SETGID, MKNOD, ...
  • 15. Seccomp (Secure Computing) ➔ Extremely granular filter BPF filters of syscalls + arguments Docker default blacklist (whitelist in the future) ➔ Use tools to create profiles dockersl.im, genSeccomp.sh, etc. strace -c -f -S name ls 2>&1 >/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}' ➔ --seccomp:/path/profile.json Disable default Seccomp filtering --seccomp:unconfined ➔ Use security_opt: - no-new-privileges Keeps UID, GID & LSM Labels + can’t gain Capabilities/SUID
  • 16. ➔ Swarm init / join Expose master nodes carefully (hold cluster’s secrets) Mutually auth. TLS, AES-GCM, 12 hours key rotation (Gossip / Raft) ➔ Use overlay network encryption docker network create -d overlay -o encrypted mynet - Keys shared with tasks & services, but not «docker run» ➔ Mutually authenticate your microservices too Microservices should not rely on overlay encryption: Authenticate & Encrypt [container ↔ container] communications ➔ «docker-compose bundle» - experimental status Lacks support for most useful runtime security options, maybe in 1.13+? Swarm Networking [1.12+]
  • 17. ➔ Never use --privileged Use granular solutions previously described ➔ Run process as a user Don’t run inside container as root: use nobody Remove SUID, strip unused files, etc. ➔ Layer as many security features Not all of them will apply, work, be enabled, etc. ➔ Don’t forget to harden applications! NGINX configs, exposed services, databases, etc. Containers Runtime Security
  • 18. References: https://www.youtube.com/watch?v=UywECF0h3eg (new in 1.10) https://www.youtube.com/watch?v=7ouzigqFUWU (defcon docker) https://www.youtube.com/watch?v=iN6QbszB1R8 (defcon container) https://www.youtube.com/watch?v=_SwxuMGQI2o (microXchg) https://docs.docker.com/engine/security/security/ https://blog.docker.com/2016/02/docker-engine-1-10-security/ https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.md http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/ https://gallery.mailchimp.com/979c70339150d05eec1531104/files/Docker_Security_Red_Hat.pdf https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142 https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and-vulnerability-assessment/ http://doger.io http://www.slideshare.net/Docker/docker-security-workshop-slides https://www.infoq.com/news/2016/08/secure-docker-microservices (Grattafiori TL;DR for youtube) https://www.youtube.com/watch?v=346WmxQ5xtk (Grattafiori Docker & High Security) Tools: https://github.com/docker/docker-bench-security (Good practices) http://dockersl.im (Seccomp, etc.) https://github.com/konstruktoid/Docker/blob/master/Scripts/genSeccomp.sh (Seccomp Profile Generator) https://github.com/jfrazelle/bane (AppArmor)