Docker Security
Security of the Docker Platform, and inside Datacenter clusters
Stephane Woillez
stephw@docker.com
SEMEA Technical Sales Lead
@swoillez
Agenda
• Security & Isolation at the Linux level
• Security of the Docker Production platform
• Security of Dockered applications
Security at the Linux Kernel
How Docker leverages Linux capabilities for security
Docker provides Containers, not VMs
Docker leverages Linux Security mechanisms
• Docker uses several mechanisms for security:
– Linux kernel namespaces
– Linux Control Groups (cgroups)
– The Docker daemon
– Linux capabilities (libcap)
– Linux security mechanisms like AppArmor or SELinux
What are Linux kernel namespaces?
• Namespaces are a way to make a global resource appear to be
unique and isolated.
• The namespaces that the Linux kernel can manage are:
– Mount namespaces
– PID namespaces
– UTS namespaces
– IPC namespaces
– Network namespaces
– User namespaces
Examples of Linux namespaces
• Mount namespaces: allow a container to “think” that a directory which is
actually mounted from the host OS is exclusively the container's.
• PID namespaces: let the container think it's a new instance of the OS.
• User namespaces: allow a container to think that it really has user rights
(like root) where in fact it has no rights on the host OS.
• Network namespaces: allow a container to have its own IP addresses,
independent of those of the host. These addresses are not available from
outside of the host; this is private networking similar to that of virtualization.
The Docker service sets up an iptables masquerading rule so that the
container can get to the rest of the Internet.
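The isolation described above only holds while the container actually sits in its own namespaces. The check below is an added example (not from the slides) that compares a process's namespace identities under /proc/<pid>/ns/ with the host's PID 1 and reports every namespace kind the two share; the inode numbers in the sample data are constructed, and the impact wording is this example's own.

```python
import os
from typing import Dict, List, Set

# Namespace kinds from the slide, named as they appear under /proc/<pid>/ns/.
NAMESPACE_KINDS = ("mnt", "pid", "uts", "ipc", "net", "user")

# What it means for a defender when a container process sits in the host's
# namespace of that kind (this example's wording, not the slides').
SHARED_NS_IMPACT = {
    "mnt": "shares the host mount table: host filesystems are reachable",
    "pid": "shares the host PID namespace (--pid=host): host processes are visible and signalable",
    "uts": "shares the host UTS namespace (--uts=host): can change the host's hostname",
    "ipc": "shares the host IPC namespace (--ipc=host): host shared memory and semaphores are reachable",
    "net": "shares the host network stack (--net=host): all host interfaces and sockets are in scope",
    "user": "shares the host user namespace: uid 0 in the container is uid 0 on the host "
            "(Docker's default unless userns-remap is enabled on the daemon)",
}


def read_namespaces(pid: int) -> Dict[str, str]:
    """Read a live process's namespace identities from /proc.

    Each /proc/<pid>/ns/<kind> entry is a symlink whose target looks like
    'net:[4026531992]'. Two processes are in the same namespace of a kind
    exactly when those targets are equal. Reading another process's entries
    needs the same privilege as ptrace on it (root on the host, in practice).
    """
    return {kind: os.readlink(f"/proc/{pid}/ns/{kind}") for kind in NAMESPACE_KINDS}


def shared_namespaces(host_ns: Dict[str, str], proc_ns: Dict[str, str]) -> Set[str]:
    """Return the namespace kinds in which proc_ns is identical to host_ns."""
    return {k for k in NAMESPACE_KINDS if k in proc_ns and proc_ns[k] == host_ns.get(k)}


def isolation_findings(host_ns: Dict[str, str], proc_ns: Dict[str, str]) -> List[str]:
    """One human-readable finding per shared namespace, in NAMESPACE_KINDS order."""
    shared = shared_namespaces(host_ns, proc_ns)
    return [f"{k}: {SHARED_NS_IMPACT[k]}" for k in NAMESPACE_KINDS if k in shared]


# Constructed sample data (inode numbers invented): the host's PID 1 ...
HOST_NS = {
    "mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "uts": "uts:[4026531838]",
    "ipc": "ipc:[4026531839]", "net": "net:[4026531992]", "user": "user:[4026531837]",
}
# ... a container with Docker's default isolation (own mnt/pid/uts/ipc/net,
# but the host's user namespace, because userns-remap is off by default) ...
DEFAULT_CONTAINER_NS = {
    "mnt": "mnt:[4026532201]", "pid": "pid:[4026532203]", "uts": "uts:[4026532202]",
    "ipc": "ipc:[4026532204]", "net": "net:[4026532206]", "user": "user:[4026531837]",
}
# ... and one started with --net=host --pid=host.
HOST_NET_PID_CONTAINER_NS = dict(DEFAULT_CONTAINER_NS, net=HOST_NS["net"], pid=HOST_NS["pid"])


if __name__ == "__main__":
    # On a real host, compare a container's init process against the host's PID 1:
    #   isolation_findings(read_namespaces(1), read_namespaces(container_init_pid))
    for label, ns in (("default", DEFAULT_CONTAINER_NS), ("host net/pid", HOST_NET_PID_CONTAINER_NS)):
        print(label, isolation_findings(HOST_NS, ns) or ["no host namespace shared"])
```

On a live host the container's init PID comes from `docker inspect --format '{{.State.Pid}}' <container>`; the comparison then runs against PID 1 of the host.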
What are Linux Control Groups (cgroups)?
• “Control Groups provide a mechanism for
aggregating/partitioning sets of tasks, and all their future
children, into hierarchical groups with specialized behavior.”
• This allows Docker to put various system resources into a
group and apply limits to it, like how much disk IO, CPU use,
memory use, network use, namespaces.
• This ensures that, even if a container is compromised (or just
spins out of control), there are limits in place which minimize
the risk of that misbehaving container impacting the host or
other containers.
Source: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
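The limits only protect the host if they are actually set: a container started without resource flags gets a cgroup whose memory, CPU and PID limits all read "max" (no limit). The audit below is an added example (not from the slides) that reads a container's cgroup v2 limit files, converts them to limits, and flags each resource left unbounded; the file contents shown are constructed samples and the cgroup v2 unified hierarchy is assumed.

```python
import os
from typing import Dict, List, Optional

# cgroup v2 interface files Docker writes a container's limits to, under
# /sys/fs/cgroup/<container cgroup>/. The literal value "max" means "no limit".
LIMIT_FILES = ("memory.max", "cpu.max", "pids.max")


def read_cgroup_files(cgroup_dir: str) -> Dict[str, str]:
    """Read the limit files of a live cgroup v2 directory into a name -> text map."""
    files = {}
    for name in LIMIT_FILES:
        with open(os.path.join(cgroup_dir, name)) as fh:
            files[name] = fh.read()
    return files


def parse_cgroup_limits(files: Dict[str, str]) -> Dict[str, Optional[float]]:
    """Turn raw file contents into numeric limits; None means 'unlimited'.

    memory.max : "max" or a byte count
    cpu.max    : "<quota> <period>" in microseconds, quota may be "max"
    pids.max   : "max" or a process count
    """
    mem = files["memory.max"].strip()
    quota, period = files["cpu.max"].split()
    pids = files["pids.max"].strip()
    return {
        "memory_bytes": None if mem == "max" else int(mem),
        "cpu_cores": None if quota == "max" else int(quota) / int(period),
        "pids": None if pids == "max" else int(pids),
    }


def audit_limits(limits: Dict[str, Optional[float]]) -> List[str]:
    """Findings for every resource the cgroup leaves unbounded (defender's view)."""
    findings = []
    if limits["memory_bytes"] is None:
        findings.append("memory unlimited: a leak or memory bomb can drive the host into OOM (set --memory)")
    if limits["cpu_cores"] is None:
        findings.append("cpu unlimited: a busy loop can starve co-located containers (set --cpus)")
    if limits["pids"] is None:
        findings.append("pids unlimited: a fork bomb can exhaust the host PID table (set --pids-limit)")
    return findings


# Constructed sample: what the files hold for `docker run` with no resource flags.
UNLIMITED_CONTAINER = {
    "memory.max": "max\n",
    "cpu.max": "max 100000\n",
    "pids.max": "max\n",
}

# Constructed sample: the same files after
# `docker run --memory=512m --cpus=0.5 --pids-limit=256 ...`
LIMITED_CONTAINER = {
    "memory.max": "536870912\n",
    "cpu.max": "50000 100000\n",
    "pids.max": "256\n",
}


if __name__ == "__main__":
    # Live use: read_cgroup_files("/sys/fs/cgroup/system.slice/docker-<id>.scope")
    for label, files in (("unlimited", UNLIMITED_CONTAINER), ("limited", LIMITED_CONTAINER)):
        print(label, audit_limits(parse_cgroup_limits(files)) or ["all three resources bounded"])
```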
The Docker daemon responsibilities
• The docker daemon (/usr/bin/docker) is responsible for managing the
control groups, orchestrating the namespaces, and so on, so that
docker images can be run and secured.
• Because of the need to manage kernel functions, Docker runs with
root privileges. Be aware of this!
• Limit the users who have control of the Docker daemon.
Linux Kernel Capabilities (libcap)
• The root user historically had the ability to do
anything, once authenticated.
• Linux capabilities are a set of fine-grained controls
which allow services, or even users with root
equivalence, to be limited in their scope.
• It also allows non-root users to be granted extra
privileges.
• By default, Docker disallows many root capabilities,
not needed by containers, including the ability to
modify logs, change networking, modify kernel
memory,…
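The capabilities a container really holds can be read from its processes' /proc/<pid>/status. The decoder below is an added example (not from the slides): it turns the CapEff/CapBnd bitmasks into capability names, diffs them against the set Docker grants to a non-privileged container by default, and flags the extras a defender should question. The /proc/status dumps are constructed samples, and the risk wording is this example's own.

```python
import re
from typing import Dict, List, Set

# Capability bit numbers: index = value of CAP_* in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# The capabilities Docker keeps for a non-privileged container by default
# (docker run reference); everything else is dropped from the bounding set.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# Extras that most weaken the container boundary, with why a defender cares.
HIGH_RISK_CAPS = {
    "CAP_SYS_ADMIN": "mounts, namespaces and much more: close to full root on the shared kernel",
    "CAP_SYS_MODULE": "can load kernel modules into the host kernel",
    "CAP_SYS_PTRACE": "can inspect and alter other processes' memory",
    "CAP_SYS_RAWIO": "raw access to devices and I/O ports",
    "CAP_NET_ADMIN": "can reconfigure interfaces, routes and firewall rules (the slide's 'change networking')",
    "CAP_DAC_READ_SEARCH": "bypasses file read permission checks",
}


def decode_caps(hex_mask: str) -> Set[str]:
    """Decode a Cap* hex bitmask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1}


def parse_proc_status(text: str) -> Dict[str, Set[str]]:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines into decoded sets."""
    caps = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", text, re.M):
        caps[m.group(1)] = decode_caps(m.group(2))
    return caps


def unexpected_caps(caps: Dict[str, Set[str]]) -> Set[str]:
    """Capabilities in the bounding set beyond what Docker grants by default."""
    return caps["CapBnd"] - DOCKER_DEFAULT_CAPS


def capability_findings(caps: Dict[str, Set[str]]) -> List[str]:
    """Sorted, human-readable findings for every capability beyond the default set."""
    return [f"{name}: {HIGH_RISK_CAPS.get(name, 'beyond the Docker default set')}"
            for name in sorted(unexpected_caps(caps))]


# Constructed sample: PID 1 of a default `docker run` container (CapBnd a80425fb
# is exactly DOCKER_DEFAULT_CAPS).
DEFAULT_STATUS = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
# Constructed sample: the same container run with --cap-add=SYS_ADMIN --cap-add=NET_ADMIN.
CAP_ADDED_STATUS = DEFAULT_STATUS.replace("a80425fb", "a82435fb")
# Constructed sample: a --privileged container holds the full bounding set.
PRIVILEGED_STATUS = DEFAULT_STATUS.replace("00000000a80425fb", "000001ffffffffff")


if __name__ == "__main__":
    # Live use inside a container: parse_proc_status(open("/proc/1/status").read())
    for label, status in (("default", DEFAULT_STATUS), ("cap-add", CAP_ADDED_STATUS),
                          ("privileged", PRIVILEGED_STATUS)):
        print(label, capability_findings(parse_proc_status(status)) or ["default set only"])
```

The hardening that follows from the finding is the usual one: run with `--cap-drop=ALL` and add back only the capabilities the workload demonstrably needs.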
A Container Security assessment by NCC
Source: NCC Group Whitepaper - Understanding and Hardening Linux Containers
Security of the Docker Production platform
Access Control and Isolation in production clusters
Delivering Containers as a Service (from Developers to IT Operations)
• BUILD: Development Environments
• SHIP: Secure Content & Collaboration
• RUN: Deploy, Manage, Scale
Docker Datacenter: Integrated DevOps Platform
• Universal Control Plane: App and Cluster management
• Docker Trusted Registry: Secure image management & distribution
• Docker Engine: Container Runtime, Orchestration, Networking, volumes, plugins
• Security: Content Trust, RBAC, LDAP/AD
• Integrations: Networking, OS, Volumes, Monitoring, Logging, Config Mgt, Images, CI/CD, ..more..
• Infrastructure: Public Cloud, Physical/Converged, Virtualization
Control: Orchestration and integrations at scale
Universal Control Plane:
• High Availability
• Access Control
• 3rd Party Plugins
• Swarm Managed
• GUI Management
• Docker Native Integration
• Monitoring
Control: Secure Image Collaboration
Trusted Registry components:
• Authorization Server (backed by LDAP/AD)
• Registry Service
• Content Trust (Notary Server)
• Admin Server
• Web UI and CLI
• Log Aggregator and Logs
• Storage: Image Repo, Image Repo, Image Repo
Secure Cluster Management
• Docker 1.12 with built-in
orchestration (clustering
and scheduling)
• Strong default cluster
security
Mutual TLS by default
• Leader acts as CA.
• Any Manager can be
promoted to leader.
• Workers and managers
identified by their
certificate.
• Communications secured
with Mutual TLS.
Support for External CAs
• Managers support BYO CA.
• Forwards CSRs to external
CA.
UCP delivers RBAC with Permission Levels
Security of Dockered Applications
Production Ready, Containers as a Service solution
Layers used by a container are read-only!
Control: Integrated Content Trust (from Developers to IT Operations)
• BUILD: Development Environments
• SHIP: Secure Content & Collaboration
• RUN: Deploy, Manage, Scale
Library of signed and trusted images
Enforce use of only trusted images
Docker Security Scanning Architecture
Threshold signing and gating
Pipeline stages: CI, Security Scanning, Staging, Production (UCP Manager and UCP Workers)
• Sign image to “approve” passing of each stage.
• Policy to check for signatures before deployment.
THANK YOU