SlideShare une entreprise Scribd logo

Tokyo OpenStack Summit 2015: Unraveling Docker Security

Phil Estes
Phil Estes

A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.

Logiciels
1  sur  25
Télécharger pour lire hors ligne
Unraveling Docker Security: Lessons From a Production Cloud Salman Baset1, Stefan Berger2, Dimitrios Pendarakis3 1Research Staff Member, 2STSM, 3Manager and Research Staff Member IBM Research @salman_baset flickr.com/68397968@N07 Philip Estes STSM, IBM Cloud @estesp
Outline •  What is Docker? •  Deployment models for Docker •  Threat model •  Protection against threats •  Docker registry and engine configuration •  Possible attacks •  Putting it all together Acknowledgements: IBM Containers on Bluemix & Docker, OpenStack, and Linux community
engine What is Docker? This talk will focus on Docker container security REST API Shared Linux kernel Client/end user DockerHub Isolation relies on core Linux kernel technologies: cgroups, namespaces, capabilities, LSM restrictions, etc. Build, ship and run distributed applications via a common toolbox... “Docker” is now a fast-growing ecosystem of related projects: •  Compose •  Swarm •  Machine •  Advanced networking •  Registry (DTR) •  Kubernetes/Mesos •  ..among many others $ docker run redis $ docker run nginx $ docker run ..
Deployment Model HostHost Single tenant, known code Containers run inside a machine (VM or baremetal) A model like VM-based multi-tenant clouds Security challenge Focus of this talk HostHost Multi-tenant, unknown code Containers of different tenants run on same machine, virtual nets Expose Docker API to tenants tenant 1 tenant 2
Threat Model – Containers Attacks on Other Containers Running on Same Machine Physical or virtual machine ls /root myfile PID TTY TIME CMD 1 pts/0 00:00:00 bash 1. Which other containers are running and which processes others containers are running? 2. Which files are used by other containers? ifconfig, route, iptables, netstat3. Which network stack is used by other containers? sethostname(), gethostname()4. What is the hostname of other containers? Containers overview: http://www.slideshare.net/jpetazzo/anatomy-of-a-container-namespaces-cgroups-some-filesystem-magic-linuxcon pipe, semaphore, shared memory, memory-mapped file5. Are processes of other containers doing any IPC? Examples
Threat Model – Containers Attacks on Host Machine Misconfigured container Malicious container Physical or virtual machine 1. Is root inside a container also root inside host? 2. Are CPU, memory, disk, and network limits obeyed? 3. Can a container gain privileged capabilities? 4. Are other limits obeyed, e.g., fork(), file descriptors? 5. Can a container mount or DOS host file systems? Examples
Threat Model – Attacks Launched from Public Internet Threat model similar to a VM cloud Not covered in this talk Docker cloud 1. Scan open ports 2. Guess passwords of common services (e.g., ssh) 3. (D)DOS Examples
Isolating from Other Containers •  Kernel namespaces for limited system view – PID space: Process IDs – Mount space: Mount points – Network space: network interfaces/devices, stacks, ports, etc. – UTS space: sethostname(), gethostname() – IPC space: System V IPC, POSIX message queues •  In unprivileged containers, devices must be explicitly passed inside container using --device option Necessary but not sufficient A container started with privileged capabilities can sneak into other containers and load modules Useful links: http://man7.org/linux/man-pages/man7/namespaces.7.html
Isolating from Host •  User namespaces •  cgroups •  Linux capabilities •  Linux security modules AppArmor/SELINUX •  Seccomp •  Docker API •  Docker engine and storage configuration Physical or virtual machine
Isolating from Host – User namespaces •  Key benefit of user namespaces: deprivileged root user 10 $  docker  run  –name  cntr  -­‐v  /bin:/host/bin  -­‐ti  busybox   /  #  id   uid=0(root)  gid=0(root)  groups=10(wheel)   /  #  cd  /host/bin   /host/bin  #  mv  sh  old   mv:  can't  rename  'sh':  Permission  denied   /host/bin  #  cp  /bin/busybox  ./sh   cp:  can't  create  './sh':  File  exists       Host root ≠ Container root $  docker  inspect  -­‐f  ‘{{  .State.Pid  }}’  cntr   8851   $  ps  -­‐u  200000      PID  TTY                    TIME  CMD    8851  pts/7        00:00:00  sh   Will be available in Docker 1.9
•  Resource control - CPU - Memory - Swap - Blkio - Network Physical or virtual machine 0% Isolating from Host (and other containers) – control groups Useful links https://docs.docker.com/reference/run/ https://docs.docker.com/installation/ubuntulinux/ https://lwn.net/Articles/648292/ (cgroups) docker run --cpuset-cpus=0,1 --cpu-shares=512 -m 2G --memory-swap 2G --blkio-weight 500
•  Docker’s cgroup support is a work in progress – New command line options being added – Network cgroup: currently not implemented – Linux kernel. cgroups for PID coming in 4.3 •  cgroup current limitations – Blkio: Bps enforcement seems difficult – Memory: needs configuration tweaking to ensure swap limits – No accounting for size of PID space •  cgroup v2 added to Linux now – Redesigned and improved interface – New hierarchical organization Isolating from Host (and other containers) – cgroups Useful links: http://events.linuxfoundation.org/sites/events/files/slides/2014-KLF.pdf http://events.linuxfoundation.org/sites/events/files/slides/2015-LCJ-cgroup-writeback.pdf
Isolating from Host (and other containers) – Linux Capabilities 13 •  Linux capabilities: fine-grained access control mechanism besides root/non-root •  Restrict the ‘capabilities’ available for a process (or a thread) – e.g., load kernel modules, mount, network admin operations, set time •  Docker by default drops majority (24 out of 37) •  Capabilities can be added to a Docker container – e.g., docker run –cap-add=mount … Physical or virtual machine System Call Interface open() mount() Useful link: https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go https://docs.docker.com/reference/run/ http://linux.die.net/man/7/capabilities cat /proc/self/status | grep Cap CapInh: 00000000a80425fb CapPrm: 00000000a80425fb CapEff: 00000000a80425fb CapBnd: 00000000a80425fb Default Docker capabilities chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
Isolating from Host (and other containers) – LSM 14 Physical or virtual machine •  Linux security modules for Mandatory access control •  AppArmor defines restrictions on – file access, capability, network, mount AppArmor Policy open(‘/etc/hosts’,…) open(‘/dev/kmem’,…) Default Docker AppArmor Profile for Containers •  Denies to sensitive data, e.g., LSM path on host, kernel memory •  Denies unmount •  One single profile for all containers •  Can define custom profile per container Useful links: http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
Isolating from Host – Seccomp 15 •  Strict the system calls that the calling thread is permitted to execute •  Example: CAP_SETUID capability is implemented using four system calls –  setuid(), setreuid(), setresuid(), setfsuid() –  Can restrict which calls within CAP_SETUID capability are called Physical or virtual machine System Call Interface setuid() setreuid() Useful link: http://man7.org/linux/man-pages/man2/seccomp.2.html
Isolating from Host – Restrict Docker API •  Docker engine exposes an API •  API is powerful – and can perform admin operations, e.g., create privileged containers •  In near future, each API call will have authentication and authorization •  Until then, – Restrict the APIs available to an end user, e.g., •  Prevent privileged container creation •  Prevent addition of capabilities •  Ensure appropriate AppArmor profile is used Container clouddocker run --cap-add docker run –security-opt=“apparmor:profile” docker run --privileged
Isolating from Host – Docker Engine and Storage Configuration Docker Engine •  Configure TLS for Docker Engine •  Set appropriate limits, e.g., nproc, file descriptors •  Docker Security Checklist and Docker Bench – https://benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.6_Benchmark_v1.0.0.pdf https://github.com/docker/docker-bench-security Docker Storage •  Consider using devicemapper as storage •  Consider setting the default filesystem of containers as read only •  Bind mounted files in Docker have no quota. Consider making them read only.
Docker Registry Security •  Python-based Docker registry V1 weaknesses: – Image IDs are secrets (effectively) – No content verification; audit/validation difficult – Layer IDs randomly assigned, linked via “parent” entries (poor performance) •  Docker Registry V2 API and implementation in Docker 1.6 – All content is addressable via strong cryptographic hash – Content and naming separated – Safe distribution over untrusted channels, data is verifiable – Signing and verification now enabled via Docker Content Trust – Digests and manifests together uniquely define content+relationships
•  Forkbomb. DOS on host. Host unusable within seconds •  Multiple solutions, e.g., – limit number of processes in each container using nproc (handled per Linux user) – cgroup PID space – coming in Linux kernel 4.3 – watchdog fork() fork()fork() ………… Possible Attacks on Containers (1/3)
•  Resource exhaustion on host storage due to bind-mounted files -> DOS. – /etc/hosts, /etc/resolv.conf, /etc/hostname (used during container linking) •  Multiple solutions: – readonly, pass as Docker volume, watchdog Physical or virtual machine Hard Disk Full … Pass as volume: https://github.com/docker/docker/pull/14613 Possible Attacks on Containers (2/3)
•  Application level vulnerabilities (e.g., weak credentials) – Not a Docker issue •  Security bad practice: specify passwords in a Dockerfile – Passwords are then baked into a Docker image – Recommended best practice to not include passwords in a Dockerfile •  If applications with vulnerabilities or weak passwords deployed in Docker containers are exposed to the Internet – Potential for getting hacked •  Follow security best practices for application as well Possible Attacks on Containers (3/3)
Limited set of Linux capabilities each container is started with. A Change of capabilities must be appropriately authorized.Capability limitation Isolation from other containers Kernel sharing among containers Resource isolation Kernel namespaces for isolating from other containers: pid, net, ipc, mnt, utc, uts Leverage cgroups for resource isolation. Network traffic shaping is an issue with default networking. All Docker containers share host kernel, but not all syscalls and capabilities exposed to docker containers Coloring: Black: is out of box Red: inherent issue with Docker Orange: Not implemented in Docker yet Restrict Docker API Calls Users should not create privileged containers or change capabilities without authorization Docker Registry Use v2 registry that has signatures for images and layers Putting It All Together (1/2)
Follow best practice for securing a host (e.g., STIG firewall, auditd) Linux Security Module Host root isolation Hardware Assisted Verification and Isolation Use Trusted computing and TPM for host integrity verification and VT-d for better isolation … User namespaces Docker Engine Configuration Configure Docker engine appropriately Host Security User LSM (AppArmor/SELINUX) for container and Docker engine confinement Coloring: Black: is out of box Red: inherent issue with Docker Orange: Not implemented in Docker yet Putting It All Together (2/2) Define security tests for checking various aspects of the system
Useful Links (1/2) Docker configuration •  https://docs.docker.com/reference/run/ •  https://docs.docker.com/installation/ubuntulinux/ •  https://github.com/docker/docker/blob/master/daemon/execdriver/ native/template/default_template.go Docker security checklist •  https://benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.6_Benchmark_v1.0.0.pdf •  https://github.com/docker/docker-bench-security cgroups •  https://lwn.net/Articles/648292/ •  https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt •  https://github.com/torvalds/linux/blob/master/kernel/cgroup_pids.c Docker cpu constraints •  http://docs.docker.com/engine/reference/run/#cpu-share-constraint •  http://docs.docker.com/engine/reference/run/#cpu-period-constraint •  http://docs.docker.com/engine/reference/run/#cpu-quota-constraint •  http://docs.docker.com/engine/reference/run/#cpuset-constraint 24
Useful Links (2/2) 25 AppArmor •  http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html Linux capabilities •  http://linux.die.net/man/7/capabilities Linux user namespaces •  http://man7.org/linux/man-pages/man7/user_namespaces.7.html Linux Completely Fair Scheduler •  http://www.ibm.com/developerworks/library/l-completely-fair-scheduler/ Seccomp •  http://man7.org/linux/man-pages/man2/seccomp.2.html Red Hat Security Technical Implementation Guide •  https://www.stigviewer.com/stig/red_hat_enterprise_linux_6 Side channel attacks against multi-core processors •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-i/ •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-ii/ •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-iii/

Recommandé

Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 

Recommandé

Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
KVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackKVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackBoden Russell
 
Docker introduction
Docker introductionDocker introduction
Docker introductiondotCloud
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basicsWalid Ashraf
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionSparkbit
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionPatrick Chanezon
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production OverviewDelve Labs
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesYigal Elefant
 
Introduction To Docker
Introduction To DockerIntroduction To Docker
Introduction To DockerDr. Syed Hassan Amin
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to productionmuayyad alsadi
 
MBA_SERVICES MARKETING
MBA_SERVICES MARKETINGMBA_SERVICES MARKETING
MBA_SERVICES MARKETINGM V
 
What is Docker
What is DockerWhat is Docker
What is DockerPavel Klimiankou
 

Contenu connexe

Tendances

Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
KVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackKVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackBoden Russell
 
Docker introduction
Docker introductionDocker introduction
Docker introductiondotCloud
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basicsWalid Ashraf
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker IntroductionSparkbit
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionPatrick Chanezon
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production OverviewDelve Labs
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesYigal Elefant
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to productionmuayyad alsadi
 

Tendances (20)

Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and How
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
KVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackKVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStack
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Container security
Container securityContainer security
Container security
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basics
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
Introduction To Docker
Introduction To DockerIntroduction To Docker
Introduction To Docker
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 

En vedette

MBA_SERVICES MARKETING
MBA_SERVICES MARKETINGMBA_SERVICES MARKETING
MBA_SERVICES MARKETINGM V
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
 
Docker - Build, Ship, and Run Any App, Anywhere
Docker - Build, Ship, and Run Any App, AnywhereDocker - Build, Ship, and Run Any App, Anywhere
Docker - Build, Ship, and Run Any App, AnywhereCodibly - Software House
 
Pycon Australia 2015: Docker + Python
Pycon Australia 2015: Docker + PythonPycon Australia 2015: Docker + Python
Pycon Australia 2015: Docker + PythonTim Butler
 
DevOps MeetUp NL - Docker (Oct 2014)
DevOps MeetUp NL - Docker (Oct 2014)DevOps MeetUp NL - Docker (Oct 2014)
DevOps MeetUp NL - Docker (Oct 2014)Laurent Guérin
 
Orchestrating Docker containers at scale
Orchestrating Docker containers at scaleOrchestrating Docker containers at scale
Orchestrating Docker containers at scaleMaciej Lasyk
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 

En vedette (8)

MBA_SERVICES MARKETING
MBA_SERVICES MARKETINGMBA_SERVICES MARKETING
MBA_SERVICES MARKETING
 
What is Docker
What is DockerWhat is Docker
What is Docker
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
 
Docker - Build, Ship, and Run Any App, Anywhere
Docker - Build, Ship, and Run Any App, AnywhereDocker - Build, Ship, and Run Any App, Anywhere
Docker - Build, Ship, and Run Any App, Anywhere
 
Pycon Australia 2015: Docker + Python
Pycon Australia 2015: Docker + PythonPycon Australia 2015: Docker + Python
Pycon Australia 2015: Docker + Python
 
DevOps MeetUp NL - Docker (Oct 2014)
DevOps MeetUp NL - Docker (Oct 2014)DevOps MeetUp NL - Docker (Oct 2014)
DevOps MeetUp NL - Docker (Oct 2014)
 
Orchestrating Docker containers at scale
Orchestrating Docker containers at scaleOrchestrating Docker containers at scale
Orchestrating Docker containers at scale
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
 

Similaire à Tokyo OpenStack Summit 2015: Unraveling Docker Security

Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Walid Shaari
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless ContainersAkihiro Suda
 
Resource Management of Docker
Resource Management of DockerResource Management of Docker
Resource Management of DockerSpeedyCloud
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetesKrishna-Kumar
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetesDongwon Kim
 
Cloud Native Computing - Part III - Containers
Cloud Native Computing - Part III - ContainersCloud Native Computing - Part III - Containers
Cloud Native Computing - Part III - ContainersLinjith Kunnon
 

Similaire à Tokyo OpenStack Summit 2015: Unraveling Docker Security (20)

Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Docker Dojo
Docker DojoDocker Dojo
Docker Dojo
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
 
Resource Management of Docker
Resource Management of DockerResource Management of Docker
Resource Management of Docker
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Cloud Native Computing - Part III - Containers
Cloud Native Computing - Part III - ContainersCloud Native Computing - Part III - Containers
Cloud Native Computing - Part III - Containers
 

Plus de Phil Estes

Enabling Security via Container Runtimes
Enabling Security via Container RuntimesEnabling Security via Container Runtimes
Enabling Security via Container RuntimesPhil Estes
 
Extended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use casesExtended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use casesPhil Estes
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerPhil Estes
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A PrimerPhil Estes
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A PrimerPhil Estes
 
Let's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesLet's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesPhil Estes
 
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?Phil Estes
 
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...Phil Estes
 
Giving Back to Upstream | DockerCon 2019
Giving Back to Upstream | DockerCon 2019Giving Back to Upstream | DockerCon 2019
Giving Back to Upstream | DockerCon 2019Phil Estes
 
What's Running My Containers? A review of runtimes and standards.
What's Running My Containers? A review of runtimes and standards.What's Running My Containers? A review of runtimes and standards.
What's Running My Containers? A review of runtimes and standards.Phil Estes
 
Docker London Meetup: Docker Engine Evolution
Docker London Meetup: Docker Engine EvolutionDocker London Meetup: Docker Engine Evolution
Docker London Meetup: Docker Engine EvolutionPhil Estes
 
FOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdateFOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdatePhil Estes
 
CRI Runtimes Deep-Dive: Who's Running My Pod!?
CRI Runtimes Deep-Dive: Who's Running My Pod!?CRI Runtimes Deep-Dive: Who's Running My Pod!?
CRI Runtimes Deep-Dive: Who's Running My Pod!?Phil Estes
 
Docker Athens: Docker Engine Evolution & Containerd Use Cases
Docker Athens: Docker Engine Evolution & Containerd Use CasesDocker Athens: Docker Engine Evolution & Containerd Use Cases
Docker Athens: Docker Engine Evolution & Containerd Use CasesPhil Estes
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?Phil Estes
 
Docker Engine Evolution: From Monolith to Discrete Components
Docker Engine Evolution: From Monolith to Discrete ComponentsDocker Engine Evolution: From Monolith to Discrete Components
Docker Engine Evolution: From Monolith to Discrete ComponentsPhil Estes
 
An Open Source Story: Open Containers & Open Communities
An Open Source Story: Open Containers & Open CommunitiesAn Open Source Story: Open Containers & Open Communities
An Open Source Story: Open Containers & Open CommunitiesPhil Estes
 
Whose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
Whose Job Is It Anyway? Kubernetes, CRI, & Container RuntimesWhose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
Whose Job Is It Anyway? Kubernetes, CRI, & Container RuntimesPhil Estes
 
Containerd Project Update: FOSDEM 2018
Containerd Project Update: FOSDEM 2018Containerd Project Update: FOSDEM 2018
Containerd Project Update: FOSDEM 2018Phil Estes
 
Embedding Containerd For Fun and Profit
Embedding Containerd For Fun and ProfitEmbedding Containerd For Fun and Profit
Embedding Containerd For Fun and ProfitPhil Estes
 

Plus de Phil Estes (20)

Enabling Security via Container Runtimes
Enabling Security via Container RuntimesEnabling Security via Container Runtimes
Enabling Security via Container Runtimes
 
Extended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use casesExtended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use cases
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
Let's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for KubernetesLet's Try Every CRI Runtime Available for Kubernetes
Let's Try Every CRI Runtime Available for Kubernetes
 
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
 
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
 
Giving Back to Upstream | DockerCon 2019
Giving Back to Upstream | DockerCon 2019Giving Back to Upstream | DockerCon 2019
Giving Back to Upstream | DockerCon 2019
 
What's Running My Containers? A review of runtimes and standards.
What's Running My Containers? A review of runtimes and standards.What's Running My Containers? A review of runtimes and standards.
What's Running My Containers? A review of runtimes and standards.
 
Docker London Meetup: Docker Engine Evolution
Docker London Meetup: Docker Engine EvolutionDocker London Meetup: Docker Engine Evolution
Docker London Meetup: Docker Engine Evolution
 
FOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdateFOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project Update
 
CRI Runtimes Deep-Dive: Who's Running My Pod!?
CRI Runtimes Deep-Dive: Who's Running My Pod!?CRI Runtimes Deep-Dive: Who's Running My Pod!?
CRI Runtimes Deep-Dive: Who's Running My Pod!?
 
Docker Athens: Docker Engine Evolution & Containerd Use Cases
Docker Athens: Docker Engine Evolution & Containerd Use CasesDocker Athens: Docker Engine Evolution & Containerd Use Cases
Docker Athens: Docker Engine Evolution & Containerd Use Cases
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?
 
Docker Engine Evolution: From Monolith to Discrete Components
Docker Engine Evolution: From Monolith to Discrete ComponentsDocker Engine Evolution: From Monolith to Discrete Components
Docker Engine Evolution: From Monolith to Discrete Components
 
An Open Source Story: Open Containers & Open Communities
An Open Source Story: Open Containers & Open CommunitiesAn Open Source Story: Open Containers & Open Communities
An Open Source Story: Open Containers & Open Communities
 
Whose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
Whose Job Is It Anyway? Kubernetes, CRI, & Container RuntimesWhose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
Whose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
 
Containerd Project Update: FOSDEM 2018
Containerd Project Update: FOSDEM 2018Containerd Project Update: FOSDEM 2018
Containerd Project Update: FOSDEM 2018
 
Embedding Containerd For Fun and Profit
Embedding Containerd For Fun and ProfitEmbedding Containerd For Fun and Profit
Embedding Containerd For Fun and Profit
 

Dernier

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 

Dernier (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 

Tokyo OpenStack Summit 2015: Unraveling Docker Security

  • 1. Unraveling Docker Security: Lessons From a Production Cloud Salman Baset1, Stefan Berger2, Dimitrios Pendarakis3 1Research Staff Member, 2STSM, 3Manager and Research Staff Member IBM Research @salman_baset flickr.com/68397968@N07 Philip Estes STSM, IBM Cloud @estesp
  • 2. Outline •  What is Docker? •  Deployment models for Docker •  Threat model •  Protection against threats •  Docker registry and engine configuration •  Possible attacks •  Putting it all together Acknowledgements: IBM Containers on Bluemix & Docker, OpenStack, and Linux community
  • 3. engine What is Docker? This talk will focus on Docker container security REST API Shared Linux kernel Client/end user DockerHub Isolation relies on core Linux kernel technologies: cgroups, namespaces, capabilities, LSM restrictions, etc. Build, ship and run distributed applications via a common toolbox... “Docker” is now a fast-growing ecosystem of related projects: •  Compose •  Swarm •  Machine •  Advanced networking •  Registry (DTR) •  Kubernetes/Mesos •  ..among many others $ docker run redis $ docker run nginx $ docker run ..
  • 4. Deployment Model HostHost Single tenant, known code Containers run inside a machine (VM or baremetal) A model like VM-based multi-tenant clouds Security challenge Focus of this talk HostHost Multi-tenant, unknown code Containers of different tenants run on same machine, virtual nets Expose Docker API to tenants tenant 1 tenant 2
  • 5. Threat Model – Containers Attacks on Other Containers Running on Same Machine Physical or virtual machine ls /root myfile PID TTY TIME CMD 1 pts/0 00:00:00 bash 1. Which other containers are running and which processes others containers are running? 2. Which files are used by other containers? ifconfig, route, iptables, netstat3. Which network stack is used by other containers? sethostname(), gethostname()4. What is the hostname of other containers? Containers overview: http://www.slideshare.net/jpetazzo/anatomy-of-a-container-namespaces-cgroups-some-filesystem-magic-linuxcon pipe, semaphore, shared memory, memory-mapped file5. Are processes of other containers doing any IPC? Examples
  • 6. Threat Model – Containers Attacks on Host Machine Misconfigured container Malicious container Physical or virtual machine 1. Is root inside a container also root inside host? 2. Are CPU, memory, disk, and network limits obeyed? 3. Can a container gain privileged capabilities? 4. Are other limits obeyed, e.g., fork(), file descriptors? 5. Can a container mount or DOS host file systems? Examples
  • 7. Threat Model – Attacks Launched from Public Internet Threat model similar to a VM cloud Not covered in this talk Docker cloud 1. Scan open ports 2. Guess passwords of common services (e.g., ssh) 3. (D)DOS Examples
  • 8. Isolating from Other Containers •  Kernel namespaces for limited system view – PID space: Process IDs – Mount space: Mount points – Network space: network interfaces/devices, stacks, ports, etc. – UTS space: sethostname(), gethostname() – IPC space: System V IPC, POSIX message queues •  In unprivileged containers, devices must be explicitly passed inside container using --device option Necessary but not sufficient A container started with privileged capabilities can sneak into other containers and load modules Useful links: http://man7.org/linux/man-pages/man7/namespaces.7.html
  • 9. Isolating from Host •  User namespaces •  cgroups •  Linux capabilities •  Linux security modules AppArmor/SELINUX •  Seccomp •  Docker API •  Docker engine and storage configuration Physical or virtual machine
  • 10. Isolating from Host – User namespaces •  Key benefit of user namespaces: deprivileged root user 10 $  docker  run  –name  cntr  -­‐v  /bin:/host/bin  -­‐ti  busybox   /  #  id   uid=0(root)  gid=0(root)  groups=10(wheel)   /  #  cd  /host/bin   /host/bin  #  mv  sh  old   mv:  can't  rename  'sh':  Permission  denied   /host/bin  #  cp  /bin/busybox  ./sh   cp:  can't  create  './sh':  File  exists       Host root ≠ Container root $  docker  inspect  -­‐f  ‘{{  .State.Pid  }}’  cntr   8851   $  ps  -­‐u  200000      PID  TTY                    TIME  CMD    8851  pts/7        00:00:00  sh   Will be available in Docker 1.9
  • 11. •  Resource control - CPU - Memory - Swap - Blkio - Network Physical or virtual machine 0% Isolating from Host (and other containers) – control groups Useful links https://docs.docker.com/reference/run/ https://docs.docker.com/installation/ubuntulinux/ https://lwn.net/Articles/648292/ (cgroups) docker run --cpuset-cpus=0,1 --cpu-shares=512 -m 2G --memory-swap 2G --blkio-weight 500
  • 12. •  Docker’s cgroup support is a work in progress – New command line options being added – Network cgroup: currently not implemented – Linux kernel. cgroups for PID coming in 4.3 •  cgroup current limitations – Blkio: Bps enforcement seems difficult – Memory: needs configuration tweaking to ensure swap limits – No accounting for size of PID space •  cgroup v2 added to Linux now – Redesigned and improved interface – New hierarchical organization Isolating from Host (and other containers) – cgroups Useful links: http://events.linuxfoundation.org/sites/events/files/slides/2014-KLF.pdf http://events.linuxfoundation.org/sites/events/files/slides/2015-LCJ-cgroup-writeback.pdf
  • 13. Isolating from Host (and other containers) – Linux Capabilities 13 •  Linux capabilities: fine-grained access control mechanism besides root/non-root •  Restrict the ‘capabilities’ available for a process (or a thread) – e.g., load kernel modules, mount, network admin operations, set time •  Docker by default drops majority (24 out of 37) •  Capabilities can be added to a Docker container – e.g., docker run –cap-add=mount … Physical or virtual machine System Call Interface open() mount() Useful link: https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go https://docs.docker.com/reference/run/ http://linux.die.net/man/7/capabilities cat /proc/self/status | grep Cap CapInh: 00000000a80425fb CapPrm: 00000000a80425fb CapEff: 00000000a80425fb CapBnd: 00000000a80425fb Default Docker capabilities chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
  • 14. Isolating from Host (and other containers) – LSM 14 Physical or virtual machine •  Linux security modules for Mandatory access control •  AppArmor defines restrictions on – file access, capability, network, mount AppArmor Policy open(‘/etc/hosts’,…) open(‘/dev/kmem’,…) Default Docker AppArmor Profile for Containers •  Denies to sensitive data, e.g., LSM path on host, kernel memory •  Denies unmount •  One single profile for all containers •  Can define custom profile per container Useful links: http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html
  • 15. Isolating from Host – Seccomp 15 •  Strict the system calls that the calling thread is permitted to execute •  Example: CAP_SETUID capability is implemented using four system calls –  setuid(), setreuid(), setresuid(), setfsuid() –  Can restrict which calls within CAP_SETUID capability are called Physical or virtual machine System Call Interface setuid() setreuid() Useful link: http://man7.org/linux/man-pages/man2/seccomp.2.html
  • 16. Isolating from Host – Restrict Docker API •  Docker engine exposes an API •  API is powerful – and can perform admin operations, e.g., create privileged containers •  In near future, each API call will have authentication and authorization •  Until then, – Restrict the APIs available to an end user, e.g., •  Prevent privileged container creation •  Prevent addition of capabilities •  Ensure appropriate AppArmor profile is used Container clouddocker run --cap-add docker run –security-opt=“apparmor:profile” docker run --privileged
  • 17. Isolating from Host – Docker Engine and Storage Configuration Docker Engine •  Configure TLS for Docker Engine •  Set appropriate limits, e.g., nproc, file descriptors •  Docker Security Checklist and Docker Bench – https://benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.6_Benchmark_v1.0.0.pdf https://github.com/docker/docker-bench-security Docker Storage •  Consider using devicemapper as storage •  Consider setting the default filesystem of containers as read only •  Bind mounted files in Docker have no quota. Consider making them read only.
  • 18. Docker Registry Security •  Python-based Docker registry V1 weaknesses: – Image IDs are secrets (effectively) – No content verification; audit/validation difficult – Layer IDs randomly assigned, linked via “parent” entries (poor performance) •  Docker Registry V2 API and implementation in Docker 1.6 – All content is addressable via strong cryptographic hash – Content and naming separated – Safe distribution over untrusted channels, data is verifiable – Signing and verification now enabled via Docker Content Trust – Digests and manifests together uniquely define content+relationships
  • 19. •  Forkbomb. DOS on host. Host unusable within seconds •  Multiple solutions, e.g., – limit number of processes in each container using nproc (handled per Linux user) – cgroup PID space – coming in Linux kernel 4.3 – watchdog fork() fork()fork() ………… Possible Attacks on Containers (1/3)
  • 20. •  Resource exhaustion on host storage due to bind-mounted files -> DOS. – /etc/hosts, /etc/resolv.conf, /etc/hostname (used during container linking) •  Multiple solutions: – readonly, pass as Docker volume, watchdog Physical or virtual machine Hard Disk Full … Pass as volume: https://github.com/docker/docker/pull/14613 Possible Attacks on Containers (2/3)
  • 21. •  Application level vulnerabilities (e.g., weak credentials) – Not a Docker issue •  Security bad practice: specify passwords in a Dockerfile – Passwords are then baked into a Docker image – Recommended best practice to not include passwords in a Dockerfile •  If applications with vulnerabilities or weak passwords deployed in Docker containers are exposed to the Internet – Potential for getting hacked •  Follow security best practices for application as well Possible Attacks on Containers (3/3)
  • 22. Limited set of Linux capabilities each container is started with. A Change of capabilities must be appropriately authorized.Capability limitation Isolation from other containers Kernel sharing among containers Resource isolation Kernel namespaces for isolating from other containers: pid, net, ipc, mnt, utc, uts Leverage cgroups for resource isolation. Network traffic shaping is an issue with default networking. All Docker containers share host kernel, but not all syscalls and capabilities exposed to docker containers Coloring: Black: is out of box Red: inherent issue with Docker Orange: Not implemented in Docker yet Restrict Docker API Calls Users should not create privileged containers or change capabilities without authorization Docker Registry Use v2 registry that has signatures for images and layers Putting It All Together (1/2)
  • 23. Follow best practice for securing a host (e.g., STIG firewall, auditd) Linux Security Module Host root isolation Hardware Assisted Verification and Isolation Use Trusted computing and TPM for host integrity verification and VT-d for better isolation … User namespaces Docker Engine Configuration Configure Docker engine appropriately Host Security User LSM (AppArmor/SELINUX) for container and Docker engine confinement Coloring: Black: is out of box Red: inherent issue with Docker Orange: Not implemented in Docker yet Putting It All Together (2/2) Define security tests for checking various aspects of the system
  • 24. Useful Links (1/2) Docker configuration •  https://docs.docker.com/reference/run/ •  https://docs.docker.com/installation/ubuntulinux/ •  https://github.com/docker/docker/blob/master/daemon/execdriver/ native/template/default_template.go Docker security checklist •  https://benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.6_Benchmark_v1.0.0.pdf •  https://github.com/docker/docker-bench-security cgroups •  https://lwn.net/Articles/648292/ •  https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt •  https://github.com/torvalds/linux/blob/master/kernel/cgroup_pids.c Docker cpu constraints •  http://docs.docker.com/engine/reference/run/#cpu-share-constraint •  http://docs.docker.com/engine/reference/run/#cpu-period-constraint •  http://docs.docker.com/engine/reference/run/#cpu-quota-constraint •  http://docs.docker.com/engine/reference/run/#cpuset-constraint 24
  • 25. Useful Links (2/2) 25 AppArmor •  http://manpages.ubuntu.com/manpages/raring/man5/apparmor.d.5.html Linux capabilities •  http://linux.die.net/man/7/capabilities Linux user namespaces •  http://man7.org/linux/man-pages/man7/user_namespaces.7.html Linux Completely Fair Scheduler •  http://www.ibm.com/developerworks/library/l-completely-fair-scheduler/ Seccomp •  http://man7.org/linux/man-pages/man2/seccomp.2.html Red Hat Security Technical Implementation Guide •  https://www.stigviewer.com/stig/red_hat_enterprise_linux_6 Side channel attacks against multi-core processors •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-i/ •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-ii/ •  https://securityintelligence.com/side-channel-attacks-against-multicore-processors-in- cross-vm-scenarios-part-iii/