SlideShare a Scribd company logo

LXC, Docker, security: is it safe to run applications in Linux Containers?

Jérôme Petazzoni
Jérôme Petazzoni

The document discusses the security of running applications in Linux containers. It begins by acknowledging that containers were not originally designed with security in mind. However, it then outlines several techniques that can be used to improve security, such as running containers without root privileges, dropping capabilities, enabling security modules like SELinux, and limiting access to devices and system calls. For the most security-sensitive tasks, it recommends running containers inside virtual machines to isolate them further. In the end, it argues that with the right precautions, containers can be used securely for many applications.

Technology
1 of 53
Download to read offline
Is it safe to run applications in Linux Containers? Jérôme Petazzoni Docker Inc. @jpetazzo @docker
...
Yes
/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer * * Demonstrates that any given docker image someone is asking * you to run in your docker setup can access ANY file on your host, * e.g. dumping hosts /etc/shadow or other sensitive info, compromising * security of the host and any other docker VM's on it. * * docker using container based VMM: Sebarate pid and net namespace, * stripped caps and RO bind mounts into container's /. However * as its only a bind-mount the fs struct from the task is shared * with the host which allows to open files by file handles * (open_by_handle_at()). As we thankfully have dac_override and * dac_read_search we can do this. The handle is usually a 64bit * string with 32bit inodenumber inside (tested with ext4). * Inode of / is always 2, so we have a starting point to walk * the FS path and brute force the remaining 32bit until we find the * desired file (It's probably easier, depending on the fhandle export * function used for the FS in question: it could be a parent inode# or * the inode generation which can be obtained via an ioctl). * [In practise the remaining 32bit are all 0 :]
Wait
No!
Docker has changed its security status to It's complicated
Who am I? Why am I here? Jérôme Petazzoni (@jpetazzo) - Grumpy French Linux DevOps Operated dotCloud PAAS for 3+ years - hosts arbitrary code for arbitrary users - each service of each app runs in a container - no major security issue yet (fingers crossed) Containerize all the things! - VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
What are those “containers” ? (1/3) Technically: ~chroot on steroids - a container is a set of processes (running on top of common kernel) - isolated* from the rest of the machine (cannot see/affect/harm host or other containers) - using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...) - and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect) *Limitations may apply.
What are those “containers” ? (2/3) From a distance: looks like a VM - I can SSH into my container - I can have root access in it - I can install packages in it - I have my own eth0 interface - I can tweak routing table, iptables rules - I can mount filesystems - etc.
What are those “containers” ? (3/3) Lightweight, fast, disposable... virtual environments - boot in milliseconds - just a few MB of intrinsic disk/memory usage - bare metal performance is possible The new way to build, ship, deploy, run your apps!
Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years So, what?
Blame Docker
Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years Tools like Docker made containers very easy to use Everybody* wants to deploy containers now But, oops, LXC wasn't made for security We want containers, and we want them now; how can we do that safely? *Okay, almost everybody. If you're not convinced yet of the general awesomeness of Docker and containers, give them a second chance by checking my other talk this afternoon; or the Docker meet-up tomorrow at New Relic.
Some inspirational quotes
“LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé (famous LXC hacker) This was in 2011. The Linux Kernel has changed a tiny little bit since then.
“From security point of view lxc is terrible and may not be consider as security solution.” —someone on Reddit (original spelling and grammar) Common opinion among security experts and paranoid people. To be fair, they have to play safe & can't take risks.
“Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.” —Gentoo Wiki That's just plain false, or misleading, and we'll see why.
“Containers do not contain.” —Dan Walsh (Mr SELinux) This was earlier this year, and this guy knows what he's talking about. Are we in trouble?
“For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.” —J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
Keyword: levels
Let's revisit one of those quotes... “If you have root on a container you have root on the whole box.” Don't give root in the container in the first place If you really have to give root, give looks-like-root If that's not enough, give root but build another wall
Root in the host Root in the container Uruks (intruders)
There is more than one threat model Regular applications - web servers, databases, caches, message queues, ... System services (high level) - logging, remote access, periodic command execution, ... System services (low level) - manage physical devices, networking, filesystems, ... Kernel - security policies, drivers, ... The special case of immutable infrastructure
Regular applications
Regular applications Apache, Nginx, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Cassandra, Hadoop, RabbitMQ... Virtually all your programs in any language (services, web services, workers, everything!) They never ever need any kind of root privilege (except to install packages) Don't run them as root! Ever!
Regular applications Risk: they run arbitrary code - vector: by definition, they are arbitrary code - vector: security breach causes execution of malicious code Fix: nothing - by definition, we are willing to execute arbitrary code here Consequence: assume those apps can try anything to break out
Regular applications Risk: escalate from non-root to root - vector: vulnerabilities in SUID binaries Fix: defang SUID binaries - remove them - remove suid bit - mount filesystem with nosuid
Regular applications Risk: execute arbitrary kernel code - vector: bogus syscall (e.g. vmsplice* in 2008) Fix: limit available syscalls - seccomp-bpf = whitelist/blacklist syscalls Fix: run stronger kernels - GRSEC is a good idea (stable patches for 3.14 since July 4th) - update often (i.e. have efficient way to roll out kernel upgrades) *More details about that: http://lwn.net/Articles/268783/
Regular applications Risk: leak to another container - vector: bug in namespace code; filesystem leak* Fix: user namespaces - map UID in container to a different UID outside - two containers run a process with UID 1000, but it's 14298 and 15398 outside Fix: security modules (e.g. SELinux) - assign different security contexts to containers - those mechanisms were designed to isolate! *Like the one showed in the beginning of this talk!
System services (high level)
System services (high level) SSH, cron, syslog... You use/need them all the time Bad news: they typically run as root Good news: they don't really need root Bad news: it's hard to run them as non-root Good news: they are not arbitrary code
System services (high level) Risk: running arbitrary code as root - vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH) Fix: isolate sensitive services - run SSH on bastion host, or in a VM - note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time)
System services (high level) Risk: messing with /dev - vector: malicious code Fix: “devices” control group - whitelist/blacklist devices - fine-grained: can allow only read, write, none, or both - fine-grained: can specify major+minor number of device
System services (high level) Risk: use of root calls (mount, chmod, iptables...) - vector: malicious code Fix: capabilities - break down “root” into many permissions - e.g. CAP_NET_ADMIN (network configuration) - e.g. CAP_NET_RAW (generate and sniff traffic) - e.g. CAP_SYS_ADMIN (big can of worms )☹ - see capabilities(7)
Interlude: CAP_SYS_ADMIN Operations controlled by CAP_SYS_ADMIN...  quotactl, mount, umount, swapon, swapoff  sethostname, setdomainname  IPC_SET, IPC_RMID on arbitrary System V IPC resources  perform operations on trusted and security Extended Attributes  set realtime priority (ioprio_set + IOPRIO_CLASS_RT)  create new namespaces (clone and unshare + CLONE_NEWNS)
System services (high level) Risk: messing with /proc, /sys - vector: malicious code Fix: prevent unauthorized access control - Mandatory Access Control (AppArmor, SELinux) - remount read-only, then drop CAP_SYS_ADMIN to prevent remount Fix: wider implementation of namespaces - some parts of procfs/sysfs are “namespace-aware” - some aren't, but can be fixed (by writing kernel code)
System services (high level) Risk: leaking with UID 0 - vector: malicious code Fix: user namespaces - already mentioned earlier - UID 0 in the container is mapped to some random UID outside - you break out: you're not root - you manage to issue weird syscalls: they're done as unprivileged UID Caveat: user namespaces are still new. We have to see how they behave with that!
System services (low level)
System services (low level) Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts... You use/need some of them all the time But you don't need any of them in your containers - physical device management is done by the host - network configuration and filesystems are setup by the host Exceptions: - custom mounts (FUSE) - network appliances
System services (low level) Risk: running arbitrary code as root - vector: malformed data or similar Fix: isolate sensitive functions - “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”) - everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context - works well for FUSE, some VPN services
System services (low level) Risk: run arbitrary code with full privileges - vector: needs a process running with full privileges (rare!) - vector: malformed data, unchecked input… classic exploit Fix: treat it as “kernel” - we'll see that immediately in the next section
Kernel
Kernel Drivers - they can talk to the hardware, so they can do pretty much anything - except: virtualize the bus and use e.g. driver domains (Xen) Network stacks - this probably has to live into the kernel for good performance - except: DPDK, OpenOnload... (networking stacks in userspace) Security policies - by definition, they control everything else - except: there might be nested security contexts some day
Kernel Risk: run arbitrary code with absolute privileges Fix: ?
Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
Kernel Risk: run arbitrary code with absolute privileges Fix: give it its own kernel and (virtual) hardware - i.e. run it in a virtual machine - that VM can run in a container - that VM can hold a container - run a privileged container in Docker in a VM in a container in Docker https://github.com/jpetazzo/docker2docker - inb4 xzibit meme
Immutable immutable infrastructure
Immutable immutable infrastructure New rule: the whole container is read-only Compromise: if we must write, write to a noexec area Scalability has never been easier (if totally read-only) It's even harder for malicious users to do evil things
Recap (in no specific order!)  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs
Thank you! Questions?  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs See also: - Docker in Production (1:40pm today) - Office hour (10:40am tomorrow, expo hall Table A) - Docker meet-up at New Relic (tomorrow evening)

Recommended

Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
Kavya Sri
 
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops) Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Joël Séguillon
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
Michal Sedlak
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with Pacemaker
Kris Buytaert
 
How to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesHow to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration Mistakes
NGINX, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
Lisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-onLisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-on
Gluster.org
 

Recommended

Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
Kavya Sri
 
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops) Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Terraform OpenStack : Mise en pratique sur infrastructure OVH (Rennes devops)
Joël Séguillon
 
Linux: LVM
Linux: LVMLinux: LVM
Linux: LVM
Michal Sedlak
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with Pacemaker
Kris Buytaert
 
How to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration MistakesHow to Avoid the Top 5 NGINX Configuration Mistakes
How to Avoid the Top 5 NGINX Configuration Mistakes
NGINX, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
Lisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-onLisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-on
Gluster.org
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
From printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debuggingFrom printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debugging
The Linux Foundation
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Installing and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker ContainerInstalling and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker Container
Docker, Inc.
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
Araf Karsh Hamid
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
Araf Karsh Hamid
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Red Hat Global File System (GFS)
Red Hat Global File System (GFS)Red Hat Global File System (GFS)
Red Hat Global File System (GFS)
Schubert Zhang
 
Introduction to Linux
Introduction to Linux Introduction to Linux
Introduction to Linux
Harish R
 
Comparison between OCFS2 and GFS2
Comparison between OCFS2 and GFS2Comparison between OCFS2 and GFS2
Comparison between OCFS2 and GFS2
Gang He
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
Patrick Coble
 
Linux Basic Commands
Linux Basic CommandsLinux Basic Commands
Linux Basic Commands
Hanan Nmr
 
Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in Android
National Cheng Kung University
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Linux basics part 1
Linux basics part 1Linux basics part 1
Linux basics part 1
Lilesh Pathe
 
KubeConEU - NATS Deep Dive
KubeConEU - NATS Deep DiveKubeConEU - NATS Deep Dive
KubeConEU - NATS Deep Dive
wallyqs
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 

More Related Content

What's hot

From printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debuggingFrom printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debugging
The Linux Foundation
 
Installing and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker ContainerInstalling and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker Container
Docker, Inc.
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Red Hat Global File System (GFS)
Red Hat Global File System (GFS)Red Hat Global File System (GFS)
Red Hat Global File System (GFS)
Schubert Zhang
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
Patrick Coble
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 

What's hot (20)

Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
From printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debuggingFrom printk to QEMU: Xen/Linux Kernel debugging
From printk to QEMU: Xen/Linux Kernel debugging
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
Installing and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker ContainerInstalling and Running Postfix within a Docker Container
Installing and Running Postfix within a Docker Container
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Red Hat Global File System (GFS)
Red Hat Global File System (GFS)Red Hat Global File System (GFS)
Red Hat Global File System (GFS)
 
Introduction to Linux
Introduction to Linux Introduction to Linux
Introduction to Linux
 
Comparison between OCFS2 and GFS2
Comparison between OCFS2 and GFS2Comparison between OCFS2 and GFS2
Comparison between OCFS2 and GFS2
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
Linux Basic Commands
Linux Basic CommandsLinux Basic Commands
Linux Basic Commands
 
Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in Android
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Linux basics part 1
Linux basics part 1Linux basics part 1
Linux basics part 1
 
KubeConEU - NATS Deep Dive
KubeConEU - NATS Deep DiveKubeConEU - NATS Deep Dive
KubeConEU - NATS Deep Dive
 

Viewers also liked

Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
Tom Purves: Designing for An Augmented Reality World
Tom Purves: Designing for An Augmented Reality WorldTom Purves: Designing for An Augmented Reality World
Tom Purves: Designing for An Augmented Reality World
Refresh Events
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Black Duck by Synopsys
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
Yandex
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Docker: automation for the rest of us
Docker: automation for the rest of usDocker: automation for the rest of us
Docker: automation for the rest of us
Jérôme Petazzoni
 

Viewers also liked (20)

Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
 
Tom Purves: Designing for An Augmented Reality World
Tom Purves: Designing for An Augmented Reality WorldTom Purves: Designing for An Augmented Reality World
Tom Purves: Designing for An Augmented Reality World
 
Docker security - TASK Jan 2016
Docker security - TASK Jan 2016Docker security - TASK Jan 2016
Docker security - TASK Jan 2016
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Introduzione a Docker (parte 2 - Pratica)
Introduzione a Docker (parte 2 - Pratica)Introduzione a Docker (parte 2 - Pratica)
Introduzione a Docker (parte 2 - Pratica)
 
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...
Alla scoperta di Ubuntu Phone, lo smartphone open-source - Codemotion techmee...
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux Containers
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Docker Fudamentals
Docker FudamentalsDocker Fudamentals
Docker Fudamentals
 
Docker: automation for the rest of us
Docker: automation for the rest of usDocker: automation for the rest of us
Docker: automation for the rest of us
 
Docker at Spotify - Dockercon14
Docker at Spotify - Dockercon14Docker at Spotify - Dockercon14
Docker at Spotify - Dockercon14
 
[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта
 
Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
 
Performance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual MachinesPerformance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual Machines
 
Building a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger HuntBuilding a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger Hunt
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 

Similar to LXC, Docker, security: is it safe to run applications in Linux Containers?

Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
Jérôme Petazzoni
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
Angelill0
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
dotCloud
 

Similar to LXC, Docker, security: is it safe to run applications in Linux Containers? (20)

Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
 
.ppt
.ppt.ppt
.ppt
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Linux Virus
Linux VirusLinux Virus
Linux Virus
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talk
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
 

More from Jérôme Petazzoni

Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...
Jérôme Petazzoni
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
Jérôme Petazzoni
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Jérôme Petazzoni
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
Jérôme Petazzoni
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
Jérôme Petazzoni
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
Jérôme Petazzoni
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
Jérôme Petazzoni
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
Containers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific TrioContainers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific Trio
Jérôme Petazzoni
 

More from Jérôme Petazzoni (20)

Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...
 
Orchestration for the rest of us
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of us
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
 
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
 
From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
 
Docker Non Technical Presentation
Docker Non Technical PresentationDocker Non Technical Presentation
Docker Non Technical Presentation
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
Containers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific TrioContainers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific Trio
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing Meetup
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

LXC, Docker, security: is it safe to run applications in Linux Containers?

  • 1. Is it safe to run applications in Linux Containers? Jérôme Petazzoni Docker Inc. @jpetazzo @docker
  • 2. ...
  • 3. Yes
  • 4. /* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer * * Demonstrates that any given docker image someone is asking * you to run in your docker setup can access ANY file on your host, * e.g. dumping hosts /etc/shadow or other sensitive info, compromising * security of the host and any other docker VM's on it. * * docker using container based VMM: Sebarate pid and net namespace, * stripped caps and RO bind mounts into container's /. However * as its only a bind-mount the fs struct from the task is shared * with the host which allows to open files by file handles * (open_by_handle_at()). As we thankfully have dac_override and * dac_read_search we can do this. The handle is usually a 64bit * string with 32bit inodenumber inside (tested with ext4). * Inode of / is always 2, so we have a starting point to walk * the FS path and brute force the remaining 32bit until we find the * desired file (It's probably easier, depending on the fhandle export * function used for the FS in question: it could be a parent inode# or * the inode generation which can be obtained via an ioctl). * [In practise the remaining 32bit are all 0 :]
  • 6. No!
  • 7. Docker has changed its security status to It's complicated
  • 8. Who am I? Why am I here? Jérôme Petazzoni (@jpetazzo) - Grumpy French Linux DevOps Operated dotCloud PAAS for 3+ years - hosts arbitrary code for arbitrary users - each service of each app runs in a container - no major security issue yet (fingers crossed) Containerize all the things! - VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
  • 9. What are those “containers” ? (1/3) Technically: ~chroot on steroids - a container is a set of processes (running on top of common kernel) - isolated* from the rest of the machine (cannot see/affect/harm host or other containers) - using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...) - and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect) *Limitations may apply.
  • 10. What are those “containers” ? (2/3) From a distance: looks like a VM - I can SSH into my container - I can have root access in it - I can install packages in it - I have my own eth0 interface - I can tweak routing table, iptables rules - I can mount filesystems - etc.
  • 11. What are those “containers” ? (3/3) Lightweight, fast, disposable... virtual environments - boot in milliseconds - just a few MB of intrinsic disk/memory usage - bare metal performance is possible The new way to build, ship, deploy, run your apps!
  • 12. Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years So, what?
  • 14. Why is this a hot topic? Containers have been around for decades LXC (Linux Containers) have been around for years Tools like Docker made containers very easy to use Everybody* wants to deploy containers now But, oops, LXC wasn't made for security We want containers, and we want them now; how can we do that safely? *Okay, almost everybody. If you're not convinced yet of the general awesomeness of Docker and containers, give them a second chance by checking my other talk this afternoon; or the Docker meet-up tomorrow at New Relic.
  • 16. “LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé (famous LXC hacker) This was in 2011. The Linux Kernel has changed a tiny little bit since then.
  • 17. “From security point of view lxc is terrible and may not be consider as security solution.” —someone on Reddit (original spelling and grammar) Common opinion among security experts and paranoid people. To be fair, they have to play safe & can't take risks.
  • 18. “Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.” —Gentoo Wiki That's just plain false, or misleading, and we'll see why.
  • 19. “Containers do not contain.” —Dan Walsh (Mr SELinux) This was earlier this year, and this guy knows what he's talking about. Are we in trouble?
  • 20. “For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.” —J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
  • 22. Let's revisit one of those quotes... “If you have root on a container you have root on the whole box.” Don't give root in the container in the first place If you really have to give root, give looks-like-root If that's not enough, give root but build another wall
  • 23. Root in the host Root in the container Uruks (intruders)
  • 24. There is more than one threat model Regular applications - web servers, databases, caches, message queues, ... System services (high level) - logging, remote access, periodic command execution, ... System services (low level) - manage physical devices, networking, filesystems, ... Kernel - security policies, drivers, ... The special case of immutable infrastructure
  • 26. Regular applications Apache, Nginx, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Cassandra, Hadoop, RabbitMQ... Virtually all your programs in any language (services, web services, workers, everything!) They never ever need any kind of root privilege (except to install packages) Don't run them as root! Ever!
  • 27. Regular applications Risk: they run arbitrary code - vector: by definition, they are arbitrary code - vector: security breach causes execution of malicious code Fix: nothing - by definition, we are willing to execute arbitrary code here Consequence: assume those apps can try anything to break out
  • 28. Regular applications Risk: escalate from non-root to root - vector: vulnerabilities in SUID binaries Fix: defang SUID binaries - remove them - remove suid bit - mount filesystem with nosuid
  • 29. Regular applications Risk: execute arbitrary kernel code - vector: bogus syscall (e.g. vmsplice* in 2008) Fix: limit available syscalls - seccomp-bpf = whitelist/blacklist syscalls Fix: run stronger kernels - GRSEC is a good idea (stable patches for 3.14 since July 4th) - update often (i.e. have efficient way to roll out kernel upgrades) *More details about that: http://lwn.net/Articles/268783/
  • 30. Regular applications Risk: leak to another container - vector: bug in namespace code; filesystem leak* Fix: user namespaces - map UID in container to a different UID outside - two containers run a process with UID 1000, but it's 14298 and 15398 outside Fix: security modules (e.g. SELinux) - assign different security contexts to containers - those mechanisms were designed to isolate! *Like the one showed in the beginning of this talk!
  • 32. System services (high level) SSH, cron, syslog... You use/need them all the time Bad news: they typically run as root Good news: they don't really need root Bad news: it's hard to run them as non-root Good news: they are not arbitrary code
  • 33. System services (high level) Risk: running arbitrary code as root - vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH) Fix: isolate sensitive services - run SSH on bastion host, or in a VM - note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time)
  • 34. System services (high level) Risk: messing with /dev - vector: malicious code Fix: “devices” control group - whitelist/blacklist devices - fine-grained: can allow only read, write, none, or both - fine-grained: can specify major+minor number of device
  • 35. System services (high level) Risk: use of root calls (mount, chmod, iptables...) - vector: malicious code Fix: capabilities - break down “root” into many permissions - e.g. CAP_NET_ADMIN (network configuration) - e.g. CAP_NET_RAW (generate and sniff traffic) - e.g. CAP_SYS_ADMIN (big can of worms )☹ - see capabilities(7)
  • 36. Interlude: CAP_SYS_ADMIN Operations controlled by CAP_SYS_ADMIN...  quotactl, mount, umount, swapon, swapoff  sethostname, setdomainname  IPC_SET, IPC_RMID on arbitrary System V IPC resources  perform operations on trusted and security Extended Attributes  set realtime priority (ioprio_set + IOPRIO_CLASS_RT)  create new namespaces (clone and unshare + CLONE_NEWNS)
  • 37. System services (high level) Risk: messing with /proc, /sys - vector: malicious code Fix: prevent unauthorized access control - Mandatory Access Control (AppArmor, SELinux) - remount read-only, then drop CAP_SYS_ADMIN to prevent remount Fix: wider implementation of namespaces - some parts of procfs/sysfs are “namespace-aware” - some aren't, but can be fixed (by writing kernel code)
  • 38. System services (high level) Risk: leaking with UID 0 - vector: malicious code Fix: user namespaces - already mentioned earlier - UID 0 in the container is mapped to some random UID outside - you break out: you're not root - you manage to issue weird syscalls: they're done as unprivileged UID Caveat: user namespaces are still new. We have to see how they behave with that!
  • 40. System services (low level) Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts... You use/need some of them all the time But you don't need any of them in your containers - physical device management is done by the host - network configuration and filesystems are setup by the host Exceptions: - custom mounts (FUSE) - network appliances
  • 41. System services (low level) Risk: running arbitrary code as root - vector: malformed data or similar Fix: isolate sensitive functions - “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”) - everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context - works well for FUSE, some VPN services
  • 42. System services (low level) Risk: run arbitrary code with full privileges - vector: needs a process running with full privileges (rare!) - vector: malformed data, unchecked input… classic exploit Fix: treat it as “kernel” - we'll see that immediately in the next section
  • 44. Kernel Drivers - they can talk to the hardware, so they can do pretty much anything - except: virtualize the bus and use e.g. driver domains (Xen) Network stacks - this probably has to live into the kernel for good performance - except: DPDK, OpenOnload... (networking stacks in userspace) Security policies - by definition, they control everything else - except: there might be nested security contexts some day
  • 45. Kernel Risk: run arbitrary code with absolute privileges Fix: ?
  • 46. Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
  • 47. Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
  • 48. Kernel Risk: run arbitrary code with absolute privileges Fix: give it its own kernel and (virtual) hardware - i.e. run it in a virtual machine - that VM can run in a container - that VM can hold a container - run a privileged container in Docker in a VM in a container in Docker https://github.com/jpetazzo/docker2docker - inb4 xzibit meme
  • 49.
  • 51. Immutable immutable infrastructure New rule: the whole container is read-only Compromise: if we must write, write to a noexec area Scalability has never been easier (if totally read-only) It's even harder for malicious users to do evil things
  • 52. Recap (in no specific order!)  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs
  • 53. Thank you! Questions?  don't run things as root  drop capabilities  enable user namespaces  get rid of shady SUID binaries  enable SELinux (or AppArmor)  use seccomp-bpf  get a GRSEC kernel  update kernels often  mount everything read-only  ultimately, fence things in VMs See also: - Docker in Production (1:40pm today) - Office hour (10:40am tomorrow, expo hall Table A) - Docker meet-up at New Relic (tomorrow evening)