SlideShare a Scribd company logo

Hardening Docker daemon with Rootless mode

A
Akihiro Suda

Rootless Docker runs the Docker daemon as a non-root user to protect the host system from potential vulnerabilities and misconfigurations. It uses user namespaces to emulate root privileges within containers without granting actual root access. Recent updates have added support for cgroups, improved snapshotting techniques, and user-mode networking to improve the security and functionality of running Docker without root privileges. Rootless Docker is now considered stable and provides most of the same features and performance as the traditional Docker installation.

Software
1 of 40
Download to read offline
Akihiro Suda Hardening Docker daemon with Rootless mode NTT Corporation @_AkihiroSuda_
● Run Docker daemon as a non-root user on the host ● Protect the host from potential Docker vulnerabilities and misconfiguration Rootless Docker
● Docker is designed to be safe by default ○ Namespaces, capabilities, cgroups, seccomp, AppArmor, SELinux... ● But there is no such thing as vulnerability-free software ● root-in-container could break out with an exploit Why do we need rootless?
● CVE-2019-5736: A malicious container could replace the runc binary via /proc/self/exe ● CVE-2019-14271: Running docker cp against a malicious container could result in loading a malicious library onto the host Why do we need rootless?
● And people often make misconfiguration! ● “We found 3,822 Docker hosts with the remote API exposed publicly.” -- Vitaly Simonovich and Ori Nakar (March 4, 2019) https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/ Why do we need rootless?
● Rootless mode per se doesn’t fix vulns and misconfigurations ● But it can mitigate attacks Why do we need rootless?
● Even if the host gets compromised, the attacker won’t be able to: ○ access files owned by other users ○ modify firmware and kernel (→ undetectable malware) ○ ARP spoofing (→ DNS spoofing) Why do we need rootless?
Don’t confuse with... $ sudo docker
Don’t confuse with... $ sudo docker $ usermod -aG docker <username>
Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid>
Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap
All of them run the daemon as the root! Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap
All of them run the daemon as the root! Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap $ docker run -v /:/host
Demo
Getting started
Getting started $ curl -fsSL https://get.docker.com/rootless | sh $ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock $ docker run hello-world
● sudo is NOT required ● Binaries are installed under ~/bin ● The daemon can be start/stopped with systemctl --user <start|stop> docker.service Getting started
There are some prerequisites, but the installer shows helpful guide if prerequisites are unsatisfied ● /etc/subuid and /etc/subgid need to configured ○ Typically configured by default ● Debian and CentOS 7 requires adjusting sysctl values Getting started
Katacoda scenario available! https://www.katacoda.com/courses/docker/rootless
How it works under the hood
User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root
● Did I gain the root? User Namespaces
User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root [root@localhost] # touch /evil touch: cannot touch '/evil': Permission denied
● Did I gain the root? → No! ● It’s just a “fake root” environment for emulating root privileges enough to run containers ○ Create other namespaces (mnt, net, uts, ipc, …) ○ Change hostname ○ Mount bind-mount and tmpfs User Namespaces
User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root [root@localhost] # unshare --uts [root@localhost] # hostname customhost [root@customhost]# hostname customhost
● “Rootful” Docker uses OverlayFS for creating containers from an image without duplicating files ● But vanilla kernel doesn’t allow non-root users to use OverlayFS Snapshotting
● On Ubuntu kernel and Debian kernel: OverlayFS is used ● On other distros w/ kernel >= 4.18: FUSE-OverlayFS is used instead (if installed) ● On older kernel: files are just duplicated (“vfs” mode; slow and wasteful!) Snapshotting NEW! (Docker 20.0X)
● Setting vEth interfaces require real root ● User-mode TCP/IP stack is used instead of vEth ○ VPNKit (spun out from MirageOS) ■ Also used by Docker for Mac/Win ○ slirp4netns (spun out from QEMU) ● SETUID helper (lxc-user-nic) is also experimentally supported for the best performance (sacrificing security) Unprivileged networking
● Now rootless mode supports cgroups for limiting resources such as CPU and memory ● Requires cgroup v2 and systemd ○ Fedora: enabled by default since Fedora 31 ○ Others: require kernel cmdline systemd.unified_cgroup_hierarchy=1 Cgroup (--cpus, --memory, --pids-limit, …) NEW! (Docker 20.0X)
● Unsupported features: ○ AppArmor ○ docker checkpoint create ○ docker run --net=host ○ SCTP ports ○ Overlay network (Swarm-mode) Caveats
FAQs
● No, since the next version Q. Is rootless mode still experimental? NEW! (Docker 20.0X)
● No ● If Docker had a vuln, attackers still might be able to: ○ Mine cryptocurrencies ○ Springboard-attack to other hosts ● Not effective for potential vulns on kernel / VM / HW side Q. Is rootless mode the panacea?
● The port numbers below 1024 are called “privileged ports” ● Use unprivileged numbers (>= 1024) instead e.g. docker run -p 8080:80 Q. docker run -p 80:80 doesn’t work?
● Or write “0” to /proc/sys/net/ipv4/ip_unprivileged_port_start ○ Default: 1024 ● Or set CAP_NET_BIND_SERVICE on rootlesskit binary Q. docker run -p 80:80 doesn’t work?
● The two projects have been mutually exchanging a lot of codes for supporting rootless since 2018 ○ Basis and network: Docker/Moby → Podman ○ FUSE and Cgroup: Docker/Moby ← Podman ● Almost same features ● Almost same performance Q. Rootless Docker vs Rootless Podman?
● But the life cycles of the NetNS are different ● Rootless Docker lacks: docker run --net=host ● Rootless Podman lacks: docker network create Q. Rootless Docker vs Rootless Podman?
Recap
Recap ● Rootless mode protects the root from vulnerabilities and misconfigurations ● Now out of experimental, with full support for cgroups (--cpus, --memory, …) NEW! (Docker 20.0X) $ curl -fsSL https://get.docker.com/rootless | sh
https://docs.docker.com/engine/security/rootless/ https://rootlesscontaine.rs/ Further information

Recommended

[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtimeDocker, Inc.
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsSuraj Deshmukh
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingSreenivas Makam
 
Containerd + buildkit breakout
Containerd + buildkit breakoutContainerd + buildkit breakout
Containerd + buildkit breakoutDocker, Inc.
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 

Recommended

[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtimeDocker, Inc.
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsSuraj Deshmukh
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingSreenivas Makam
 
Containerd + buildkit breakout
Containerd + buildkit breakoutContainerd + buildkit breakout
Containerd + buildkit breakoutDocker, Inc.
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usagevincentvdk
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingKohei Tokunaga
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & SecurityVietnam Open Infrastructure User Group
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Dockerを支える技術
Dockerを支える技術Dockerを支える技術
Dockerを支える技術Etsuji Nakai
 
Using QEMU for cross development
Using QEMU for cross developmentUsing QEMU for cross development
Using QEMU for cross developmentTetsuyuki Kobayashi
 
Intro to docker
Intro to dockerIntro to docker
Intro to dockerAbderrahmane Mechri
 
Docker swarm
Docker swarmDocker swarm
Docker swarmAlberto Guimarães Viana
 
Docker Compose Explained
Docker Compose ExplainedDocker Compose Explained
Docker Compose ExplainedShawn Sorichetti
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Keystone at openstack multi sites
Keystone at openstack multi sitesKeystone at openstack multi sites
Keystone at openstack multi sitesVietnam Open Infrastructure User Group
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
OpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf TutorialOpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf TutorialSaju Madhavan
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbgFrank Boldewin
 
Vulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerVulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerFlorian Bobin
 
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)NTT DATA Technology & Innovation
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
 

More Related Content

What's hot

KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usagevincentvdk
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingKohei Tokunaga
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Dockerを支える技術
Dockerを支える技術Dockerを支える技術
Dockerを支える技術Etsuji Nakai
 
Using QEMU for cross development
Using QEMU for cross developmentUsing QEMU for cross development
Using QEMU for cross developmentTetsuyuki Kobayashi
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
OpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf TutorialOpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf TutorialSaju Madhavan
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbgFrank Boldewin
 
Vulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerVulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerFlorian Bobin
 
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)NTT DATA Technology & Innovation
 

What's hot (20)

KVM tools and enterprise usage
KVM tools and enterprise usageKVM tools and enterprise usage
KVM tools and enterprise usage
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
 
Kubernetes networking & Security
Kubernetes networking & SecurityKubernetes networking & Security
Kubernetes networking & Security
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Dockerを支える技術
Dockerを支える技術Dockerを支える技術
Dockerを支える技術
 
Using QEMU for cross development
Using QEMU for cross developmentUsing QEMU for cross development
Using QEMU for cross development
 
Intro to docker
Intro to dockerIntro to docker
Intro to docker
 
Docker swarm
Docker swarmDocker swarm
Docker swarm
 
Docker Compose Explained
Docker Compose ExplainedDocker Compose Explained
Docker Compose Explained
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Keystone at openstack multi sites
Keystone at openstack multi sitesKeystone at openstack multi sites
Keystone at openstack multi sites
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issues
 
Container Security
Container SecurityContainer Security
Container Security
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
OpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf TutorialOpenStack DevStack Configuration localrc local.conf Tutorial
OpenStack DevStack Configuration localrc local.conf Tutorial
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbg
 
Vulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerVulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers Docker
 
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
コンテナセキュリティにおける権限制御(OCHaCafe5 #3 Kubernetes のセキュリティ 発表資料)
 

Similar to Hardening Docker daemon with Rootless mode

[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and ContainersDocker, Inc.
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on DockerRightScale
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionBen Hall
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewiredotCloud
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersDocker, Inc.
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Powercoders · Docker · Fall 2021.pptx
Powercoders · Docker · Fall 2021.pptxPowercoders · Docker · Fall 2021.pptx
Powercoders · Docker · Fall 2021.pptxIgnacioTamayo2
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionJérôme Petazzoni
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniTheFamily
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionJérôme Petazzoni
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux DevelopersOpersys inc.
 

Similar to Hardening Docker daemon with Rootless mode (20)

[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless mode
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on Docker
 
Docker Insight
Docker InsightDocker Insight
Docker Insight
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and Containers
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Powercoders · Docker · Fall 2021.pptx
Powercoders · Docker · Fall 2021.pptxPowercoders · Docker · Fall 2021.pptx
Powercoders · Docker · Fall 2021.pptx
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
 

More from Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdfAkihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdfAkihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless PodmanAkihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilionAkihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilionAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdfAkihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilionAkihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with DockerfileAkihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container imagesAkihiro Suda
 

More from Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
 

Recently uploaded

VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 

Recently uploaded (20)

VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 

Hardening Docker daemon with Rootless mode

  • 1. Akihiro Suda Hardening Docker daemon with Rootless mode NTT Corporation @_AkihiroSuda_
  • 2. ● Run Docker daemon as a non-root user on the host ● Protect the host from potential Docker vulnerabilities and misconfiguration Rootless Docker
  • 3. ● Docker is designed to be safe by default ○ Namespaces, capabilities, cgroups, seccomp, AppArmor, SELinux... ● But there is no such thing as vulnerability-free software ● root-in-container could break out with an exploit Why do we need rootless?
  • 4. ● CVE-2019-5736: A malicious container could replace the runc binary via /proc/self/exe ● CVE-2019-14271: Running docker cp against a malicious container could result in loading a malicious library onto the host Why do we need rootless?
  • 5. ● And people often make misconfiguration! ● “We found 3,822 Docker hosts with the remote API exposed publicly.” -- Vitaly Simonovich and Ori Nakar (March 4, 2019) https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/ Why do we need rootless?
  • 6. ● Rootless mode per se doesn’t fix vulns and misconfigurations ● But it can mitigate attacks Why do we need rootless?
  • 7. ● Even if the host gets compromised, the attacker won’t be able to: ○ access files owned by other users ○ modify firmware and kernel (→ undetectable malware) ○ ARP spoofing (→ DNS spoofing) Why do we need rootless?
  • 9. Don’t confuse with... $ sudo docker $ usermod -aG docker <username>
  • 10. Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid>
  • 11. Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap
  • 12. All of them run the daemon as the root! Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap
  • 13. All of them run the daemon as the root! Don’t confuse with... $ sudo docker $ usermod -aG docker <username> $ docker run --user <uid> $ dockerd --userns-remap $ docker run -v /:/host
  • 14. Demo
  • 16. Getting started $ curl -fsSL https://get.docker.com/rootless | sh $ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock $ docker run hello-world
  • 17. ● sudo is NOT required ● Binaries are installed under ~/bin ● The daemon can be start/stopped with systemctl --user <start|stop> docker.service Getting started
  • 18. There are some prerequisites, but the installer shows helpful guide if prerequisites are unsatisfied ● /etc/subuid and /etc/subgid need to configured ○ Typically configured by default ● Debian and CentOS 7 requires adjusting sysctl values Getting started
  • 20. How it works under the hood
  • 21. User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root
  • 22. ● Did I gain the root? User Namespaces
  • 23. User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root [root@localhost] # touch /evil touch: cannot touch '/evil': Permission denied
  • 24. ● Did I gain the root? → No! ● It’s just a “fake root” environment for emulating root privileges enough to run containers ○ Create other namespaces (mnt, net, uts, ipc, …) ○ Change hostname ○ Mount bind-mount and tmpfs User Namespaces
  • 25. User Namespaces [user@localhost] $ whoami user [user@localhost] $ unshare --user --map-root-user [root@localhost] # whoami root [root@localhost] # unshare --uts [root@localhost] # hostname customhost [root@customhost]# hostname customhost
  • 26. ● “Rootful” Docker uses OverlayFS for creating containers from an image without duplicating files ● But vanilla kernel doesn’t allow non-root users to use OverlayFS Snapshotting
  • 27. ● On Ubuntu kernel and Debian kernel: OverlayFS is used ● On other distros w/ kernel >= 4.18: FUSE-OverlayFS is used instead (if installed) ● On older kernel: files are just duplicated (“vfs” mode; slow and wasteful!) Snapshotting NEW! (Docker 20.0X)
  • 28. ● Setting vEth interfaces require real root ● User-mode TCP/IP stack is used instead of vEth ○ VPNKit (spun out from MirageOS) ■ Also used by Docker for Mac/Win ○ slirp4netns (spun out from QEMU) ● SETUID helper (lxc-user-nic) is also experimentally supported for the best performance (sacrificing security) Unprivileged networking
  • 29. ● Now rootless mode supports cgroups for limiting resources such as CPU and memory ● Requires cgroup v2 and systemd ○ Fedora: enabled by default since Fedora 31 ○ Others: require kernel cmdline systemd.unified_cgroup_hierarchy=1 Cgroup (--cpus, --memory, --pids-limit, …) NEW! (Docker 20.0X)
  • 30. ● Unsupported features: ○ AppArmor ○ docker checkpoint create ○ docker run --net=host ○ SCTP ports ○ Overlay network (Swarm-mode) Caveats
  • 31. FAQs
  • 32. ● No, since the next version Q. Is rootless mode still experimental? NEW! (Docker 20.0X)
  • 33. ● No ● If Docker had a vuln, attackers still might be able to: ○ Mine cryptocurrencies ○ Springboard-attack to other hosts ● Not effective for potential vulns on kernel / VM / HW side Q. Is rootless mode the panacea?
  • 34. ● The port numbers below 1024 are called “privileged ports” ● Use unprivileged numbers (>= 1024) instead e.g. docker run -p 8080:80 Q. docker run -p 80:80 doesn’t work?
  • 35. ● Or write “0” to /proc/sys/net/ipv4/ip_unprivileged_port_start ○ Default: 1024 ● Or set CAP_NET_BIND_SERVICE on rootlesskit binary Q. docker run -p 80:80 doesn’t work?
  • 36. ● The two projects have been mutually exchanging a lot of codes for supporting rootless since 2018 ○ Basis and network: Docker/Moby → Podman ○ FUSE and Cgroup: Docker/Moby ← Podman ● Almost same features ● Almost same performance Q. Rootless Docker vs Rootless Podman?
  • 37. ● But the life cycles of the NetNS are different ● Rootless Docker lacks: docker run --net=host ● Rootless Podman lacks: docker network create Q. Rootless Docker vs Rootless Podman?
  • 38. Recap
  • 39. Recap ● Rootless mode protects the root from vulnerabilities and misconfigurations ● Now out of experimental, with full support for cgroups (--cpus, --memory, …) NEW! (Docker 20.0X) $ curl -fsSL https://get.docker.com/rootless | sh