Docker Online Meetup #33: Docker Engine 1.10 Security Enhancements

4,119 views

Published on

In this Docker Online Meetup, Security Lead Dr. Diogo Mónica discusses Docker 1.10's huge leap forward for container security.

All the big security features you’ve been asking for are now available to use: user namespacing for isolating system users, seccomp profiles for filtering syscalls, and an authorization plugin system for restricting access to Engine features. Check out this blog post for all the details: https://blog.docker.com/2016/02/docker-engine-1-10-security/

Published in: Technology


  1. Docker 1.10 Security Improvements. Diogo Mónica, Security Lead
  2. What we will cover today
     • Show how Docker provides an additional layer of isolation, making your infrastructure safer by default.
     • A look at the new security features that came out with Docker 1.10.
     • Demo creating a simple seccomp policy.
  3. Under the hood: Namespaces, Cgroups, Capabilities
  4. Under the hood
     • Namespaces: provide an isolated view of the system.
       – IPC, network, mount, PID, etc.
  5. Under the hood
     • Cgroups: kernel feature that limits and isolates the resource usage of a collection of processes.
       – CPU, memory, disk I/O, network, etc.
  6. Under the hood
     • Capabilities: divide the privileges of root into distinct units.
       – mount, kill, chown, bind, setuid, etc.
  7. Process restrictions
     • Docker containers have reduced capabilities.
       – Less than half of the capabilities of normal processes by default.
       – Reduced capabilities help mitigate the impact of an escalation to root.
  8. User Namespaces (Docker 1.10)
     • What are userns?
     • User namespaces allow per-namespace mappings of user and group IDs.
     • A process's user and group IDs inside a user namespace can be different from its IDs outside of the namespace.
     [Figure: uid 0 inside the container is backed by uid 10000 on the host]
     https://integratedcode.us/2016/02/05/docker-1-10-security-userns/
  9. User Namespaces (Docker 1.10)
     “Most notably, a process can have a nonzero user ID outside a namespace while at the same time having a user ID of zero inside the namespace; in other words, the process is unprivileged for operations outside the user namespace but has root privileges inside the namespace.” Michael Kerrisk, https://lwn.net/Articles/532593/
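The mapping the two userns slides describe can be checked from inside a running container: with `--userns-remap` enabled, `cat /proc/self/uid_map` prints lines of the form `<id inside> <id outside> <length>`. The following Python is an added example (not code from the talk or from Docker) that parses that format and translates IDs in both directions, including the two edge cases a defender cares about: a host UID outside the mapped range is shown to the container as the kernel overflow UID (65534, the default of /proc/sys/kernel/overflowuid), and a container UID beyond the range length simply does not exist on the host. The sample map and the 100000:65536 subordinate range are constructed values.

```python
"""Translate UIDs across a user namespace boundary using /proc/<pid>/uid_map.

Added example, not from the slides. Each uid_map line is
"<id inside> <id outside> <length>"; the same format is used by gid_map.
"""

OVERFLOW_UID = 65534                  # kernel default /proc/sys/kernel/overflowuid
IDENTITY_MAP = [(0, 0, 4294967295)]   # what an unremapped (host) namespace shows

# Constructed sample: a remapped container backed by subordinate range 100000:65536.
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_uid_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, length)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, length = (int(p) for p in parts)
        if length <= 0 or min(inside, outside) < 0:
            raise ValueError("invalid uid_map range: %r" % line)
        entries.append((inside, outside, length))
    return entries


def container_to_host(uid, entries):
    """Host UID that backs container UID `uid`, or None if it is unmapped."""
    for inside, outside, length in entries:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None


def host_to_container(uid, entries):
    """UID the container sees for host UID `uid` (overflow UID if unmapped)."""
    for inside, outside, length in entries:
        if outside <= uid < outside + length:
            return inside + (uid - outside)
    return OVERFLOW_UID


def is_remapped(entries):
    """True when the map is not the identity map of the host namespace."""
    return entries != IDENTITY_MAP


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("remapped:", is_remapped(m))
    print("container root (uid 0) runs on the host as uid", container_to_host(0, m))
    print("host root (uid 0) appears inside the container as uid", host_to_container(0, m))
    print("container uid 70000 is backed by host uid", container_to_host(70000, m))
```

A quick audit is to run `docker run --rm alpine cat /proc/self/uid_map` and feed the output to `parse_uid_map`: if `is_remapped` returns False, the daemon is not remapping and container root is host root.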
  10. Authorization Plugins (Docker 1.10)
     • What are AuthZ plugins?
     • Plugin that decides on the execution of every API call to the engine.
     • Allows the creation of granular access policies for managing access to the daemon.
     [Figure: `docker run -it --privileged alpine sh` → daemon → plugin]
     https://github.com/docker/docker/blob/master/docs/extend/authorization.md
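To make the slide's daemon → plugin exchange concrete, here is the decision core of an AuthZ plugin as an added example (it is not code from the talk or from any Docker project). The daemon forwards every API call to the plugin as a JSON request and expects an allow/deny answer back; this policy denies only the slide's case, creation of a privileged container, and fails closed when such a request cannot be parsed. The field names (`User`, `UserAuthNMethod`, `RequestMethod`, `RequestUri`, `RequestHeaders`, base64-encoded `RequestBody`, and `Allow`/`Msg` in the response) follow my reading of the authorization plugin document linked on the slide and should be verified against it; the user name, API version and request bodies are constructed, and the HTTP transport is left out.

```python
"""Policy core of a Docker authorization (AuthZ) plugin.

Added example, not from the slides or Docker. Models the AuthZReq/AuthZRes
exchange: the daemon POSTs a JSON description of the API call, the plugin
answers {"Allow": bool, "Msg": str}. Field names are assumptions taken from
the authorization plugin doc; only the decision logic is shown.
"""
import base64
import json
import re

# /containers/create, with or without a /vX.Y/ API-version prefix or query string.
CREATE_URI = re.compile(r"^/(v[0-9]+\.[0-9]+/)?containers/create(\?.*)?$")


def make_authz_req(user, method, uri, body=None):
    """Constructed request in the shape the daemon sends to /AuthZPlugin.AuthZReq."""
    raw = json.dumps(body).encode() if body is not None else b""
    return {
        "User": user,
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestUri": uri,
        "RequestHeaders": {"Content-Type": "application/json"},
        "RequestBody": base64.b64encode(raw).decode(),  # base64 on the wire
    }


def decode_body(req):
    """JSON-decoded request body, or None when empty or undecodable."""
    try:
        raw = base64.b64decode(req.get("RequestBody") or "")
        return json.loads(raw) if raw else None
    except ValueError:  # covers bad base64 and bad JSON
        return None


def authz_req(req):
    """Decide one API call: deny privileged container creation, allow the rest.

    A create request whose body cannot be parsed is denied (fail closed)
    rather than allowed by accident.
    """
    if not CREATE_URI.match(req.get("RequestUri", "")):
        return {"Allow": True}
    body = decode_body(req)
    if not isinstance(body, dict):
        return {"Allow": False, "Msg": "container create body is not valid JSON"}
    host_config = body.get("HostConfig") or {}
    if host_config.get("Privileged") is True:
        return {"Allow": False,
                "Msg": "privileged containers are not permitted for user %s"
                       % req.get("User", "<unknown>")}
    return {"Allow": True}


# Constructed sample traffic: what `docker run --privileged alpine sh` and a
# plain `docker run alpine sh` produce at the API level (API version 1.22).
PRIVILEGED_CREATE = make_authz_req(
    "alice", "POST", "/v1.22/containers/create",
    {"Image": "alpine", "Cmd": ["sh"], "HostConfig": {"Privileged": True}})
PLAIN_CREATE = make_authz_req(
    "alice", "POST", "/v1.22/containers/create",
    {"Image": "alpine", "Cmd": ["sh"], "HostConfig": {"Privileged": False}})
LIST_CONTAINERS = make_authz_req("alice", "GET", "/v1.22/containers/json")

if __name__ == "__main__":
    for name, req in (("privileged create", PRIVILEGED_CREATE),
                      ("plain create", PLAIN_CREATE),
                      ("list containers", LIST_CONTAINERS)):
        print(name, "->", authz_req(req))
```

The daemon sends a second call (AuthZRes) after the API call has run, with the response attached; a real plugin answers that one too, and it is the place to log what was actually returned for audit purposes.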
  11. Seccomp Filtering Support (Docker 1.10)
     • What is it?
       – Allows a Berkeley Packet Filter policy to be defined around what system calls your container is allowed to execute.
       – Allows several actions: "allow", "deny", "trap", "kill", or "trace".
       – Supports further filtering based on the arguments passed to the system call.
     Example rule: { "name": "nanosleep", "action": "SCMP_ACT_ERRNO" }, which makes a call such as nanosleep(&ts, NULL) return an error instead of executing.
  12. Default Seccomp Profile (Docker 1.10)
     • Ships with Docker by default.
     • Blocks 54 syscalls that aren't needed, or are too dangerous.
     • Remember CVE-2016-0728? Doesn't work on Docker 1.10 by default, due to keyctl being blocked.
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728
     https://github.com/docker/docker/blob/master/docs/security/seccomp.md
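The seccomp slides mention a demo of building a simple policy; the following Python is an added example of that demo (it is not code from the talk or the Docker project). It emits a profile in the Docker 1.10 JSON layout shown on the slide (one `"name"` per rule; later Docker releases use a `"names"` list), containing the slide's nanosleep deny, a keyctl deny (the syscall the default profile blocks, which is why CVE-2016-0728 does not work under it), and one argument-filtered rule, clone denied only when the CLONE_NEWUSER flag is set. It also dry-runs the profile, answering "what would happen to this syscall with these arguments?" with the AND-of-conditions semantics libseccomp applies, so a policy can be reasoned about before it is loaded. The profile contents are constructed; the CLONE_NEWUSER value is the kernel's.

```python
"""Build and dry-run a Docker seccomp profile (Docker 1.10 JSON layout).

Added example, not from the slides or Docker. Only SCMP_CMP_EQ and
SCMP_CMP_MASKED_EQ argument comparisons are evaluated here.
"""
import json

ALLOW, ERRNO = "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO"
CLONE_NEWUSER = 0x10000000  # flag bit from <linux/sched.h>


def rule(name, action=ERRNO, args=None):
    """One syscall rule; `args` is a list of argument comparisons (all must match)."""
    r = {"name": name, "action": action}
    if args:
        r["args"] = args
    return r


def masked_eq(index, mask, value):
    """Comparison that matches when (arg[index] & mask) == value."""
    return {"index": index, "value": mask, "valueTwo": value, "op": "SCMP_CMP_MASKED_EQ"}


def build_profile(rules, default_action=ALLOW):
    """Allow-by-default profile with explicit deny rules, as on the slide."""
    return {"defaultAction": default_action, "syscalls": list(rules)}


def arg_matches(cond, args):
    """Evaluate one argument comparison against the call's argument tuple."""
    if cond["index"] >= len(args):
        return False
    arg = args[cond["index"]]
    if cond["op"] == "SCMP_CMP_EQ":
        return arg == cond["value"]
    if cond["op"] == "SCMP_CMP_MASKED_EQ":
        return (arg & cond["value"]) == cond["valueTwo"]
    raise ValueError("unsupported op: %s" % cond["op"])


def action_for(profile, syscall, args=()):
    """Action the profile applies to `syscall` invoked with `args`."""
    for r in profile["syscalls"]:
        if r["name"] == syscall and all(arg_matches(c, args) for c in r.get("args", [])):
            return r["action"]
    return profile["defaultAction"]


def profile_json(profile):
    return json.dumps(profile, indent=2)


def load_profile(text):
    """Parse profile JSON and sanity-check the fields Docker 1.10 reads."""
    p = json.loads(text)
    if "defaultAction" not in p or not isinstance(p.get("syscalls"), list):
        raise ValueError("not a Docker seccomp profile")
    for r in p["syscalls"]:
        if "name" not in r or "action" not in r:
            raise ValueError("rule missing name/action: %r" % r)
    return p


# Constructed demo profile.
DEMO_PROFILE = build_profile([
    rule("nanosleep"),                                              # the slide's example
    rule("keyctl"),                                                 # blocked by the default profile too
    rule("clone", args=[masked_eq(0, CLONE_NEWUSER, CLONE_NEWUSER)]),  # deny only new user namespaces
])

if __name__ == "__main__":
    with open("demo-seccomp.json", "w") as f:
        f.write(profile_json(DEMO_PROFILE))
    # Load it with: docker run --rm --security-opt seccomp:demo-seccomp.json alpine sleep 1
    # (Docker 1.10 syntax; newer releases also accept seccomp=demo-seccomp.json)
    for name, args in (("nanosleep", ()), ("keyctl", ()), ("read", ()),
                       ("clone", (0x11,)), ("clone", (CLONE_NEWUSER | 0x11,))):
        print("%-10s %-12s -> %s" % (name, args, action_for(DEMO_PROFILE, name, args)))
```

Because the profile is allow-by-default, anything not listed passes; the dry run is how to confirm that a rule with argument conditions really is narrower than a plain name match before relying on it.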
  13. PID Control Group (Docker 1.11)
     • Solution to fork bomb attacks.
     • Limits the number of processes that can be forked inside of a group.
     • Shipped with Linux kernel 4.3.
     • Turned on by default.
     https://github.com/docker/docker/pull/18697
  14. Q&A
