DockerCon SF 2015: Docker Security
TRANSCRIPT
![Page 1: DockerCon SF 2015: Docker Security](https://reader030.vdocument.in/reader030/viewer/2022032618/55ba8da6bb61eb2a0a8b47d0/html5/thumbnails/1.jpg)
Least-privilege Microservices
Diogo Mónica, Nathan McCauley
Slide 2
Agenda
• Why least-privilege
• History of least-privilege
• Least-privilege with Docker
• Ongoing and future work
• Conclusions
Slide 3
“Every process must be able to access only the information and resources that are necessary for its legitimate purpose”
Slide 4
Front-end Server
Database
Auth Service
Slide 5
1990
Internet
All-in-one
Slide 6
2000
Internet
Databases, Services, Front-end
Slide 7
2010
Internet
Slide 8
Slide 9
Diagram: Server / Host OS / Docker Engine / App A, App B, App C, App D, App E, App F
Container = one process plus its libraries
Slide 10
Today
Internet
Slide 11
Profiles
‣ A FE server has a very different security profile than a database or a worker host
‣ Imagine that each container only has access exactly to the resources and APIs it needs. No more, no less.
Front-end Server
‣ Access to a lot of downstream services
‣ Most exposed
Back-end Server
‣ I/O intensive
‣ Limited network access
Worker Host
‣ CPU intensive
‣ Wide range of workloads
Slide 12
Process Monitoring
‣ A container is a process. Let’s find out what syscalls it needs.
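One way to do what this slide proposes, as an added example that is not part of the talk or of Docker's own tooling: run the workload under strace to collect the set of syscalls it actually makes, then emit that set as a seccomp allowlist. Assumptions: strace is installed on the profiling host, and the JSON layout is the one Docker later adopted for --security-opt seccomp=<file> (Docker had no shipped seccomp support at the time of this talk). The strace summary embedded below is constructed to stand in for a real trace.

```shell
#!/bin/sh
# Added example: enumerate a workload's syscalls and turn them into a
# seccomp allowlist for the container. Not from the talk.
# Assumptions: strace is installed; profile layout as later used by
# docker run --security-opt seccomp=<file>.
set -eu

# trace_syscalls <summary-file> <command...>: run the workload under strace,
# following children and threads (-f), and write the per-syscall summary
# table (-c) to <summary-file>. Run the full test suite, not just startup.
trace_syscalls() {
    out=$1; shift
    strace -f -c -o "$out" "$@"
}

# syscall_names <summary-file>: the syscall column (last field) of each data
# row. The header row ends in "syscall" and the footer row in "total";
# the separator rows are dashes, which the regex rejects.
syscall_names() {
    awk '$NF ~ /^[a-z_0-9]+$/ && $NF != "syscall" && $NF != "total" { print $NF }' "$1" |
        sort -u
}

# seccomp_profile <summary-file>: allow exactly the observed syscalls and
# fail everything else with EPERM (SCMP_ACT_ERRNO), so an unexpected call
# shows up as an error in the application log instead of a silent kill.
seccomp_profile() {
    names=$(syscall_names "$1" |
        awk 'NR > 1 { printf ",\n" } { printf "        \"%s\"", $0 }')
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [
$names
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# Constructed strace -c output standing in for a real trace of a small server.
# A real run would be:  trace_syscalls summary.txt ./server --port 8080
sample_summary() {
    cat <<'EOF'
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.000400           4       100           read
 30.00    0.000300           3       100           write
 20.00    0.000200          10        20         2 openat
 10.00    0.000100           5        20           close
  0.00    0.000000           0         1           execve
------ ----------- ----------- --------- --------- ----------------
100.00    0.001000                   241         2 total
EOF
}

tmp=$(mktemp)
sample_summary > "$tmp"
seccomp_profile "$tmp"
rm -f "$tmp"
```

The profile only covers code paths that ran under the tracer: error handling, signal delivery and rarely used features will be denied if the trace did not exercise them, so trace a full test run and keep the default action at SCMP_ACT_ERRNO rather than SCMP_ACT_KILL while the list settles. Listing the 32-bit architectures matters because a compat binary uses different syscall numbers for the same names.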
Slide 13
Fine-grained controls
‣ Namespaces provide an isolated view of the system (Network, PID, etc)
‣ Cgroups limit and isolate the resource usage of a collection of processes
‣ Linux Security Modules give us a MAC (AppArmor, SELinux)
Slide 14
Fine-grained controls
‣ Capabilities divide the privileges of root into distinct units (bind, chown, etc)
‣ Per-container ulimit (since 1.6)
‣ User-namespaces: root inside is not root outside (remapped root for 1.8)
‣ Seccomp: individual syscall filtering (working on my laptop)
Slide 15
Safer by default
‣Less than half the Linux capabilities by default
‣Copy-on-write ensures immutability
‣No device access by default
‣Default AppArmor and SELinux profiles for an increasing number of containers
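The "less than half the Linux capabilities" claim can be checked on a running container by decoding the CapEff or CapBnd mask in /proc/<pid>/status, the same thing capsh --decode does. The following is an added shell example, not from the talk or from Docker: the constant mask is the value Docker's default capability set produces for a containerised process, and the name table is the kernel's bit order, extended with the capabilities added in later kernels.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask into names so you can see
# exactly what a container holds. Not from the talk.
set -eu

# Capability names in kernel bit order: bit 0 = cap_chown ... bit 40.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# decode_caps <hex-mask>: print one capability name per set bit.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        bit=$(( bit + 1 ))
    done
}

# count_caps <hex-mask>: number of capabilities in the mask.
count_caps() { decode_caps "$1" | wc -l | tr -d ' '; }

# total_caps: how many capabilities this table knows about.
total_caps() { set -- $CAP_NAMES; echo $#; }

# caps_of_pid <pid>: effective capabilities of a live process, e.g. the PID
# reported by  docker inspect --format '{{.State.Pid}}' <container>.
caps_of_pid() {
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status")
    decode_caps "$mask"
}

# CapEff of a process in a container started with Docker's default capability
# set (no --cap-add/--cap-drop, no --privileged).
DOCKER_DEFAULT_MASK=00000000a80425fb

echo "Docker default: $(count_caps $DOCKER_DEFAULT_MASK) of $(total_caps) capabilities"
decode_caps $DOCKER_DEFAULT_MASK
```

The default mask decodes to 14 capabilities and notably omits cap_sys_admin, cap_net_admin and cap_sys_ptrace; compare the output of caps_of_pid for a container started with --cap-drop ALL --cap-add NET_BIND_SERVICE to see a per-role profile in effect.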
Slide 16
Safer by default
‣Smaller footprint
‣Remove all unneeded packages
‣Remove all unneeded users
‣Remove all suid binaries
…
Debian
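The "remove all suid binaries" and "remove all unneeded users" steps as checks you can run against an image root, an added shell example that is not from the talk or from any Docker tooling. It assumes you point it at an exported rootfs or at / in the last RUN step of a Dockerfile; the miniature rootfs it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example: find and neutralise setuid/setgid binaries and list accounts
# that can still log in, for the "smaller footprint" step. Not from the talk.
set -eu

# list_suid <root>: every regular file with the setuid or setgid bit set.
# -xdev keeps find out of /proc and bind mounts when <root> is /.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# strip_suid <root>: clear those bits in place and report each change.
# Without them a process in the container cannot escalate through ping,
# su, mount and friends even if it finds a bug in one of them.
strip_suid() {
    list_suid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
        echo "stripped $f"
    done
}

# list_login_users <root>: accounts in <root>/etc/passwd whose shell is not
# nologin/false; anything beyond the service account is a removal candidate.
list_login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1/etc/passwd"
}

# make_sample_root: a constructed miniature rootfs for the demonstration
# (a setuid "ping", a plain "ls", a passwd with two login-capable users).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    : > "$root/bin/ping"; chmod 4755 "$root/bin/ping"
    : > "$root/bin/ls";   chmod 755  "$root/bin/ls"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
app:x:1000:1000::/app:/bin/sh
EOF
    echo "$root"
}

root=$(make_sample_root)
echo "setuid/setgid files before:"; list_suid "$root"
strip_suid "$root"
echo "setuid/setgid files after:";  list_suid "$root"
echo "accounts that can still log in:"; list_login_users "$root"
rm -rf "$root"
```

In a Dockerfile the same two checks become a final RUN step that strips the bits and fails the build if list_login_users returns anything other than the service account, so the image cannot drift back to a larger footprint unnoticed.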
Slide 17
Security Profiles
‣Producers of containers should be responsible for creating adequate profiles
‣Profile gets shipped with the container
‣Aggregates all of the different isolation mechanisms into one single profile
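One shape such a profile could take, as an added shell example that is not from the talk and is not a Docker format: a small key=value file shipped next to the image that names the capabilities to add back, the seccomp and AppArmor profiles, the ulimit, cgroup limits and the runtime user, translated into docker run flags. The key names, the AppArmor profile name and the sample front-end profile are assumptions for this example; the flags themselves are standard docker run options.

```shell
#!/bin/sh
# Added example: aggregate the isolation mechanisms from the previous slides
# into one per-image profile file and turn it into docker run flags.
# Not from the talk; the key=value layout is invented for this example.
set -eu

# profile_to_args <profile-file>: print one docker run flag (with its value)
# per line. Every profile starts from --cap-drop ALL and adds back only what
# the file lists, so a missing key means "nothing", never "the default".
profile_to_args() {
    echo "--cap-drop ALL"
    while IFS='=' read -r key val; do
        case $key in
            ''|'#'*) ;;                          # blank line or comment
            caps)                                 # caps=net_bind_service,chown
                echo "$val" | tr ',' '\n' | tr 'a-z' 'A-Z' |
                    while read -r c; do
                        if [ -n "$c" ]; then echo "--cap-add $c"; fi
                    done ;;
            seccomp)   echo "--security-opt seccomp=$val" ;;
            apparmor)  echo "--security-opt apparmor=$val" ;;
            nofile)    echo "--ulimit nofile=$val:$val" ;;
            pids)      echo "--pids-limit $val" ;;
            memory)    echo "--memory $val" ;;
            user)      echo "--user $val" ;;
            network)   echo "--network $val" ;;
            read_only) if [ "$val" = yes ]; then echo "--read-only"; fi ;;
            *)         echo "unknown profile key: $key" >&2; return 1 ;;
        esac
    done < "$1"
}

# run_with_profile <profile-file> <image> [command...]
# Set DOCKER=echo to print the command instead of running it.
run_with_profile() {
    profile=$1; image=$2; shift 2
    # Flags carry no whitespace, so word splitting of the substitution is intended.
    ${DOCKER:-docker} run --rm $(profile_to_args "$profile") "$image" "$@"
}

# Constructed profile for the talk's front-end role: internet-facing, so it
# gets the smallest set of everything and only the one capability it needs
# to bind port 80 as a non-root user.
sample_profile() {
    cat <<'EOF'
# front-end web tier: most exposed, talks only to the auth service
caps=net_bind_service
seccomp=frontend-seccomp.json
apparmor=docker-frontend
nofile=1024
pids=128
memory=256m
user=65534:65534
read_only=yes
EOF
}

tmp=$(mktemp)
sample_profile > "$tmp"
DOCKER=echo run_with_profile "$tmp" nginx:alpine nginx -g 'daemon off;'
rm -f "$tmp"
```

Because the producer ships the profile with the image, a back-end or worker profile differs only in its file (for example a worker adds a memory and pids budget but no network), and the operator's launch path stays the same for every role.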
Slide 18
Securing the Ecosystem
‣ User-namespaces
‣ Seccomp
‣ Provenance
‣ SELinux
‣ Kerberos
Slide 20
Docker Bench
https://dockerbench.com/
‣Fully automated
‣Shipped as a container that tests containers
Slide 21
Conclusion
‣Docker is on the path to support least-privilege microservices, since it allows fine-grained control over what access each container should have.
‣We will need easier tooling to define per-container security profiles
‣You can help!
#docker-security on Freenode