1. copyright 2014 1
Docker, DevOps, Security
Chris Swan, CTO
@cpswan
Cloud native networking

2. copyright 2014 2
TL;DR
Dockerfile is awesomely productive
Great for DevOps
Containers don’t contain
At least not yet
Images have a manifest problem
Keep track of your stuff

3. copyright 2014 3
Why me?

4. copyright 2014 4

5. copyright 2014 5
Let’s start with a demo

6. copyright 2014 6
What do I mean by ‘DevOps’?

7. copyright 2014
John Boyd’s OODA loop

8. copyright 2014
Industrial design maturity - cars
Design for purpose
Design for manufacture
Design for operations

9. copyright 2014
Industrial design maturity - software
Design for purpose
Design for manufacture
Design for operations
DevOps is an artefact

10. copyright 2014 10
Containers and containment

11. copyright 2014 11
With thanks to Dan Walsh @rhatdan
Watch his DockerCon 2014 presentation at http://is.gd/dcrhdw

12. copyright 2014
Shocker
12
The issue
The response
http://stealth.openwall.net/xSports/shocker.c
https://news.ycombinator.com/item?id=7910117

13. copyright 2014
Because containers aren’tVMs
and this has yet to come:
13

14. copyright 2014
Possible to have our cake and eat it?
14

15. copyright 2014
cgroups
15

16. copyright 2014
namespaces
mnt mount points, filesystems
pid processes
net network
ipc inter process communication
uts hostname
device devices
user UIDs
16

17. copyright 2014
capabilities
Fine grained control over ‘root’ privileges:
•deny all "mount" operations;
•deny access to raw sockets (to prevent packet spoofing);
•deny access to some filesystem operations, like creating new
device nodes, changing the owner of files, or altering attributes
(including the immutable flag);
•deny module loading;
•etc.
17

18. copyright 2014
Mandatory Access Control (MAC):
AppArmor and SELinux
18

19. copyright 2014
<optimist>Containers will contain</optimist>
• Use of namespaces, capabilities and MAC will
improve
• Might be a game of ‘whack a mole’
• Hard to tell when we’re done (is @solomonstre’s word going to be
enough?)
• Libcontainer can drive other mechanisms
• More secure options might come
• Hardware support might come
• Existing rings 1 & 2 aren’t used much, but aren’t really suitable
• VT-x introduced ring -1, do we need a ring 0.5?
19

20. copyright 2014 20
The manifest problem

21. copyright 2014
My Dockerfile from earlier
21

22. copyright 2014
Each active line creates a layer
22
Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html

23. copyright 2014
An image binds layers together
23
Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html

24. copyright 2014
Nginx example
The image is the unit of deployment
24

25. copyright 2014
Nginx example
What version of nginx is that?
25

26. copyright 2014
Nginx example
What version of OpenSSL installed?
26
?

27. copyright 2014
Nginx example
and which bash?
27
?

28. copyright 2014
Problem 1 – non determinism
Whilst we want this to be cached in the short term:
apt-get install nginx
We perhaps don’t want it cached in the long term
What are those durations?
28

29. copyright 2014
2 – the manifest problem
When I run
apt-get install nginx
I don’t know which version of nginx I just got
Should I?
nginx –v > some_log.txt
Or maybe?
apt-cache policy nginx > some_log.txt
29

30. copyright 2014
Again, Solomon promises to fix things
30

31. copyright 2014
There is another way
31

32. copyright 2014 32
TL;DR
Dockerfile is awesomely productive
Great for DevOps
Containers don’t contain
At least not yet
Images have a manifest problem
Keep track of your stuff

33. copyright 2014 33
Chicago, US
ContactMe@cohesiveft.com
+1 888 444 3962
Questions?