SlideShare ist ein Scribd-Unternehmen logo

Docker Security: Rolling out trust in your container

Ronak Kogta
Ronak Kogta

State of Docker Security and newly released Docker CONTENT TRUST explained

Ingenieurwesen
1 von 28
Downloaden Sie, um offline zu lesen
Ronak Kogta Docker Security Rolling out trust in your container
Buzz is catching on, and so is technology Neatly packs multiple applications on one operating system Gives you way to compose clusters, manage them and play with them at the scale of 100,000 Docker Docker Docker
 A very secure system which is not user-friendly will not be secure for long. (because people will find a way to go around it)  Usable Security is a principle of building security systems while considering human workflows.  Speed  Efficiency  Learnability  Memorability  User Preference Idea of Usable Security
Its going to be everywhere  Your Desktop, Workstation & Cloud Infrastructure.  Your Production, Development & Testing Cycles. It is going to be used by everyone  Your team, clients, and partners.  Independent developers and teams who are using your images. We should definitely think about #docker-security Docker Space
 How safe is docker isolation ?  If some malicious user has docker daemon access, what to do ?  Can I use security policies over docker ?  SELINUX,APPARMOR,GRSEC  Can I really trust docker image I install ?  Can i ssh to docker container ? Lets think..
Every process must be able to access only the information and resources that are necessary for its legitimate purpose - Diogo Mónica, Docker  Linux namespaces (isolated view of system.)  Cgroups (limit and isolate the resource usage.)  Linux Security Modules (Apparmor,SELINUX)  Capabilities  Per-container ulimit  User-namespaces: root inside is not root outside  Seccomp: Individual syscall filtering (like chrome sandbox) Enter Least Privilege
Linux Namespaces
Linux Namespaces
Cgroups, ulimit & User Namespaces  Docker root is not real root. (User Namespaces)  Docker ulimit  With cgroups, you can control on the resource usage of container docker run --lxc-conf=lxc.cgroup.cpuset.cpus = 0,1 ..
 Root has certain capabilities, but we don’t want our container to have all those capabilities  Each container can have some of the capabilities of root, but not all.  Mounting operations  Access to raw sockets (prevent opening privileged ports, spoofing)  Some file system operations (mkdev, chown, chattrs)  Loading kernel modules Capabilites
 man 7 capabilities  Docker by default drops some capabilities  sys_admin, sys_time, sys_nice,..... Capabilites docker run –cap-drop=CHOWN ... docker run –cap-add=MKNOD ...
Seccomp & Syscalls System Calls OS Utilities IP Tables Other User Programs Device Drivers NetFilter Other Kernel Components
Seccomp & Syscalls
Seccomp & Syscalls  You can block system calls from seccomp. Quite like sandboxing.  Supports syscall filtering by using BPF  SIGKILL signal to process, who made blocked syscall docker run –lxc-conf=common.seccomp ...
More...  Combine Docker with AppArmor/SELinux/TOMOYO Profiles  These profiles help you in deciding minimal privilege for each application.  Preventing permission escalation and unauthorized information disclosure (or worse).  Within the container configuration the related AppArmor profile can be defined with lxc.aa_profile. docker run –security-opt label:type:svirt_apche ...
 GRSEC and PaX  Use a hardened Linux kernel for host, with kernel patches.  User Mappings  Map user/group ids  lxc.id_map = u 0 1000000 65536  lxc.id_map = g 0 1000000 65536  Couple it with docker run –lxc-conf= More...
Can you really trust your images ? Docker Notary
 Trusted Cross Platform content distribution  Trusted Client – Server Interaction  Publisher signed content  Publisher Key validates integrity of content  Platform Agnostic to distribute any content https://github.com/docker/notary Docker Notary
Docker Content Trust Publisher Registry User User User
Two keys are generated when publisher first pushes image.  Tagging Key  Exists for each new repository that publisher owns  Can be shared with collaborators easily.  Offline Key  Users see this key as official publisher’s key  Important in establishing trust.  Only needed when creating new repository or rotating existing repository Publisher’s View
 Once Images are signed, TUF maintains ensures  Integrity  & Freshness of Content  Notion of Timestamp Key  Needed to ensure freshness guarantees  Generated at remote server.  Docker maintains it for you http://theupdateframework.com/ Trust Update Framework
Lets Attack ?
Lets Attack ?
Lets Attack ?
 export DOCKER_CONTENT_TRUST=1 Docker Content Trust
 Security Script that checks for dozens of common best- practices around deploying Docker containers in produtions. https://dockerbench.com DockerBench
Thanks
Questions ?? IRC: #docker #docker-security Google Group: Hyderabad Docker Users Join Docker Movement

Empfohlen

Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 

Empfohlen

Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network ViewNeuVector
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDieter Reuter
 
Docker security introduction-task-2016
Docker security introduction-task-2016Docker security introduction-task-2016
Docker security introduction-task-2016Ricardo Gerardi
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in NetworkingSreenivas Makam
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Networking Overview for Docker Platform
Networking Overview for Docker PlatformNetworking Overview for Docker Platform
Networking Overview for Docker PlatformAditya Patawari
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesSreenivas Makam
 
SS Introduction to Docker
SS Introduction to DockerSS Introduction to Docker
SS Introduction to DockerStephane Woillez
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Drupal workshop ist 2014
Drupal workshop ist 2014Drupal workshop ist 2014
Drupal workshop ist 2014Ricardo Amaro
 

Weitere ähnliche Inhalte

Was ist angesagt?

Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network ViewNeuVector
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDieter Reuter
 
Docker security introduction-task-2016
Docker security introduction-task-2016Docker security introduction-task-2016
Docker security introduction-task-2016Ricardo Gerardi
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Networking Overview for Docker Platform
Networking Overview for Docker PlatformNetworking Overview for Docker Platform
Networking Overview for Docker PlatformAditya Patawari
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesSreenivas Makam
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 

Was ist angesagt? (20)

Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network View
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
 
Docker security introduction-task-2016
Docker security introduction-task-2016Docker security introduction-task-2016
Docker security introduction-task-2016
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in Networking
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Networking Overview for Docker Platform
Networking Overview for Docker PlatformNetworking Overview for Docker Platform
Networking Overview for Docker Platform
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notes
 
SS Introduction to Docker
SS Introduction to DockerSS Introduction to Docker
SS Introduction to Docker
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
 

Andere mochten auch

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Drupal workshop ist 2014
Drupal workshop ist 2014Drupal workshop ist 2014
Drupal workshop ist 2014Ricardo Amaro
 
Docker containers & the Future of Drupal testing
Docker containers & the Future of Drupal testing Docker containers & the Future of Drupal testing
Docker containers & the Future of Drupal testing Ricardo Amaro
 
Microservice architecture
Microservice architectureMicroservice architecture
Microservice architectureSlim Ouertani
 
How To Train Your APIs
How To Train Your APIsHow To Train Your APIs
How To Train Your APIsAshley Roach
 
Building a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger HuntBuilding a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger HuntAshley Roach
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Ricardo Amaro
 
DOXLON November 2016 - Data Democratization Using Splunk
DOXLON November 2016 - Data Democratization Using SplunkDOXLON November 2016 - Data Democratization Using Splunk
DOXLON November 2016 - Data Democratization Using SplunkOutlyer
 
Priming Your Teams For Microservice Deployment to the Cloud
Priming Your Teams For Microservice Deployment to the CloudPriming Your Teams For Microservice Deployment to the Cloud
Priming Your Teams For Microservice Deployment to the CloudMatt Callanan
 
S.R.E - create ultra-scalable and highly reliable systems
S.R.E - create ultra-scalable and highly reliable systemsS.R.E - create ultra-scalable and highly reliable systems
S.R.E - create ultra-scalable and highly reliable systemsRicardo Amaro
 
Drupal workshop fcul_2014
Drupal workshop fcul_2014Drupal workshop fcul_2014
Drupal workshop fcul_2014Ricardo Amaro
 
Docker Security
Docker SecurityDocker Security
Docker SecurityBladE0341
 
Docker and Cloud - Enables for DevOps - by ACA-IT
Docker and Cloud - Enables for DevOps - by ACA-ITDocker and Cloud - Enables for DevOps - by ACA-IT
Docker and Cloud - Enables for DevOps - by ACA-ITStijn Wijndaele
 
The free software history and communities’ journey ahead
The free software history and communities’ journey aheadThe free software history and communities’ journey ahead
The free software history and communities’ journey aheadRicardo Amaro
 
DevOps meetup 16oct docker and jenkins
DevOps meetup 16oct docker and jenkinsDevOps meetup 16oct docker and jenkins
DevOps meetup 16oct docker and jenkinsBenoit Wilcox
 
Docker (compose) in devops - prague docker meetup
Docker (compose) in devops - prague docker meetupDocker (compose) in devops - prague docker meetup
Docker (compose) in devops - prague docker meetupJuraj Kojdjak
 
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaS
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaSDockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaS
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaSAdrien Blind
 
Amplifying Docker - Alex Heneveld

Amplifying Docker - Alex Heneveld
Amplifying Docker - Alex Heneveld

Amplifying Docker - Alex Heneveld
Outlyer
 

Andere mochten auch (20)

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Drupal workshop ist 2014
Drupal workshop ist 2014Drupal workshop ist 2014
Drupal workshop ist 2014
 
Docker containers & the Future of Drupal testing
Docker containers & the Future of Drupal testing Docker containers & the Future of Drupal testing
Docker containers & the Future of Drupal testing
 
Microservice architecture
Microservice architectureMicroservice architecture
Microservice architecture
 
How To Train Your APIs
How To Train Your APIsHow To Train Your APIs
How To Train Your APIs
 
Building a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger HuntBuilding a REST API Microservice for the DevNet API Scavenger Hunt
Building a REST API Microservice for the DevNet API Scavenger Hunt
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
 
DOXLON November 2016 - Data Democratization Using Splunk
DOXLON November 2016 - Data Democratization Using SplunkDOXLON November 2016 - Data Democratization Using Splunk
DOXLON November 2016 - Data Democratization Using Splunk
 
Priming Your Teams For Microservice Deployment to the Cloud
Priming Your Teams For Microservice Deployment to the CloudPriming Your Teams For Microservice Deployment to the Cloud
Priming Your Teams For Microservice Deployment to the Cloud
 
DATA CENTER
DATA CENTER DATA CENTER
DATA CENTER
 
S.R.E - create ultra-scalable and highly reliable systems
S.R.E - create ultra-scalable and highly reliable systemsS.R.E - create ultra-scalable and highly reliable systems
S.R.E - create ultra-scalable and highly reliable systems
 
Drupal workshop fcul_2014
Drupal workshop fcul_2014Drupal workshop fcul_2014
Drupal workshop fcul_2014
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Docker and Cloud - Enables for DevOps - by ACA-IT
Docker and Cloud - Enables for DevOps - by ACA-ITDocker and Cloud - Enables for DevOps - by ACA-IT
Docker and Cloud - Enables for DevOps - by ACA-IT
 
The free software history and communities’ journey ahead
The free software history and communities’ journey aheadThe free software history and communities’ journey ahead
The free software history and communities’ journey ahead
 
DevOps meetup 16oct docker and jenkins
DevOps meetup 16oct docker and jenkinsDevOps meetup 16oct docker and jenkins
DevOps meetup 16oct docker and jenkins
 
Docker (compose) in devops - prague docker meetup
Docker (compose) in devops - prague docker meetupDocker (compose) in devops - prague docker meetup
Docker (compose) in devops - prague docker meetup
 
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaS
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaSDockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaS
Dockercon Europe 2014 - Continuous Delivery leveraging on Docker CaaS
 
Amplifying Docker - Alex Heneveld

Amplifying Docker - Alex Heneveld
Amplifying Docker - Alex Heneveld

Amplifying Docker - Alex Heneveld

 

Ähnlich wie Docker Security: Rolling out trust in your container

Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekwiTTyMinds1
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesYigal Elefant
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with DockerAndrey Hristov
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with DockerAndrey Hristov
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker securityWalid Ashraf
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
 
containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )Imo Inyang
 
Tech talk on docker with demo
Tech talk on docker with demoTech talk on docker with demo
Tech talk on docker with demoSandeep Karnawat
 

Ähnlich wie Docker Security: Rolling out trust in your container (20)

Hack the whale
Hack the whaleHack the whale
Hack the whale
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to Geek
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Docker
DockerDocker
Docker
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with Docker
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with Docker
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Docker Ecosystem on Azure
Docker Ecosystem on AzureDocker Ecosystem on Azure
Docker Ecosystem on Azure
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
 
Docker basics
Docker basicsDocker basics
Docker basics
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
 
Docker 101 Checonf 2016
Docker 101 Checonf 2016Docker 101 Checonf 2016
Docker 101 Checonf 2016
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Tech talk on docker with demo
Tech talk on docker with demoTech talk on docker with demo
Tech talk on docker with demo
 

Kürzlich hochgeladen

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...ranjana rawat
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 

Kürzlich hochgeladen (20)

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 

Docker Security: Rolling out trust in your container

  • 1. Ronak Kogta Docker Security Rolling out trust in your container
  • 2. Buzz is catching on, and so is technology Neatly packs multiple applications on one operating system Gives you way to compose clusters, manage them and play with them at the scale of 100,000 Docker Docker Docker
  • 3.  A very secure system which is not user-friendly will not be secure for long. (because people will find a way to go around it)  Usable Security is a principle of building security systems while considering human workflows.  Speed  Efficiency  Learnability  Memorability  User Preference Idea of Usable Security
  • 4. Its going to be everywhere  Your Desktop, Workstation & Cloud Infrastructure.  Your Production, Development & Testing Cycles. It is going to be used by everyone  Your team, clients, and partners.  Independent developers and teams who are using your images. We should definitely think about #docker-security Docker Space
  • 5.  How safe is docker isolation ?  If some malicious user has docker daemon access, what to do ?  Can I use security policies over docker ?  SELINUX,APPARMOR,GRSEC  Can I really trust docker image I install ?  Can i ssh to docker container ? Lets think..
  • 6. Every process must be able to access only the information and resources that are necessary for its legitimate purpose - Diogo Mónica, Docker  Linux namespaces (isolated view of system.)  Cgroups (limit and isolate the resource usage.)  Linux Security Modules (Apparmor,SELINUX)  Capabilities  Per-container ulimit  User-namespaces: root inside is not root outside  Seccomp: Individual syscall filtering (like chrome sandbox) Enter Least Privilege
  • 9. Cgroups, ulimit & User Namespaces  Docker root is not real root. (User Namespaces)  Docker ulimit  With cgroups, you can control on the resource usage of container docker run --lxc-conf=lxc.cgroup.cpuset.cpus = 0,1 ..
  • 10.  Root has certain capabilities, but we don’t want our container to have all those capabilities  Each container can have some of the capabilities of root, but not all.  Mounting operations  Access to raw sockets (prevent opening privileged ports, spoofing)  Some file system operations (mkdev, chown, chattrs)  Loading kernel modules Capabilites
  • 11.  man 7 capabilities  Docker by default drops some capabilities  sys_admin, sys_time, sys_nice,..... Capabilites docker run –cap-drop=CHOWN ... docker run –cap-add=MKNOD ...
  • 12. Seccomp & Syscalls System Calls OS Utilities IP Tables Other User Programs Device Drivers NetFilter Other Kernel Components
  • 14. Seccomp & Syscalls  You can block system calls from seccomp. Quite like sandboxing.  Supports syscall filtering by using BPF  SIGKILL signal to process, who made blocked syscall docker run –lxc-conf=common.seccomp ...
  • 15. More...  Combine Docker with AppArmor/SELinux/TOMOYO Profiles  These profiles help you in deciding minimal privilege for each application.  Preventing permission escalation and unauthorized information disclosure (or worse).  Within the container configuration the related AppArmor profile can be defined with lxc.aa_profile. docker run –security-opt label:type:svirt_apche ...
  • 16.  GRSEC and PaX  Use a hardened Linux kernel for host, with kernel patches.  User Mappings  Map user/group ids  lxc.id_map = u 0 1000000 65536  lxc.id_map = g 0 1000000 65536  Couple it with docker run –lxc-conf= More...
  • 17. Can you really trust your images ? Docker Notary
  • 18.  Trusted Cross Platform content distribution  Trusted Client – Server Interaction  Publisher signed content  Publisher Key validates integrity of content  Platform Agnostic to distribute any content https://github.com/docker/notary Docker Notary
  • 19. Docker Content Trust Publisher Registry User User User
  • 20. Two keys are generated when publisher first pushes image.  Tagging Key  Exists for each new repository that publisher owns  Can be shared with collaborators easily.  Offline Key  Users see this key as official publisher’s key  Important in establishing trust.  Only needed when creating new repository or rotating existing repository Publisher’s View
  • 21.  Once Images are signed, TUF maintains ensures  Integrity  & Freshness of Content  Notion of Timestamp Key  Needed to ensure freshness guarantees  Generated at remote server.  Docker maintains it for you http://theupdateframework.com/ Trust Update Framework
  • 26.  Security Script that checks for dozens of common best- practices around deploying Docker containers in produtions. https://dockerbench.com DockerBench
  • 28. Questions ?? IRC: #docker #docker-security Google Group: Hyderabad Docker Users Join Docker Movement