Securing Docker on the Cheap - LFNW 2018 - Chris Foster

Chris Foster

• at LO3 Energy, formerly Autodesk
• LO3 wanted SOC compliance with Docker, using $$$ security tools: How can some of the same be achieved with what is publicly available?

Docker

• Docker is the predominate container runtime, talk focused on underlying systems w/ Docker userland

contianer is:

1. linux namespaces, limits resources: net/disk/file visibility
2. linux cgroups, limit process communicate
3. linux setcomp, limit other capabilities

• contianer package contains the app + root filesystem required (libs, files, etc)
• container runtime provides shim for access to the 3 kernel features
• Docker made it easy in ways nobody did before, mostly to solve distribution

Security fundamentals

service containers: web server/DB run in a container, shouldn't quit on its own

tool container: build pipeline, tools, batch jobs run in a container, run to completion and finish

talk focus on service containers

Security starts at the top (of the Dockerfile): FROM

• make sure the base image is something... safe-ish
• Quay.io image security scanner: ubuntu (60) vs. node (634) vulnerabilities

or, custom base container - somebody has to own it, but you have control to minimize surface

• start tiny (alpine, etc)
• patch as part of your build (apk update/apt upgrade/yum upgrade)
• plan build process for your non-base applications so they know when to rebuild
• build as a shared base, include common tools & language runtime
• leave app specifics out of your base
• but still keep it minimal

test with: docker run -it --rm alpine:latest /bin/sh

FROM ubuntu:16.04

RUN apt-get update && apt upgrade -y && apt install -y curl && curl 

Scratch containers

• You may not need base OS at all:

FROM scratch

• works well for statically-linked apps: Go, Rust
• just app & config files
• hard to scan: scanner in build system may fail

capabilities: DROPCAP/SECCOMP

docker --cap-drop docker --cap-drop SETUID --cap-drop CHOWN ubuntu

SETUID - process can't change users CHOWN - process can't change file ownership

docker --cap-add RAW_IO

• could drop all capabilities and add back only what you need
• sidecars may need extra capabilities
• default capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_MKNOD, etc in moby/moby/ defaults.go

SECCOMP

• from Google
• in kernel now
• JSON profile to template allowing capabilites

docker run --security-opt seccomp=profile.json ubuntu:16.04

Immutable containers

• Docker default is top layer is rw, can make read-only
• Then there are no writes, including /tmp
• volumes are RW even with --read-only by default

docker run --read-only

• can give yourself a tmp docker run --read-only --tmpfs /tmp:rw,noexec,nosuid ubuntu

cgroups: allocation budgets

• "control group"
• limit cpu/mem/net bandwidth/ I/O bandwidth
• --cgroup-parent to join a cgroup
• or, assign a limit directly: --cpu*, --blkio*, --device*, --memory*

don't run as root user inside the container

• don't
• USER in Dockerfile
• UID in volume needs to match

avoid --priviledged

• only needed for security tools, agents
• net=host allows all network capabilities

be intentional about security

• make conscious choices about security

slides

How to secure running off-the-shelf services in a container?

• drop capabilities
• loook for minimal base version on Docker Hub e.g. node-alpine

How to share vars?

• just like process envs, env vars can be sniffed
• cgroups injection > env vars