Page 1
Docker 1.10 Security Improvements
Diogo Mónica - Security Lead
Page 2
What we will cover today
• Show how Docker provides an additional layer of isolation, making your infrastructure safer by default.
• A look at the new Security features that came out with Docker 1.10.
• Demo creating a simple Seccomp policy.
Page 3
Under the hood
Namespaces
Capabilities
Cgroups
Page 4
Under the hood
• Namespaces: provide an isolated view of the system.
– IPC, network, mount, PID, etc.
Page 5
Under the hood
• Cgroups: kernel feature that limits and isolates the resource usage of a collection of processes.
– CPU, memory, disk I/O, network, etc.
Page 6
Under the hood
• Capabilities: divide the privileges of root into distinct units.
– mount, kill, chown, bind, setuid, etc.
Page 7
Process restrictions
• Docker containers have reduced capabilities
– Less than half of the capabilities of normal processes by default.
– Reduced capabilities help mitigate impact of escalation to root.
Page 8
User Namespaces (Docker 1.10)
• What are userns?
• User namespaces allow per-namespace mappings of user and group IDs.
• A process's user and group IDs inside a user namespace can be different from its IDs outside of the namespace.
[Figure: uid 0 inside the container mapped to uid 10000 on the host]
https://integratedcode.us/2016/02/05/docker-1-10-security-userns/
Page 9
User Namespaces (Docker 1.10)
“Most notably, a process can have a nonzero user ID outside a namespace while at the same time having a user ID of zero inside the namespace; in other words, the process is unprivileged for operations outside the user namespace but has root privileges inside the namespace.”
Michael Kerrisk
https://lwn.net/Articles/532593/
Page 10
Authorization Plugins (Docker 1.10)
• What are AuthZ plugins?
• A plugin that decides whether each API call to the engine is allowed to execute.
• Allows the creation of granular access policies for managing access to the daemon.
[Figure: the daemon forwards the request `docker run -it --privileged alpine sh` to the AuthZ plugin for a decision]
https://github.com/docker/docker/blob/master/docs/extend/authorization.md
Page 11
Seccomp Filtering Support (Docker 1.10)
• What is it?
– Allows a Berkeley Packet Filter (BPF) policy to be defined around which system calls your container is allowed to execute.
– Allows several actions: “allow”, “deny”, “trap”, “kill”, or “trace”.
– Supports further filtering based on the arguments passed to the system call.
Example: a call to nanosleep(&ts, NULL) is matched by the profile entry { "name": "nanosleep", "action": "SCMP_ACT_ERRNO" }, which makes the syscall fail with an error instead of running.
Page 12
Default Seccomp Profile (Docker 1.10)
• Ships with Docker by default.
• Blocks 54 syscalls that aren’t needed, or are too dangerous.
• Remember CVE-2016-0728? Doesn’t work on Docker 1.10 by default, due to keyctl being blocked.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728
https://github.com/docker/docker/blob/master/docs/security/seccomp.md
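As an added example (not from the slides and not Docker's own code), here is a constructed whitelist profile in the Docker 1.10 seccomp JSON layout, covering both the argument filtering and the keyctl blocking mentioned above, plus a small evaluator that resolves the action for a given syscall the way the filter would. The syscall list, the clone flag mask and the first-matching-rule simplification are assumptions for illustration; the seccomp.md link above documents the real format.

```python
import json

# Linux clone(2) namespace flags (values from <linux/sched.h>), combined into the
# mask that the clone rule below checks with SCMP_CMP_MASKED_EQ.
CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC = 0x00020000, 0x04000000, 0x08000000
CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = 0x10000000, 0x20000000, 0x40000000
NEW_NS_MASK = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC
               | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)


def build_profile():
    """Constructed whitelist profile (assumed syscall list): anything not listed
    under "syscalls" gets defaultAction, so keyctl is denied simply by its absence."""
    allow = [{"name": n, "action": "SCMP_ACT_ALLOW", "args": []}
             for n in ("read", "write", "exit_group", "nanosleep")]
    # clone is allowed only when no namespace-creating flag is set in argument 0,
    # i.e. (arg0 & NEW_NS_MASK) == 0; otherwise the default action applies.
    allow.append({"name": "clone", "action": "SCMP_ACT_ALLOW", "args": [
        {"index": 0, "value": NEW_NS_MASK, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]})
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": allow}


# Comparison operators of the profile format (libseccomp semantics).
_OPS = {
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def evaluate(profile, syscall, args=()):
    """Resolve the action for one syscall invocation: a rule applies when its name
    matches and every argument condition holds; the first applicable rule wins
    (a simplification of libseccomp precedence), otherwise defaultAction."""
    for rule in profile["syscalls"]:
        if rule["name"] != syscall:
            continue
        if all(_OPS[c["op"]](args[c["index"]], c["value"], c.get("valueTwo", 0))
               for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


def profile_json(profile):
    """Serialize the profile for use with docker run --security-opt seccomp:<file>."""
    return json.dumps(profile, indent=2)
```
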
Page 13
PID Control Group (Docker 1.11)
• Solution to fork bomb attacks.
• Limits the number of processes that can be forked inside a cgroup.
• Shipped with Linux kernel 4.3.
• Turned on by default.
https://github.com/docker/docker/pull/18697
Page 14
Q&A