Docker, Linux Containers, Security: Does it add up?
Jérôme Petazzoni (@jpetazzo)
Docker Inc. (@docker)
Question: Is it safe to run applications in Linux Containers?
...
Yes
/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer
*
* Demonstrates that any given docker image someone is asking
* you to run in your docker setup can access ANY file on your host,
* e.g. dumping hosts /etc/shadow or other sensitive info, compromising
* security of the host and any other docker VM's on it.
*
* docker using container based VMM: Separate pid and net namespace,
* stripped caps and RO bind mounts into container's /. However
* as it's only a bind-mount the fs struct from the task is shared
* with the host which allows to open files by file handles
* (open_by_handle_at()). As we thankfully have dac_override and
* dac_read_search we can do this. The handle is usually a 64bit
* string with 32bit inodenumber inside (tested with ext4).
* Inode of / is always 2, so we have a starting point to walk
* the FS path and brute force the remaining 32bit until we find the
* desired file (It's probably easier, depending on the fhandle export
* function used for the FS in question: it could be a parent inode# or
* the inode generation which can be obtained via an ioctl).
* [In practise the remaining 32bit are all 0 :]
*
* tested with docker 0.11 busybox demo image on a 3.11 kernel:
*
* docker run -i busybox sh
*
* seems to run any program inside VMM with UID 0 (some caps stripped);
Wait
No!
Docker has changed its security status to “It's complicated”
Who am I? Why am I here?
• Jérôme Petazzoni (@jpetazzo)
- Grumpy French Linux DevOps
• Operated dotCloud PAAS for 3+ years
- hosts arbitrary code for arbitrary users
- all services, all apps, run in containers
- no major security issue yet (fingers crossed)
• Containerize all the things!
- VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
What are those “containers”? (1/3)
• Technically: ~chroot on steroids
- a container is a set of processes (running on top of common kernel)
- isolated* from the rest of the machine (cannot see/affect/harm host or other containers)
- using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...)
- and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect)
*Limitations may apply.
What are those “containers”? (2/3)
• From a distance: looks like a VM
- I can SSH into my container
- I can have root access in it
- I can install packages in it
- I have my own eth0 interface
- I can tweak routing table, iptables rules
- I can mount filesystems
- etc.
What are those “containers”? (3/3)
• Lightweight, fast, disposable... virtual environments
- boot in milliseconds
- just a few MB of intrinsic disk/memory usage
- bare metal performance is possible
• The new way to build, ship, deploy, run your apps!
Why is this a hot topic?
• Containers: have been around for decades
• LXC (Linux Containers): have been around for years
So, what?
Blame Docker
• Tools like Docker have commoditized LXC (i.e. made it very easy to use)
• Everybody wants to deploy containers now
• But, oops, LXC wasn't made for security
• We want containers, and we want them now; how can we do that safely?
Some inspirational quotes
“LXC is not yet secure. If I want real security I will use KVM.”
—Dan Berrangé (famous LXC hacker)
This was in 2011.
The Linux Kernel has changed a tiny little bit since then.
“From security point of view lxc is terrible and may not be consider as security solution.”
—someone on Reddit (original spelling and grammar)
Common opinion among security experts and paranoid people.
To be fair, they have to play safe & can't take risks.
“Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.”
—Gentoo Wiki
That's just plain false, or misleading, and we'll see why.
“Containers do not contain.”
—Dan Walsh (Mr SELinux)
This was earlier this year, and this guy knows what he's talking about.
Are we in trouble?
“For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.”
—J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
Keyword: levels
Let's review one of those quotes:
“If you have root on a container you have root on the whole box.”
First things first: just don't give root in the container
If you really have to give root, give looks-like-root
If that's not enough, give root but build another wall
[Figure labels: Root in the host; Root in the container; Uruks (intruders)]
There are multiple threat models
• Regular applications
- web servers, databases, caches, message queues, ...
• System services (high level)
- logging, remote access, periodic command execution, ...
• System services (low level)
- manage physical devices, networking, filesystems, ...
• Kernel
- security policies, drivers, ...
• The special case of immutable infrastructure
Regular applications
• Apache, MySQL, PostgreSQL, MongoDB, Redis, Cassandra, Hadoop, RabbitMQ...
• Virtually all your programs in any language (services/web services, workers, everything!)
• They never ever need root privileges (except to install packages)
• Don't run them as root! Ever!
Regular applications
• Risk: they run arbitrary code
- vector: by definition, they are arbitrary code
- vector: security breach causes execution of malicious code
• Fix: nothing
- by definition, we are willing to execute arbitrary code here
• Consequence: assume those apps can try anything to break out
Regular applications
• Risk: escalate from non-root to root
- vector: vulnerabilities in SUID binaries
• Fix: defang SUID binaries
- remove them
- remove suid bit
- mount filesystem with nosuid
• Docker:
- you can remove SUID binaries easily
- doesn't support nosuid mount (but trivial to add)
Regular applications
• Risk: execute arbitrary kernel code
- vector: bogus syscall (e.g. vmsplice* in 2008)
• Fix: limit available syscalls
- seccomp-bpf = whitelist/blacklist syscalls
- Docker: seccomp available in LXC driver; not in libcontainer
• Fix: run stronger kernels
- GRSEC is a good idea (stable patches for 3.14 since July 4th)
- update often (i.e. have efficient way to roll out new kernels)
- Docker: more experiments needed
*More details about that: http://lwn.net/Articles/268783/
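One way to apply the “limit available syscalls” fix to the syscall named in the shocker comment at the top of the talk: a seccomp-bpf filter that makes open_by_handle_at() fail while every other syscall still runs. This is an added example, not code from the talk or from Docker; the function names and the choice of ENOSYS as the returned errno are assumptions made for illustration.

```c
/* Added example (not from the talk): seccomp-bpf deny-list for one syscall. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_AUDIT_ARCH to the AUDIT_ARCH_* value for this architecture"
#endif

/* Assumption for this example: the filter answers with ENOSYS, so its verdict
 * can be told apart from the kernel's own EPERM (missing CAP_DAC_READ_SEARCH). */
#define DENY_ERRNO ENOSYS
/* On x86-64 the x32 ABI reuses the same arch value with this bit set in nr. */
#define X32_SYSCALL_BIT 0x40000000u

/* Install the filter in the calling process. Returns 0 on success. */
int install_handle_filter(void)
{
    struct sock_filter insns[] = {
        /* 0: load the architecture of the calling ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* 1: native arch -> skip to 3, anything else -> 2 (kill) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        /* 2: foreign ABI, syscall numbers would mean something else */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3: load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4: x32-style numbers -> 6 (deny), so they cannot bypass the match */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 1, 0),
        /* 5: open_by_handle_at -> 6 (deny), everything else -> 7 (allow) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open_by_handle_at, 0, 1),
        /* 6: fail the call without entering the kernel implementation */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (DENY_ERRNO & SECCOMP_RET_DATA)),
        /* 7 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(insns) / sizeof(insns[0])),
        .filter = insns,
    };

    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, install the filter there (filters cannot be removed, so the
 * parent stays unfiltered), and report the errno the child gets back from
 * open_by_handle_at(). Returns -1 if the probe itself could not run. */
int probe_filtered_errno(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_handle_filter() != 0)
            _exit(255);
        errno = 0;
        long r = syscall(__NR_open_by_handle_at, -1, NULL, 0);
        int seen = errno;
        if (getpid() <= 0)          /* ordinary syscalls must still work */
            _exit(254);
        _exit(r == -1 ? seen : 253);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code >= 253 ? -1 : code;
}

int main(void)
{
    int e = probe_filtered_errno();
    if (e < 0) {
        fprintf(stderr, "probe could not run (seccomp unavailable?)\n");
        return 1;
    }
    printf("open_by_handle_at() under the filter: errno %d (%s)\n", e,
           e == DENY_ERRNO ? "blocked by seccomp" : "not blocked by this filter");
    return e == DENY_ERRNO ? 0 : 1;
}
```

A production profile would normally be an allow-list rather than this single-entry deny-list; the structure of the filter is the same.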
Regular applications
• Risk: leak to another container
- vector: bug in namespace code; filesystem leak (like the one shown in the beginning of this talk!)
• Fix: user namespaces
- map UID in container to a different UID outside
- two containers run a process with UID 1000, but it's 14298 and 15398 outside
- Docker: PR currently being reviewed
• Fix: security modules (e.g. SELinux)
- assign different security contexts to containers
- those mechanisms were designed to isolate!
- Docker: SELinux integration; AppArmor in the works
System services (high level)
• SSH, cron, syslog...
• You use/need them all the time
• Bad news: they typically run as root
• Good news: they don't really need root
• Bad news: it's hard to run them as non-root
• Good news: they are not arbitrary code
System services (high level)
• Risk: running arbitrary code as root
- vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH)
• Fix: isolate sensitive services
- run SSH on bastion host, or in a VM
- note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time anyway)
System services (high level)
• Risk: messing with /dev
- vector: malicious code
• Fix: “devices” control group
- whitelist/blacklist devices
- fine-grained: can allow only read, write, none, or both
- fine-grained: can specify major+minor number of device
• Docker: ✓
- sensible defaults
- support for fine-grained access to devices in the works
System services (high level)
• Risk: use of root calls (mount, chmod, iptables...)
- vector: malicious code
• Fix: capabilities
- break down “root” into many permissions
- e.g. CAP_NET_ADMIN (network configuration)
- e.g. CAP_NET_RAW (generate and sniff traffic)
- e.g. CAP_SYS_ADMIN (big can of worms ☹)
- see capabilities(7)
• Docker: ✓
- sensible default capabilities
- but: CAP_SYS_ADMIN! (see next slide)
Interlude: CAP_SYS_ADMIN
Operations controlled by CAP_SYS_ADMIN...
• quotactl, mount, umount, swapon, swapoff
• sethostname, setdomainname
• IPC_SET, IPC_RMID on arbitrary System V IPC
• perform operations on trusted and security Extended Attributes
• set realtime priority (ioprio_set + IOPRIO_CLASS_RT)
• create new namespaces (clone and unshare + CLONE_NEWNS)
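To check which of these permissions a containerized process actually holds, the kernel exposes the capability sets as hex masks in /proc/<pid>/status. The decoder below is an added example, not code from the talk or from Docker: it flags the capabilities named on these slides plus the two named in the shocker comment, and the two status snippets are constructed sample input.

```c
/* Added example (not from the talk): flag risky bits in a capability mask. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cap_note { int bit; const char *name; const char *why; };

/* Bit numbers as defined in <linux/capability.h>. The selection is this
 * example's choice: the capabilities the slides and the shocker comment name. */
static const struct cap_note RISKY[] = {
    {  1, "CAP_DAC_OVERRIDE",    "bypass file permission checks" },
    {  2, "CAP_DAC_READ_SEARCH", "bypass read/search checks, open_by_handle_at()" },
    { 12, "CAP_NET_ADMIN",       "network configuration" },
    { 13, "CAP_NET_RAW",         "generate and sniff traffic" },
    { 21, "CAP_SYS_ADMIN",       "mount, sethostname, new namespaces, ..." },
};
#define N_RISKY (sizeof(RISKY) / sizeof(RISKY[0]))

/* Constructed sample input: a trimmed capability set ... */
static const char SAMPLE_TRIMMED[] =
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n";
/* ... and a process holding every capability bit 0..37. */
static const char SAMPLE_FULL[] =
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n";

/* Find "<field>:" at the start of a line and parse its hex value.
 * Returns 0 on success, -1 if the field is missing or malformed. */
int parse_cap_field(const char *status, const char *field,
                    unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *line = status;

    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            /* Do not let strtoull run on into the next line. */
            if (!isxdigit((unsigned char)*p))
                return -1;
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Write the names of the risky capabilities present in <field> into out,
 * space separated. Returns how many were found, or -1 on parse failure. */
int audit_caps(const char *status, const char *field, char *out, size_t outlen)
{
    unsigned long long mask = 0;
    int found = 0;

    if (!out || outlen == 0)
        return -1;
    out[0] = '\0';
    if (parse_cap_field(status, field, &mask) != 0)
        return -1;
    for (size_t i = 0; i < N_RISKY; i++) {
        if (mask & (1ULL << RISKY[i].bit)) {
            size_t used = strlen(out);
            snprintf(out + used, outlen - used, "%s%s",
                     found ? " " : "", RISKY[i].name);
            found++;
        }
    }
    return found;
}

int main(void)
{
    char buf[256];
    const char *samples[] = { SAMPLE_TRIMMED, SAMPLE_FULL };

    for (size_t s = 0; s < 2; s++) {
        int n = audit_caps(samples[s], "CapEff", buf, sizeof(buf));
        printf("sample %zu: %d risky capabilities: %s\n", s, n, buf);
    }
    for (size_t i = 0; i < N_RISKY; i++)
        printf("  %-20s %s\n", RISKY[i].name, RISKY[i].why);
    return 0;
}
```

On a live system the same functions can be fed the contents of /proc/<pid>/status for a process inside the container; CapBnd shows what the process could still regain, CapEff what it holds now.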
System services (high level)
• Risk: messing with /proc, /sys
- vector: malicious code
• Fix: prevent unauthorized access control
- Mandatory Access Control (AppArmor, SELinux)
- remount read-only, then drop CAP_SYS_ADMIN to prevent remount
• Fix: wider implementation of namespaces
- some parts of procfs/sysfs are “namespace-aware”
- some aren't, but can be fixed (by writing kernel code)
• Docker: ✓
- locks down /proc and /sys
System services (high level)
• Risk: leaking with UID 0
- vector: malicious code
• Fix: user namespaces
- already mentioned earlier
- UID 0 in the container is mapped to some random UID outside
- you break out: you're not root
- you manage to issue weird syscalls: they're done as unprivileged UID
• Docker: work in progress
• Caveat: user namespaces are still new. We have to see how they behave with that!
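The UID mapping described on this slide and on the earlier “leak to another container” slide, worked through on the kernel's /proc/<pid>/uid_map format (inside-start, outside-start, length per line). This is an added example, not code from the talk; the map strings are constructed so that UID 1000 lands on the slide's 14298 and 15398, and the function names are illustrative.

```c
/* Added example (not from the talk): reading /proc/<pid>/uid_map. */
#include <stdio.h>

/* One line of uid_map: IDs [inside, inside+len) map to [outside, outside+len). */
struct extent { unsigned long long inside, outside, len; };

/* Constructed sample maps. */
static const char MAP_A[]    = "0 13298 1100\n";                 /* container A */
static const char MAP_B[]    = "0 14398 1100\n";                 /* container B */
static const char MAP_C[]    = "0 14000 1000\n5000 90000 10\n";  /* misconfigured */
static const char MAP_HOST[] = "         0          0 4294967295\n"; /* no user namespace */

/* Parse the next extent at *p and advance *p past it. Returns 1 if one was read. */
static int next_extent(const char **p, struct extent *e)
{
    int used = 0;

    if (sscanf(*p, " %llu %llu %llu%n",
               &e->inside, &e->outside, &e->len, &used) != 3)
        return 0;
    *p += used;
    return 1;
}

/* Translate a UID seen inside the namespace to the UID the host uses.
 * Returns -1 when the UID has no mapping in this namespace. */
long long map_uid_to_host(const char *uid_map, unsigned long long inside)
{
    struct extent e;

    while (next_extent(&uid_map, &e))
        if (inside >= e.inside && inside - e.inside < e.len)
            return (long long)(e.outside + (inside - e.inside));
    return -1;
}

/* Do two containers' maps share any host UID? If they do, a file owned by a
 * process in one container is owned by some UID of the other as well, which
 * defeats the purpose of giving each container its own range. */
int host_ranges_overlap(const char *map_a, const char *map_b)
{
    struct extent a, b;

    while (next_extent(&map_a, &a)) {
        const char *q = map_b;
        while (next_extent(&q, &b))
            if (a.outside < b.outside + b.len && b.outside < a.outside + a.len)
                return 1;
    }
    return 0;
}

int main(void)
{
    printf("UID 1000 in A -> host %lld\n", map_uid_to_host(MAP_A, 1000));
    printf("UID 1000 in B -> host %lld\n", map_uid_to_host(MAP_B, 1000));
    printf("UID 0    in A -> host %lld\n", map_uid_to_host(MAP_A, 0));
    printf("UID 0 without a user namespace -> host %lld\n",
           map_uid_to_host(MAP_HOST, 0));
    printf("A and B share host UIDs: %s\n",
           host_ranges_overlap(MAP_A, MAP_B) ? "yes" : "no");
    printf("A and C share host UIDs: %s\n",
           host_ranges_overlap(MAP_A, MAP_C) ? "yes" : "no");
    return 0;
}
```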
System services (low level)
• Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts...
• You use/need some of them all the time
• But you don't need any of them in containers
- physical device management is done by the host
- network configuration and filesystems are set up by the host
• Exceptions:
- custom mounts (FUSE)
- network appliances
System services (low level)
• Risk: running arbitrary code as root
- vector: malformed data or similar
• Fix: isolate sensitive functions
- “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”)
- everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context
- works well for FUSE, some VPN services
• Docker: provides fine-grained sharing
- e.g. docker run --net container:… for network namespace
- nsenter for other out-of-band operations
System services (low level)
• Risk: run arbitrary code with full privileges
- vector: needs a process running with full privileges (rare!)
- vector: malformed data, unchecked input… classic exploit
• Fix: treat it as “kernel”
- we'll see that immediately in the next section
Kernel
• Drivers
- can talk to the hardware, so can do pretty much anything
- except: virtualize the bus and use e.g. driver domains (Xen)
• Network stacks
- this probably has to live in the kernel for good performance
- except: DPDK, OpenOnload... (networking stacks in userspace)
• Security policies
- by definition, they control everything else
- except: there might be nested security contexts some day
Kernel
• Risk: run arbitrary code with absolute privileges
• Fix: ?
Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure.
Please stop trying to shoot yourself in the foot safely.
Kernel
• Risk: run arbitrary code with absolute privileges
• Fix: give it its own kernel and (virtual) hardware
- i.e. run it in a virtual machine
- that VM can run in a container
- that VM can hold a container
- run a privileged container, in Docker, in a VM, while the VM runs in a container, in a Docker https://github.com/jpetazzo/docker2docker
- inb4 xzibit meme
Immutable immutable infrastructure
• New rule: the whole container is read-only
• Compromise: if we must write, write to a noexec area
• Scalability has never been easier (if totally read-only)
• It's even harder for malicious users to do evil things
Recap (in no specific order!)
• don't run things as root
• drop capabilities
• enable user namespaces
• get rid of shady SUID binaries
• enable SELinux (or AppArmor)
• use seccomp-bpf
• get a GRSEC kernel
• update kernels often
• mount everything read-only
• ultimately, fence things in VMs
Recap (with Docker status)
• don't run things as root ☑ (you do it!)
• drop capabilities ☑ (but CAP_SYS_ADMIN!)
• enable user namespaces ☑ (work in progress)
• get rid of shady SUID binaries ☑ (but not enforced yet)
• enable SELinux (or AppArmor) ☑ (SELinux)
• use seccomp-bpf ☑ (on LXC driver)
• get a GRSEC kernel ☑ (to be confirmed)
• update kernels often ☑ (not Docker's job)
• mount everything read-only ☐ (not yet)
• ultimately, fence things in VMs ☑ (easy to do)
Recap (improvements needed)
• don't run things as root ☒ (you do it!)
• drop capabilities ☒ (but CAP_SYS_ADMIN!)
• enable user namespaces ☒ (work in progress)
• get rid of shady SUID binaries ☒ (but not enforced yet)
• enable SELinux (or AppArmor) ☒ (SELinux)
• use seccomp-bpf ☒ (on LXC driver)
• get a GRSEC kernel ☒ (to be confirmed)
• update kernels often ☒ (not Docker's job)
• mount everything read-only ☒ (not yet)
• ultimately, fence things in VMs ☒ (easy to do)
Thank you!
Questions?

Más contenido relacionado

La actualidad más candente

Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud   intro (cloudexpo)Lxc – next gen virtualization for cloud   intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Jérôme Petazzoni
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentJérôme Petazzoni
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux ContainersKirill Kolyshkin
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyBoden Russell
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Jérôme Petazzoni
 
Orchestration for the rest of us
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of usJérôme Petazzoni
 
Container Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerContainer Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerDocker, Inc.
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Jérôme Petazzoni
 
KVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackKVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackBoden Russell
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
 
Docker: the road ahead
Docker: the road aheadDocker: the road ahead
Docker: the road aheadshykes
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 

La actualidad más candente (20)

Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud   intro (cloudexpo)Lxc – next gen virtualization for cloud   intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme Petazzoni
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux Containers
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
 
Orchestration for the rest of us
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of us
 
Container Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerContainer Torture: Run any binary, in any container
Container Torture: Run any binary, in any container
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
 
KVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStackKVM and docker LXC Benchmarking with OpenStack
KVM and docker LXC Benchmarking with OpenStack
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
 
Docker: the road ahead
Docker: the road aheadDocker: the road ahead
Docker: the road ahead
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 

Destacado

The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
 
Basic principles of Git
Basic principles of GitBasic principles of Git
Basic principles of Gitphuongvohuy
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Amazon Web Services and Docker
Amazon Web Services and DockerAmazon Web Services and Docker
Amazon Web Services and DockerPaolo latella
 
[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проектаDmitry Spodarets
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 
Performance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual MachinesPerformance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual MachinesSoheila Dehghanzadeh
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
10 reasons to be excited about go
10 reasons to be excited about go10 reasons to be excited about go
10 reasons to be excited about goDvir Volk
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 

Destacado (20)

The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Basic principles of Git
Basic principles of GitBasic principles of Git
Basic principles of Git
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Rootkit
RootkitRootkit
Rootkit
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit Detection
 
Amazon Web Services and Docker
Amazon Web Services and DockerAmazon Web Services and Docker
Amazon Web Services and Docker
 
[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта[Impact Lab] IT инструменты для проекта
[Impact Lab] IT инструменты для проекта
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.
 
Performance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual MachinesPerformance comparison between Linux Containers and Virtual Machines
Performance comparison between Linux Containers and Virtual Machines
 
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
Nagios Conference 2014 - Spenser Reinhardt - Detecting Security Breaches With...
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
10 reasons to be excited about go
10 reasons to be excited about go10 reasons to be excited about go
10 reasons to be excited about go
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkits
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 

Similar a Docker, Linux Containers, and Security: Does It Add Up?

Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in LinuxSadegh Dorri N.
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Docker Security
Docker SecurityDocker Security
Docker SecurityBladE0341
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Docker, Linux Containers, and Security: Does It Add Up?

  • 1. Docker, Linux Containers, Security: Does it add up?
      Jérôme Petazzoni @jpetazzo
      Docker Inc. @docker
  • 2. Question: Is it safe to run applications in Linux Containers?
  • 3. ...
  • 4. Yes
  • 5.
      /* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer
       *
       * Demonstrates that any given docker image someone is asking
       * you to run in your docker setup can access ANY file on your host,
       * e.g. dumping hosts /etc/shadow or other sensitive info, compromising
       * security of the host and any other docker VM's on it.
       *
       * docker using container based VMM: Sebarate pid and net namespace,
       * stripped caps and RO bind mounts into container's /. However
       * as its only a bind-mount the fs struct from the task is shared
       * with the host which allows to open files by file handles
       * (open_by_handle_at()). As we thankfully have dac_override and
       * dac_read_search we can do this. The handle is usually a 64bit
       * string with 32bit inodenumber inside (tested with ext4).
       * Inode of / is always 2, so we have a starting point to walk
       * the FS path and brute force the remaining 32bit until we find the
       * desired file (It's probably easier, depending on the fhandle export
       * function used for the FS in question: it could be a parent inode# or
       * the inode generation which can be obtained via an ioctl).
       * [In practise the remaining 32bit are all 0 :]
       *
       * tested with docker 0.11 busybox demo image on a 3.11 kernel:
       *
       * docker run -i busybox sh
       *
       * seems to run any program inside VMM with UID 0 (some caps stripped);
  • 7. No!
  • 8. Docker has changed its security status to
      It's complicated
  • 9. Who am I? Why am I here?
      * Jérôme Petazzoni (@jpetazzo)
          - Grumpy French Linux DevOps
      * Operated dotCloud PAAS for 3+ years
          - hosts arbitrary code for arbitrary users
          - all services, all apps, run in containers
          - no major security issue yet (fingers crossed)
      * Containerize all the things!
          - VPN-in-Docker, KVM-in-Docker, Xorg-in-Docker, Docker-in-Docker...
  • 10. What are those “containers” ? (1/3)
      * Technically: ~chroot on steroids
          - a container is a set of processes (running on top of common kernel)
          - isolated* from the rest of the machine (cannot see/affect/harm host or other containers)
          - using namespaces to have private view of the system (network interfaces, PID tree, mountpoints...)
          - and cgroups to have metered/limited/reserved resources (to mitigate “bad neighbor” effect)
      *Limitations may apply.
  • 11. What are those “containers” ? (2/3)
      * From a distance: looks like a VM
          - I can SSH into my container
          - I can have root access in it
          - I can install packages in it
          - I have my own eth0 interface
          - I can tweak routing table, iptables rules
          - I can mount filesystems
          - etc.
  • 12. What are those “containers” ? (3/3)
      * Lightweight, fast, disposable... virtual environments
          - boot in milliseconds
          - just a few MB of intrinsic disk/memory usage
          - bare metal performance is possible
      * The new way to build, ship, deploy, run your apps!
  • 13. Why is this a hot topic?
      * Containers: have been around for decades
      * LXC (Linux Containers): have been around for years
      So, what?
  • 15. Why is this a hot topic?
      * Containers: have been around for decades
      * LXC (Linux Containers): have been around for years
      * Tools like Docker have commoditized LXC (i.e. made it very easy to use)
      * Everybody wants to deploy containers now
      * But, oops, LXC wasn't made for security
      * We want containers, and we want them now; how can we do that safely?
  • 17. “LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé (famous LXC hacker)
      This was in 2011. The Linux Kernel has changed a tiny little bit since then.
  • 18. “From security point of view lxc is terrible and may not be consider as security solution.” —someone on Reddit (original spelling and grammar)
      Common opinion among security experts and paranoid people. To be fair, they have to play safe & can't take risks.
  • 19. “Basically containers are not functional as security containers at present, in that if you have root on a container you have root on the whole box.” —Gentoo Wiki
      That's just plain false, or misleading, and we'll see why.
  • 20. “Containers do not contain.” —Dan Walsh (Mr SELinux)
      This was earlier this year, and this guy knows what he's talking about. Are we in trouble?
  • 21. “For the fashion of Minas Tirith was such that it was built on seven levels, each delved into a hill, and about each was set a wall, and in each wall was a gate.” —J.R.R. Tolkien (also quoted in VAX/VMS Internals and Data Structures, ca. 1980)
  • 23. Let's review one of those quotes: “If you have root on a container you have root on the whole box.”
      First things first: just don't give root in the container
      If you really have to give root, give looks-like-root
      If that's not enough, give root but build another wall
  • 24. [Diagram labels]
      Root in the host
      Root in the container
      Uruks (intruders)
  • 25. There are multiple threat models
      * Regular applications
          - web servers, databases, caches, message queues, ...
      * System services (high level)
          - logging, remote access, periodic command execution, ...
      * System services (low level)
          - manage physical devices, networking, filesystems, ...
      * Kernel
          - security policies, drivers, ...
      * The special case of immutable infrastructure
  • 27. Regular applications
      * Apache, MySQL, PostgreSQL, MongoDB, Redis, Cassandra, Hadoop, RabbitMQ...
      * Virtually all your programs in any language (services/web services, workers, everything!)
      * They never ever need root privileges (except to install packages)
      * Don't run them as root! Ever!
  • 28. Regular applications
      * Risk: they run arbitrary code
          - vector: by definition, they are arbitrary code
          - vector: security breach causes execution of malicious code
      * Fix: nothing
          - by definition, we are willing to execute arbitrary code here
      * Consequence: assume those apps can try anything to break out
  • 29. Regular applications
      * Risk: escalate from non-root to root
          - vector: vulnerabilities in SUID binaries
      * Fix: defang SUID binaries
          - remove them
          - remove suid bit
          - mount filesystem with nosuid
      * Docker:
          - you can remove SUID binaries easily
          - doesn't support nosuid mount (but trivial to add)
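
The "defang SUID binaries" fix above can be checked mechanically before an image ships. The following is an added example, not code from the talk or from Docker: it walks an unpacked container root filesystem, lists set-id files, clears the bits except on an allow-list, and reports mounts that lack nosuid. The function names, the demo tree and the sample mount table are constructed for illustration.

```python
import os
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID

# Constructed /proc/mounts-style sample (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS = """\
overlay /var/lib/demo/rootfs overlay rw,relatime 0 0
tmpfs /var/lib/demo/rootfs/tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""


def find_setid_files(rootfs):
    """Return sorted (relative path, "suid" / "sgid" / "suid+sgid") pairs
    for every regular file under rootfs that carries a set-id bit."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(rootfs):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(mode) or not mode & SETID:
                continue
            kinds = [label for bit, label in ((stat.S_ISUID, "suid"),
                                              (stat.S_ISGID, "sgid")) if mode & bit]
            findings.append((os.path.relpath(path, rootfs), "+".join(kinds)))
    return sorted(findings)


def defang(rootfs, keep=()):
    """Clear set-id bits on every finding not listed in keep; return what changed."""
    changed = []
    for rel, _kind in find_setid_files(rootfs):
        if rel in keep:
            continue
        path = os.path.join(rootfs, rel)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~SETID)
        changed.append(rel)
    return changed


def mounts_missing_nosuid(mounts_text, under):
    """From /proc/mounts-style text, list mount points at or below `under`
    whose option field lacks nosuid (set-id bits there are still honoured)."""
    prefix = under.rstrip("/") + "/"
    missing = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if (mountpoint == under or mountpoint.startswith(prefix)) and "nosuid" not in options:
            missing.append(mountpoint)
    return missing


def build_demo_rootfs():
    """Create a small constructed tree with two set-uid files and one plain file."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, mode in (("bin/ls", 0o755), ("bin/su", 0o4755), ("usr/bin/passwd", 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/true\n")
        os.chmod(path, mode)  # chmod after writing: writes clear the set-id bits
    return root


if __name__ == "__main__":
    demo = build_demo_rootfs()
    print("before:", find_setid_files(demo))
    print("defanged:", defang(demo, keep=("bin/su",)))
    print("after:", find_setid_files(demo))
    print("no nosuid:", mounts_missing_nosuid(SAMPLE_MOUNTS, "/var/lib/demo/rootfs"))
```
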
  • 31. Regular applications
      * Risk: execute arbitrary kernel code
          - vector: bogus syscall (e.g. vmsplice* in 2008)
      * Fix: limit available syscalls
          - seccomp-bpf = whitelist/blacklist syscalls
          - Docker: seccomp available in LXC driver; not in libcontainer
      * Fix: run stronger kernels
          - GRSEC is a good idea (stable patches for 3.14 since July 4th)
          - update often (i.e. have efficient way to roll out new kernels)
          - Docker: more experiments needed
      *More details about that: http://lwn.net/Articles/268783/
  • 32. Regular applications
      * Risk: leak to another container
          - vector: bug in namespace code; filesystem leak (like the one shown at the beginning of this talk!)
      * Fix: user namespaces
          - map UID in container to a different UID outside
          - two containers run a process with UID 1000, but it's 14298 and 15398 outside
          - Docker: PR currently being reviewed
      * Fix: security modules (e.g. SELinux)
          - assign different security contexts to containers
          - those mechanisms were designed to isolate!
          - Docker: SELinux integration; AppArmor in the works
  • 34. System services (high level)
      * SSH, cron, syslog...
      * You use/need them all the time
      * Bad news: they typically run as root
      * Good news: they don't really need root
      * Bad news: it's hard to run them as non-root
      * Good news: they are not arbitrary code
  • 35. System services (high level)
      * Risk: running arbitrary code as root
          - vector: malformed data or similar (note: risk is pretty low for syslog/cron; much higher for SSH)
      * Fix: isolate sensitive services
          - run SSH on bastion host, or in a VM
          - note: this is not container-specific (if someone hacks into your SSH server, you'll have a bad time anyway)
  • 36. System services (high level)
      * Risk: messing with /dev
          - vector: malicious code
      * Fix: “devices” control group
          - whitelist/blacklist devices
          - fine-grained: can allow only read, write, none, or both
          - fine-grained: can specify major+minor number of device
      * Docker: ✓
          - sensible defaults
          - support for fine-grained access to devices in the works
  • 37. System services (high level)
      * Risk: use of root calls (mount, chmod, iptables...)
          - vector: malicious code
      * Fix: capabilities
          - break down “root” into many permissions
          - e.g. CAP_NET_ADMIN (network configuration)
          - e.g. CAP_NET_RAW (generate and sniff traffic)
          - e.g. CAP_SYS_ADMIN (big can of worms ☹)
          - see capabilities(7)
      * Docker: ✓
          - sensible default capabilities
          - but: CAP_SYS_ADMIN! (see next slide)
  • 38. Interlude: CAP_SYS_ADMIN
      Operations controlled by CAP_SYS_ADMIN...
      * quotactl, mount, umount, swapon, swapoff
      * sethostname, setdomainname
      * IPC_SET, IPC_RMID on arbitrary System V IPC
      * perform operations on trusted and security Extended Attributes
      * set realtime priority (ioprio_set + IOPRIO_CLASS_RT)
      * create new namespaces (clone and unshare + CLONE_NEWNS)
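
To see which of these capabilities a containerized process actually holds, decode the Cap* bitmasks in /proc/<pid>/status. The following is an added example, not code from the talk or from Docker: it flags the capabilities this deck names (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_NET_RAW, plus the dac_override and dac_read_search pair from the shocker comment). The two status excerpts and the function names are constructed for illustration.

```python
# Capability names indexed by bit number, as listed in capabilities(7).
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)

# Capabilities singled out on this page, with the reason given there.
FLAGGED = {
    "CAP_SYS_ADMIN": "mount/umount, sethostname, new namespaces (slide 38)",
    "CAP_DAC_READ_SEARCH": "open_by_handle_at(), per the shocker comment (slide 5)",
    "CAP_DAC_OVERRIDE": "named next to dac_read_search in the shocker comment",
    "CAP_NET_ADMIN": "network configuration (slide 37)",
    "CAP_NET_RAW": "generate and sniff traffic (slide 37)",
}

# Constructed excerpts of /proc/<pid>/status, not captured from a real host.
ROOT_IN_CONTAINER = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a82425ff\n"
    "CapEff:\t00000000a82425ff\nCapBnd:\t00000000a82425ff\n"
)
APP_USER = (
    "Name:\tapp\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
)


def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int, ...}."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets


def decode(mask):
    """Turn a capability bitmask into names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "bit_%d" % bit)
        bit += 1
    return names


def audit(status_text):
    """Report flagged capabilities that are effective now, and those that are
    only in the bounding set. The latter can come back when the process
    executes a set-uid-root or file-capability binary, which is why the SUID
    fix on slide 29 matters even for non-root applications."""
    sets = parse_cap_sets(status_text)
    effective = decode(sets.get("CapEff", 0))
    bounding = decode(sets.get("CapBnd", 0))
    return {
        "effective": [c for c in effective if c in FLAGGED],
        "bounding_only": [c for c in bounding if c in FLAGGED and c not in effective],
    }


if __name__ == "__main__":
    for label, text in (("root in container", ROOT_IN_CONTAINER), ("app user", APP_USER)):
        result = audit(text)
        print(label)
        for kind in ("effective", "bounding_only"):
            for cap in result[kind]:
                print("  %-13s %-20s %s" % (kind, cap, FLAGGED[cap]))
```
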
  • 39. System services (high level)
      * Risk: messing with /proc, /sys
          - vector: malicious code
      * Fix: prevent unauthorized access control
          - Mandatory Access Control (AppArmor, SELinux)
          - remount read-only, then drop CAP_SYS_ADMIN to prevent remount
      * Fix: wider implementation of namespaces
          - some parts of procfs/sysfs are “namespace-aware”
          - some aren't, but can be fixed (by writing kernel code)
      * Docker: ✓
          - locks down /proc and /sys
  • 40. System services (high level)
      * Risk: leaking with UID 0
          - vector: malicious code
      * Fix: user namespaces
          - already mentioned earlier
          - UID 0 in the container is mapped to some random UID outside
          - you break out: you're not root
          - you manage to issue weird syscalls: they're done as unprivileged UID
      * Docker: work in progress
      * Caveat: user namespaces are still new. We have to see how they behave with that!
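
The user-namespace fix on slides 32 and 40 comes down to the per-process table in /proc/<pid>/uid_map, where each line reads "ID-inside ID-outside length". The following is an added example, not code from the talk or from Docker: it translates container UIDs to host UIDs, detects a container whose root is still host root, and finds host UID ranges shared by two containers. The map contents are constructed to reproduce the slide's 1000 → 14298 / 15398 figures, and the function names are illustrative.

```python
# Constructed uid_map contents; each line is "ID-inside ID-outside length".
NO_USERNS = "         0          0 4294967295\n"   # identity map: no remapping at all
CONTAINER_A = "0 13298 1100\n"
CONTAINER_B = "0 14398 1100\n"
CONTAINER_C = "0 14000 1100\n"                     # misconfigured: collides with A and B


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, length) extents."""
    extents = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(field) for field in line.split())
            extents.append((inside, outside, length))
    return extents


def to_host_id(extents, inside_id):
    """Translate an ID seen inside the namespace to the ID the host sees.
    Returns None when the ID has no mapping."""
    for inside, outside, length in extents:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def root_is_host_root(extents):
    """True when UID 0 inside is UID 0 outside, i.e. a breakout lands as real root."""
    return to_host_id(extents, 0) == 0


def shared_host_ranges(extents_a, extents_b):
    """Host ID ranges (inclusive) that two containers both map onto. Any overlap
    means a process in one container shares a host UID with the other, so file
    ownership and signal permissions no longer separate them."""
    shared = []
    for _in_a, out_a, len_a in extents_a:
        for _in_b, out_b, len_b in extents_b:
            low = max(out_a, out_b)
            high = min(out_a + len_a, out_b + len_b)
            if low < high:
                shared.append((low, high - 1))
    return sorted(shared)


def report(name, text):
    """One-line summary of a container's mapping for UID 0 and UID 1000."""
    extents = parse_id_map(text)
    return "%s: root->%s uid1000->%s host-root=%s" % (
        name, to_host_id(extents, 0), to_host_id(extents, 1000),
        root_is_host_root(extents))


if __name__ == "__main__":
    for name, text in (("host", NO_USERNS), ("A", CONTAINER_A),
                       ("B", CONTAINER_B), ("C", CONTAINER_C)):
        print(report(name, text))
    a, b, c = (parse_id_map(t) for t in (CONTAINER_A, CONTAINER_B, CONTAINER_C))
    print("A/B shared:", shared_host_ranges(a, b))
    print("A/C shared:", shared_host_ranges(a, c))
```
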
  • 42. System services (low level)  Device management (keyboard, mouse, screen), network and firewall config, filesystem mounts...  You use/need some of them all the time  But you don't need any of them in containers - physical device management is done by the host - network configuration and filesystems are setup by the host  Exceptions: - custom mounts (FUSE) - network appliances
  • 43. System services (low level)
    - Risk: running arbitrary code as root
      - vector: malformed data or similar
    - Fix: isolate sensitive functions
      - “one-shot” commands can be fenced in privileged context (think “sudo” but without even requiring “sudo”)
      - everything else (especially processes that are long-running, or handle arbitrary input) runs in non-privileged context
      - works well for FUSE, some VPN services
    - Docker: provides fine-grained sharing
      - e.g. docker run --net container:… for network namespace
      - nsenter for other out-of-band operations
  • 44. System services (low level)
    - Risk: run arbitrary code with full privileges
      - vector: needs a process running with full privileges (rare!)
      - vector: malformed data, unchecked input… classic exploit
    - Fix: treat it as “kernel”
      - we'll see that immediately in the next section
  • 46. Kernel
    - Drivers
      - can talk to the hardware, so can do pretty much anything
      - except: virtualize the bus and use e.g. driver domains (Xen)
    - Network stacks
      - this probably has to live in the kernel for good performance
      - except: DPDK, OpenOnload... (networking stacks in userspace)
    - Security policies
      - by definition, they control everything else
      - except: there might be nested security contexts some day
  • 47. Kernel
    - Risk: run arbitrary code with absolute privileges
    - Fix: ?
  • 48. Reality check: if you run something which by definition needs full control over hardware or kernel, containers are not going to make it secure. Please stop trying to shoot yourself in the foot safely.
  • 50. Kernel
    - Risk: run arbitrary code with absolute privileges
    - Fix: give it its own kernel and (virtual) hardware
      - i.e. run it in a virtual machine
      - that VM can run in a container
      - that VM can hold a container
      - run a privileged container, in Docker, in a VM, while the VM runs in a container, in a Docker https://github.com/jpetazzo/docker2docker
      - inb4 xzibit meme
  • 53. Immutable immutable infrastructure
    - New rule: the whole container is read-only
    - Compromise: if we must write, write to a noexec area
    - Scalability has never been easier (if totally read-only)
    - It's even harder for malicious users to do evil things
  • 54. Recap (in no specific order!)
    - don't run things as root
    - drop capabilities
    - enable user namespaces
    - get rid of shady SUID binaries
    - enable SELinux (or AppArmor)
    - use seccomp-bpf
    - get a GRSEC kernel
    - update kernels often
    - mount everything read-only
    - ultimately, fence things in VMs
  • 55. Recap (with Docker status)
    - don't run things as root ☑ (you do it!)
    - drop capabilities ☑ (but CAP_SYS_ADMIN!)
    - enable user namespaces ☑ (work in progress)
    - get rid of shady SUID binaries ☑ (but not enforced yet)
    - enable SELinux (or AppArmor) ☑ (SELinux)
    - use seccomp-bpf ☑ (on LXC driver)
    - get a GRSEC kernel ☑ (to be confirmed)
    - update kernels often ☑ (not Docker's job)
    - mount everything read-only ☐ (not yet)
    - ultimately, fence things in VMs ☑ (easy to do)
  • 56. Recap (improvements needed)
    - don't run things as root ☒ (you do it!)
    - drop capabilities ☒ (but CAP_SYS_ADMIN!)
    - enable user namespaces ☒ (work in progress)
    - get rid of shady SUID binaries ☒ (but not enforced yet)
    - enable SELinux (or AppArmor) ☒ (SELinux)
    - use seccomp-bpf ☒ (on LXC driver)
    - get a GRSEC kernel ☒ (to be confirmed)
    - update kernels often ☒ (not Docker's job)
    - mount everything read-only ☒ (not yet)
    - ultimately, fence things in VMs ☒ (easy to do)
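Several of the recap items (root, capabilities, user namespaces, seccomp, read-only/noexec mounts) can be verified from inside a running container by reading /proc. The script below is an added example, not part of the slides: it audits the text of /proc/<pid>/status, /proc/<pid>/uid_map and /proc/mounts. The function names and both sample inputs are constructed for illustration; the capability bit numbers are those of linux/capability.h.

```python
import re

# Bit numbers from <linux/capability.h>, limited to capabilities this page names.
WATCHED_CAPS = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
                12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}

def status_field(status, name):
    """Return the whitespace-split value of one /proc/<pid>/status line."""
    m = re.search(rf"^{name}:[ \t]*(.*)$", status, re.MULTILINE)
    return m.group(1).split() if m else []

def audit(status, uid_map, mounts):
    """Check the recap items against /proc text and return the findings."""
    findings = []
    uids = status_field(status, "Uid")            # real, effective, saved, fs
    if len(uids) > 1 and uids[1] == "0":
        findings.append("runs as UID 0")
    cap_eff = status_field(status, "CapEff")      # effective set, hex bitmask
    mask = int(cap_eff[0], 16) if cap_eff else 0
    findings += [f"holds {n}" for b, n in WATCHED_CAPS.items() if mask >> b & 1]
    # uid_map rows are "inside outside length"; 0 -> 0 means container root is host root.
    for row in uid_map.splitlines():
        if row.split()[:2] == ["0", "0"]:
            findings.append("UID 0 maps to host UID 0")
    if status_field(status, "Seccomp") in ([], ["0"]):   # 0 = disabled
        findings.append("no seccomp filter")
    # /proc/mounts rows: device mountpoint fstype options dump pass
    for row in mounts.splitlines():
        cols = row.split()
        if len(cols) >= 4:
            opts = cols[3].split(",")
            if "rw" in opts and "noexec" not in opts:
                findings.append(f"writable and executable mount: {cols[1]}")
    return findings

# Constructed samples, not captured from a real host.
WEAK = dict(
    status="Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000002020ff\nSeccomp:\t0\n",
    uid_map="         0          0 4294967295\n",
    mounts="overlay / overlay rw,relatime 0 0\n"
           "proc /proc proc rw,nosuid,nodev,noexec 0 0\n")
HARDENED = dict(
    status="Name:\tapp\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\nSeccomp:\t2\n",
    uid_map="         0     100000      65536\n",
    mounts="overlay / overlay ro,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,noexec 0 0\n")

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(**sample))
```

On a live system, pass the contents of /proc/self/status, /proc/self/uid_map and /proc/mounts read from inside the container. The mount check applies the "write only to a noexec area" rule literally, so expect it to flag device and runtime mounts that need a case-by-case decision.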