Docker provides security for containerized applications using Linux kernel features like namespaces and cgroups to isolate processes and limit resource usage. The Docker daemon manages these Linux security mechanisms to build secure containers. Docker images can also be scanned for vulnerabilities and signed with content trust to ensure only approved container images are deployed in production.
Docker Security: Securing the Platform and Applications
1. Docker Security
Security of the Docker Platform, and inside Datacenter clusters
Stephane Woillez
stephw@docker.com
SEMEA Technical Sales Lead
@swoillez
2. Agenda
• Security & Isolation at the Linux level
• Security of the Docker Production platform
• Security of Dockered applications
3. Security at the Linux Kernel
How Docker leverages Linux capabilities for security
5. Docker leverages Linux Security mechanisms
• Docker uses several mechanisms for security:
– Linux kernel namespaces
– Linux Control Groups (cgroups)
– The Docker daemon
– Linux capabilities (libcap)
– Linux security mechanisms like AppArmor or SELinux
6. What are Linux kernel namespaces?
• Namespaces are a way to make a global resource appear to be
unique and isolated.
• The namespaces that the Linux kernel can manage are:
– Mount namespaces
– PID namespaces
– UTS namespaces
– IPC namespaces
– Network namespaces
– User namespaces
7. Examples of Linux namespaces
• Mount namespaces: allow a container to “think” that a directory which is
actually mounted from the host OS is exclusively the container's.
• PID namespaces: let the container think it's a new instance of the OS.
• User namespaces: allow a container to think that it really has user rights
(like root) where in fact it has no rights on the host OS.
• Network namespaces: allow a container to have its own IP addresses,
independent of those of the host. These addresses are not reachable from
outside the host; this is private networking similar to that of virtualization.
The Docker service sets up an iptables masquerading rule so that the
container can get to the rest of the Internet.
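A way to check that a running container actually got its own namespaces, as an added example that is not part of the slides: on Linux each `/proc/<pid>/ns/<type>` symlink points at `type:[inode]`, and two processes are in the same namespace of that type exactly when the inodes match. A container started with `--pid=host`, `--net=host` or `--ipc=host` shares that namespace with the host's PID 1, which removes the isolation the slide describes. The inode numbers in the sample data are constructed; the live check at the bottom reads the real `/proc` entries.

```python
"""Report which Linux namespaces a process shares with PID 1 on the host."""
import os
import re

NS_TYPES = ("mnt", "pid", "uts", "ipc", "net", "user")

# Stock Docker leaves user namespaces disabled unless the daemon is configured
# with userns-remap, so sharing the "user" namespace is reported as a warning
# rather than as a loss of isolation.

def parse_ns_link(target: str) -> int:
    """Extract the inode number from a 'type:[inode]' symlink target."""
    m = re.fullmatch(r"[a-z_]+:\[(\d+)\]", target)
    if m is None:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return int(m.group(1))

def read_namespaces(pid) -> dict:
    """Read the namespace inodes of a live process (Linux only; reading another
    user's /proc/<pid>/ns needs root)."""
    return {
        ns: parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))
        for ns in NS_TYPES
        if os.path.exists(f"/proc/{pid}/ns/{ns}")
    }

def shared_namespaces(host: dict, proc: dict) -> list:
    """Namespace types in which `proc` sits in the same namespace as the host."""
    return sorted(ns for ns in proc if ns in host and proc[ns] == host[ns])

def assess(host: dict, proc: dict) -> dict:
    """Summarise isolation: any shared namespace other than 'user' is critical."""
    shared = shared_namespaces(host, proc)
    critical = [ns for ns in shared if ns != "user"]
    return {
        "shared": shared,
        "isolated": critical == [],
        "user_ns_shared": "user" in shared,
    }

# Constructed sample data (inode numbers are made up for illustration).
HOST_NS = {"mnt": 4026531840, "pid": 4026531836, "uts": 4026531838,
           "ipc": 4026531839, "net": 4026531992, "user": 4026531837}
# A normally isolated container: everything but the user namespace is new.
CONTAINER_OK = {"mnt": 4026532301, "pid": 4026532304, "uts": 4026532302,
                "ipc": 4026532303, "net": 4026532306, "user": 4026531837}
# The same container started with --net=host --pid=host.
CONTAINER_HOST_NET_PID = dict(CONTAINER_OK, net=4026531992, pid=4026531836)

if __name__ == "__main__":
    for name, ns in (("isolated", CONTAINER_OK),
                     ("host net/pid", CONTAINER_HOST_NET_PID)):
        print(name, assess(HOST_NS, ns))
    # Live check of this process against PID 1 (only meaningful on Linux).
    try:
        print("self", assess(read_namespaces(1), read_namespaces(os.getpid())))
    except OSError as exc:
        print("live check skipped:", exc)
```

Run it from the host with the container's PID (from `docker inspect`) in place of `os.getpid()` to audit a running container; a `shared` list containing anything other than `user` means that namespace is not isolated.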
8. What are Linux Control Groups (cgroups)?
• “Control Groups provide a mechanism for
aggregating/partitioning sets of tasks, and all their future
children, into hierarchical groups with specialized behavior.”
(Source: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt)
• This allows Docker to put the processes of a container into a
group and apply limits to it, such as how much disk IO, CPU,
memory and network it may use, and which namespaces it gets.
• This ensures that, even if a container is compromised (or just
spins out of control), there are limits in place that minimize
the risk of that misbehaving container impacting the host or
other containers.
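An added example, not from the slides, of checking whether those limits are actually in place: Docker implements `--memory`, `--cpus` and `--pids-limit` by writing to the container's cgroup, and on cgroup v2 the files `memory.max`, `cpu.max` (`<quota> <period>` in microseconds) and `pids.max` read `max` when no limit is set. The parsing functions are pure and tested on constructed file contents; `read_cgroup_limits()` reads a live cgroup directory, and the `/sys/fs/cgroup` mount point and the `docker-<id>.scope` path layout are assumptions (check `/proc/<pid>/cgroup` for the real path).

```python
"""Audit the cgroup v2 limits that apply to a container."""
import os

def parse_memory_max(text: str):
    """Byte limit from memory.max, or None when the cgroup is unlimited."""
    v = text.strip()
    return None if v == "max" else int(v)

def parse_cpu_max(text: str):
    """CPU quota from cpu.max as a fraction of one CPU (0.5 == half a core),
    or None when unlimited ("max <period>")."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)

def parse_pids_max(text: str):
    """Process-count limit from pids.max, or None when unlimited."""
    v = text.strip()
    return None if v == "max" else int(v)

def audit_limits(memory_max: str, cpu_max: str, pids_max: str) -> dict:
    """Summarise which resources are capped and which are left unlimited."""
    limits = {
        "memory_bytes": parse_memory_max(memory_max),
        "cpus": parse_cpu_max(cpu_max),
        "pids": parse_pids_max(pids_max),
    }
    limits["unlimited"] = sorted(k for k, v in limits.items() if v is None)
    return limits

def read_cgroup_limits(cgroup_dir: str) -> dict:
    """Audit a live cgroup v2 directory, e.g. (assumed layout)
    /sys/fs/cgroup/system.slice/docker-<container-id>.scope"""
    def read(name):
        with open(os.path.join(cgroup_dir, name)) as f:
            return f.read()
    return audit_limits(read("memory.max"), read("cpu.max"), read("pids.max"))

# Constructed file contents, as written for
#   docker run --memory=256m --cpus=0.5 --pids-limit=100 ...
LIMITED = ("268435456\n", "50000 100000\n", "100\n")
# Constructed contents for a container started with no resource flags.
UNLIMITED = ("max\n", "max 100000\n", "max\n")

if __name__ == "__main__":
    print("limited:  ", audit_limits(*LIMITED))
    print("unlimited:", audit_limits(*UNLIMITED))
```

An empty `unlimited` list is what you want for a production container; a container whose `memory_bytes` is `None` can exhaust host memory exactly as the slide warns.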
9. The Docker daemon responsibilities
• The Docker daemon (/usr/bin/docker) is responsible for managing the
control groups, orchestrating the namespaces, and so on, so that
Docker images can be run and secured.
• Because it needs to manage kernel functions, Docker runs with
root privileges. Be aware of this!
• Limit the users who have control of the Docker daemon.
10. Linux Kernel Capabilities (libcap)
• The root user historically had the ability to do
anything, once authenticated.
• Linux capabilities are a set of fine-grained controls
which allow services, or even users with root
equivalence, to be limited in their scope.
• They also allow non-root users to be granted extra
privileges.
• By default, Docker disallows many root capabilities
not needed by containers, including the ability to
modify logs, change networking, modify kernel
memory, …
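To see concretely what “Docker disallows many root capabilities” means, here is an added example (not from the slides) that decodes the `CapEff` bitmask from `/proc/<pid>/status` and compares it with Docker's default capability set. Bit n of the mask is capability number n from `<linux/capability.h>`; a container started without `--cap-add` or `--privileged` gets the 14 capabilities in `DOCKER_DEFAULT`, which encode to `00000000a80425fb`. The `/proc/<pid>/status` excerpt is constructed.

```python
"""Decode a Linux capability mask and report anything beyond Docker's default."""

# Capability names indexed by kernel capability number (0..40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities Docker grants to a container by default (no --cap-add).
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}

def decode_caps(mask_hex: str) -> set:
    """Turn a hex mask such as '00000000a80425fb' into capability names."""
    mask = int(mask_hex, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask >> bit & 1:
            names.add(name)
    # Bits above the table (capabilities newer than this list) are kept by number.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask >> bit & 1:
            names.add(f"CAP_{bit}")
    return names

def extra_caps(mask_hex: str) -> list:
    """Capabilities in the mask that Docker would not grant by default."""
    return sorted(decode_caps(mask_hex) - DOCKER_DEFAULT)

def parse_status(status_text: str) -> dict:
    """Pull the Cap* lines (CapInh, CapPrm, CapEff, CapBnd, CapAmb) out of
    the text of /proc/<pid>/status."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps

def caps_of_pid(pid="self") -> dict:
    """Read the capability sets of a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())

# Constructed excerpt of /proc/<pid>/status for a default Docker container.
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    eff = parse_status(SAMPLE_STATUS)["CapEff"]
    print("default container extras:", extra_caps(eff))          # []
    print("--privileged extras:", extra_caps("000001ffffffffff"))  # everything else
    try:
        print("this process extras:", extra_caps(caps_of_pid()["CapEff"]))
    except OSError as exc:
        print("live check skipped:", exc)
```

Run inside a container (`cat /proc/self/status | grep Cap` gives the same lines) to confirm what it was actually started with; a non-empty `extra_caps` list for `CapBnd` means the bounding set was widened with `--cap-add` or `--privileged`.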
11. A Container Security assessment by NCC
Source: NCC Group Whitepaper - Understanding and Hardening Linux Containers
12. Security of the Docker Production platform
Access Control and Isolation in production clusters
13. Delivering Containers as a Service
[Diagram: Developers → IT Operations. BUILD: Development Environments; SHIP: Secure Content & Collaboration; RUN: Deploy, Manage, Scale]
15. Control: Orchestration and integrations at scale
[Diagram: Universal Control Plane managing Swarm clusters]
• High Availability
• Access Control
• 3rd Party Plugins
• GUI Management
• Docker Native Integration
• Monitoring
16. Control: Secure Image Collaboration
[Diagram: Trusted Registry architecture]
• Clients: Web UI, CLI
• Admin Server
• Authorization Server (LDAP/AD integration)
• Registry Service with Image Repos and Storage
• Content Trust with Notary Server
• Log Aggregator and Logs
17. Secure Cluster Management
• Docker 1.12 with built-in orchestration (clustering and scheduling)
• Strong default cluster security
18. Mutual TLS by default
• Leader acts as CA.
• Any Manager can be promoted to leader.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
19. Support for External CAs
• Managers support BYO CA.
• Forwards CSRs to external CA.
23. Control: Integrated Content Trust
[Diagram: Developers → IT Operations. BUILD: Development Environments; SHIP: Secure Content & Collaboration; RUN: Deploy, Manage, Scale]
• Library of signed and trusted images
• Enforce use of only trusted images
25. Threshold signing and gating
[Diagram: pipeline stages CI → Security Scanning → Staging → Production, running on UCP Workers under a UCP Manager]
• Sign image to “approve” passing of each stage.
• Policy to check for signatures before deployment.
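The gating flow from slides 23 and 25, as an added example that is not part of the deck and not Docker's own implementation: each pipeline stage signs the image digest after it passes, and a deployment policy refuses any image that lacks a valid signature from every required stage. Docker Content Trust / Notary does this with TUF asymmetric keys; here each stage signs with an HMAC key so the flow runs stand-alone, and the stage names, keys and image digests are constructed.

```python
"""Gate deployment on per-stage signatures of an image digest."""
import hashlib
import hmac

REQUIRED_STAGES = ("ci", "security-scanning", "staging")

# Constructed per-stage signing keys. In a real pipeline each stage holds its
# own key, so no single stage can forge another stage's approval.
STAGE_KEYS = {
    "ci": b"ci-signing-key-example",
    "security-scanning": b"scan-signing-key-example",
    "staging": b"staging-signing-key-example",
}

def sign(stage: str, image_digest: str, key: bytes) -> str:
    """Sign (stage, digest) so an approval is bound to one image and one stage
    and cannot be replayed onto a different image."""
    msg = f"{stage}:{image_digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(stage: str, image_digest: str, signature: str) -> bool:
    """Check one stage's signature with a constant-time comparison."""
    key = STAGE_KEYS.get(stage)
    if key is None:
        return False
    return hmac.compare_digest(sign(stage, image_digest, key), signature)

def deploy_allowed(image_digest: str, signatures: dict,
                   required=REQUIRED_STAGES) -> tuple:
    """Policy: every required stage must carry a valid signature for this digest.
    Returns (allowed, stages_missing_or_invalid)."""
    failing = [s for s in required
               if not verify(s, image_digest, signatures.get(s, ""))]
    return (len(failing) == 0, failing)

def run_pipeline(image_digest: str, stages_passed) -> dict:
    """Simulate the pipeline signing the image after each stage it passed."""
    return {s: sign(s, image_digest, STAGE_KEYS[s]) for s in stages_passed}

# Constructed digests (not real image digests).
GOOD_IMAGE = "sha256:" + "a" * 64
OTHER_IMAGE = "sha256:" + "b" * 64

if __name__ == "__main__":
    sigs = run_pipeline(GOOD_IMAGE, REQUIRED_STAGES)
    print("all stages passed:     ", deploy_allowed(GOOD_IMAGE, sigs))
    print("scanning skipped:      ", deploy_allowed(
        GOOD_IMAGE, run_pipeline(GOOD_IMAGE, ["ci", "staging"])))
    print("signatures on other img:", deploy_allowed(OTHER_IMAGE, sigs))
```

The last case is the one that matters for gating: signatures produced for one digest are worthless for another, so rebuilding or retagging an image after the scan stage invalidates its approvals and it must pass the stages again.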