Aguascalientes Local Chapter 2nd Meeting
About – Chapter Leader
• Juan Gama
– Application Security Engineer @ Aspect Security
– 9+ years in AppSec, Testing, Development
– Maintainer of OWASP Benchmark
– I like GIFs!
What is a container?
• Consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into one package.
Docker vs LXC, Jails, Vagrant
• LXC runs in the host but has its own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one process, needs a volume.
• Vagrant is a script for VMs.
Docker vs Virtualization
• Virtualization includes an entire operating system as well as the application. Docker sits on top of the OS.
Docker Engine
• Docker daemon – Runs on the host machine
• Docker Client – CLI used to interact with the daemon
• Windows and OS X – docker-machine (small Linux running the Docker daemon) – Needs VirtualBox
Docker Workflow Components
• Docker image – Has the env, your application, OS, dependencies
• Docker Container – Created from images; start, stop, move, delete
• Docker Registry – Public and private repo to store images
• Dockerfile – Automates image construction
Docker Security
• Quite secure.
• Namespaces for isolation: processes running within a container cannot see, and even less affect, processes running in another container, or in the host system.
• Each container also gets its own network stack.
• Control Groups for resource accounting and limiting, ensure that each container gets its fair share of memory, CPU, disk I/O; and, more importantly, that a single container cannot bring the system down by exhausting one of those resources.
Docker Security
• Only trusted users should be allowed to control your Docker daemon
• “root” within a container has far fewer privileges than the real “root”. For instance, it is possible to:
– deny all “mount” operations;
– deny access to raw sockets (to prevent packet spoofing);
– deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
– deny module loading;
– and many others.
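The two Docker Security slides above (cgroup limits, and what in-container “root” can be denied) are easier to reason about against a concrete container configuration. The following Python script is an added example written for this page, not code from the talk or from the Docker project: it audits the HostConfig object that `docker inspect` prints, maps each restriction listed on the slide to the Linux capability whose absence enforces it (CAP_SYS_ADMIN for mount, CAP_NET_RAW for raw sockets, CAP_MKNOD for device nodes, CAP_CHOWN for file ownership, CAP_LINUX_IMMUTABLE for the immutable flag, CAP_SYS_MODULE for module loading), and checks that the cgroup limits the slide relies on are actually set. The default capability list is Docker's documented default for non-privileged containers (verify against your own engine version); the two sample configurations are constructed for the example, not captured from a real host.

```python
"""Audit a container's HostConfig (the object `docker inspect` prints) for
cgroup resource limits and the capabilities left to in-container "root".
Sample configurations below are constructed, not captured from a real host."""
import json

# Capabilities Docker grants a non-privileged container by default
# (Docker's documented default set; assumption: confirm for your version).
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# The restrictions the slide lists for in-container root, mapped to the
# Linux capability that must be absent for the restriction to hold.
RISKY_CAPS = {
    "SYS_ADMIN": "mount filesystems",
    "NET_RAW": "open raw sockets (packet spoofing)",
    "MKNOD": "create device nodes",
    "CHOWN": "change file ownership",
    "LINUX_IMMUTABLE": "alter the immutable flag",
    "SYS_MODULE": "load kernel modules",
}

# Every capability this audit reasons about; --privileged grants all of them.
TRACKED_CAPS = DOCKER_DEFAULT_CAPS | frozenset(RISKY_CAPS)


def _norm(cap):
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN' spellings."""
    c = cap.upper()
    return c[4:] if c.startswith("CAP_") else c


def effective_caps(hc):
    """Capabilities the container's root actually holds after CapAdd/CapDrop."""
    if hc.get("Privileged"):
        return set(TRACKED_CAPS)
    drops = {_norm(c) for c in hc.get("CapDrop") or []}
    adds = {_norm(c) for c in hc.get("CapAdd") or []}
    caps = set() if "ALL" in drops else set(DOCKER_DEFAULT_CAPS) - drops
    return set(TRACKED_CAPS) if "ALL" in adds else caps | adds


def audit_host_config(hc):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged=true: container root is effectively host root")
    caps = effective_caps(hc)
    for cap, action in RISKY_CAPS.items():
        if cap in caps:
            findings.append(f"container root can {action} (CAP_{cap} granted)")
    # Control-group limits: zero or absent means "unlimited" in the API.
    if not hc.get("Memory"):
        findings.append("no memory limit (Memory=0)")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit (NanoCpus=0, CpuQuota=0)")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit: a runaway process tree can exhaust the host")
    # Settings that hand the container control of the daemon or a host view.
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker.sock mounted: container can control the daemon")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host: host PID namespace shared with container")
    return findings


def audit_inspect_output(text):
    """Run the audit over the JSON array that `docker inspect <name>` prints."""
    return {c["Name"].lstrip("/"): audit_host_config(c["HostConfig"])
            for c in json.loads(text)}


# Constructed samples shaped like `docker inspect` HostConfig (not real captures).
WEAK = {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
        "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None,
        "PidMode": "", "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}
HARDENED = {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
            "CapDrop": ["ALL"], "Memory": 512 * 1024 * 1024,
            "NanoCpus": 1_000_000_000, "CpuQuota": 0, "PidsLimit": 100,
            "PidMode": "", "Binds": [], "ReadonlyRootfs": True}
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-weak", "HostConfig": WEAK},
    {"Name": "/web-hardened", "HostConfig": HARDENED},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Note what the default set implies: even a plain `docker run` with no CapAdd at all still holds CAP_CHOWN, CAP_NET_RAW and CAP_MKNOD, so three of the slide's "it is possible to deny" items only hold once you drop them explicitly. The hardened sample passes because it drops ALL, adds back only NET_BIND_SERVICE, and sets Memory, NanoCpus and PidsLimit. To audit a real container, feed the output of `docker inspect <name>` to `audit_inspect_output`.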