Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

Transcription

1 Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

2 Overview What are Containers? Containers and The Cloud Containerization vs. H/W Virtualization Behind The Scenes: Docker Behind The Scenes: Warden Let s Talk Security Conclusion Q&A

3 What are Containers? chroot.

4 What are Containers? Containerization aka OS-Level Virtualization kernel allows multiple isolated user-space instances each instance = a Container One way to implement PaaS Containers: Virtualization Engines (VE) or Virtual Private Servers (VPS) or Jails encapsulate applications + act as interface to the surrounding system chroot on steroids kernel provided resource-management limits impact of a container s activities on others

5 What are Containers? Uses: useful for allocating finite hardware resources separation of several applications for improved hardware independence and added resource management common in virtual hosting security? Modern implementations make containers easier to use (e.g. Docker, Warden)

6 Containers and The Cloud Cloud Computing requires an isolation mechanism: Physical separation Hardware Virtualization (aka virtualization) Containerization (aka OS-level virtualization) Multi-user accounts Containerization provides an isolation mechanism required for cloud computing

7 Containerization vs. H/W Virtualization Containers share the same OS kernel faster, more portable, scale more efficiently Single OS kernels provide file-system access, application process controls, and networking (no H/W emulation) + (use of cgroups and namespaces) = lightweight

8 Containerization vs. H/W Virtualization Containers use namespaces to separate resources PID namespaces Mount namespaces Network namespaces UTS namespaces: nodename & domainname IPC namespaces User namespaces Virtualization: Mature with an extensive ecosystem Allows for mixed kernels on the same platform More secure

9 Containerization vs. H/W Virtualization Containers share OS kernel and (possibly) binaries and libraries

10 Behind The Scenes: Docker Open-source, written in Go Automates deployment of applications Can package an app and its dependencies in a container Accesses the Linux Kernel virtualization in many ways

11 Behind The Scenes: Docker Docker Architecture Docker Architecture

12 Behind The Scenes: Warden Container technology used by Cloud Foundry Provides a service for managing a set of containers Written in C (core) and Ruby Direct use of kernel primitives for containerization previously used LXC wshd (Warden Shell Daemon) root process for managing the container and launching apps streams standard output and error back to client Garden = Warden re-written in Go separates server and protocol buffer handling from a Garden Linux backend (can have a specific backend for each OS)

13 Behind The Scenes: Warden Warden and Garden Architectures

14 Let s Talk Security File-system isolation is implemented typically network and process list isolation as well Lack of user namespace support same user ID across all containers processes running as root have root access everywhere Imperfect design and code increases attack surface namespace leaks present in many containers many containers have had little security analysis

15 Let s Talk Security Shared Kernel = any vulnerability in Kernel can impact all containers OS Kernels provide much more functionality than Hypervisors: larger attack surface Kernels will always have vulnerabilities and containers directly expose it to programs Containers were not designed to contain security issues

16 Conclusion Containers are very useful help ease software management Work is being done to address security e.g. implementation of user namespaces Should be used with caution processes in the container should not be given privileged access good for deploying apps that are trusted (e.g. same vendor) other mechanisms such as SELinux, seccomp, and separate user accounts should be used in conjunction

17 Q&A Q&A