Docker Security Management

Docker security

Differences between Docker and virtual machines

Isolation and sharing

  • A virtual machine adds a hypervisor layer that virtualizes the network card, memory, CPU and other hardware; each virtual machine created on top of it runs its own system kernel.
  • A Docker container is isolated through namespaces (file system, processes, devices, network and other resources) and has its permissions and CPU share controlled through cgroups, so containers cannot affect each other and a container cannot affect the host. Containers share the host's kernel, file system, hardware and other resources.

Performance and overhead

  • Compared with a virtual machine, a container consumes fewer resources.
  • On the same host, more containers can be created than virtual machines.
  • However, virtual machines are somewhat more secure than containers: to get from a compromised virtual machine to the host or to another virtual machine, the attacker has to break through the hypervisor layer, which is extremely difficult.
  • Because a Docker container shares the kernel, file system and other resources with the host, a compromised container is more likely to affect other containers and the host.

Docker security problems

Docker's own vulnerabilities

  • Docker is itself an application and therefore has code defects. The CVE history records more than 20 vulnerabilities in Docker.
    - The attack techniques commonly used against them include code execution, privilege escalation, information disclosure and permission bypass. Docker releases change very quickly, so Docker users should upgrade to the latest version.

Image source problems

  • 1) Malicious images uploaded by attackers: if an attacker builds viruses, backdoors or other malware into an image, the environment is insecure from the start and nothing built on top of it can be trusted.
  • 2) Vulnerable images: images on Docker Hub can carry vulnerable software; about 75% of images have vulnerable software installed. After downloading an image, check the versions of the software inside it, and update and patch whatever has known vulnerabilities.
  • 3) Man-in-the-middle tampering: an image can be tampered with while it is being transferred. Current Docker versions provide a verification mechanism to prevent this.

Docker architecture defects and security mechanisms

Architecture defects

  • LAN attacks between containers
    The containers on a host form a local area network, so LAN attack techniques such as ARP spoofing, sniffing and broadcast storms can be used between them. When deploying multiple containers on one host, allocate the network settings and iptables rules carefully.

  • DDoS attacks that exhaust resources
    The cgroups mechanism exists to prevent such attacks: do not allocate too many resources to a single container.

  • Vulnerable system calls
    An important difference between Docker and a virtual machine is that Docker shares the operating system kernel with the host.
    If the host kernel has an overflow or privilege escalation vulnerability, then even though Docker runs as an ordinary user, an attacker who has compromised a container may use the kernel vulnerability to escape to the host and do more.

  • Shared root privileges
    If a container runs with root privileges, the root user inside the container has the root privileges of the host.

The six aspects of the Docker security baseline

1. Kernel level

(1) Keep the kernel updated.
(2) User namespaces (root inside the container is mapped to an unprivileged user outside the container).
(3) Cgroups (resource quotas and metrics).
(4) SELinux / AppArmor / GRSEC (control file access permissions).
(5) Capabilities (split up root's privileges).
(6) Seccomp (restrict which system calls are allowed).
(7) Do not share the container's namespaces with the host's process namespace.

2. Host level

(1) Create a separate partition for containers.
(2) Run only necessary services.
(3) Do not map sensitive host directories into containers.
(4) Audit the files and directories related to the Docker daemon.
(5) Set an appropriate default number of file descriptors.
(A file descriptor is a non-negative integer that the kernel uses to refer to an open file. When a file is created or an existing file is opened, the kernel returns a file descriptor, and that descriptor is needed for every subsequent read and write of the file.)
(6) The permissions on the Docker-related files owned by root should be 644 or stricter.
(7) Periodically check the container list on each host and clean up unnecessary containers.

3. Network level

(1) Use iptables rules to block or allow network traffic between containers.
(2) Allow Docker to modify iptables.
(3) Do not bind Docker to other IPs/ports or Unix sockets.
(4) Do not map privileged ports on containers.
(5) Open only the ports the container needs.
(6) Do not use host network mode for containers.
(7) If the host has several network cards, bind the traffic going into containers to a specific host card.

4. Image level

(1) Create a local image registry server.
(2) Keep the software in images at the latest version.
(3) Use trusted image files downloaded through secure channels.
(4) Rebuild images rather than patching containers or images in place.
(5) Manage image tags sensibly and promptly remove images that are no longer in use.
(6) Scan images.
(7) Sign images.

5. Container level

(1) Minimize the container: use a minimal operating system image.
(2) Run a single main process per container.
(3) Do not run containers with the privileged flag.
(4) Do not run an ssh service inside containers.
(5) Mount the container's root file system read-only.
(6) Explicitly define which data belongs to the container.
(7) Use the on-failure restart policy with a limited number of attempts; a container that restarts repeatedly can easily lose data.
(8) Limit the process tree available to the container to prevent fork bombs. (A fork bomb spawns child processes so quickly that it exhausts the system's process table.)

6. Other settings

(1) Audit host systems and containers regularly.
(2) Run containers with minimum resources and minimum permissions.
(3) Avoid deploying a large number of containers on one host; keep the number manageable.
(4) Monitor container resource usage and other performance indicators.
(5) Add real-time detection and incident response capability.
(6) Use a central, remote log collection service.
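Two of the baseline items above can be checked with a few lines of shell. The script below is an added example, not part of the original post: check_mode_le_644 scripts host-level rule (6), and audit_inspect_lines scripts container rule (3), network rule (6) and container rule (8) against per-container metadata. The metadata lines are constructed sample data so the script runs without a Docker daemon; on a real host they would come from `docker inspect --format '{{.Name}} {{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}} {{.HostConfig.PidsLimit}}' $(docker ps -q)`.

```shell
#!/bin/sh
# Added example (not from the original post): baseline checks for file
# permissions and for container run-time settings.

# check_mode_le_644 FILE
# Succeeds (exit 0) when FILE has no permission bit outside rw-r--r-- (0644):
# no execute bits, no setuid/setgid, no write for group or others.
check_mode_le_644() {
    mode=$(stat -c '%a' "$1") || return 2
    # Prefix 0 so the shell reads the digits as octal; anything left after
    # masking out 0644 is an extra bit that the rule forbids.
    [ $(( 0$mode & ~0644 )) -eq 0 ]
}

# write_sample_inspect FILE
# Writes constructed container metadata, one container per line, in the
# "docker inspect --format" layout named in the lead-in. PidsLimit prints
# "<nil>" on newer daemons and "0" on older ones when no limit is set.
write_sample_inspect() {
    cat > "$1" <<'EOF'
/web true bridge 512
/db false host <nil>
/batch false bridge 0
/api false bridge 256
EOF
}

# audit_inspect_lines FILE
# Reports each baseline violation on stderr and prints the number of
# findings on stdout, so a wrapper script can capture and compare it.
audit_inspect_lines() {
    findings=0
    while read -r name priv netmode pids; do
        if [ -z "$name" ]; then continue; fi
        if [ "$priv" = "true" ]; then
            echo "$name: runs with --privileged (container rule 3)" >&2
            findings=$((findings + 1))
        fi
        if [ "$netmode" = "host" ]; then
            echo "$name: uses host network mode (network rule 6)" >&2
            findings=$((findings + 1))
        fi
        if [ "$pids" = "0" ] || [ "$pids" = "<nil>" ]; then
            echo "$name: no --pids-limit, a fork bomb is not contained (container rule 8)" >&2
            findings=$((findings + 1))
        fi
    done < "$1"
    echo "$findings"
}
```

On the constructed data the audit reports four findings (/web privileged, /db host networking and no pids limit, /batch no pids limit) and none for /api. To use it on a host, replace write_sample_inspect with the docker inspect command from the lead-in and run check_mode_le_644 over the files under /etc/docker and the docker.service unit.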

Docker security rules

Container minimization

  • Run only the necessary services in a container; services such as ssh should not be opened. Use docker exec to get a shell instead:
    [root@localhost ~]# docker exec -it mycontainer bash

Docker remote API access control

  • The Docker remote API is vulnerable to unauthorized access when exposed, so access from external networks should be restricted:
    [root@localhost ~]# dockerd -H unix:///var/run/docker.sock -H tcp://192.168.142.128:2375
  • When the listener is specified in Docker's default configuration file, apply access control on the host with iptables / firewalld.

Limit traffic flow

  • iptables filters can restrict the range of source IP addresses that a Docker container is allowed to communicate with:
iptables -A FORWARD -s <source_ip_range> -j REJECT --reject-with icmp-admin-prohibited

  • The following pair lets traffic from containers out through eth0 only when it belongs to an already established connection and drops anything new a container tries to initiate. The ACCEPT rule must come before the DROP: iptables evaluates the FORWARD chain in order, so a DROP placed first would shadow the ESTABLISHED rule and nothing would ever match it.
iptables -A FORWARD -i docker0 -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 -o eth0 -j DROP

Run the Docker service as an ordinary user

  • User mapping solves the problem that user 0 (root) inside a container is the same as root on the host: remap the LXC user and group IDs.
[root@localhost ~]# yum -y install lxc uidmap
[root@localhost ~]# vim /etc/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

File system limits

  • Mount the container's root file system read-only wherever possible, keep the file directory permissions of different containers separate, and give each container its own partition on the host:
    su test01
    docker run -v dev:/home/mc_server/test01 -it centos:latest /bin/bash
    su test02
    docker run -v dev:/home/mc_server/test02 -it centos:latest /bin/bash

Image security

  • Under normal circumstances, make sure images are pulled only from a trusted registry, and do not use the --insecure-registry=[] parameter.

Securing communication between the Docker client and the Docker daemon

  • To prevent link hijacking and session hijacking, in which the Docker communication is subjected to a man-in-the-middle attack, the client and server sides should communicate over an encrypted channel:
[root@localhost harbor]# dockerd --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376

Resource constraints

  • Restricting a container's resources reduces the security risk without affecting the business:

    docker run -tid --name ec2 --cpuset-cpus 3 --cpu-shares 2048 --memory 2048m --rm --blkio-weight 100 --pids-limit 512 centos:latest

Upgrade the host kernel promptly for vulnerabilities

  • A host failure, or the need to upgrade the kernel, will cause problems
  • Docker containers should support live migration
  • Plan the kernel upgrade, its implementation, and a rollback procedure

Install security hardening

  • Use a hardened Linux kernel and kernel security patches such as SELinux, AppArmor and grsec.

Avoid information leakage from Docker containers

  • Check the contents of the template used to create containers:
# check created users
grep authorized_keys "$dockerfile"
# check OS users
grep "etc/group" "$dockerfile"
# check sudo users
grep "etc/sudoers.d" "$dockerfile"
# check ssh key pairs
grep -E "\.ssh/.*id_rsa" "$dockerfile"
# add your own checks below
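The same checks wrapped in a reusable scanner, as an added example that is not part of the original post. It applies the four patterns above to every line of a Dockerfile, reports the line number and reason for each hit, and adds one extra check (credential-looking ENV/ARG values). The sample Dockerfile is constructed here so the script runs offline; the hypothetical function names scan_dockerfile and write_sample_dockerfile are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): scan a build template for
# baked-in credentials, keys and user/sudo changes.

# scan_dockerfile FILE
# Prints "FILE:LINE: reason: text" on stderr for each suspicious line and
# writes the number of hits to stdout.
scan_dockerfile() {
    file=$1
    hits=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        reason=""
        case $line in
            *authorized_keys*)               reason="SSH authorized_keys baked into the image (created users)" ;;
            *etc/group*|*etc/passwd*)        reason="touches the OS user/group database" ;;
            *etc/sudoers*)                   reason="grants sudo rights" ;;
            *.ssh/*id_rsa*|*.ssh/*id_ed25519*) reason="private SSH key copied into the image" ;;
            *PASSWORD=*|*SECRET=*|*TOKEN=*)  reason="credential set in ENV/ARG (extra check)" ;;
        esac
        if [ -n "$reason" ]; then
            echo "$file:$n: $reason: $line" >&2
            hits=$((hits + 1))
        fi
    done < "$file"
    echo "$hits"
}

# write_sample_dockerfile FILE
# Constructed sample with four findings on lines 2, 3, 4 and 5.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM centos:latest
RUN useradd -m deploy && echo 'deploy ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/deploy
COPY id_rsa /root/.ssh/id_rsa
COPY authorized_keys /home/deploy/.ssh/authorized_keys
ENV DB_PASSWORD=changeme
RUN yum -y update && yum clean all
CMD ["/usr/sbin/httpd", "-DFOREGROUND"]
EOF
}
```

Run it as `scan_dockerfile Dockerfile`; the exit status is always that of the final echo, so a CI gate should compare the printed count with 0 rather than the exit status. The case patterns are shell globs, which is why `.ssh/` needs no escaping here while the grep version above needs `\.`.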

Log analysis

  • Collect and archive Docker audit and security logs for monitoring purposes, using rsyslog or stdout + ELK for log collection, storage and analysis.
  • Use the following command so that a container writes to the host's log socket; the log can then be read on the host, outside the container:
docker run -v /dev/log:/dev/log <image_name> /bin/sh
  • Docker's built-in command:
docker logs -f <container_name>

Docker Bench for Security

  • A script that checks a production Docker container deployment against dozens of common best practices.
  • Installation
    After downloading, add the directory to your PATH environment variable.
[root@localhost ]# git clone https://github.com/docker/docker-bench-security.git
[root@localhost ]# cd docker-bench-security
[root@localhost ]# sudo sh docker-bench-security.sh

ulimit

  • Limits can be placed on the core dump file size, the size of the process data segment, the size of files that may be created, the resident set size, the number of open files, the maximum virtual memory, the process stack size, CPU time, the maximum number of processes for a single user, and other resource types.
  • Setting the CPU time limit:
dockerd --default-ulimit cpu=1200
docker run --rm -ti --ulimit cpu=1200 ubuntu bash
  • View it after entering the container:
ulimit -t

Docker TLS encrypted communication

  • To prevent link hijacking, session hijacking and other problems that arise when Docker communication is subjected to a man-in-the-middle attack, the client and server sides should communicate over an encrypted channel.

1. Deploy the master server

[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
[root@master ~]# vim /etc/hosts
127.0.0.1  master
[root@master ~]# mkdir /tls
[root@master ~]# cd /tls/
# create the CA private key
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
# create the CA certificate
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
# create the server private key
[root@master tls]# openssl genrsa -out server-key.pem 4096
# create a signing request for the server key
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
# sign the server certificate with the CA certificate and key; enter the CA key passphrase (123123)
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
# generate the client private key
[root@master tls]# openssl genrsa -out key.pem 4096
# create a signing request for the client key
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
# create the extension file that restricts the certificate to client authentication
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
# sign the client certificate (needs the client CSR, CA certificate and CA key); enter the passphrase 123123
[root@master tls]# openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
# delete the leftover files
[root@master tls]# rm -rf ca.srl client.csr extfile.cnf server.csr
# configure docker
[root@master tls]# vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
# reload the unit files
[root@master tls]# systemctl daemon-reload
# restart the service
[root@master tls]# systemctl restart docker

# copy the three files /tls/ca.pem /tls/cert.pem /tls/key.pem to the client host (<client_ip> is a placeholder for its address)
[root@master tls]# scp ca.pem root@<client_ip>:/etc/docker
[root@master tls]# scp cert.pem root@<client_ip>:/etc/docker
[root@master tls]# scp key.pem root@<client_ip>:/etc/docker

2. Deploy the client server

[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# su
[root@client ~]# vim /etc/hosts
192.168.45.129 master

3. Client test

[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
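The certificate chain from the walkthrough above, built by one non-interactive function and followed by a check that the result is what the daemon and client expect. This is an added example, not part of the original post, and it makes two deliberate changes that are this example's own assumptions: the CA passphrase is passed with -passout/-passin instead of being typed at a prompt, and the server certificate carries a subjectAltName for the hostname "master" and the master address 192.168.45.129 used above, because Docker clients built with current Go releases reject a server certificate that only offers a wildcard CN. The passphrase used in the test is a constructed sample value; file names match the walkthrough so the dockerd ExecStart line above works unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): scripted Docker TLS PKI.

# make_docker_tls_pki DIR PASSPHRASE
# Creates ca.pem, server-cert.pem, server-key.pem, cert.pem and key.pem in DIR.
# The body runs in a subshell so the cd does not leak into the caller.
make_docker_tls_pki() (
    dir=$1; pass=$2
    mkdir -p "$dir" && cd "$dir" || exit 1

    # CA: passphrase-protected key and a self-signed certificate
    openssl genrsa -aes256 -passout "pass:$pass" -out ca-key.pem 4096
    openssl req -new -x509 -days 1000 -sha256 -key ca-key.pem -passin "pass:$pass" \
        -subj "/CN=docker-ca" -out ca.pem

    # Server key, CSR and certificate. The SAN lists every name the daemon is
    # reached by; the IP is the master address from the walkthrough.
    openssl genrsa -out server-key.pem 4096
    openssl req -new -sha256 -subj "/CN=master" -key server-key.pem -out server.csr
    printf '%s\n' 'subjectAltName=DNS:master,IP:192.168.45.129,IP:127.0.0.1' \
        'extendedKeyUsage=serverAuth' > server-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$pass" -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

    # Client key and certificate, restricted to client authentication
    openssl genrsa -out key.pem 4096
    openssl req -new -sha256 -subj "/CN=client" -key key.pem -out client.csr
    echo 'extendedKeyUsage=clientAuth' > client-ext.cnf
    openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$pass" -CAcreateserial -out cert.pem -extfile client-ext.cnf

    # Remove intermediates and lock down the private keys (host-level rule 6)
    rm -f ca.srl server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_tls_pki DIR
# Succeeds when both leaf certificates chain to ca.pem, the client certificate
# is limited to clientAuth, and the server certificate names "master".
verify_docker_tls_pki() (
    cd "$1" || exit 1
    openssl verify -CAfile ca.pem server-cert.pem >/dev/null || exit 1
    openssl verify -CAfile ca.pem cert.pem >/dev/null || exit 1
    openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication' || exit 1
    openssl x509 -in server-cert.pem -noout -text | grep -q 'DNS:master' || exit 1
)
```

On the master, `make_docker_tls_pki /tls 'your-passphrase'` followed by `verify_docker_tls_pki /tls` produces the same file set the ExecStart line above refers to; copy ca.pem, cert.pem and key.pem to the client as in step 1 and run the step 3 client test against tcp://master:2376.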

thanks for reading!!!


Origin blog.51cto.com/14449521/2466804