Project Atomic is now sunset

The Atomic Host platform is now replaced by CoreOS. Users of Atomic Host are encouraged to join the CoreOS community on the Fedora CoreOS communication channels.

The documentation contained below and throughout this site has been retained for historical purposes, but can no longer be guaranteed to be accurate.

Project News

Keeping Up with Docker Security

I’ve been working on the Project Atomic team at Red Hat on Security for Docker containers. In order to get the word out I have been writing a series of blogs on Docker Security for OpenSource.com. I’ve written two so far, and hope to have the third done soon.

The first post covers the fact that, from a security point of view, a privileged process inside a container is no different from a privileged process outside one. The idea I am trying to get across is to set up your application services the same way inside containers as out, and don’t rely on container technology to protect you.

The second post covers everything that has been put into Docker to try to control the privileged and unprivileged processes within a container: read-only file systems, dropped capabilities, SELinux, control over device nodes, and so on. The cool part of this is that it adds a lot of nice new security around the containerized service, but (see Are Docker containers really secure?) you still want to use only trusted applications and drop privileges as quickly as possible.

The last post on OpenSource.com will cover the next group of features we want to add to Docker to make it more secure.

After publishing the first two articles SDTimes contacted me to do an interview on Docker Security, which they published today as How Red Hat and the open-source community are fortifying Docker.

Finally, the presentation I gave at DockerCon discussing Docker and SELinux is available on YouTube. Continue watching here for additional Docker security information!

CentOS Docker Images updated to 20140902

Some fresh Docker fun as we head into the weekend! The CentOS images in the Docker index have been bumped to 20140902.

Fixes

These updates bring the following fixes:

  1. Add CentOS-5 image, with SELinux patch (thanks to Dan Walsh and Miroslav Grepl!)

  2. The CentOS-7 image includes a fakesystemd package instead of the distro-provided systemd. This should resolve a number of the udev and/or PID 1 errors users were seeing. This package is only useful inside Docker and will break other installs.

  3. Images now contain a new file, /etc/BUILDTIME, to reference when the image was created/published.

  4. Includes recent updates current to 20140902.

More info

For detailed information or to see the code differences used in building the images, please see: https://github.com/CentOS/sig-cloud-instance-build.

Bringing new security features to Docker

As a great follow-up to my post about Jérôme Petazzoni’s LinuxCon talk on Docker and security, Dan Walsh has a post up on OpenSource.com explaining just what’s being done about Docker security.

Says Dan, “Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I’m also looking to protect containers from each other. With Docker we are using the layered security approach, which is ‘the practice of combining multiple mitigating security controls to protect resources and data.’

Basically, we want to put in as many security barriers as possible to prevent a break out. If a privileged process can break out of one containment mechanism, we want to block them with the next. With Docker, we want to take advantage of as many security mechanisms of Linux as possible.”

Read the full post over on OpenSource.com. »

Is It Safe? A Look at Docker and Security from LinuxCon

Running applications in Docker is easy. Developers and users are finding this out in droves, which is why Docker is a runaway success. But is it safe? The answer seems to be a resounding it depends, but trending more closely to yes as work continues on Docker and we learn more about how to secure workloads.

Jérôme Petazzoni, tinkerer extraordinaire at Docker, gave an excellent presentation at LinuxCon in Chicago that addressed the safety of running applications in Linux containers. (The presentation from SlideShare is embedded below.)

The short answer, in absolute terms, is no if you depend solely on Docker to ensure security. As Dan Walsh says (and Petazzoni pointed out), containers do not contain.

Currently, root inside a container is the same UID 0 as root on the host, so if you have root in a container and find a way past the container’s namespaces, you potentially have root on the entire box. Petazzoni suggests that there are a few solutions to that problem:

  • Don’t give root
  • If the application needs root, give looks-like-root (root inside a user namespace, which is an unprivileged UID on the host)
  • If that’s not sufficient, give root, but build another wall around the container

Threat Models and Docker

Petazzoni then ran through different use cases / threat models that you might run into with Docker and fixes for the threats they may pose. For instance, if you’re worried about normal apps escalating from non-root to root, defang SUID binaries by removing the SUID bit and/or mounting filesystems with nosuid. Worried about a compromised application reaching into another container? Use user namespaces so that UIDs inside the container map to different UIDs outside it (e.g. UID 1000 in the container is 14298 on the host).
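Here are those two mitigations as a small shell example. This is added here for illustration and is not code from Petazzoni’s talk or from this post: find_suid and defang_suid list and strip the set-uid/set-gid bits under a root filesystem (the step you would take before, or instead of, mounting with nosuid), and map_uid translates a container UID to a host UID using the kernel’s /proc/PID/uid_map line format (inside-start, outside-start, count). The directory tree, the file names and the uid_map offset of 13298 (chosen so that UID 1000 inside lands on 14298 outside, the figure used in the talk) are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or talk.
#
# find_suid ROOT       - list set-uid / set-gid regular files under ROOT
# defang_suid ROOT     - clear the set-uid / set-gid bits on everything find_suid lists
# map_uid MAPFILE UID  - translate container UID to host UID using a file in the
#                        /proc/PID/uid_map format: "<inside-start> <outside-start> <count>"

find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

defang_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} + 2>/dev/null
}

map_uid() {
    # Prints the host UID for container UID $2, or "unmapped" if no range covers it.
    # The +0 coercions keep awk comparing numbers, not strings.
    awk -v uid="$2" '
        $1+0 <= uid+0 && uid+0 < $1+$3 { print uid - $1 + $2; found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# Constructed demo data: a throwaway tree with one set-uid file, and a uid_map
# that places the container's UID range at host UID 13298 (an assumed offset).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/passwd"
    chmod 4755 "$tmp/usr/bin/passwd"      # set-uid, the kind of thing to defang
    printf '#!/bin/sh\n' > "$tmp/usr/bin/ls"
    chmod 0755 "$tmp/usr/bin/ls"          # ordinary binary, left alone
    printf '0 13298 65536\n' > "$tmp/uid_map"

    echo "set-uid files before: $(find_suid "$tmp" | wc -l)"
    defang_suid "$tmp"
    echo "set-uid files after:  $(find_suid "$tmp" | wc -l)"
    echo "container UID 1000  -> host UID $(map_uid "$tmp/uid_map" 1000)"
    echo "container UID 70000 -> host UID $(map_uid "$tmp/uid_map" 70000)"
    rm -rf "$tmp"
}

demo
```

Run it against a real container root (for example the directory an image was extracted to) rather than the demo tree to see what set-uid binaries a base image actually ships; the UID lookup is the same arithmetic the kernel does when it translates IDs across a user namespace boundary, which is why a UID outside every mapped range comes back as unmapped rather than as some host UID.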

Petazzoni continued with examples of potential fixes for scenarios where Docker might be attacked, up to situations where one might want to run kernel drivers or network stacks in Docker. His response? Please stop trying to shoot yourself in the foot safely. (In other words, anything that requires control over hardware isn’t going to be more secure in a container!)

You can, of course, get crazy and run Docker-within-Docker by using KVM within a container. But then again, maybe everything doesn’t need to be containerized.

One area that Petazzoni didn’t mention during the initial talk is image signing. Right now, a lot of people are sharing Docker images without signatures, so there is no way to verify that the image you run in a container is what the publisher originally supplied, or that it actually came from the source it purports to be from. This is a major concern, and Petazzoni says signing will be addressed eventually.

With some caveats, though, the security picture for Docker is pretty good – but not yet perfect. So it goes. At the rate Docker is improving, we’ll see many of the issues that Petazzoni discussed addressed by this time next year. And, in many cases, there are already workarounds.

The presentation (below) is well worth skimming through. Overall, Petazzoni delivered a great presentation – to a packed room, I might add. Interest in Docker at LinuxCon was quite high (not surprisingly). Last year, I recall Docker being discussed at LinuxCon but with little indication of how important it would be this year. Should be interesting to look back next year to see where we were in mid-2014 and how far it’s come.

If you’re interested in all things Docker, you probably want to follow Petazzoni on Twitter at @jpetazzo.

CentOS 7 Alpha Builds for Atomic

Yesterday, Karanbir Singh announced an alpha-quality build of CentOS 7 Atomic that’s suitable for developing rpm-ostree tools and helping the SIG get started.

As KB points out, the images contain unsigned content that’s produced outside the CentOS.org build system. You should be able to run Docker containers just fine, but it doesn’t yet include Cockpit or Kubernetes packages.

Also, there’s no upstream ostree repo yet, but KB plans to set up a repo under cloud.centos.org soon. Even better, he plans to start running builds every two days as the content stabilizes, and eventually get the builds up on CentOS.org.

Please give it a whirl, though, and report any problems found to the CentOS-devel mailing list.
