chris swan at qcon 2014: using docker in cloud networks
TRANSCRIPT
copyright 2014 1
Docker, DevOps, Security
Chris Swan, CTO@cpswan
Cloud native networking
TL;DR
Dockerfile is awesomely productive
Great for DevOps
Containers don’t contain
At least not yet
Images have a manifest problem
Keep track of your stuff
Why me?
Let’s start with a demo
What do I mean by ‘DevOps’?
John Boyd’s OODA loop
Industrial design maturity - cars
Design for purpose
Design for manufacture
Design for operations
Industrial design maturity - software
Design for purpose
Design for manufacture
Design for operations
DevOps is an artefact
Containers and containment
With thanks to Dan Walsh @rhatdan. Watch his DockerCon 2014 presentation at http://is.gd/dcrhdw
Shocker
The issue
The response
http://stealth.openwall.net/xSports/shocker.c
https://news.ycombinator.com/item?id=7910117
Because containers aren’t VMs
and this has yet to come:
Possible to have our cake and eat it?
cgroups
namespaces
mnt – mount points, filesystems
pid – processes
net – network
ipc – inter process communication
uts – hostname
device – devices
user – UIDs
capabilities
Fine grained control over ‘root’ privileges:
• deny all "mount" operations;
• deny access to raw sockets (to prevent packet spoofing);
• deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
• deny module loading;
• etc.
Mandatory Access Control (MAC):
AppArmor and SELinux
<optimist>Containers will contain</optimist>
• Use of namespaces, capabilities and MAC will improve
• Might be a game of ‘whack a mole’
• Hard to tell when we’re done (is @solomonstre’s word going to be enough?)
• Libcontainer can drive other mechanisms
• More secure options might come
• Hardware support might come
• Existing rings 1 & 2 aren’t used much, but aren’t really suitable
• VT-x introduced ring -1, do we need a ring 0.5?
The manifest problem
My Dockerfile from earlier
Each active line creates a layer
(Layer diagram: Base OS, Sources, Update repos, Install nginx, Mod nginx.conf, Mod index.html)
An image binds layers together
(Same layer diagram, now bound into one image: Base OS, Sources, Update repos, Install nginx, Mod nginx.conf, Mod index.html)
Nginx example
The image is the unit of deployment
Nginx example
What version of nginx is that?
Nginx example
What version of OpenSSL installed?
Nginx example
and which bash?
Problem 1 – non-determinism
Whilst we want this to be cached in the short term:
apt-get install nginx
We perhaps don’t want it cached in the long term
What are those durations?
Problem 2 – the manifest problem
When I run
apt-get install nginx
I don’t know which version of nginx I just got
Should I?
nginx -v > some_log.txt
Or maybe?
apt-cache policy nginx > some_log.txt
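Added example, not from the talk: the two problems above (a build that is non-deterministic over time, and not knowing which nginx, OpenSSL or bash an image actually contains) are both addressed by recording a package manifest at build time and diffing manifests between builds. It assumes a Debian/Ubuntu base where dpkg-query is the source of truth (an alternative to the slide's apt-cache policy); the two sample manifests are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: capture a package manifest when the image
# is built, answer "which nginx/openssl/bash did I get?", and compare two
# manifests to detect version drift between builds of the same Dockerfile.
# Assumes a Debian/Ubuntu base (dpkg-query); the sample manifests are constructed.

# Build-time capture, e.g. as the last Dockerfile step:
#   RUN dpkg-query -W -f='${Package}\t${Version}\n' | sort > /manifest.txt
capture_manifest() {
    dpkg-query -W -f='${Package}\t${Version}\n' | sort
}

# Version of one package in a manifest ($1 = manifest text, $2 = package);
# prints nothing if the package is absent.
manifest_version() {
    printf '%s\n' "$1" | awk -F '\t' -v pkg="$2" '$1 == pkg { print $2 }'
}

# Print "pkg old new" for every package whose version differs between the
# old ($1) and new ($2) manifest; exit status 1 if anything drifted.
# A drifted version is a candidate for pinning (apt-get install pkg=version).
manifest_drift() {
    {
        printf '%s\n' "$1" | awk '{ print "O\t" $0 }'
        printf '%s\n' "$2" | awk '{ print "N\t" $0 }'
    } | awk -F '\t' '
        $1 == "O" { old[$2] = $3; next }
        $1 == "N" && ($2 in old) && old[$2] != $3 { print $2, old[$2], $3; n++ }
        END { exit n ? 1 : 0 }'
}

# Constructed sample manifests: the same "apt-get install nginx" Dockerfile
# built on two different days picks up different bash and openssl builds.
OLD_MANIFEST=$(printf 'bash\t4.3-7ubuntu1\nnginx\t1.4.6-1ubuntu3\nopenssl\t1.0.1f-1ubuntu2.4\n')
NEW_MANIFEST=$(printf 'bash\t4.3-7ubuntu1.1\nnginx\t1.4.6-1ubuntu3\nopenssl\t1.0.1f-1ubuntu2.5\n')

# Demo: the nginx line answers "what version of nginx is that?"; the drift
# report answers "what changed since the last build?".
echo "nginx: $(manifest_version "$NEW_MANIFEST" nginx)"
manifest_drift "$OLD_MANIFEST" "$NEW_MANIFEST" || echo "version drift detected"
```

Committing /manifest.txt alongside the image tag gives the "keep track of your stuff" record the TL;DR asks for, without depending on the apt cache being fresh.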
Again, Solomon promises to fix things
There is another way
TL;DR
Dockerfile is awesomely productive
Great for DevOps
Containers don’t contain
At least not yet
Images have a manifest problem
Keep track of your stuff