New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker Containers Hardening & Restrictions (apparmor, cgroups, etc) #130
Comments
The idea of this issue is mostly to gather the knowledge, then we will try to make:
|
Here is a compilation of common stuff that can be found on google |
PATHWAR LEVEL SECURITY GUIDELINES1. Denial of Service mitigation
Limit imposes an upper limit to the amount of memory that can potentially be used by a Docker container. Memory Reservations tries to bring the container’s memory consumption at or below the reservation limit, when the system is running low on memory. If there’s an abundance of memory, however, the application can expand upto the hard set memory limit. Example with docker :
Example with docker-compose :
storage-opt option is only available on docker-compose v2, not in v3. 2. Mitigate privilege escalation / container hijacking1. Keep docker updated (thx captn obvious)2. Run as limited userIn Dockerfile :
On Runtime
3. Isolate containers with a user namespaceUse /etc/docker/daemon.json
To disable user namespaces for a specific container, add the --userns=host flag to the docker container create, docker container run, or docker container exec command. The following standard Docker features are incompatible with running a Docker daemon with user namespaces enabled: sharing PID or NET namespaces with the host (--pid=host or --network=host). One of the interesting issues I faced while using userns-remap was an error when doing a docker pull of the form: failed to register layer: Error processing tar file (exit status 1): container id xxx cannot be mapped to a host id. Once userns-remap is enabled, all docker engine operations are carried out as the user specified - not the user executing the docker client command. If an image you are pulling has files with user ID 1000, and if your subuid file entry doesn’t have space for 1000 users, it is going to fail. The solution is to have a decent enough range of users in your subuid entry. 4. Limit available system calls using SeccompExample profile -> https://github.com/giuliocomi/csplogger/blob/master/seccomp-profile-csplogger.json Risky because if any unexpected system call is executed in the container, the whole container will be immediately terminated. 5. Use Apparmor to whitelist what is possible to do on the containerTool for qol : https://github.com/genuinetools/bane 6. Run some automated security bench scriptsIdeally we want a Makefile option to test a single container or any container found in the whole project, ie :
1. Docker Bench for Securityhttps://github.com/docker/docker-bench-security Looks really cool, didn't test yet but it seems to test any known security vulnerability against running docker containers. 2. clairhttps://github.com/coreos/clair Looks a bit complex, didn't test yet. 7. Check used image through Content TrustAdd following option to /etc/docker/daemon.json
Need Docker Enterprise Engine |
Examples of profiles we can imagine having:
The common point will always to restrict the level of DOSing the server running it (restrict memory, cpu, disk)
The text was updated successfully, but these errors were encountered: