Project

General

Profile

Docker security » History » Version 2

Peter Amstutz, 10/07/2016 03:04 AM

1 1 Peter Amstutz
h1. Docker security
2
3 2 Peter Amstutz
The fundamental Docker security issue is that a  "root" (uid 0) user inside container is equivalent to "root" outside, unless steps are taken to limit container permissions.  We want to disallow containers from sending data outside the private Arvados network, prevent breakout from the container, and limit access if a breakout does occur.  We don't allow end users to invoke Docker directly, so we can impose security measures both in the daemon configuration and the individual container invocation.
4 1 Peter Amstutz
5
Some of the knobs we have include:
6
7
h2. Setting the uid/gid of pid 1 in container
8
9 2 Peter Amstutz
We can explicitly set the uid/gid of pid 1 inside the container so it is not uid 0.  This overrides the USER directive of the image.  One drawback is that some programs behave badly when the current uid
10 1 Peter Amstutz
cannot be found in /etc/passwd.
11
12
h2. User id mapping
13 2 Peter Amstutz
14 1 Peter Amstutz
docker daemon --userns-remap
15
16 2 Peter Amstutz
User ids inside container corresponds to a different host user id. Can map uid 0 inside the container to non-root user outside the container.  Unclear if uid 0 inside the container still has some "root
17
powers" (like bypassing file access checks when accessing files inside the container), or if this means uid 0 is just a regular unprivileged user who happens to have a uid of 0.  (More research necessary)
18 1 Peter Amstutz
19
h2. Dropping capabilities
20
docker run --drop-cap
21
22 2 Peter Amstutz
Drop capabilities of root user inside the container ("man capabilities" for list).  Dropping all capabilities effectively neuters the root user (for example, without CAP_DAC_OVERRIDE the root
23
user is subject to the same file permission checks as regular users). Unclear if this is necessary when user id remapping is in effect; it may be the case that when user id mapping is in effect
24 1 Peter Amstutz
25
h2. Restrict container networking
26
27 2 Peter Amstutz
Crunch v2 communicates via arv-mount, which means most containers don't need networking to read/write to Keep.  Crunch v2 policy is that networking is disabled by default but can be enabled with the runtime constraint API: true (necessary for arvados-aware containers).  The Docker network bridge should be configured with a whitelist firewall that limits communication to essential Arvados services (API server + Keep server).
28
29 1 Peter Amstutz
h2. Disable inter-container communication
30
docker daemon --icc=false
31
32
Our containers don't need to talk to each other.
33
34
h2. Resource limits via cgroups
35
36 2 Peter Amstutz
Slurm can set up a cgroup (control group) to dictate resource limits, and crunch-run can instruct Docker to put the container in the cgroup set up by slurm.  Note, for this to work, we may need to invoke the Docker daemon with this option:
37
38 1 Peter Amstutz
--exec-opt native.cgroupdriver=cgroupfs
39
40 2 Peter Amstutz
Further research is required to see if slurm cgroup settings are sufficient to prevent overloading the node or denial-of-service, or if we need to set other limits (for example, a limit on the number of processes inside the container to prevent forkbomb attacks.)
41 1 Peter Amstutz
42
h2. Resource limits via ulimit
43
44 2 Peter Amstutz
We can also set ulimits on daemon invocation (--default-ulimit) and on container invocation (--ulimit).  ulimit has some overlap with cgroups but the difference seems to be that most ulimit settings apply per-process rather than to a group of processes.
45 1 Peter Amstutz
46
h2. seccomp
47
48 2 Peter Amstutz
Seccomp filters system calls that can be made by programs inside the container; many system calls it filters can also be blocked by dropping capabilities.
49
50 1 Peter Amstutz
https://docs.docker.com/engine/security/seccomp/
51
52
h2. AppArmor
53
54 2 Peter Amstutz
Can further limit what programs (including those running as "root") inside the container can do.  To be really effective, need to tailor profiles to specific application containers.
55 1 Peter Amstutz
56
https://docs.docker.com/engine/security/apparmor/
57
58
h2. SELinux
59
60
docker daemon --selinux-enabled
61
62
Enable SELinux support.  I don't know what that entails.