New Docker Engine 1.10 brings Enterprise-level security hardening – Secure Computing

Security issues like kernel exploits,  denial-of-service attacks, container breakouts, poisoned images, compromising secrets etc. has been talked a lot in recent times for a container based environnment. With Docker’s “Build, ship and Run” mission, the introduction of the standardized images format has fueled an explosion of interest in container world in the enterprise IT. Docker allows greater sharing of resources and as you have dozens of applications running on your computer system, the chances of exposing your application to the outside world and risk of application vulnerability is sure to increase.

How to use Docker securely?

To use Docker safely, you need to be aware of the potential security issues and the major tools and techniques for securing container-based systems. The new Docker 1.10 release focus on the security aspect of the container technology.This new release brings several security improvements that merits the attention of Docker developers and operations team. In this article, we are going to look at one of the new security feature announced as part of Docker 1.10 release which is rightly  called “secure computing”.

In 2005, one of memory management contributor Andrea Arcangeli, started exploring what we today call “secure computing” (or “seccomp”) feature. Initially, he started working on a feature to enable owners of Linux systems to rent out their CPUs to people doing serious processing work. Allowing strangers to run arbitrary code is something that people tend to be nervous about; they require some pretty strong assurance that this code will not have general access to their systems.Seccomp solves this problem by putting a strict sandbox around processes running code from others. A process running in seccomp mode is severely limited in what it can do; interestingly there are only four system calls – read(), write(), exit(), and sigreturn() – available to it. Attempts to call any other system call result in immediate termination of the process. The idea is that a control process could obtain the code to be run and load it into memory. After setting up its file descriptors appropriately, this process would call:

prctl(PR_SET_SECCOMP, 1);

to enable seccomp mode. This enabled jumping into the guest code, knowing that no real harm could be done. The guest code can run in the CPU and communicate over the file descriptors given to it, but it has no other access to the system.  Later point  of time it was Google Team who thought that seccomp would make a good platform on which to create a “finished implementation” for Linux which they used it for Google Chrome.

Secure computing mode (Seccomp) is purely  a Linux kernel feature which enables you to control which system calls are disabled– and this applies to containers as well, when applied via Docker.You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.In addition, Docker implemented a default setting which is now part of the Docker daemon.

By default, the new Docker Seccomp profile disables 44 system calls, out of 313 available in 64bit Linux systems. These system calls are listed under Docker official site(shown below for reference).

Syscall Description
acct Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT.
add_key Prevent containers from using the kernel keyring, which is not namespaced.
adjtimex Similar to clock_settime and settimeofday, time/date is not namespaced.
bpf Deny loading potentially persistent bpf programs into kernel, already gated by CAP_SYS_ADMIN.
clock_adjtime Time/date is not namespaced.
clock_settime Time/date is not namespaced.
clone Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
create_module Deny manipulation and functions on kernel modules.
delete_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
finit_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
get_kernel_syms Deny retrieval of exported kernel and module symbols.
get_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
init_module Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE.
ioperm Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
iopl Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO.
kcmp Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
kexec_file_load Sister syscall of kexec_load that does the same thing, slightly different arguments.
kexec_load Deny loading a new kernel for later execution.
keyctl Prevent containers from using the kernel keyring, which is not namespaced.
lookup_dcookie Tracing/profiling syscall, which could leak a lot of information on the host.
mbind Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
modify_ldt Old syscall only used in 16-bit code and a potential information leak.
mount Deny mounting, already gated by CAP_SYS_ADMIN.
move_pages Syscall that modifies kernel memory and NUMA settings.
name_to_handle_at Sister syscall to open_by_handle_at. Already gated by CAP_SYS_NICE.
nfsservctl Deny interaction with the kernel nfs daemon.
open_by_handle_at Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH.
perf_event_open Tracing/profiling syscall, which could leak a lot of information on the host.
personality Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns.
pivot_root Deny pivot_root, should be privileged operation.
process_vm_readv Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
process_vm_writev Restrict process inspection capabilities, already blocked by dropping CAP_PTRACE.
ptrace Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping CAP_PTRACE.
query_module Deny manipulation and functions on kernel modules.
quotactl Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN.
reboot Don’t let containers reboot the host. Also gated by CAP_SYS_BOOT.
restart_syscall Don’t allow containers to restart a syscall. Possible seccomp bypass see: https://code.google.com/p/chromium/issues/detail?id=408827.
request_key Prevent containers from using the kernel keyring, which is not namespaced.
set_mempolicy Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE.
setns Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN.
settimeofday Time/date is not namespaced. Also gated by CAP_SYS_TIME.
stime Time/date is not namespaced. Also gated by CAP_SYS_TIME.
swapon Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
swapoff Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN.
sysfs Obsolete syscall.
_sysctl Obsolete, replaced by /proc/sys.
umount Should be a privileged operation. Also gated by CAP_SYS_ADMIN.
umount2 Should be a privileged operation.
unshare Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user.
uselib Older syscall related to shared libraries, unused for a long time.
ustat Obsolete syscall.
vm86 In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.
vm86old In kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN.

 

Source ~ https://docs.docker.com/engine/security/seccomp/

It’s time to look into seccomp feature implementation now. By default, Docker 1.10 available as part of DEB or RPM doesnt support seccomp feature.

Please Note: Seccomp profiles require seccomp 2.2.1 and are only available starting with Debian 9 “Stretch”, Ubuntu 15.10 “Wily”, and Fedora 22. To use this feature on Ubuntu 14.04, Debian Wheezy, or Debian Jessie, you must download the latest static Docker Linux binary.

I am using Ubuntu 14.04.3 for my Docker containers. I will be downloading static Docker Linux binary from https://docs.docker.com/engine/installation/binaries/ and run the binary to get seccomp implementation running.

root@dell:~# wget https://get.docker.com/builds/Linux/x86_64/docker-1.10.2
–2016-02-28 05:33:15–  https://get.docker.com/builds/Linux/x86_64/docker-1.10.2
Connecting to 10.116.2.242:80… connected.
Proxy request sent, awaiting response… 200 OK
Length: 34892323 (33M) [binary/octet-stream]
Saving to: ‘docker-1.10.2.1’

100%[==============================================>] 3,48,92,323  972KB/s   in 31s

2016-02-28 05:33:46 (1.06 MB/s) – ‘docker-1.10.2.1’ saved [34892323/34892323]

root@dell:~# chmod +x docker-1.10.2.1

root@dell:~# ./docker-1.10.2.1 daemon
INFO[0000] [graphdriver] using prior storage driver “aufs”
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option –bip can be used to set a preferred IP address
..

INFO[0001] Loading containers: done.
INFO[0001] Daemon has completed initialization
INFO[0001] Docker daemon   commit=c3959b1 execdriver=native-0.2 graphdriver=aufs version=1.10.2
INFO[0001] API listen on /var/run/docker.sock

Ensure that Docker service is running fine:

root@dell:~# docker version
Client:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:37:01 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 22:37:33 2016
 OS/Arch:      linux/amd64
root@dell~#

Passing unconfined to run a container without the default seccomp profile

Docker’s default seccomp profile is a whitelist which specifies the calls that are allowed.

Let’s take a simple example:

root@dell:~# docker run –rm -it –security-opt seccomp:unconfined  hello-world

Hello from Docker.
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the “hello-world” image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
https://hub.docker.com

For more examples and ideas, visit:
https://docs.docker.com/userguide/

Passing a profile to run a container with a default seccomp profile

let’s pick up two syscalls – “mount” and “chown” for this example.

Create a json file with the below contents and save it as mypolicy.json.

{

“defaultAction”: “SCMP_ACT_ALLOW”,
    “syscalls”: [
        {
            “name”: “mount”,
            “action”: “SCMP_ACT_ERRNO”
        },
                
        {
            “name”: “chown”,
            “action”: “SCMP_ACT_ERRNO”
        }
        
    ]
}

Ensure that the format is exactly same as json is little delicate in terms of its entries.

Run the below command to enable secomp profile for a container:
root@dell-PowerEdge-R630:~# docker run -it –security-opt seccomp:mypolicy.json busybox sh
/ # ls
bin   dev   etc   home  proc  root  sys   tmp   usr   var
/ # mkdir test
/ # chown root:root test
chown: test: Operation not permitted
/ #

The first command will try to pass seccomp-opt parameter to the container being built. Once the user is inside the container, if he tries to change the ownership of a file he is not permitted to do so. Similarly, he is retricted to run mount command.

In summary, we experienced that the “secured computing” provides the flexibility to harden specific containers based on their actual needs. Said that, it still requires in-depth knowledge of the system calls and container behaviour.This tool arrives as a weapon for Developers and Docker enthusiasts to make Docker’s mission “Build, Ship and Run” more secure and production-ready.

 

 

 

28 thoughts on “New Docker Engine 1.10 brings Enterprise-level security hardening – Secure Computing

  1. Aw, this was a very nice post. Finding the time and actual effort to generate a superb article… but what
    can I say… I procrastinate a lot and never manage to get anything done.

  2. This post presents clear idea designed for the new people of blogging, that truly how you can do blogging.

  3. Hi there friends, nice post and good arguments commented at this place, I am truly enjoying by
    these.

  4. It’s very trouble-free to discover any matter on net in comparison with
    textbooks, when i found this paragraph at the site.

  5. Hi there everyone, it’s my first visit at this web site,
    and piece of writing is truly fruitful designed for me, keep up posting these articles or reviews.

  6. I found myself recommended this web site by way of my cousin. I am
    not any longer certain whether this submit is written by using him as nobody else recognise such precise about my problem.
    You’re amazing! Thanks a lot!

  7. Wonderful items from you, man. I’ve keep in mind
    your stuff prior to and you’re simply extremely
    magnificent. I actually like what you may have acquired here, really like what you’re stating and how through which you say it.
    You’re making it entertaining and you continue to look after to keep it sensible.
    I are unable to wait to read significantly more of your
    stuff. That is actually a wonderful website.

  8. It’s hard to come by knowledgeable people about this topic,
    however, you appear like do you know what you’re talking about!
    Thanks

  9. It’s really a nice and useful piece of info. I’m glad that you just shared this helpful info with us.
    Please stay us informed similar to this.
    Thanks for sharing.

  10. Hello, I wish for to subscribe for this blog to get most up-to-date updates, thus where can i do
    it please help out.

  11. always i utilized to read smaller content which also clear their motive, and that is certainly also happening with this
    bit of writing which I am reading at the place.

  12. Greate pieces. Keep writing such kind of info on your page.
    Im really impressed by your blog.
    Hi there, You’ve done a fantastic job. I’ll definitely digg it and personally suggest to
    my friends. I’m sure they will be benefited from this web site.

  13. I am extremely inspired together with your writing abilities as neatly as together with the format inside your blog.
    Is that this a paid subject or did you modify it on your own?
    In either case keep the nice premium quality writing,
    it can be rare to discover a nice weblog similar to this one nowadays..

  14. Very nice post. I just discovered your blog and wished to express that I’ve truly loved browsing your blog posts.
    In the end I’ll be subscribing on your feed and I’m hoping
    you write again soon!

  15. Hello there! Would you mind if I share your blog with my twitter group?
    There’s a lot of folks that I think would really appreciate your content.
    Please let me know. Many thanks

  16. I pay a brief visit daily several sites and blogs to read through
    articles or reviews, but this weblog provides quality based writing.

  17. Usually I don’t learn article on blogs, however I would want to
    point out that this write-up very forced me to look into and do so!
    Your writing taste has become amazed me. Thanks a lot,
    quite nice article.

  18. Hi could you mind sharing which blog platform you’re using?
    I’m looking to get started on my very own blog in the near
    future but I’m possessing a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal.
    The key reason why I ask is because your design seems different
    then most blogs and I’m searching for something unique.
    P.S Sorry for being off-topic however i was required to ask!

  19. I really love your website.. very good colors & theme.
    Do you create this amazing site yourself or did you hire
    someone to make it happen for you personally? Plz reply as I’m looking
    to create my own blog and would want to know where u got this from.
    thank you

  20. Fantastic beat ! I wish to apprentice while you amend your website, how can i subscribe for a blog web site? The account aided me a acceptable deal. I had been a little bit acquainted of this your broadcast offered bright clear concept

  21. “I just added this blog site to my google reader, excellent stuff. Cannot get enough!”

  22. Its like you read my mind! You seem to know a lot about this, like
    you wrote the book in it or something. I think that you could do with a few pics to drive the message
    home a little bit, but instead of that, this is magnificent blog.

    A fantastic read. I’ll certainly be back.

  23. Hello there, just became alert to your website through Google, and discovered that it is
    actually really informative. I’m gonna watch out for brussels.
    I will appreciate should you continue this in future. A lot of
    individuals will be benefited from your writing.

    Cheers!

  24. Major thankies for the blog post. Keep writing.

  25. Do you mind if I quote a few of your posts as long as I provide credit and sources back to your webpage? My blog is in the exact same niche as yours and my users would definitely benefit from some of the information you provide here. Please let me know if this alright with you. Thanks!

  26. Thanksamundo for the post.Really thank you! Awesome.

Leave a Reply

Your email address will not be published. Required fields are marked *