Skip to content

Latest commit

 

History

History
745 lines (577 loc) · 49.3 KB

File metadata and controls

745 lines (577 loc) · 49.3 KB

Microservices & Container Security

Welcome To The World of Containers: A collection of awesome software, libraries, documents, books, resources and cool stuff about Microservices & Container Security. Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

What are containers?

Containers are executable units of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud.

containers

Containers vs. virtual machines (VMs)

One way to better understand a container is to understand how it differs from a traditional virtual machine (VM). In traditional virtualization—whether it be on-premises or in the cloud—a hypervisor is leveraged to virtualize physical hardware. Each VM then contains a guest OS, a virtual copy of the hardware that the OS requires to run, along with an application and its associated libraries and dependencies.

containers-vm

Benefits of containers

The primary advantage of containers, especially compared to a VM, is providing a level of abstraction that makes them lightweight and portable.

  • Lightweight: - Containers share the machine OS kernel, eliminating the need for a full OS instance per application and making container files small and easy on resources. Their smaller size, especially compared to virtual machines, means they can spin up quickly and better support cloud-native applications that scale horizontally.
  • Portable and platform independent: - Containers carry all their dependencies with them, meaning that software can be written once and then run without needing to be re-configured across laptops, cloud, and on-premises computing environments.
  • Supports modern development and architecture: - Due to a combination of their deployment portability/consistency across platforms and their small size, containers are an ideal fit for modern development and application patterns—such as DevOps, serverless, and microservices—that are built are regular code deployments in small increments.
  • Improves utilization: - Like VMs before them, containers enable developers and operators to improve CPU and memory utilization of physical machines. Where containers go even further is that because they also enable microservice architectures, application components can be deployed and scaled more granularly, an attractive alternative to having to scale up an entire monolithic application because a single component is struggling with load.

What is container security?

Container security is the use of security tools and policies to protect the container, its application and performance including infrastructure, software supply chain, system tools, system libraries, and runtime against cyber security threats.

containers-security

What are the challenges of Container Security?

  • Containers live in an ecosystem — containers are not deployed standalone within an enterprise. Container workloads are deployed as part of an architecture that may include: Public (AWS, GCP, Azure) clouds, Private clouds (VMware) and Hybrid clouds integrated with traditional workloads comprised of servers and VMs, while working with serverless components on the compute side. These enterprises may also be using IaaS and PaaS services such as S3 buckets or RDS. Container workloads therefore need to be secured as part of an enterprise ecosystem.

  • Containers are ephemeral: - Container lifecycles are often measured in seconds, but there is also a high degree of variability that makes generalizations difficult. Security teams need to account for the security and integrity of containers that may only be online for a few seconds, and others that may be online for weeks.

  • Containers are built and deployed in CI/CD DevOps Pipelines. - Container workloads tend to be developer led. The challenge for security is to empower developers to produce applications that are BornSecure.

Table of Contents

^ back to top ^

Foundations

  • OPEN CONTAINER INITIATIVE
    The Open Container Initiative is a lightweight, open governance structure, to be formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtime.
  • Cloud Native Computing Foundation
    The Cloud Native Computing Foundation will create and drive the adoption of a new set of common container technologies informed by technical merit and end user value, and inspired by Internet-scale computing.
  • Cloud Foundry Foundation

^ back to top ^ The Cloud is our foundry.

Specifications

  • Open Container Specifications
    This project is where the Open Container Initiative Specifications are written. This is a work in progress.
  • App Container basics
    App Container (appc) is an open specification that defines several aspects of how to run applications in containers: an image format, runtime environment, and discovery protocol.
  • Systemd Container Interface
    Systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. If you write a container solution, please consider supporting the following interfaces.
  • Nulecule Specification
    Nulecule defines a pattern and model for packaging complex multi-container applications and services, referencing all their dependencies, including orchestration metadata in a container image for building, deploying, monitoring, and active management.
  • Oracle microcontainer manifesto
    This is not a new container format, but simply a specific method for constructing a container that allows for better security and stability.
  • Cloud Native Application Bundle Specification
    A package format specification that describes a technology for bundling, installing, and managing distributed applications, that are by design, cloud agnostic.

^ back to top ^

Clouds

  • Amazon EC2 Container Service
    Container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.
  • Google Cloud Platform
    Run Docker containers on Google Cloud Platform, powered by Kubernetes. Google Container Engine actively schedules your containers, based on declared needs, on a managed cluster of virtual machines.
  • Jelastic
    Unlimited PaaS and Container-Based IaaS in a Joint Cloud Solution for DevOps.
  • Joyent
    High-Performance Container-Native Infrastructure for Today's Demanding Real-Time Web and Mobile Applications.
  • Kubernetes
    Manage a cluster of Linux containers as a single system to accelerate Dev and simplify Ops.
  • Mesosphere
    The Mesosphere Datacenter Operating System (DCOS) is a new kind of operating system that spans all of the machines in your datacenter or cloud. It provides a highly elastic, and highly scalable way of deploying applications, services and big data infrastructure on shared resources.
  • OpenShift Origin
    OpenShift Origin is a distribution of Kubernetes optimized for continuous application development and multi-tenant deployment. Origin adds developer and operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams.
  • Warden
    Manages isolated, ephemeral, and resource controlled environments. Part of Cloud Foundry - the open platform as a service project.
  • Virtuozzo
    A platform, built on Virtuozzo containers, that can be easily run on top of any bare-metal or virtual servers in any public or private cloud, to automate, optimize, and accelerate internal IT and development processes.
  • Rancher
    Rancher is a complete, open source platform for deploying and managing containers in production. It includes commercially-supported distributions of Kubernetes, Mesos, and Docker Swarm, making it easy to run containerized applications on any infrastructure.
  • Docker Swarm
    Docker Swarm is native clustering for Docker.
  • Azure Container Service
    Azure Container Service optimizes the configuration of popular open source tools and technologies specifically for Azure.
  • CIAO
    Cloud Integrated Advanced Orchestrator for Intel Clear Linux OS.
  • Alibaba Cloud Container Service
    Container Service is a high-performance and scalable container application management service that enables you to use Docker and Kubernetes to manage the lifecycle of containerized applications.
  • Nomad
    HashiCorp Nomad is a single binary that schedules applications and services on Linux, Windows, and Mac. It is an open source scheduler that uses a declarative job file for scheduling virtualized, containerized, and standalone applications.

^ back to top ^

Operating Systems

  • CoreOs
    A lightweight Linux operating system designed for clustered deployments providing automation, security, and scalability for your most critical applications.
  • RancherOS
    RancherOS is a tiny Linux distro that runs the entire OS as Docker containers.
  • Project Atomic
    Project Atomic provides the best platform for your Linux Docker Kubernetes (LDK) application stack. Use immutable infrastructure to deploy and scale your containerized applications.
  • Snappy Ubuntu Core
    Ubuntu Core is the perfect system for large-scale cloud container deployments, bringing transactional updates to the world’s favourite container platform.
  • ResinOS
    A host OS tailored for containers, designed for reliability, proven in production.
  • Photon
    Photon OS is a minimal Linux container host designed to have a small footprint and tuned for VMware platforms. Photon is intended to invite collaboration around running containerized and Linux applications in a virtualized environment.
  • Clear Linux Project
    The Clear Linux Project for Intel Architecture is a distribution built for various Cloud use cases.
  • CargOS
    CargOS is a new lightweight, open source, platform for Docker hosts that aims for speed, manageability and security. Releases are built for 64-bit Intel/AMD CPUs.
  • OSv
    OSv is the open source operating system designed for the cloud. Built from the ground up for effortless deployment and management, with superior performance.
  • HypriotOS
    Minimal Debian-based operating systems that is optimized to run Docker. It made it dead easy use Docker on any Raspberry Pi.
  • MCL
    MCL (Minimal Container Linux) is a from scratch minimal Linux OS designed specifically to run containers. It has a small footprint of ~50MB and boots within seconds. It is currently optimized to run Docker.

^ back to top ^

Hypervisors

  • Docker
    An open platform for distributed applications for developers and sysadmins. Standard de facto.
  • LXD
    Daemon based on liblxc offering a REST API to manage LXC containers.
  • OpenVZ
    OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated Linux containers (otherwise known as VEs or VPSs) on a single physical server enabling better server utilization and ensuring that applications do not conflict.
  • MultiDocker
    Create a secure multi-user Docker machine, where each user is segregated into an indepentent container.
  • Lithos
    Lithos is a process supervisor and containerizer for running services. It is not intended to be system init, but rather tries to be a base tool to build container orchestration.
  • containerd
    A container runtime which can manage a complete container lifecycle - from image transfer/storage to container execution, supervision and networking.

^ back to top ^

Containers

  • runc
    runc is a CLI tool for spawning and running containers according to the OCS specification.
  • Bocker
    Docker implemented in around 100 lines of bash.
  • Rocket
    rkt (pronounced "rock-it") is a CLI for running app containers on Linux. rkt is designed to be composable, secure, and fast. Based on AppC specification.
  • LXC
    LXC is the well known set of tools, templates, library and language bindings. It's pretty low level, very flexible and covers just about every containment feature supported by the upstream kernel.
  • Vagga
    Vagga is a fully-userspace container engine inspired by Vagrant and Docker, specialized for development environments.
  • libct
    Libct is a containers management library which provides convenient API for frontend programs to rule a container during its whole lifetime.
  • libvirt
    A big toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes).
  • systemd-nspawn
    Spawn a namespace container for debugging, testing and building. Part of systemd.
  • porto
    The main goal of Porto is to create a convenient, reliable interface over several Linux kernel mechanism such as cgroups, namespaces, mounts, networking etc.
  • udocker
    A basic user tool to execute simple containers in batch or interactive systems without root privileges.
  • Let Me Contain That For You
    LMCTFY is the open source version of Google’s container stack, which provides Linux application containers.
  • cc-oci-runtime
    Intel Clear Linux OCI (Open Containers Initiative) compatible runtime.
  • railcar
    Railcar is a rust implementation of the opencontainers initiative's runtime spec. It is similar to the reference implementation runc, but it is implemented completely in rust for memory safety without needing the overhead of a garbage collector or multiple threads.
  • Kata Containers
    Kata Containers is a new open source project building extremely lightweight virtual machines that seamlessly plug into the containers ecosystem.
  • plash
    Lightweight, rootless containers.
  • runv
    Hypervisor-based (KVM, Xen, QEMU) Runtime for OCI. Security by isolation.
  • podman
    Full management of container lifecycle.
  • firecracker
    Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.
  • sysbox
    Sysbox is a "runc" that creates secure (rootless) containers / pods that run not just microservices, but most workloads that run in VMs (e.g., systemd, Docker, and Kubernetes), seamlessly.
  • youki
    A container runtime written in Rust.

^ back to top ^

Sandboxes

  • Firejail
    Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
  • NsJail
    NsJail is a process isolation tool for Linux. It makes use of the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel.
  • Subuser
    Securing the Linux desktop with Docker.
  • Snappy
    Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates - a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism.
  • xdg-app
    xdg-app is a system for building, distributing and running sandboxed desktop applications on Linux.
  • Bubblewrap
    Run applications in a sandbox using Linux namespaces without root privileges, with user namespacing provided via setuid binary.
  • singularity
    Universal application containers for Linux.

^ back to top ^

Partial Access

  • nsenter
    Run program with namespaces of other processes. Part of the util-linux.
  • ip-netns
    Process network namespace management. Part of the iproute2.
  • unshare
    Run program with some namespaces unshared from parent. Part of the util-linux.
  • python-nsenter
    This Python package allows entering Linux kernel namespaces (mount, IPC, net, PID, user and UTS) by doing the "setns" syscall.
  • butter
    Python library to interface to low level linux features (inotify, fanotify, timerfd, signalfd, eventfd, containers) with asyncio support.
  • pyspaces
    Works with Linux namespaces through glibc with pure python.
  • CRIU
    Checkpoint/Restore In Userspace is a software tool for Linux operating system. Using this tool, you can freeze a running application (or part of it) and checkpoint it to a hard drive as a collection of files. CRIU integrated with Docker and LXC to implement Live migration of containers.
  • Moby
    A "Lego set" of toolkit components for containers software created by Docker.

^ back to top ^

Filesystem

  • container-diff
    A tool for analyzing and comparing container images.
  • buildah
    A tool which facilitates building OCI container images.
  • skopeo
    Work with remote images registries - retrieving information, images, signing content.
  • img
    Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
  • dgr
    Command line utility designed to build and to configure at runtime App Containers Images (ACI) and App Container Pods (POD) based on convention over configuration.
  • Whaler
    Whaler is designed to reverse engineer a Docker Image into the Dockerfile that created it.
  • dive
    A tool for exploring each layer in a docker image.
  • go-containerregistry
    Go library and CLIs for working with container registries.
  • kaniko
    Kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.
  • umoci
    Umoci is a tool to manipulate OCI container images, and can be used as a rudimentary build tool.
  • docker pushrm
    A Docker CLI plugin that that lets you push the README.md file from the current directory to a container registry. Supports Docker Hub, Quay and Harbor.

^ back to top ^

Dashboard

  • LXC-Web-Panel
    Web panel for LXC on Ubuntu.
  • Liman
    Basic docker monitoring web application.
  • portainer
    Lightweight Docker management UI.
  • swarmpit
    Lightweight mobile-friendly Docker Swarm management UI.

Best practices

  • The Twelve-Factor App
    The twelve-factor app is a methodology for building software-as-a-service apps.
  • Container Best Practices
    A collaborative project to document container-based application architecture, creation and management from Project Atomic.

Security

Tools

  • Docker bench security
    The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
  • CoreOS Clair
    Open Source Vulnerability Analysis for your Containers.
  • bane
    Custom AppArmor profile generator for docker containers.
  • OpenSCAP
    The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines.
  • drydock
    Drydock provides a flexible way of assessing the security of your Docker daemon configuration and containers using editable audit templates.
  • trireme
    Security by segmentation for Docker and Kubernetes.
  • goss
    Quick and Easy server testing/validation.
  • sockguard
    A proxy for docker.sock that enforces access control and isolated privileges.
  • gvisor
    gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
  • docker-explorer
    A tool to help forensicate offline docker acquisitions.
  • oci-seccomp-bpf-hook
    OCI hook to trace syscalls and generate a seccomp profile.

Links

Levels of security problems

  1. regular application
  • always untrusted -> know it
  • suid bit -> mount with nosuid
  • limit available syscall -> seccomp-bpf, grsec
  • leak to another container (bug in namespaces, filesystem) -> user namespaces with different uid inside for each container: 1000 in container - 14293 and 15398 outside; security modules like selinux or apparmor
  1. system services like cron, ssh
  • run as root -> isolate via bastion host or vm
  • using /dev -> "devices" control group
    The following device nodes are created in the container by default.
    The Docker images are also mounted with nodev, which means that even if a device node was pre-created in the image, it could not be used by processes within the container to talk to the kernel.
    /dev/console,/dev/null,/dev/zero,/dev/full,/dev/tty*,/dev/urandom,/dev/random,/dev/fuse
  • root calls -> capabilities (cap_sys_admin warning!)
    Here is the current list of capabilities that Docker uses: chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write.
    Docker removes several of these capabilities including the following:
    CAP_SETPCAP Modify process capabilities
    CAP_SYS_MODULE Insert/Remove kernel modules
    CAP_SYS_RAWIO Modify Kernel Memory
    CAP_SYS_PACCT Configure process accounting
    CAP_SYS_NICE Modify Priority of processes
    CAP_SYS_RESOURCE Override Resource Limits
    CAP_SYS_TIME Modify the system clock
    CAP_SYS_TTY_CONFIG Configure tty devices
    CAP_AUDIT_WRITE Write the audit log
    CAP_AUDIT_CONTROL Configure Audit Subsystem
    CAP_MAC_OVERRIDE Ignore Kernel MAC Policy
    CAP_MAC_ADMIN Configure MAC Configuration
    CAP_SYSLOG Modify Kernel printk behavior
    CAP_NET_ADMIN Configure the network
    CAP_SYS_ADMIN Catch all
    uses /proc, /sys -> remount ro, drop cap_sys_admin; security modules like selinux or apparmor; some part of this fs are "namespace-aware"
    Docker mounts these file systems into the container as "read-only" mount points.
    . /sys
    . /proc/sys
    . /proc/sysrq-trigger
    . /proc/irq
    . /proc/bus
    Copy-on-write file systems
    Docker uses copy-on-write file systems. This means containers can use the same file system image as the base for the container. When a container writes content to the image, it gets written to a container specific file system. This prevents one container from seeing the changes of another container even if they wrote to the same file system image. Just as important, one container can not change the image content to effect the processes in another container.
  • uid 0 -> user namespaces, uid 0 mappet to random uid outside
  1. system services like devices, network, filesystems
  • root -> more of services should work on host outside; isolate sensitive functions, run as non-privileged context
  • full privileges -> isolate on kernel level
  1. kernel drivers, network stack, security policies
  • absolute privileges -> run it in separate vm
  1. general like immutable infrastructure
  • container is ro
  • write to small separate rw nosuid part

src
src

Technologies for security

Things are better. For example, most modern container technologies can make use of Linux's built-in security tools such as:
AppArmor, SELinux and Seccomp policies;
Grsecurity;
Control groups (cgroups);
Kernel namespaces
src

Sure, you're deploying seccomp, but you can't use selinux inside your container, because the policy isn't per-namespace (?? lxc uses apparmore for each container...)
sVirt - selinux for kvm
src

Major kernel subsystems are not namespaced like:

  • SELinux
  • Cgroups
  • file systems under /sys
  • /proc/sys, /proc/sysrq-trigger, /proc/irq, /proc/bus

Devices are not namespaced:

  • /dev/mem
  • /dev/sd* file system devices
  • kernel modules

If you can communicate or attack one of these as a privileged process, you can own the system.
src

Another Information Sources

  • sysdig-container-ecosystem
    The ecosystem of awesome new technologies emerging around containers and microservices can be a little overwhelming, to say the least. We thought we might be able to help: welcome to the Container Ecosystem Project.
  • doger.io
    This page is an attempt to document the ins and outs of containers on Linux. This is not just restricted to programmers looking to implement containers or use container like features in their own code but also Sysadmins and Users who want to get more of a handle on how containers work 'under the hood'.

Container Security

Image

Understanding and Hardening Linux Containers - The "War and Peace" of container security

Security Assurance Requirements for Linux Application Container Deployments - Department of commerce guidance on container security

  • Utility for aiding in compliance checks against a container
  • Automated security profiling for Docker image
  • drydock - Inspired by docker-bench-security with the ability to apply custom security profiles
  • Docker bench security - One of the first security linting utility for Docker
  • Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.
  • A toolkit for building custom minimal, immutable Linux distributions
  • An open-source API to audit and govern your software supply chain
  • Python library that extends docker build. It's part of the RedHat Atomic project so its rather opinionated
  • A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component
  • Free image scanning service with a commercial offering similar to Docker Cloud
  • anchore-cli
  • Specialized CVE scanner
  • Framework for peering inside docker images. Useful for rolling your own image scanning system

Commercial solutions


Build Management


  • Source to deployment framework. An alternative to Kubernetes and Spinnaker. I include it here because it implements a concept of trusted images and dependency management

Commercial solutions

  • Project Atomic - RedHat's complete container solution with strong built-in security
  • Docker Cloud - Continuous scanning of images along with a trust mechanism

Networking/Runtime


  • Associating Amazon IAM roles to pods
  • Also for associating Amazon IAM roles to pods
  • Comprehensive guide from Google engineers on securing and isolating containers
  • User-space kernel designed to provide better isolation/sandboxing of containers
  • bSides SF 2017 talk about container monitoring at Netflix using eBPF
  • Security enforcement for Flannel SDN
  • Apply Amazon Identity Management roles to Kubernetes Pods
  • Sidecar and security enforcement system used at Lyft
  • Network policy enforcement
  • Project
  • Realtime metrics gathering across the cluster
  • An exploration of covert channels
  • Contains an interesting point about how contains that share network namespaces can snoop on eachother's traffic
  • Containers are able to send raw ethernet frames to other containers with inter-container communication disabled

Commercial solutions

  • StakRox - Container security solution with adaptive threat protection
  • NeuVector - Continuous network security
  • TwistLock - Network activity profiling

Security profiles


  • AppArmor profile generator for Docker containers
  • A gentle introduction to Security Enhanced Linux
  • Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps
  • A handy list of capabilities that are enabled by default in Docker
  • An SELinux deep dive
  • Blog post about figuring out what capabilities a container needs
  • Spoiler, its using SELinux
  • Bills itself as an adversary resistant computing platform. Under the hood the idea is to run containers in user space
  • An exercise that also takes you through the nitty gritty details of capabilities management

Exploits


  • From the intro: "We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis."
  • Post exploitation framework
  • This isn't an exploit but it allows user to access the host VM if run in privileged mode
  • List of known security vulnerabilities for Docker
  • Outlines an interesting spear-phishing attack on image maintainers
  • Image scanning system with a red-team focus of exploitation
  • A case study of a vulnerable private registry

Honeypots


  • Capturing exploit attempts by emulating a Wordpress box
  • Docker container running cowrie with DShield output enabled
  • Fairly old but a great idea for platform to build honeypots

Presentations/Posts


  • An extension of the helpful cattle and pets analogy
  • The author presents the intreaging notion of applying the microservices approach to containers where you divide an application apart by capabilities
  • Awesome Object Capabilities - A language-level implementation of the capability based sandboxing methodology
  • Linux port of Capsicum related to this LWN post
  • Securing the image pipeline from creation to delivery
  • A security model to match the deployment model of many orchestration utilities
  • Container performance analysis at Netflix. This contains similar material as the bSides talk listed above with
  • Evolution of Container Usage at Netflix - Also provides insight into container monitoring, logging, and security at Netflix.
  • Chief Systems Architect Sasi Kannappan describes how Docker is used at Visa
  • Collection of resources on hardening your Docker daemon
  • Balancing moving fast and breaking things with securing against vulnerabilities
  • Great presentation on sandboxing containers

^ back to top ^

License

MIT License & cc license

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.