Aguascalientes Local Chapter - OWASP
Aguascalientes Local Chapter
2nd Meeting
About – Chapter Leader
• Juan Gama
– Application Security Engineer @ Aspect Security
– 9+ years in AppSec, Testing, Development
– Maintainer of OWASP Benchmark
– I like GIFs!
Docker
What is Docker?
• "Docker is the world's leading software containerization platform"
What is a container?
• Consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and the configuration files needed to run it, bundled into one package.
Docker invented containers?
Docker vs LXC, Jails, Vagrant
• LXC runs in the host but has its own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one process, and needs a volume for persistent data.
• Vagrant is a script for VMs (it provisions virtual machines; it is not a container runtime).
Docker vs Virtualization
• Virtualization includes an entire operating system as well as the application. Docker sits on top of the OS: containers share the host kernel instead of running their own.
Why Docker?
• Solves dependency problems and the problem of ancient times:
• "It works on my machine!"
Docker Components
• Docker Engine
• Docker Hub
Docker Engine
• Docker daemon – runs on the host machine
• Docker client – CLI used to interact with the daemon
• Windows and OS X – docker-machine (a small Linux VM running the Docker daemon); needs VirtualBox
Docker Workflow Components
• Docker image – has the environment, your application, OS, dependencies
• Docker container – created from images; start, stop, move, delete
• Docker registry – public and private repositories to store images
• Dockerfile – automates image construction
Docker
• Docker Container
• Docker Compose
• Docker Swarm
Demo
Docker Security
• Quite secure by default, but remember that containers share the host kernel: the isolation comes from kernel features (namespaces and cgroups), not from a hypervisor.
• Namespaces for isolation: processes running within a container cannot see, and even less affect, processes running in another container, or in the host system.
• Each container also gets its own network stack.
• Control Groups for resource accounting and limiting: they ensure that each container gets its fair share of memory, CPU, disk I/O; and, more importantly, that a single container cannot bring the system down by exhausting one of those resources.
Docker Security
• Only trusted users should be allowed to control your Docker daemon: access to the daemon socket is equivalent to root on the host.
• "root" within a container has far fewer privileges than the real "root", because Docker drops most Linux capabilities. For instance, it is possible to:
– deny all "mount" operations;
– deny access to raw sockets (to prevent packet spoofing);
– deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
– deny module loading;
– and many others.
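The "root is not root" point above is easiest to see by reading the effective capability set from /proc/<pid>/status inside and outside a container. The following decoder is an added example written for this page, not code from the slides or from Docker; the two status excerpts are constructed samples, and the value 00000000a80425fb is the bitmask that Docker's default capability set (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP) decodes to. The capability numbering is taken from <linux/capability.h> and is stable across kernel versions.

```python
"""Decode a Linux CapEff bitmask (from /proc/<pid>/status) into capability names
and report which of the operations listed on the slide are actually denied."""
import re

# Capability bit numbers from <linux/capability.h> (stable numbering, up to Linux 5.9's CAP_CHECKPOINT_RESTORE).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK",
    15: "CAP_IPC_OWNER", 16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT",
    23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG",
    27: "CAP_MKNOD", 28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG",
    35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON",
    39: "CAP_BPF", 40: "CAP_CHECKPOINT_RESTORE",
}

# The operations the slide says can be denied to container root, and the capability that gates each.
OPERATION_TO_CAP = {
    "mount filesystems": "CAP_SYS_ADMIN",
    "open raw sockets (packet spoofing)": "CAP_NET_RAW",
    "create device nodes (mknod)": "CAP_MKNOD",
    "change file ownership (chown)": "CAP_CHOWN",
    "set the immutable attribute": "CAP_LINUX_IMMUTABLE",
    "load kernel modules": "CAP_SYS_MODULE",
}

# Constructed /proc/<pid>/status excerpts (sample input, not captured from a real host).
HOST_ROOT_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
CONTAINER_ROOT_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"


def capeff_from_status(status_text: str) -> str:
    """Pull the hex CapEff value out of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)


def decode_capeff(hexmask: str) -> set:
    """Return the set of capability names whose bit is set in the mask."""
    mask = int(hexmask, 16)
    return {name for bit, name in CAP_NAMES.items() if (mask >> bit) & 1}


def denied_operations(caps: set) -> dict:
    """Map each slide operation to True if the process lacks the gating capability."""
    return {op: cap not in caps for op, cap in OPERATION_TO_CAP.items()}


def missing_vs_full_root(caps: set) -> list:
    """Capabilities a fully privileged host root would have but this process does not."""
    return sorted(set(CAP_NAMES.values()) - caps)


def report(status_text: str) -> str:
    caps = decode_capeff(capeff_from_status(status_text))
    lines = [f"effective capabilities: {len(caps)} of {len(CAP_NAMES)}"]
    for op, denied in denied_operations(caps).items():
        lines.append(f"  {'DENIED ' if denied else 'allowed'}: {op}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("host root:\n" + report(HOST_ROOT_STATUS))
    print("container root:\n" + report(CONTAINER_ROOT_STATUS))
```

Running it against the constructed container sample shows mount and module loading denied (no CAP_SYS_ADMIN, no CAP_SYS_MODULE) but raw sockets, mknod and chown still allowed, because CAP_NET_RAW, CAP_MKNOD and CAP_CHOWN are part of Docker's default set; the slide's "it is possible to deny" for those means an explicit --cap-drop (or --cap-drop=ALL with a --cap-add allow-list) on docker run. On a real host, feed the script the contents of /proc/self/status from inside and outside the container instead of the samples.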
Docker Security
• Additional: AppArmor, SELinux, GRSEC
• Run inside a VM
• Compromised images
• DoS
• https://www.docker.com/docker-security