SECURITY ISSUE IN OPENSTACK CONTAINER
Transcript of slides. Source: dpnm.postech.ac.kr/netsoft2016/workshops/workshop4/Net...
Souhwan Jung, Soongsil University, [email protected]
AGENDA
➤ What is OpenStack?
➤ OpenStack Container
➤ Harden Container Security
➤ Summary
WHAT IS OPENSTACK
WHAT IS OPENSTACK?
➤ At first, experimental technology for engineers
➤ Platform for rapid development, testing and deployment of mission-critical and massively scalable applications
WHY OPENSTACK?
➤ Grows Dramatically
➤ Many larger enterprises are now using OpenStack
➤ A huge number of technology and cloud vendors now offer OpenStack solutions and tools
➤ Flexibility and agility for business needs
➤ Vendor-neutral cloud environment to avoid vendor lock-in
➤ Low deployment cost, rapidly evolving marketplace
➤ New features are introduced periodically
WHY OPENSTACK?
Source: Five Reasons You Can’t Ignore OpenStack (Cisco)
➤ A complete, preintegrated cloud operations and management platform
➤ Already includes computing, networking, storage, and other essential cloud elements, already integrated and interoperable
➤ No longer a complex, long, do-it-yourself project
➤ Tools to take full advantage of OpenStack are growing
➤ Easy to move workloads back and forth between private and public clouds
OPENSTACK COMMON SERVICES
OPENSTACK CONTAINER
OPENSTACK TREND
➤ OpenStack was already coupled with widely available hypervisor technologies (Xen, KVM, vSphere)
➤ Recently, Linux container technology has emerged as a cloud technology and gained attention from the OpenStack community
➤ Container technologies are well known for their fast and lightweight process virtualization
HARDWARE VIRTUALIZATION
➤ Can create virtual machines (VM) for supporting multiple tenants
➤ Use hypervisors to emulate the hardware
➤ Support multiple kernels in a single server
CONTAINER TECHNOLOGY
➤ Container technology sets up an entire system (operating system, applications, services, etc.) inside a process
➤ Execute application or service without including a full operating system
➤ Known as Operating-system-level virtualization
HYPERVISOR VS CONTAINER
| Virtual Machines | Containers |
| --- | --- |
| Hardware-level virtualization | Operating-system-level virtualization |
| Heavyweight | Lightweight |
| Slow provisioning | Real-time provisioning |
| Limited performance | High performance |
| Fully isolated | Process-level isolation |
| More secure | Less secure |
PERFORMANCE COMPARISON
[Figure: performance comparison chart (Container)]
Source: Lightweight Virtualization: LXC containers & AUFS, SCALE11x – Feb 2013, Los Angeles
OPENSTACK PROJECTS WITH CONTAINER (1)
➤ Docker was introduced as a hypervisor driver for OpenStack Nova Compute in the Havana release
➤ Docker is an open-source engine which automates the deployment of applications
➤ Provide highly portable, self-sufficient containers
OPENSTACK PROJECTS WITH CONTAINER (2)
➤ Until now, the container driver has not provided enough features compared with other Nova drivers (KVM, Xen)
➤ To bridge the gap, OpenStack introduced three main projects for containers: Docker Swarm, Kubernetes, and Mesos
➤ OpenStack refers to these three options as Container Orchestration Engines (COE)
CONTAINER TECHNOLOGY: DOCKER SWARM
CONTAINER TECHNOLOGY: KUBERNETES
CONTAINER TECHNOLOGY: APACHE MESOS
➤ Make sure long-running applications never stop
➤ Abstract resources from machines
CONTAINER TECHNOLOGY
➤ Docker Swarm
➤ Using the standard Docker interface
➤ Difficult to support more complex scheduling
➤ Kubernetes is an orchestration tool that comes with service discovery and replication baked-in
➤ Mesos is a low-level scheduler that supports several frameworks for container orchestration including Marathon, Kubernetes, and Swarm
CONTAINER-AS-A-SERVICE
➤ Multi-tenant integration of containers
➤ Template-based orchestration
➤ Bare metal provisioning
CONTAINER TECHNOLOGY AND SECURITY
➤ Linux containers are not as secure as hardware-level virtualization
➤ A misconfiguration could leave a security hole that lets the guest system perform an escalation attack
➤ In order to provide adequate isolation, security models should be properly applied
HARDEN CONTAINER SECURITY
OPENSTACK CONTAINER SECURITY
➤ Containers use several mechanisms for security
➤ Linux Kernel Namespaces
➤ Linux Control Groups
➤ The Docker daemon
➤ Linux Capabilities
➤ Linux Security Mechanism like AppArmor (MAC) or SELinux (MAC, RBAC)
MAC: Mandatory Access Control
RBAC: Role-based Access Control
NAMESPACES
➤ A namespace in a container is a way to make a global resource appear to be unique and isolated
➤ In other words, namespaces are a kernel mechanism for limiting what a certain group of processes can see of the rest of the system
➤ For example, you can limit visibility to certain process trees, network interfaces, user IDs or filesystem mounts
TYPES OF NAMESPACES
➤ Currently, Linux implements six different types of namespaces
➤ Mount namespaces
➤ UTS (UNIX Time-sharing System) namespaces
➤ IPC namespaces
➤ PID namespaces
➤ Network namespaces
➤ User namespaces
NAMESPACE EXAMPLE
➤ Example: a process can “see” only those processes contained in its own PID namespace or in its child namespaces
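The namespace identity described above can be observed from /proc/<pid>/ns/*, where two processes share a namespace exactly when their links point at the same inode. The following added example (not from the slides) groups processes by namespace and flags a container process that still shares one of the six namespace types with the host; the pid-to-link map is a constructed sample in the format `readlink` returns.

```python
"""Detect which processes share Linux namespaces, using /proc/<pid>/ns links.

Added example, not from the slides.  On a live host the input would come from
readlink('/proc/<pid>/ns/<type>'); below it is a constructed sample."""
import os
from collections import defaultdict

NS_TYPES = ("mnt", "uts", "ipc", "pid", "net", "user")  # the six types on the slide


def read_ns_links(pid):
    """Read the real namespace links of one process (Linux only, needs ptrace access)."""
    links = {}
    for ns in NS_TYPES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")   # e.g. 'pid:[4026531836]'
        except OSError:
            pass
    return links


def group_by_namespace(ns_links):
    """{pid: {type: 'type:[inode]'}} -> {type: {inode: [pids sharing it]}}."""
    groups = defaultdict(lambda: defaultdict(list))
    for pid, links in ns_links.items():
        for ns, link in links.items():
            inode = link[link.index("[") + 1:link.index("]")]
            groups[ns][inode].append(pid)
    return {ns: dict(inodes) for ns, inodes in groups.items()}


def shares_host_namespace(ns_links, host_pid, container_pid):
    """Namespace types in which the container process is NOT isolated from the
    host, i.e. where it sees the host's processes, interfaces or mounts."""
    host, cont = ns_links[host_pid], ns_links[container_pid]
    return sorted(ns for ns in NS_TYPES if host.get(ns) == cont.get(ns))


# Constructed sample: pid 1 is host init; 4321 is a container with its own
# mnt/uts/ipc/pid/net namespaces but the host user namespace (the Docker
# default); 5555 is a container started with host PID and network namespaces.
SAMPLE = {
    1:    {"mnt": "mnt:[4026531840]", "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]",
           "pid": "pid:[4026531836]", "net": "net:[4026531993]", "user": "user:[4026531837]"},
    4321: {"mnt": "mnt:[4026532200]", "uts": "uts:[4026532201]", "ipc": "ipc:[4026532202]",
           "pid": "pid:[4026532203]", "net": "net:[4026532205]", "user": "user:[4026531837]"},
    5555: {"mnt": "mnt:[4026532300]", "uts": "uts:[4026532301]", "ipc": "ipc:[4026532302]",
           "pid": "pid:[4026531836]", "net": "net:[4026531993]", "user": "user:[4026531837]"},
}

if __name__ == "__main__":
    for pid in (4321, 5555):
        print(pid, "shares with host:", shares_host_namespace(SAMPLE, 1, pid))
```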
CONTROL GROUP
➤ Resource limitation for each container is managed by cgroups (control groups)
➤ Cgroups are organized in a tree-structured hierarchy
➤ Each task running in the system is in exactly one of the cgroups in the hierarchy
➤ In a cgroup, there is a set of tasks associated with a set of subsystems that act as parameters constituting an environment for the tasks
CONTROL GROUP EXAMPLE
➤ Subsystems provide the parameters that can be assigned and define CPU sets, the freezer, or, more generally, “resource controllers” for memory, disk I/O, etc.
HARDEN YOUR CONTAINERS TIPS (1)
➤ Know the namespace and cgroup basics to be fully aware of the differences between a container and a traditional virtual machine
➤ Make sure you are running on kernel with full container support
➤ A 3.10 Linux kernel is the minimum requirement for Docker
HARDEN YOUR CONTAINERS TIPS (2)
➤ Enable AppArmor and SELinux when possible
➤ Some Linux distributions enable AppArmor or SELinux by default but run a kernel which doesn’t meet the minimum requirements
➤ Many vendors are still using old versions of the Linux kernel without security hardening
➤ Keep patches up to date
➤ Update the kernel to obtain enhanced isolation capabilities
HARDEN YOUR CONTAINERS TIPS (3)
➤ Use limited-privilege containers if possible
➤ A limited-privilege container is created by a non-root user on the host system
➤ When a limited-privilege container is compromised, the attacker is still one step away from controlling the host system
➤ Drop capabilities
➤ Assign the least capabilities required by the service
SECURITY HARDENING FOR CONTAINER
➤ You can harden your own containers by:
➤ Using AppArmor/SELinux
➤ Dropping capabilities (POSIX)
➤ Filtering syscalls (seccomp)
➤ Network filtering (iptables)
➤ Identify the type of container services that will be deployed on your host and decide the appropriate configuration for each container
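The hardening tips on the last three slides (minimum 3.10 kernel, AppArmor/SELinux on, non-root user, dropped capabilities, seccomp, no host namespaces) can be checked mechanically. The following added example (not from the slides or from Docker's tooling) audits the JSON that `docker inspect <container>` prints against that checklist; the two container records are constructed samples, and `kernel_ok` takes the string `uname -r` prints.

```python
"""Audit a container's settings against the slides' hardening checklist.
Added example, not from the slides or from Docker's own tooling.  Input is
the JSON from `docker inspect <container>` (constructed samples below);
kernel_ok() takes the output of `uname -r`."""
import json
import re

MIN_KERNEL = (3, 10)   # slide 29: minimum kernel version for Docker


def kernel_ok(release):
    """'4.4.0-87-generic' -> True; compares major.minor with MIN_KERNEL."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= MIN_KERNEL


def audit_container(inspect_json):
    """Return the list of findings for one container; [] means every check passed."""
    info = json.loads(inspect_json)[0]
    host, cfg = info["HostConfig"], info["Config"]
    opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    if not cfg.get("User"):
        findings.append("runs as root inside the container; set a non-root User")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("default capability set kept; drop ALL and add back only what the service needs")
    if "SYS_ADMIN" in (host.get("CapAdd") or []):
        findings.append("CAP_SYS_ADMIN added; it is close to full root on the host")
    if any(o in ("apparmor=unconfined", "label=disable") for o in opts):
        findings.append("AppArmor/SELinux confinement disabled")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp syscall filter disabled")
    if host.get("NetworkMode") == "host" or host.get("PidMode") == "host":
        findings.append("shares the host network or PID namespace")
    return findings


# Constructed samples: the same web service before and after hardening.
WEAK = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                   "SecurityOpt": ["seccomp=unconfined"],
                   "NetworkMode": "host", "PidMode": ""},
}])
HARDENED = json.dumps([{
    "Config": {"User": "www-data"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                   "SecurityOpt": ["apparmor=docker-default"],
                   "NetworkMode": "bridge", "PidMode": ""},
}])

if __name__ == "__main__":
    print("weak:", audit_container(WEAK), "\nhardened:", audit_container(HARDENED))
```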
SUMMARY
➤ Virtual machines are too heavy, which is why we need a more lightweight solution
➤ We could treat a container like a lightweight virtual machine
➤ Since containers are fast and virtual machines are secure, more work needs to be done to provide either a more secure container or a faster virtual machine, or both
THANK YOU