From eb0ed998ddf4a2aaebce84e5a0e3dd11ceffcbe3 Mon Sep 17 00:00:00 2001 From: Marco Verleun Date: Fri, 21 Apr 2023 16:25:06 +0200 Subject: [PATCH] Add section about security --- slides/index.yaml | 5 +- slides/intro-container-security.yml | 4 +- slides/secure-containers/cve.md | 27 +++-- slides/secure-containers/intro.md | 22 ++-- .../possible-improvements.md | 101 ++++++++++++++++-- slides/secure-containers/sampleapp.md | 47 -------- 6 files changed, 124 insertions(+), 82 deletions(-) diff --git a/slides/index.yaml b/slides/index.yaml index 5a3bd77..ab3fce0 100644 --- a/slides/index.yaml +++ b/slides/index.yaml @@ -17,7 +17,4 @@ title: Improving container security lang: nl #attend: https://enix.io/fr/services/formation/online/ - slides: https://training.verleun.org/intro-container-security.yml.html#1 - - - + slides: ./intro-container-security.yml.html#1 diff --git a/slides/intro-container-security.yml b/slides/intro-container-security.yml index 078041e..91531d3 100644 --- a/slides/intro-container-security.yml +++ b/slides/intro-container-security.yml @@ -1,11 +1,11 @@ title: | - Introduction Container Security + Introduction Container Security and Hardening #chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)" #chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)" #gitrepo: github.com/jpetazzo/container.training -slides: https://training.verleun.org/tdose.zip +slides: https://training.verleun.org/slides.zip #slidenumberprefix: "#SomeHashTag — " slidenumberprefix: "📜 " diff --git a/slides/secure-containers/cve.md b/slides/secure-containers/cve.md index 6d3108b..0e3998d 100644 --- a/slides/secure-containers/cve.md +++ b/slides/secure-containers/cve.md @@ -1,10 +1,10 @@ # Other improvements -What about security of the code / packages? +- What about security of the code / packages? -Choosing the proper build image might make a big difference: +- Choosing the proper build image might make a big difference: -Look at the following two `Dockerfiles`: +- Look at the following two `Dockerfiles`: ```bash FROM python:latest @@ -24,31 +24,35 @@ CMD ["python", "worker.py"] --- -The only difference is the base image. But the end result is quite different: +## The only difference is the base image. -(Scanning is done with `grype`) +- But the end result is quite different: | Base image | Image size | CVE's | |---|---|---| | python:latest | 888 Mb | 1114 | | python:alpine | 73,5 Mb | 3 | --- + (Scanning is done with `grype` and since the writing of this presentation the numbers have increased) -The 'full' python image has even `gcc` included.... +--- + +## The 'full' python image has even `gcc` included.... ```bash docker run --rm --entrypoint gcc -it python-latest:latest gcc: fatal error: no input files compilation terminated. +``` +```bash docker run --rm --entrypoint gcc python-alpine:latest docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "gcc": executable file not found in $PATH: unknown. ``` --- -Consider a `multistage build` +## Consider a `multistage build` ```bash FROM python:latest as builder @@ -69,12 +73,15 @@ USER 1234 CMD ["python", "worker.py"] ``` +- The required code could be build in image 1 and transfered to image 2 leaving the majority of CVE's behind... + --- -Result: +## Result multistage build | Base image | Image size | CVE's | |---|---|---| | python:latest | 888 Mb | 1114 | | python:alpine | 73,5 Mb | 3 | -| python:mulistage | 73,5 Mb | 3 | \ No newline at end of file +| python:multistage | 73,5 Mb | 3 | + diff --git a/slides/secure-containers/intro.md b/slides/secure-containers/intro.md index bf9757d..b94fbba 100644 --- a/slides/secure-containers/intro.md +++ b/slides/secure-containers/intro.md @@ -1,6 +1,6 @@ # Introduction -## Why talk about container security/hardening? +Why talk about container security/hardening? - Good containers improve system security @@ -16,17 +16,21 @@ What about this one? ## Hardening is a must nowadays -CIS Benchmarking is a good thing to do: +- CIS Benchmarking is a good thing to do: -- Checkout: https://github.com/docker/docker-bench-security + - Checkout: https://www.cisecurity.org/benchmark/docker and https://github.com/docker/docker-bench-security + +- Running `docker` in a non-root environment as well. + +- Consider `podman` instead of `docker` --- -## Building images +## Build images as secure as possible -Build them according to the best practices as described here +- Build them according to the best practices as described here -Be careful when building `base images`: +- Be careful when building `base images`: - Due to inherentence labels are transfered from one image to the other @@ -38,12 +42,12 @@ Be careful when building `base images`: ## What about exising container images? -Do we rebuild them? +- Do we rebuild them? -Can we change the behavior of the container without modifying the image? +- Or can we change the behavior of the container without modifying the image? -- ## Yes we can -Let's see how in the next slides where we will secure a nice demo application \ No newline at end of file +- Let's see how in the next slides where we will secure a nice demo application. diff --git a/slides/secure-containers/possible-improvements.md b/slides/secure-containers/possible-improvements.md index 73391b8..f0ebcd9 100644 --- a/slides/secure-containers/possible-improvements.md +++ b/slides/secure-containers/possible-improvements.md @@ -1,20 +1,101 @@ # Possible improvements -The app is running ~~fine~~ (It does what it is supposed to do at least) +- Useful commands when trying to improve images: + + ```bash + docker logs + docker diff + docker exec ... + trivy + grype + ``` + +--- + +## What do we know about the app? + +- The app is running ~~fine~~ + + - It does what it is supposed to do at least -- -Some improvement areas: +- Some improvement areas: -- All containers are running with root privileges + - All containers are running with root privileges -- Too many privileges (`man 7 capabilities`) + - Too many privileges (`man 7 capabilities`) -- Root filesystem is writeable + - Root filesystem is writeable -- -- Quite a few CVE's (As a result of the build) + - Quite a few CVE's (As a result of the build) + +--- + +## How to improve the `docker-compose.yml` file + +- Let's pretend we do not want to modify the original `docker-compose.yml` file + +-- + + - Changes here might cause issues with upstream updates. + + - Hard to keep track of differences with merge conflicts + +-- + +- Let's override values with `docker-compose.override.yml` + +```bash +❯ docker-compose ls +NAME STATUS CONFIG FILES +dockercoins running(5) docker-compose.yml,docker-compose.override.yml +``` + +--- + +## Two files are merged together + +`docker-compose.yml` + +```yaml +version: "2" + +services: + rng: + build: rng + ports: + - "8001:80" +``` + +`docker-compose.override.yml` + +```yaml +version: "2" + +services: + rng: + user: "4242:4242" +``` + +--- + +## Combined result + +- As shown by `docker-compose config` + +```yaml +version: "2" + +services: +rng: + build: rng + ports: + - "8001:80" + user: "4242:4242" +``` --- @@ -32,7 +113,7 @@ Some improvement areas: ## Improvement 1 -Change user id to 4242. Redis can no longer write to `/data` if a volume exists so we mount a writeable directory on top of it (or just remove the existing volume) +- Change user id to 4242. Redis can no longer write to `/data` if a volume exists from a previous run so we mount a writeable directory on top of it (or just remove the existing volume) ```yaml services: @@ -51,7 +132,7 @@ services: ## Improvement 2 -Lets reduce capabilities to make sure no weird things can happen +- Lets reduce capabilities to make sure no weird things can happen ```yaml ... @@ -68,13 +149,13 @@ services: ... ``` -It does not show anything different... +- It does not show anything different... --- ## Improvement 3 -Make the root filesystem read only +- Make the root filesystem read only ```yaml ... diff --git a/slides/secure-containers/sampleapp.md b/slides/secure-containers/sampleapp.md index 354b4f9..d6ae210 100644 --- a/slides/secure-containers/sampleapp.md +++ b/slides/secure-containers/sampleapp.md @@ -66,50 +66,3 @@ class: pic ![Diagram showing the 5 containers of the applications](images/dockercoins-diagram.png) ---- - -## How to improve the `docker-compose.yml` file - -Let's pretend we do not want to modify the original `docker-compose.yml` file - --- - -- Changes here might cause issues with upstream updates. - -- Hard to keep track of differences with merge conflicts - --- - -Let's override values with `docker-compose.override.yml` - -```bash -❯ docker-compose ls -NAME STATUS CONFIG FILES -dockercoins running(5) docker-compose.yml,docker-compose.override.yml -``` - ---- - -## Two files are merged together - -`docker-compose.yml` - -```yaml -version: "2" - -services: - rng: - build: rng - ports: - - "8001:80" -``` - -`docker-compose.override.yml` - -```yaml -version: "2" - -services: - rng: - user: "4242:4242" -``` \ No newline at end of file