Three Containers Walk Into a Pub

Three Containers Walk Into a Pub

Three containers walk into a pub... Anthony Kesterton Senior Solution Architect [email protected] May 2019 TOPICS ● Containers are Linux ● User ID and usernames ● Trusted sources and registries ● Secure host ● #nodaemon tools ● OpenShift WHAT DOES THIS MEAN? ● A container is a Linux process ● Lots of containers, lots of processes on your machine ● The user id and group id’s inside a container are the same as the host machine BUILD AND RUN A CONTAINER [akesterton@rhel74 ~]$ whoami akesterton [akesterton@rhel74 ~]$ echo $UID 1000 [akesterton@rhel74 ~]$ docker run -d registry.redhat.io/rhel:latest sleep infinity <snip> [akesterton@rhel74 ~]$ ps aux | grep sleep root 5951 0.1 0.0 4360 356 ? Ss 20:55 0:00 sleep infinity akester+ 5981 0.0 0.0 112708 984 pts/0 S+ 20:55 0:00 grep --color=auto sleep CONTAINERS DON’T CONTAIN (by default) Photo by Marc Szeglat on Unsplash USERS AND UID’S ● User id and group id’s are part of the kernel ● User names and group names are from userspace places like ○ /etc/passwd ○ LDAP ● Names are mapped to user id and group ids USER STATEMENT USER as part of the dockerfile FROM registry.redhat.io/rhel7:latest USER myuser ENTRYPOINT ["sleep","infinity"] Now commands after the USER statement as run as myuser Still mapped to corresponding user id on the host! DON’T PANIC! START WITH A TRUSTED SOURCE PRIVATE REGISTRY Use your own private container image registry as your source Scanning tools Photo by Guillaume Bolduc on Unsplash SECURE YOUR HOST ● Security-Enhanced Linux ● Daemon-less runtime engine and other tools ○ Podman ○ Buildah ○ Skopeo SELINUX IN PICTURES SELinux rules: Allow cat cat_chow:food eat Allow dog dog_chow:food eat SELINUX IN PICTURES The rules would allow the ‘cat’ process to eat ‘food’ labelled with ‘cat_chow’ and the ‘dog’ process to eat ‘food’ labelled with ‘dog_chow’ In an SELinux system *everything* is denied by default, so the Kernel will prevent the ‘dog’ process eating the ‘cat_chow’ ‘food’ This is called ‘Type Enforcement’ and protects the host system from Containers. SELINUX IN PICTURES To protect Containers from each other we use MCS, Multi-Category Security This allows ‘sub-labelling’ of an object type, in this case ‘dog’. For example we could label ‘Fido’ as ‘dog:random1’ and ‘Spot’ as ‘dog:random2’ MCS rules say that *if* the Type Enforcement rules are OK *and* the random MCS labels match, access is allowed. Otherwise *denied* by default. DAEMON-LESS TOOLS Commandline tool for containers Container copy/inspection using skopeo Container build tool BUILD AND RUN A CONTAINER Podman login (to use the Red Hat registry to grab images) [akesterton@monster summit19]$ podman login https://registry.redhat.io Create an Initial Dockerfile FROM registry.redhat.io/rhel7:latest ENTRYPOINT ["sleep","infinity"] Build the image [akesterton@monster summit19]$ podman build -t test . Or use buildah [akesterton@monster summit19]$ buildah build-using-dockerfile . [akesterton@monster summit19]$ buildah tag 021a0cdad72b test Run it [akesterton@monster summit19]$ podman run -d test Check the process is running [akesterton@monster summit19]$ ps aux | grep sleep akester+ 3289 0.0 0.0 4368 696 ? Ss 13:47 0:00 sleep infinity akester+ 3657 0.0 0.0 215740 896 pts/0 S+ 13:55 0:00 grep --color=auto sleep This gives me a container that runs as my user id CONTAINERS IN OPENSHIFT Some of the security features of OpenShift ● Minimal OS such as RHEL CoreOS ● User id’s set by OpenShift, not the Dockerfile ● ImageStreams used to update all deployed images ● Only permitted to use specific container registries ● Controlled containers using Security Context Constraints REFERENCES https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf hhttps://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/container_security_guide/index https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper A practical introduction to container security using CRI-O [Lab] - Thursday 2:00-4:00pm Security-Enhanced Linux for mere mortals [Talk] -Thursday, May 9, 2:00 p.m.-2:45 p.m. Defend yourself using built-in Red Hat Enterprise Linux security technologies [Lab] Tuesday, May 7, 3:30 p.m.-5:30 p.m SUMMARY Containers are Linux Trusted source of container images Private registries Secure host #Nodaemon tools OpenShift adds controls Containers can be secured Three containers walk into a pub, and after a few drinks, one container turns to another and calls them a "git" . “At least I’m committed” they reply. [Translation: “Git is a term of insult with origins in English denoting an unpleasant, silly, incompetent, annoying, senile, elderly or childish person. As a mild oath it is roughly on a par with prat and marginally less pejorative than berk” - Wikipedia] Anthony Kesterton Senior Solution Architect [email protected] Twitter: @akesterton Please rate our session in the Red Hat Events App!.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    23 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us