popularized the technology. It's actually been around for 7 years.

• Automates the deployment of Linux-based containers
• Provides layers of abstraction
• Various methods of container creation
• Docker Hub and registries for sharing and deployment

The use of containers is becoming more and more popular because there are better ways to create them, and there are tools that make it a lot easier to create, manage, and deploy them. It's not unreasonable to say that Docker Inc., formerly dotCloud, has generated a large amount of interest; their implementation, called Docker Engine, has done a great deal to get people to contribute to, take notice of, and use container technology. Docker, later renamed Docker Engine, automates the deployment of Linux containers and provides the ability to use copy-on-write filesystems as well as ways to store and deploy containers. The provided chart shows the search terms using Google Trends, which is a good indicator of popularity and interest. You can see that from around 2013 we have almost linear growth, as Docker was released as an open source project in March 2013. I expect adoption and growth to continue as others improve their systems and find new use cases for containers.

Deploying Secure Containers for Training and Development
Research Moment

– IBM Research Report: An Updated Performance Comparison of Virtual Machines and Linux Containers 19C85257D2300681E7B/$File/rc25482.pdf>
“In general, Docker equals or exceeds KVM performance in every case we tested.”

To substantiate some of the performance claims made earlier, there have been a few studies, including a notable one released by IBM titled “An Updated Performance Comparison of Virtual Machines and Linux Containers.” In that report you will find the concluding statement, “In general, Docker equals or exceeds KVM performance in every case we tested.” KVM was the hypervisor chosen to represent virtual machines and Docker was the runtime chosen to implement containers. Disk, memory, CPU, and network experiments were conducted using applications such as Redis, MySQL, netperf, and LZMA. I highly recommend reading the report, freely available online, for more information.

Container Security

• Networking can be disabled
• Don't run processes as root
• Follow standard filesystem permission rules for securing data
• Control CPU and RAM allocation
• Devicemapper backend can limit disk space
• Finer environment controls via ulimit for Docker processes: fsize, nproc, etc.
• Keep container packages up to date

When it comes to running important services in containers, a defense-in-depth approach is best. By this I mean tighten security across the environment, from the perimeter to the core of the software you're trying to protect. The perimeter may be the network or operating system, and the core may be the application itself. In general you apply the same security principles, such as the principle of least privilege, to containers as you do to any system you run. With containers, though, there are a few other things to be aware of.

A few guidelines to follow. Disable networking if it's not needed: if no one from outside connects to the service, don't run the networking services. Don't add interfaces to the container; this is common in training and in development, where you might not be developing a network application and so don't need networking enabled. Good security practice is to not run processes as root on a system unless required; the same rule applies to running processes as root inside a container. Apache, for example, should run as an unprivileged user. Follow standard filesystem access controls for securing your data. Applying permissions, mount options, and ACLs (Access Control Lists) to files can go a long way toward reducing the attack surface. The use of control groups to prevent DoS (Denial of Service) of system resources is critical. Controls should be in place so that an out-of-control process in a container cannot bring down the entire system. Docker Engine supports various storage backends, such as devicemapper, which can be used to limit the filesystem size in a container. In addition, there is fine-grained user and process environment control via ulimit and pam_limits, which can be applied to processes to do things like limit the number of running processes and cap file size. It's very important to keep your container packages up to date. If you're going to deploy a new service, you should log into the container and upgrade all the packages, because base images don't keep current with the latest patches. You should also keep your container runtime program up to date, as well as the host operating system. A kernel or Docker Engine vulnerability could make it possible to break out of a container should it become compromised. Note that there have been Docker Engine vulnerabilities in the past.
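The guidelines above map onto concrete flags of a single `docker run` invocation. The following shell script is an added example, not code from the book, that applies them together: no network interface, an unprivileged uid/gid, a read-only root filesystem, CPU and RAM caps from control groups, a process-count cap, and per-process `nproc` and `fsize` limits set via `--ulimit`. It assumes a Docker CLI that understands these flags (Docker 1.13 or newer; `--cpus` and `--pids-limit` did not exist in the releases the book was written against). The `DOCKER` variable is a convenience of this example so the command can be dry-run with `DOCKER=echo`; the second function uses the host shell's own `ulimit -f` to show what the `fsize` limit does to a process that tries to exceed it.

```shell
#!/bin/sh
# Added example (not from the book): one hardened `docker run` that applies the
# container-security guidelines, plus a local demonstration of the fsize cap.
# Assumption: Docker CLI >= 1.13 (for --cpus and --pids-limit). Set DOCKER=echo
# to dry-run and print the assembled command instead of starting a container.

DOCKER="${DOCKER:-docker}"

# hardened_run IMAGE [CMD...]
# Starts IMAGE with: no network, an unprivileged uid/gid, a read-only root
# filesystem plus a small noexec tmpfs for scratch space, memory and CPU caps
# (cgroups), a cap on the number of processes, per-process nproc and file-size
# limits, all capabilities dropped, and no privilege escalation via setuid.
hardened_run() {
    image="$1"; shift
    "$DOCKER" run --rm \
        --network none \
        --user 1000:1000 \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=16m \
        --memory 256m --memory-swap 256m \
        --cpus 0.5 \
        --pids-limit 64 \
        --ulimit nproc=64:64 \
        --ulimit fsize=10485760:10485760 \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        "$image" "$@"
}

# fsize_demo
# Shows what RLIMIT_FSIZE (the limit behind `--ulimit fsize=`) does. In a
# subshell, lower the file-size limit to 8 blocks and try to write 64 KiB.
# The kernel cuts the write off at the limit and sends SIGXFSZ, so the file
# ends up far smaller than requested. Prints the resulting size in bytes.
fsize_demo() {
    f=$(mktemp) || return 1
    ( ulimit -f 8 && head -c 65536 /dev/zero > "$f" ) 2>/dev/null || true
    wc -c < "$f" | tr -d ' '
    rm -f "$f"
}
```

Run `DOCKER=echo hardened_run debian:stable id` to inspect the flags before using them for real; with a real daemon, `hardened_run debian:stable id` prints `uid=1000 gid=1000` and `hardened_run debian:stable apt-get update` fails, which is the intended effect of `--network none` and the reason package upgrades belong in the image build rather than in a locked-down running container.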
Host Security

• grsecurity patches
• Detailed access control with SELinux and AppArmor
• iptables rate limiting to prevent excessive connections
• Least privileged user, take advantage of user namespaces (soon!)
• Run a HIDS like OSSEC
• Keep host up to date

One can go a step further in securing the operating system by applying the grsecurity and PaX patches to harden the kernel with improved ASLR (Address Space Layout Randomization) coverage as well as mandatory access control. One should also take advantage of the access control provided via SELinux and AppArmor policies. If you have the packaged version of Docker Engine, for example, you already have access control policies enabled on your system, but you can go a step further and create per-container rules. The use of iptables on the host for networked applications is paramount. Rules ranging from limiting access to a service to rate-limiting a DoS attack should be enabled. Take advantage of the user namespace, where supported, to further reduce the attack surface: a least privileged user can run the container so that root inside the container is not equivalent to root outside of it. Finally, one cannot depend solely on prevention, because one cannot foresee all future attacks. Given this truth, it's equally important to have the ability to detect and contain breaches. A powerful network security monitoring system such as Bro can keep records of all network activity and react to them if configured to do so. More importantly, a host intrusion detection system such as OSSEC on the host should perform log analysis and monitor the filesystem for changes and rootkits. All or most of these things, when implemented together, provide a powerful defense against attack.
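Two of the host-side items above, user-namespace remapping and iptables rate limiting, can be expressed as small pieces of configuration. The script below is an added example, not the book's own material. It assumes Docker Engine 1.10 or newer, where the "soon!" user-namespace support the list refers to shipped as the `userns-remap` daemon option (with the remapped root drawn from `dockremap` ranges in `/etc/subuid` and `/etc/subgid`), and an iptables with the `connlimit`, `hashlimit` and `conntrack` match extensions. Ports published by Docker are DNAT'd and traverse the FORWARD path rather than INPUT, so the rules target the `DOCKER-USER` chain (present since Docker 17.06) and match on the original destination port; the `IPTABLES` variable is a convenience of this example so the rules can be printed with `IPTABLES=echo` instead of loaded.

```shell
#!/bin/sh
# Added example (not from the book): host-side controls for a Docker host.
# Assumptions: Docker Engine >= 1.10 for "userns-remap"; Docker >= 17.06 for
# the DOCKER-USER chain; iptables with connlimit/hashlimit/conntrack matches.
# Set IPTABLES=echo to print the rules instead of loading them.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-DOCKER-USER}"

# userns_daemon_json
# Prints a /etc/docker/daemon.json that remaps uid 0 in every container to an
# unprivileged host uid ("default" creates the dockremap user) and disables
# inter-container traffic on the default bridge.
userns_daemon_json() {
    printf '{\n  "userns-remap": "default",\n  "icc": false\n}\n'
}

# subuid_has_range FILE USER
# Checks that FILE (format of /etc/subuid and /etc/subgid: user:start:count)
# grants USER at least 65536 subordinate ids, which is what a remapped
# container root needs to cover the full uid range inside the container.
# Returns 0 if such a line exists, 1 otherwise.
subuid_has_range() {
    awk -F: -v u="$2" '$1 == u && $3 >= 65536 { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# rate_limit_rules PORT PER_IP_MAX NEW_PER_MIN
# Loads (or prints) rules for a port published by Docker:
#   1. drop when one source address holds more than PER_IP_MAX connections
#   2. drop new connections from one source address above NEW_PER_MIN per
#      minute, allowing a burst of 20
# Traffic that passes both RETURNs to Docker's own forwarding rules. The port
# is matched with conntrack's original destination port because the packet has
# already been DNAT'd to the container's port by the time it reaches FORWARD.
rate_limit_rules() {
    port="$1"; per_ip="$2"; per_min="$3"
    "$IPTABLES" -I "$CHAIN" -p tcp -m conntrack --ctorigdstport "$port" \
        -m connlimit --connlimit-above "$per_ip" --connlimit-mask 32 -j DROP
    "$IPTABLES" -I "$CHAIN" -p tcp --syn -m conntrack --ctorigdstport "$port" \
        -m hashlimit --hashlimit-name "port$port" --hashlimit-mode srcip \
        --hashlimit-above "${per_min}/min" --hashlimit-burst 20 -j DROP
}
```

`userns_daemon_json > /etc/docker/daemon.json` followed by a daemon restart is enough on a packaged Docker Engine, after which `subuid_has_range /etc/subuid dockremap` confirms the range the daemon created; `IPTABLES=echo rate_limit_rules 8080 20 60` shows the two rules before they are loaded for a service published on port 8080.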
CHAPTER 2
Using Containers in Training

Problem 1. Training
IT training isn't easy

Now that we have covered the main concepts, implementations, and security practices, we are going to cover two use cases for training and development. We begin by tackling the IT training problem with containers. The IT training problem, in sum, is that it's rather difficult and time consuming to create and deploy training environments for software-based training. I've been to a number of training events covering subjects such as parallel programming, network security monitoring, malware analysis, and programming in various languages, among others, and I found that a common approach for training is to pass out virtual machines. This is often done prior to the event via a link for download, or during an event by distributing them on a medium such as a USB stick. Both methods are a hassle for the users and for the people providing the training. The users have to spend their valuable time downloading a disk image file that can be gigabytes in size, and they must have the software available to run it; this software is usually a hypervisor. This large piece of software is required to run the virtual machine, and thus concerns arise about hypervisor compatibility, such as whether the image is capable of running on Oracle's VirtualBox or VMware's Workstation/Fusion, etc. I've witnessed the passing of a disk image take more than an hour to distribute to the conference attendees; this amounts to a loss in training time for the users. Once the disk images are on everybody's workstations there are often a few users who have an issue running the images. I've witnessed misconfigurations in network and bus configurations. These problems tend to put some students behind others in the group, especially if staff are not available to assist. The networking infrastructure at the event is often slow or saturated, and this occurs more often than you would think.
Deploying Secure Containers for Training and Development. DOI: http://dx.doi.org/10.1016/B978-0-12-804717-0.00002-8 © 2016 Elsevier Inc. All rights reserved.

It prevents or prolongs the transfer of files such as a disk image, training materials, or online resources. The venue is often not equipped to accommodate the number of students or their traffic habits on the wireless network. Distribution problems can also occur with training materials. Mistakes happen in training material, leaving it incomplete, and this can go unnoticed until it's called upon while training. If there is a mistake, the best scenario in my mind is one where the students can obtain the newly updated material quickly. Packaging the materials in a virtual machine doesn't work well. Having them in a network-accessible repository or website works if the network is reliable. Account management is the final concern I want to present. It's a concern when accessing resources that require account credentials to authenticate users. Administrators must create and distribute these credentials to the students, ideally in an automated fashion, as it's otherwise time-consuming and tedious work. This is less of an issue in virtual machine training but arises in environments that provide what I call shared hosting training. A shared host is a system that a user interacts with remotely, using their own provided account, for training. The most common example is accessing a Unix-like system using SSH. The account usernames and passwords must be distributed to each user. I've seen this done in the wild by passing pieces of paper around the room with each student's credentials.

Common Types of IT Training
1. Shared system training (multiple accounts)
2. Virtual Machine training (VM per student)
3. Container training (container per student)
4. Web based training

Before we discuss solutions I want to bring up the different types of training environments I've seen. Number one is the aforementioned shared system training, where a single server is used to provide access to multiple users. If you were to train 100 users there would be an equivalent number of user accounts on the system. A remote access tool such as SSH would connect the user to the system and give access to the training environment. An inconvenience with this type of training is the creation and distribution of the accounts to the users, as well as the often insufficient isolation of each user's environment. The second type of training is virtual machine training. This is the most prevalent that I have seen. I have been to a number of conferences where they rely on giving a virtual machine disk image to all the participants. The main problems with this type are distribution, software dependencies, software compatibility, and hardware resources. Because hypervisors are demanding pieces of software, the use of mobile devices such as tablets and phones is effectively prohibited. One benefit is that the user is often permitted to keep the virtual machine. This allows them to work in the environment at any time in the future. In some cases, such as doing kernel work, managing network configuration, and implementing network services, virtual machines are the best solution. There is also the case of training using operating-system virtualization technology such as the Linux-based containers we've discussed. This is the medium for training that I've explored and found to be very useful. For this type we assign one container per student on a single host. The user logs into the host and is placed in their very own container, from which they can interact with an isolated but full command-line environment. Finally we have web-based training. Web-based training is a way of providing some sort of interactive software, such as a shell or interpreter, embedded in a web page. The Go programming language has an online tutorial on its website that allows you to try out the language.
Similarly, the Bro project has try.bro.org, where one can write and submit Bro code for execution and have the result returned directly in the web browser. While convenient, the web-based training method is often limited to completing short ad-hoc tasks and provides only a subset of the features of the software to be learned. Trainers who need students immersed in an environment where various pieces of software are intended to be used and made to work together should look at one of the other training types.
Goals