« Previous 1 2
Minifying container images with DockerSlim
Dieting
Security!
Earlier I promised that DockerSlim can also help your Docker container security posture. If you want, you can go a step further and add a security profile to your build. With this in mind, I'll take a brief look at seccomp
(secure computing) profiles [6].
seccomp
provides clever functionality from within the Linux kernel and allows a number of settings to be passed into your container to restrict its access to the host machine on which it's running. As stated on the Linux man page [7], seccomp
rules are enforced in a way that limits a process from performing a very small number of operations (e.g., read
, write
, sigreturn
, and exit
). The use of fine-grained rules, then, make it impossible for a rogue process to get access into a host machine's innards in a way other than those explicitly permitted.
Knowing the power of Linux, you probably won't be surprised to learn that the Android operating system, Google Chrome, Firefox, and even OpenSSH all use seccomp
to enforce important security rules. More accurately, some of the seccomp
adopters mentioned use seccomp-bpf
, which is a clever way of extending seccomp
with the popular Berkeley Packet Filter rules to offer more flexibility and help mitigate any performance concerns. Table 1 lists examples of what seccomp
limits and, conversely, permits.
Table 1
Some Kernel Syscalls for seccomp
Syscall | Function |
---|---|
mount
|
Mounts disk volumes |
clock_adjtime
|
Gives permission to change the host machine's time and date |
init_module
|
Affects importable kernel modules |
keyctl
|
Controls access to the kernel keyring, which contains encryption keys and other sensitive items, such as security tokens |
kexec_load
|
Readies a new kernel to be run at a later time (potentially with malicious code) |
quotactl
|
Prevents containers from altering their own resource quotas (disk space limits, in this case) |
reboot
|
Allows containers to reboot the host machine (usually not a very clever thing to allow) |
For a full list of the more than 300 seccomp
profiles enabled by default in Docker, check out the Moby project's GitHub repository [8]. The default Docker seccomp
profile then denies access to around 44 of the system calls [9], which are "effectively blocked because they are not on the whitelist."
Now it's time to see how DockerSlim can help make use of seccomp
effectively. The docs offer this syntax to follow as a simple example:
$ docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/<your-name-your-app>-seccomp.json <your other run params> <your-name>/<your-app>
To translate that to the Nginx example from earlier, first make sure that you have seccomp
set up for Docker when you installed it initially and run:
$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)
If you see CONFIG_SECCOMP=y
, then all is well; otherwise, some searching online might be needed relative to your software version or system.
After you've run the build
command shown earlier to minify the nginx
image, you should be able to find your auto-generated seccomp
profile with:
$ find /var/lib/docker -name *.json
If your system uses strange filesystem paths, you should change the path shown. The two results that I'm interested in are:
/var/lib/docker/volumes/docker-slim-state/_data/images/23
…43aa145/nginx-seccomp.json
/var/lib/docker/volumes/docker-slim-state/_data/images/23
…43aa145/creport.json
The creport.json
file is the report I generated with the docker-slim profile --report nginx.slim
command used earlier to generate some interesting information related to the process through which DockerSlim runs. Incidentally, if you spot a file ending with the extension .fat
, that's the reverse-engineered Dockerfile that the clever DockerSlim has created while going about its business. In my case, the file is named: /var/lib/docker/volumes/docker-slim-state/_data/images/23
…43aa145/Dockerfile.fat
Now that the generated seccomp
profile has been found, Listing 5 shows what the top of the file looks like, so you can differentiate it from other files you've seen. In my case, the JSON file was called nginx-seccomp.json
. Isn't having a profile generated for you so you can refine it handy?
Listing 5
Top of a seccomp Profile
01 { 02 "defaultAction": "SCMP_ACT_ERRNO", 03 "architectures": [ 04 "SCMP_ARCH_X86_64" 05 ], 06 "syscalls": [ 07 { 08 "names": [ 09 "lstat", 10 "exit_group", 11 "arch_prctl", 12 "chdir", 13 "unlink", 14 "geteuid", 15 "setitimer", 16 "write", 17 "sendmsg", 18 "mprotect", 19 "capget", 20 "getuid", 21 "wait4", 22 "pread64", 23 "Capset", 24 [snip...]
Unfortunately, I can't go too deep into seccomp
in this article, but it would be sensible to look online to learn a few security tips about how many syscalls should be used by your containers.
Once you've tweaked a profile, the Docker documentation offers this command format for running a container with a specific seccomp
profile:
$ docker run --rm -it --security-opt seccomp=/<path>/profile.json nginx.slim
You can use the generated security profile with both your slimmed image and the original. It might help you spot when a version upgrade changes a container's system access requirements. The esteemed Jessie Frazelle has a nice piece about seccomp
that is well worth a read [10].
Trouble Ahead
If you get stuck, fret not. seccomp
has been available since Docker version 1.10 [11], and the comprehensive docs [12] offer some useful troubleshooting tips, including tips about Nginx images that might be useful at some point.
The End Is Nigh
Doubtless this tool is exceptionally valuable to a containerized estate, but further investigation clearly is required into how stable DockerSlim might be for production services. However, the docs suggest the DockerSlim author is happy to give it the thumbs up for production use, so I trust you'll soon be trying this highly accessible open source tool.
Infos
- DockerSlim: https://github.com/docker-slim/docker-slim
- DockerSlim single-page website:https://dockersl.im
- Docker CE: https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-docker-engine---community-1
- Nginx on GitHub: https://github.com/nginxinc/docker-nginx/blob/a973c221f6cedede4dab3ab36d18240c4d3e3d74/mainline/buster/Dockerfile
- Nginx on Docker Hub: https://hub.docker.com/_/nginx
- seccomp: https://docs.docker.com/engine/security/seccomp
- seccomp man page: http://man7.org/linux/man-pages/man2/seccomp.2.html
- seccomp on Moby: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
- Docker seccomp security profiles: https://docs.docker.com/engine/security/seccomp
- "How to use the new Docker Seccomp profiles" by Jessie Frazelle, 4 January 2016: https://blog.jessfraz.com/post/how-to-use-new-docker-seccomp-profiles
- "New Docker Security Features and What They Mean: Seccomp Profiles" by Amir Jerbi, 10 February 2016: https://blog.aquasec.com/new-docker-security-features-and-what-they-mean-seccomp-profiles
- Nginx fails: https://github.com/docker-slim/docker-slim#nginx-fails-in-my-minified-image
« Previous 1 2
Buy this article as PDF
(incl. VAT)