book

Container Security

Name: Container Security
Author: Liz Rice
ISBN: 9781492056706

by Liz Rice

April 2020

Intermediate to advanced

198 pages

5h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who This Book Is ForWhat This Book CoversA Note about KubernetesExamplesHow to Run ContainersFeedbackConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Container Security Threats
Risks, Threats, and MitigationsContainer Threat ModelSecurity BoundariesMultitenancyShared MachinesVirtualizationContainer MultitenancyContainer InstancesSecurity PrinciplesLeast PrivilegeDefense in DepthReducing the Attack SurfaceLimiting the Blast RadiusSegregation of DutiesApplying Security Principles with ContainersSummary
2. Linux System Calls, Permissions, and Capabilities
System CallsFile Permissionssetuid and setgidLinux CapabilitiesPrivilege EscalationSummary
3. Control Groups
Cgroup HierarchiesCreating CgroupsSetting Resource LimitsAssigning a Process to a CgroupDocker Using CgroupsCgroups V2Summary
4. Container Isolation
Linux NamespacesIsolating the HostnameIsolating Process IDsChanging the Root DirectoryCombine Namespacing and Changing the RootMount NamespaceNetwork NamespaceUser NamespaceUser Namespace Restrictions in DockerInter-process Communications NamespaceCgroup NamespaceContainer Processes from the Host PerspectiveContainer Host MachinesSummary
5. Virtual Machines
Booting Up a MachineEnter the VMMType 1 VMMs, or HypervisorsType 2 VMMKernel-Based Virtual MachinesTrap-and-EmulateHandling Non-Virtualizable InstructionsProcess Isolation and SecurityDisadvantages of Virtual MachinesContainer Isolation Compared to VM IsolationSummary
6. Container Images
Root Filesystem and Image ConfigurationOverriding Config at RuntimeOCI StandardsImage ConfigurationBuilding ImagesThe Dangers of docker buildDaemonless BuildsImage LayersStoring ImagesIdentifying ImagesImage SecurityBuild-Time SecurityProvenance of the DockerfileDockerfile Best Practices for SecurityAttacks on the Build MachineImage Storage SecurityRunning Your Own RegistrySigning ImagesImage Deployment SecurityDeploying the Right ImageMalicious Deployment DefinitionAdmission ControlGitOps and Deployment SecuritySummary
7. Software Vulnerabilities in Images
Vulnerability ResearchVulnerabilities, Patches, and DistributionsApplication-Level VulnerabilitiesVulnerability Risk ManagementVulnerability ScanningInstalled PackagesContainer Image ScanningImmutable ContainersRegular ScanningScanning ToolsSources of InformationOut-of-Date SourcesWon’t Fix VulnerabilitiesSubpackage VulnerabilitiesPackage Name DifferencesAdditional Scanning FeaturesScanner ErrorsScanning in the CI/CD PipelinePrevent Vulnerable Images from RunningZero-Day VulnerabilitiesSummary
8. Strengthening Container Isolation
SeccompAppArmorSELinuxgVisorKata ContainersFirecrackerUnikernelsSummary
9. Breaking Container Isolation
Containers Run as Root by DefaultOverride the User IDRoot Requirement Inside ContainersRootless ContainersThe --privileged Flag and CapabilitiesMounting Sensitive DirectoriesMounting the Docker SocketSharing Namespaces Between a Container and Its HostSidecar ContainersSummary

10. Container Network Security
Container FirewallsOSI Networking ModelSending an IP PacketIP Addresses for ContainersNetwork IsolationLayer 3/4 Routing and RulesiptablesIPVSNetwork PoliciesNetwork Policy SolutionsNetwork Policy Best PracticesService MeshSummary
11. Securely Connecting Components with TLS
Secure ConnectionsX.509 CertificatesPublic/Private Key PairsCertificate AuthoritiesCertificate Signing RequestsTLS ConnectionsSecure Connections Between ContainersCertificate RevocationSummary
12. Passing Secrets to Containers
Secret PropertiesGetting Information into a ContainerStoring the Secret in the Container ImagePassing the Secret Over the NetworkPassing Secrets in Environment VariablesPassing Secrets Through FilesKubernetes SecretsSecrets Are Accessible by RootSummary
13. Container Runtime Protection
Container Image ProfilesNetwork Traffic ProfilesExecutable ProfilesFile Access ProfilesUser ID ProfilesOther Runtime ProfilesContainer Security ToolsDrift PreventionSummary
14. Containers and the OWASP Top 10
InjectionBroken AuthenticationSensitive Data ExposureXML External EntitiesBroken Access ControlSecurity MisconfigurationCross-Site Scripting XSSInsecure DeserializationUsing Components with Known VulnerabilitiesInsufficient Logging and MonitoringSummary
Conclusions
Security Checklist
Index

Content preview from Container Security

Chapter 4. Container Isolation

This is the chapter in which you’ll find out how containers really work! This will be essential to understanding the extent to which containers are isolated from each other and from the host. You will be able to assess for yourself the strength of the security boundary that surrounds a container.

As you’ll know if you have ever run docker exec <image> bash, a container looks a lot like a virtual machine from the inside. If you have shell access to a container and run ps, you can see only the processes that are running inside it. The container has its own network stack, and it seems to have its own filesystem with a root directory that bears no relation to root on the host. You can run containers with limited resources, such as a restricted amount of memory or a fraction of the available CPUs. This all happens using the Linux features that we’re going to delve into in this chapter.

However much they might superficially resemble each other, it’s important to realize that containers aren’t virtual machines, and in Chapter 5 we’ll take a look at the differences between these two types of isolation. In my experience, really understanding and being able to contrast the two is absolutely key to grasping the extent to which traditional security measures can be effective in containers, and to identifying where container-specific tooling is necessary.

You’ll see how containers are built out of Linux constructs such as namespaces and chroot, along with cgroups, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Implementing SSL/TLS Using Cryptography and PKI

Publisher Resources

ISBN: 9781492056690Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Container Security

by Liz Rice

Chapter 4. Container Isolation

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.