book

Container Security

by Liz Rice

April 2020

Intermediate to advanced

198 pages

5h 30m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversA Note about KubernetesExamplesHow to Run ContainersFeedbackConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Risks, Threats, and MitigationsContainer Threat ModelSecurity BoundariesMultitenancyShared MachinesVirtualizationContainer MultitenancyContainer InstancesSecurity PrinciplesLeast PrivilegeDefense in DepthReducing the Attack SurfaceLimiting the Blast RadiusSegregation of DutiesApplying Security Principles with ContainersSummary
System CallsFile Permissionssetuid and setgidLinux CapabilitiesPrivilege EscalationSummary
Cgroup HierarchiesCreating CgroupsSetting Resource LimitsAssigning a Process to a CgroupDocker Using CgroupsCgroups V2Summary
Linux NamespacesIsolating the HostnameIsolating Process IDsChanging the Root DirectoryCombine Namespacing and Changing the RootMount NamespaceNetwork NamespaceUser NamespaceUser Namespace Restrictions in DockerInter-process Communications NamespaceCgroup NamespaceContainer Processes from the Host PerspectiveContainer Host MachinesSummary
Booting Up a MachineEnter the VMMType 1 VMMs, or HypervisorsType 2 VMMKernel-Based Virtual MachinesTrap-and-EmulateHandling Non-Virtualizable InstructionsProcess Isolation and SecurityDisadvantages of Virtual MachinesContainer Isolation Compared to VM IsolationSummary
Root Filesystem and Image ConfigurationOverriding Config at RuntimeOCI StandardsImage ConfigurationBuilding ImagesThe Dangers of docker buildDaemonless BuildsImage LayersStoring ImagesIdentifying ImagesImage SecurityBuild-Time SecurityProvenance of the DockerfileDockerfile Best Practices for SecurityAttacks on the Build MachineImage Storage SecurityRunning Your Own RegistrySigning ImagesImage Deployment SecurityDeploying the Right ImageMalicious Deployment DefinitionAdmission ControlGitOps and Deployment SecuritySummary
Vulnerability ResearchVulnerabilities, Patches, and DistributionsApplication-Level VulnerabilitiesVulnerability Risk ManagementVulnerability ScanningInstalled PackagesContainer Image ScanningImmutable ContainersRegular ScanningScanning ToolsSources of InformationOut-of-Date SourcesWon’t Fix VulnerabilitiesSubpackage VulnerabilitiesPackage Name DifferencesAdditional Scanning FeaturesScanner ErrorsScanning in the CI/CD PipelinePrevent Vulnerable Images from RunningZero-Day VulnerabilitiesSummary
SeccompAppArmorSELinuxgVisorKata ContainersFirecrackerUnikernelsSummary
Containers Run as Root by DefaultOverride the User IDRoot Requirement Inside ContainersRootless ContainersThe --privileged Flag and CapabilitiesMounting Sensitive DirectoriesMounting the Docker SocketSharing Namespaces Between a Container and Its HostSidecar ContainersSummary

Container FirewallsOSI Networking ModelSending an IP PacketIP Addresses for ContainersNetwork IsolationLayer 3/4 Routing and RulesiptablesIPVSNetwork PoliciesNetwork Policy SolutionsNetwork Policy Best PracticesService MeshSummary
Secure ConnectionsX.509 CertificatesPublic/Private Key PairsCertificate AuthoritiesCertificate Signing RequestsTLS ConnectionsSecure Connections Between ContainersCertificate RevocationSummary
Secret PropertiesGetting Information into a ContainerStoring the Secret in the Container ImagePassing the Secret Over the NetworkPassing Secrets in Environment VariablesPassing Secrets Through FilesKubernetes SecretsSecrets Are Accessible by RootSummary
Container Image ProfilesNetwork Traffic ProfilesExecutable ProfilesFile Access ProfilesUser ID ProfilesOther Runtime ProfilesContainer Security ToolsDrift PreventionSummary
InjectionBroken AuthenticationSensitive Data ExposureXML External EntitiesBroken Access ControlSecurity MisconfigurationCross-Site Scripting XSSInsecure DeserializationUsing Components with Known VulnerabilitiesInsufficient Logging and MonitoringSummary

Content preview from Container Security

Chapter 5. Virtual Machines

Containers are often compared with virtual machines (VMs), especially in terms of the isolation that they offer. Let’s make sure you have a solid understanding of how VMs operate so that you can reason about the differences between them and containers. This will be particularly useful when you want to assess the security boundaries around your applications when they run in containers, or in different VMs. When you are discussing the relative merits of containers from a security perspective, understanding how they differ from VMs can be a useful tool.

This isn’t a black-and-white distinction, really. As you’ll see in Chapter 8, there are several sandboxing tools that strengthen the isolation boundaries around containers, making them more like VMs. If you want to understand the security pros and cons of these approaches, it’s best to start with a firm understanding of the difference between a VM and a “normal” container.

The fundamental difference is that a VM runs an entire copy of an operating system, including its kernel, whereas a container shares the host machine’s kernel. To understand what that means, you’ll need to know something about how virtual machines are created and managed by a Virtual Machine Monitor (VMM). Let’s start to set the scene for that by thinking about what happens when a computer boots up.

Booting Up a Machine

Picture a physical server. It has some CPUs, memory, and networking interfaces. When you first boot up the machine, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781492056690Errata Page

Container Security

by Liz Rice

Chapter 5. Virtual Machines

Booting Up a Machine

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Security Observability with eBPF

Mastering Linux Security and Hardening - Second Edition

API Security in Action

Implementing SSL/TLS Using Cryptography and PKI

Publisher Resources

Chapter 5. Virtual Machines

Booting Up a Machine

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Security Observability with eBPF

Mastering Linux Security and Hardening - Second Edition

API Security in Action

Implementing SSL/TLS Using Cryptography and PKI

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.