Tuesday, 28 April 2020

All about Docker: Part 3


Introduction to Docker Swarm
Why Swarm
  • An enterprise grade secure cluster:
      • Manage one or more Docker nodes as a cluster
      • Encrypted distributed cluster store
      • Encrypted networks
      • Secure join tokens
  • An orchestration engine for creating microservices:
      • API for deploying and managing microservices
      • Declarative manifest files for defining apps
      • Provides the ability to scale apps and to perform rolling updates and rollbacks
Swarm was initially a separate product layered on Docker; since Docker 1.12 it has been part of the engine.
Swarm has two major components:
The Cluster
  • A swarm consists of one or more Docker nodes.
  • Nodes are either managers or workers.
  • Managers:
      • Manage the state of the cluster
      • Dispatch tasks to workers
  • Workers:
      • Accept and execute tasks
  • State is held in etcd
  • Swarm uses Transport Layer Security (TLS) for:
      • Encrypted communication
      • Authenticated nodes
      • Authorized roles
Orchestration
  • The atomic unit of scheduling is a swarm service.
  • The service construct adds the following to a container:
      • scaling
      • rolling updates
      • rollback
      • updates
  • A container wrapped in a service is a task or a replica.
Running Docker in Swarm Mode
In this lesson, we will create two new Docker servers and use them in a swarm configuration. Then we will initialize the swarm manager and have the two new nodes join the swarm.
Install the Swarm Worker Node
Now create two new servers in Cloud Playground that will be used as worker nodes.
Prerequisites
Uninstall old versions:
sudo yum remove -y docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-engine
Install Docker CE
Add the Docker repository:
sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
Set up the stable repository:
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
Install Docker CE:
sudo yum -y install docker-ce
Enable and Start Docker:
sudo systemctl start docker && sudo systemctl enable docker
Add cloud_user to the docker group:
sudo usermod -aG docker cloud_user
Initialize the manager (run on the manager, advertising its own private IP):
docker swarm init \
--advertise-addr [PRIVATE_IP]
Add the worker to the cluster (run on each worker, with the manager's private IP):
docker swarm join --token [TOKEN] \
[PRIVATE_IP]:2377
List the nodes in the swarm:
docker node ls
Managing Swarm Nodes
Docker node commands:
  • demote: Demotes one or more nodes from manager in the swarm
  • inspect: Displays detailed information on one or more nodes
  • ls: Lists nodes in the swarm
  • promote: Promotes one or more nodes to manager in the swarm
  • ps: Lists tasks running on one or more nodes, defaults to current node
  • rm: Removes one or more nodes from the swarm
  • update: Updates a node
Docker swarm commands:
  • ca: Displays and rotates the root CA
  • init: Initializes a swarm
  • join: Joins a swarm as a node and/or manager
  • join-token: Manages join tokens
  • leave: Leaves the swarm
  • unlock: Unlocks swarm
  • unlock-key: Manages the unlock key
  • update: Updates the swarm
Managing swarm nodes:
Listing nodes:
docker node ls
Inspecting a node:
docker node inspect [NODE_NAME]
Promoting a worker to a manager:
docker node promote [NODE_NAME]
Demoting a manager to a worker:
docker node demote [NODE_NAME]
Removing a node from the swarm (node must be demoted first):
docker node rm -f [NODE_NAME]
Make a node leave the swarm:
docker swarm leave
Getting the join-token:
docker swarm join-token [worker|manager]
Make the node rejoin the swarm:
docker swarm join --token [TOKEN] \
[PRIVATE_IP]:2377
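Promoting and demoting nodes changes the Raft quorum, so here is an added example (not from the original post) that reads the node list and reports whether the managers still hold a majority. It assumes the list was captured with the --format template given in the comment; the sample output is constructed.

```python
# Check manager quorum from `docker node ls` output. Added example, not from the
# original post. SAMPLE_NODE_LS is constructed; capture real data with:
#   docker node ls --format '{{.ID}}\t{{.Hostname}}\t{{.Status}}\t{{.Availability}}\t{{.ManagerStatus}}'

SAMPLE_NODE_LS = (
    "q1abc\tmanager1\tReady\tActive\tLeader\n"
    "r2def\tmanager2\tReady\tActive\tReachable\n"
    "s3ghi\tmanager3\tDown\tActive\tUnreachable\n"
    "t4jkl\tworker1\tReady\tActive\t\n"
    "u5mno\tworker2\tReady\tDrain\t\n"
)
HEALTHY = ("Leader", "Reachable")
FIELDS = ("id", "hostname", "status", "availability", "manager_status")

def parse_nodes(text):
    """Parse the tab-separated list; manager_status is empty for workers."""
    nodes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))   # tolerate a trimmed trailing tab
        nodes.append(dict(zip(FIELDS, cols)))
    return nodes

def quorum_report(nodes):
    """Raft needs a majority of managers: N managers tolerate losing (N-1)//2."""
    managers = [n for n in nodes if n["manager_status"]]
    healthy = [m for m in managers if m["manager_status"] in HEALTHY]
    n, quorum = len(managers), len(managers) // 2 + 1
    warnings = []
    if n % 2 == 0:
        warnings.append("even manager count adds no fault tolerance; promote or demote one")
    for m in managers:
        if m["manager_status"] not in HEALTHY:
            warnings.append("manager %s is %s" % (m["hostname"], m["manager_status"]))
    if len(healthy) < quorum:
        warnings.append("QUORUM LOST: the swarm cannot schedule new tasks or change state")
    return {"managers": n, "healthy_managers": len(healthy), "quorum": quorum,
            "can_lose": (n - 1) // 2, "has_quorum": len(healthy) >= quorum,
            "warnings": warnings}

if __name__ == "__main__":
    for key, value in quorum_report(parse_nodes(SAMPLE_NODE_LS)).items():
        print(key, value)
```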
Introduction to Docker Security
Security is all about layers
Linux security:
  • Namespaces
  • Control Groups
  • Mandatory Access Control (MAC)
  • Seccomp
Docker security:
  • Docker Swarm
  • Docker Content Trust
  • Docker Security Scanner
  • Docker secrets
Namespaces
Docker creates a set of namespaces and control groups for each container. A Docker container is an organized collection of namespaces.
  • Namespaces provide isolation.
  • Each container also gets its own network stack.
Namespaces Docker uses on Linux:
  • Process ID (pid)
  • network (net)
  • Filesystem/mount (mount)
  • Inter-process Communication (ipc)
  • User (user)
  • UTS (uts)
Control Groups
Control Groups are about setting limits for:
  • CPU
  • RAM
  • Disk I/O
They help to mitigate denial-of-service attacks, and are important on multi-tenant platforms.
Capabilities
Capabilities turn the binary “root/non-root” dichotomy into a fine-grained access control system. In most cases, containers do not need “real” root privileges at all. This means root within a container has far fewer privileges than the real root. It also means that even if an intruder manages to escalate to root within a container, it is much harder to do serious damage, or to escalate to the host.
Docker Swarm
Swarm Mode:
  • Cryptographic node IDs
  • Mutual authentication via TLS
  • Secure join tokens
  • CA configuration with automatic certificate rotation
  • Encrypted cluster store
  • Encrypted networks
Setting the node certificate validity period (the default is 2160h, i.e. 90 days):
docker swarm update --cert-expiry [INT]h
Docker Secrets
These store sensitive data like:
  • Passwords
  • TLS Certificates
  • API Keys
Secrets Workflow:
1. A secret is created and posted to the Swarm.
2. The secret is encrypted and stored in the cluster store.
3. A service is created and the secret is attached to it.
4. The secret is encrypted in flight when it is delivered to the nodes running the service.
5. The secret is mounted into the containers of the service as an in-memory filesystem.
6. When the task is complete, the in-memory filesystem holding the secret is torn down.
Working with Docker Security
In this lesson we will start implementing some of the Docker security practices.
Seccomp Profile
docker container run --security-opt seccomp=[PROFILE] [IMAGE] [CMD]
Testing Seccomp (under the default profile, mount and swapoff fail with "Operation not permitted"):
docker container run --rm -it alpine sh
whoami
mount /dev/sda1 /tmp
swapoff -a
Using a custom Seccomp profile:
mkdir -p seccomp/profiles/chmod
cd seccomp/profiles/chmod
wget https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
Remove chmod, fchmod and fchmodat from the syscalls whitelist (the syscalls section starts at line 52). A syscall that is not whitelisted falls through to the profile's defaultAction, SCMP_ACT_ERRNO, so the call fails with "Operation not permitted".
Applying the custom Seccomp profile:
docker container run --rm -it --security-opt seccomp=./default.json alpine sh
chmod +r /usr
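The same edit done in code, as an added example rather than the post's own steps: it removes the three syscalls from every allow rule and writes the result out. MINI_DEFAULT_PROFILE is a constructed miniature of default.json; load the real file with json.load() to apply it there.

```python
# Build a custom seccomp profile in code instead of editing default.json by hand.
# Added example, not from the original post. MINI_DEFAULT_PROFILE is a constructed
# miniature of Docker's default.json that keeps its structure (defaultAction + rules).
import copy
import json

MINI_DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["chmod", "fchmod", "fchmodat", "read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["mount", "swapoff"], "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    names = set()
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW":
            # Current profiles use a "names" list; very old ones had a single "name".
            names.update(rule.get("names") or [rule["name"]])
    return names

def deny_syscalls(profile, to_deny):
    """Copy of the profile with to_deny removed from every allow rule."""
    # Removed syscalls fall back to defaultAction (SCMP_ACT_ERRNO): chmod gets EPERM.
    missing = set(to_deny) - allowed_syscalls(profile)
    if missing:
        raise ValueError("not in the whitelist: %s" % sorted(missing))
    new = copy.deepcopy(profile)
    kept = []
    for rule in new["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            kept.append(rule)                  # leave non-allow rules untouched
            continue
        names = rule.get("names") or [rule.pop("name")]
        rule["names"] = [n for n in names if n not in to_deny]
        if rule["names"]:                      # drop allow rules with nothing left
            kept.append(rule)
    new["syscalls"] = kept
    return new

if __name__ == "__main__":
    custom = deny_syscalls(MINI_DEFAULT_PROFILE, {"chmod", "fchmod", "fchmodat"})
    with open("default.json", "w") as fh:  # then: --security-opt seccomp=./default.json
        json.dump(custom, fh, indent=2)
```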
Capabilities:
Dropping Capabilities:
docker container run --cap-drop=[CAPABILITY] [IMAGE] [CMD]
Test mknod:
docker container run --rm -it alpine sh
mknod /dev/random2 c 1 8
Disable mknod:
docker container run --rm -it --cap-drop=MKNOD alpine sh
mknod /dev/random2 c 1 8
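To see what --cap-drop actually leaves a container with, here is an added example (not from the post or from Docker) that reproduces the daemon's cap-add/cap-drop arithmetic over Docker's default capability set; ALL_CAPS is a shortened stand-in for the kernel's full list.

```python
# Work out which capabilities a container keeps after --cap-drop / --cap-add.
# Added example, not from the original post or from Docker itself; it mirrors the
# daemon's rules (privileged wins, then add ALL, then drop ALL, otherwise drops come
# off the default set and adds are appended). DEFAULT_CAPS is Docker's default set.

DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}
# Shortened stand-in for the full kernel list that "ALL" expands to in the daemon.
ALL_CAPS = DEFAULT_CAPS | {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_MODULE",
                           "CAP_SYS_PTRACE", "CAP_SYS_TIME"}

def normalize(cap):
    """Docker accepts MKNOD, CAP_MKNOD or mknod; the ALL keyword is kept as-is."""
    cap = cap.upper()
    if cap == "ALL" or cap.startswith("CAP_"):
        return cap
    return "CAP_" + cap

def effective_caps(cap_drop=(), cap_add=(), privileged=False):
    """Capability set the container runs with for the given run flags."""
    if privileged:                      # --privileged grants every capability
        return set(ALL_CAPS)
    drops = {normalize(c) for c in cap_drop}
    adds = {normalize(c) for c in cap_add}
    unknown = (drops | adds) - ALL_CAPS - {"ALL"}
    if unknown:
        raise ValueError("unknown capability: %s" % sorted(unknown))
    if "ALL" in adds:                   # --cap-add=ALL minus the explicit drops
        return ALL_CAPS - drops
    if "ALL" in drops:                  # --cap-drop=ALL: only what was added back
        return adds
    return (DEFAULT_CAPS - drops) | adds

if __name__ == "__main__":
    # The post's test: with --cap-drop=MKNOD, `mknod /dev/random2 c 1 8` is refused.
    print("CAP_MKNOD" in effective_caps(cap_drop=["MKNOD"]))
    # Least privilege: drop everything and add back only what the workload needs.
    print(sorted(effective_caps(cap_drop=["ALL"], cap_add=["NET_BIND_SERVICE"])))
```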
Control Groups
Limiting CPU and memory:
docker container run -it --cpus=[VALUE] --memory=[VALUE][SIZE] --memory-swap [VALUE][SIZE] [IMAGE] [CMD]
Setting memory limits on a container:
docker container run -d --name resource-limits --cpus=".5" --memory=512M --memory-swap=1G rivethead42/weather-app
Inspect resource-limits (the limits appear under HostConfig as NanoCpus, Memory and MemorySwap):
docker container inspect resource-limits
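An added example (not from the original post) that turns the flags above into the HostConfig values `docker container inspect` shows, and audits inspect output for containers started with no limits at all; SAMPLE_INSPECT is a constructed excerpt.

```python
# Translate the post's limit flags into the fields `docker container inspect` reports,
# then audit inspect output for containers that were started with no limits at all.
# Added example, not from the original post; SAMPLE_INSPECT is a constructed excerpt
# containing only the HostConfig fields the check needs.

_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(text):
    """'512M' -> 536870912, matching Docker's binary units for --memory values."""
    text = text.strip().lower()
    if text[-1] in _UNITS:
        return int(float(text[:-1]) * _UNITS[text[-1]])
    return int(text)

def expected_host_config(cpus, memory, memory_swap):
    """HostConfig values that --cpus/--memory/--memory-swap turn into."""
    return {"NanoCpus": int(float(cpus) * 1_000_000_000),
            "Memory": parse_size(memory),
            "MemorySwap": parse_size(memory_swap)}

def audit(containers):
    """Return (name, finding) pairs for containers whose CPU or memory is unbounded.

    `containers` is the JSON array `docker container inspect` prints. In HostConfig,
    Memory 0 and NanoCpus 0 mean no limit and MemorySwap -1 means unlimited swap.
    """
    findings = []
    for doc in containers:
        hc, name = doc["HostConfig"], doc["Name"].lstrip("/")
        if hc.get("Memory", 0) == 0:
            findings.append((name, "no memory limit"))
        elif hc.get("MemorySwap", 0) == -1:
            findings.append((name, "unlimited swap"))
        if hc.get("NanoCpus", 0) == 0:
            findings.append((name, "no CPU limit"))
    return findings

# Constructed sample: the post's resource-limits container next to an unlimited one.
SAMPLE_INSPECT = [
    {"Name": "/resource-limits",
     "HostConfig": {"NanoCpus": 500000000, "Memory": 536870912, "MemorySwap": 1073741824}},
    {"Name": "/unbounded",
     "HostConfig": {"NanoCpus": 0, "Memory": 0, "MemorySwap": 0}},
]

if __name__ == "__main__":
    print(expected_host_config(".5", "512M", "1G"))
    print(audit(SAMPLE_INSPECT))
```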
Running Docker Bench for Security
Running Docker Bench Security:
docker container run --rm -it --network host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security
THE END..

