I attended my first Container Camp last week and wanted to share my experience.
This is part 1 talking about the workshop day, check out part 2 (coming soon) for the main conference itself.
Before I go any further I think it's useful to mention my technical background, because most conference crowds will polarise towards a particular ecosystem/platform (that's kind of obvious, right!). In the case of containers that polarisation is towards Linux rather than Windows, which is understandable as Linux containers have been the forerunner in this area, so talks and even sponsors were going to be talking mostly about the Linux platform [1].
In contrast I'm from a fairly typical modern .NET development background, predominantly Windows based, and although very comfortable with Windows containers, Docker and Kubernetes, I'm not hugely experienced with Linux, especially when you get down to lower-level kernel stuff.
Right, with that out of the way, on to Day one at the QEII centre in central London.
Day one is workshop day, with sessions running either in the morning or the afternoon. I wasn't able to attend the AM workshops so I headed to the PM workshop on Securing Docker Containers and Deployments, run by Andrew Martin from Control Plane and Ben Hall from KataCoda.
Photo by Jelmer Snoeck reproduced with permission from @ContainerCamp
It's fair to say that as Windows guys we've had our fair share of negativity about security on the Windows platform, so perhaps it's not surprising that we'd have a perception that all things Linux are secure out of the box. On top of this, containers give you an additional layer of security, right? So surely it's a piece of cake: pull the container image from the container repository (public or private), spin up the container and all is good? Of course, as it turns out, things are not that straightforward.
Note: the point isn't about the relative merits/security of Windows vs Linux; it's more that if you come from a particular background, your limited experience and arguably the marketing of a technology can lead to a potentially dangerous ignorance of the other platform's shortcomings. I would bet money that a significant percentage of traditional Windows shops haven't given the security of their Linux containers due consideration.
The workshop went pretty deep into the Linux kernel so I was a little out of my depth for sure, but we were using the excellent KataCoda platform for all the scenarios so I didn't need to touch the Windows Subsystem for Linux on my Surface nor mess around installing various obscure tools. The session highlighted the ease with which unpatched exploits can be discovered and targeted, but when combined with the default, rather liberal, settings on containers you can face some serious risks, ranging from denial of service (DoS) attacks all the way to container breakout onto the host machine. Andy and Ben would later demonstrate this on stage in a rather entertaining final session of the conference (see Day two).
My key takeaways from the session were:
- Running containers doesn't magically solve your security concerns.
- Don't blindly trust pre-built container images, especially from public container image repositories.
- Your build and deployment pipeline (you have one of those right?) should scan for known vulnerabilities.
- Ensure you don't run with root privileges in the containers, and remove capabilities which aren't needed (some of which are as good as running with root privileges).
- The all too familiar messages of patch often, defense in depth and principle of least privilege all still apply in the world of containers.
- Enable role-based access controls (RBAC) on your container platform of choice if it has them.
- Use tools such as Docker Bench to test your host machine configuration against best practices.
- App security is still absolutely key, don't forget OWASP!
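The takeaways above are a checklist rather than code, so here is an added example (written for this post, not from the workshop or from Docker Bench) that turns the container-side points into something you can run: a small Python script that reads `docker inspect` output and flags a container that runs as root, was started `--privileged`, keeps the default capability set or adds root-equivalent ones, has no pids limit (the DoS case), has a writable root filesystem, or lacks `no-new-privileges`. The two inspect documents embedded in it are constructed samples, and the set of capabilities it treats as root-equivalent is the example's own assumption rather than an exhaustive list.

```python
"""Flag weak container settings in `docker inspect` output.

Usage against a live daemon:  docker inspect <container> | python audit_container.py
The SAMPLE_INSPECT documents below are constructed for offline use; they are not
real `docker inspect` output, only the fields this script reads.
"""
import json
import sys

# Capabilities commonly treated as root-equivalent inside a container because they
# allow mounting, loading kernel modules, tracing or raw device/network access.
# This set is an assumption of the example, not an exhaustive list.
ROOT_EQUIVALENT_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
    "DAC_READ_SEARCH", "NET_ADMIN",
}


def _norm_cap(cap):
    """Normalise 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(obj):
    """Return a list of finding strings for one container object from `docker inspect`."""
    findings = []
    name = obj.get("Name", "?").lstrip("/")
    cfg = obj.get("Config") or {}
    host = obj.get("HostConfig") or {}

    # 1. Root inside the container: empty User, uid 0 or the name root.
    user = cfg.get("User") or ""
    uid = user.split(":")[0]
    if uid in ("", "0", "root"):
        findings.append(f"{name}: process runs as root (Config.User={user!r}); "
                        "set USER in the Dockerfile or pass --user")

    # 2. --privileged hands over every capability and all host devices.
    if host.get("Privileged"):
        findings.append(f"{name}: started with --privileged")

    # 3. Capabilities: drop everything, then add back only what the app needs.
    cap_add = {_norm_cap(c) for c in (host.get("CapAdd") or [])}
    cap_drop = {_norm_cap(c) for c in (host.get("CapDrop") or [])}
    if "ALL" not in cap_drop:
        findings.append(f"{name}: default capability set kept; "
                        "use --cap-drop=ALL and --cap-add only what is needed")
    dangerous = sorted(cap_add & ROOT_EQUIVALENT_CAPS)
    if dangerous:
        findings.append(f"{name}: root-equivalent capabilities added: {', '.join(dangerous)}")

    # 4. No pids limit means a runaway process in the container can exhaust host PIDs (DoS).
    if not host.get("PidsLimit"):
        findings.append(f"{name}: no --pids-limit set; a runaway process can starve the host of PIDs")

    # 5. A writable root filesystem lets a compromised process persist or drop tools.
    if not host.get("ReadonlyRootfs"):
        findings.append(f"{name}: root filesystem is writable; "
                        "consider --read-only with tmpfs for scratch dirs")

    # 6. no-new-privileges blocks setuid binaries from escalating inside the container.
    sec_opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append(f"{name}: --security-opt no-new-privileges not set")

    return findings


def audit_inspect(doc):
    """Accept the list `docker inspect` prints (or a single object) and audit each entry."""
    containers = doc if isinstance(doc, list) else [doc]
    return [f for c in containers for f in audit_container(c)]


# Constructed sample: one container run with defaults, one hardened per the checklist.
SAMPLE_INSPECT = [
    {
        "Name": "/web-default",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN", "NET_RAW"],
                       "CapDrop": None, "PidsLimit": None,
                       "ReadonlyRootfs": False, "SecurityOpt": None},
    },
    {
        "Name": "/web-hardened",
        "Config": {"User": "10001:10001"},
        "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                       "CapDrop": ["ALL"], "PidsLimit": 256,
                       "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"]},
    },
]

if __name__ == "__main__":
    # Read real inspect JSON from stdin if something was piped in, otherwise audit the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    doc = json.loads(raw) if raw.strip() else SAMPLE_INSPECT
    for finding in audit_inspect(doc) or ["no findings"]:
        print(finding)
```

Run it with no input to see the six findings for the default-settings sample and none for the hardened one; in a pipeline you would pipe `docker inspect` into it after deployment and fail the job on any finding. Note that this only covers the container's own run configuration; host-level checks (daemon config, file permissions, audit rules) are what Docker Bench covers.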
In summary, containers are not a silver bullet for security. They can absolutely add a significant additional layer of security, but you need to do some work - sorry!
There is a huge array of tools, both free and commercial, to help with container and host machine inspection, vulnerability scanning and container introspection.
Use the tools and knowledge out there and don't be a victim.
Lastly if you are a traditional Windows shop now using Linux containers and maybe don't have the in-depth Linux sysadmin experience, you should absolutely consider speaking to some container security experts like Control Plane - no I don't work for them nor is this a paid advert ;)
Keep an eye out for Day 2 review - conference day!
[1] Microsoft were a main sponsor of Container Camp and had a very popular stand. Also, as Windows containers rapidly improve and gain traction we can expect to see more vendors supporting them and more talks on the subject.
Images reproduced from @containercamp with permission