
John Goerzen: Is there any way to truly secure Docker container contents?


There is much to like about Docker. Much has been written about it, and about how secure the containerization is.

This post isn’t about that. This is about keeping what’s inside each container secure. I believe we have a fundamental problem here.

Earlier this month, a study on security vulnerabilities on Docker Hub came out, and the picture isn’t pretty. One key finding:

Over 80% of the :latest versions of official images contained at least one high severity vulnerability!

And it’s not the only one raising questions.

Let’s dive in and see how we got here.

It’s hard to be secure, but Debian makes it easier

Let’s say you want to run a PHP application like WordPress under Apache. Here are the things you need to keep secure:

  • WordPress itself
  • All plugins, themes, customizations
  • All PHP libraries it uses (MySQL, image-processing, etc.)
  • MySQL
  • Apache
  • All libraries MySQL or Apache use: OpenSSL, libc, PHP itself, etc.
  • The kernel
  • All containerization tools

On Debian (and most of its best-known derivatives), we are extremely lucky to have a wonderful security support system. If you run a Debian system, the combination of unattended-updates, needrestart, debsecan, and debian-security-support will help you keep a Debian system secure and verify that it is. When the latest OpenSSL bug comes out, generally speaking by the time I wake up, unattended-updates has already patched it, needrestart has already restarted any server that uses it, and I’m protected. Debian’s security team generally backports fixes rather than just saying “here’s the new version”, making it very safe to automatically apply patches. As long as I use what’s in Debian stable, all layers mentioned above will be protected using this scheme.

This picture is much nicer than what we see in Docker.

Problems

We have a lot of problems in the Docker ecosystem:

  1. No built-in way to know when a base needs to be updated, or to automatically update it
  2. Diverse and complicated vendor security picture
  3. No way to detect when intermediate libraries need to be updated
  4. Complicated final application security picture

Let’s look at them individually.

Problem #1: No built-in way to know when a base needs to be updated, or to automatically update it

First of all, there is nothing in Docker like unattended-updates. Although a few people have suggested ways to run unattended-updates inside containers, there are many reasons that approach doesn’t work well. The standard advice is to update/rebuild containers.

So how do you know when to do that? It is not all that obvious. Theoretically, official OS base images will be updated when needed, and then other Docker hub images will detect the base update and be rebuilt. So, if a bug in a base image is found, and if the vendors work properly, and if you are somehow watching, then you could be protected. There is work in this area; tools such as watchtower help here.

But this can lead to a false sense of security, because:

Problem #2: Diverse and complicated vendor security picture

Different images can use different operating system bases. Consider just these official images, and the bases they use: (tracking latest tag on each)

  • nginx: debian:stretch-slim (stretch is pre-release at this date!)
  • mysql: debian:jessie
  • mongo: debian:wheezy-slim (previous release)
  • apache httpd: debian:jessie-backports
  • postgres: debian:jessie
  • node: buildpack-deps:jessie, eventually depends on debian:jessie
  • wordpress: php:5.6-apache, eventually depends on debian:jessie

And how about a few unofficial images?

  • oracle/openjdk: oraclelinux:latest
  • robotamer/citadel: debian:testing (dangerous, because testing is an alias for different distros at different times)
  • docker.elastic.co/kibana: ubuntu of some sort

The good news is that Debian jessie seems to be pretty popular here. The bad news is that you see everything from Oracle Linux, to Ubuntu, to Debian testing, to Debian oldstable in just this list. Go a little further, and you’ll see Alpine Linux, CentOS, and many more represented.

Here’s the question: what do you know about the security practices of each of these organizations? How well updated are their base images? Even if it’s Debian, how well updated is, for instance, the oldstable or the testing image?
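The “eventually depends on” chains above are exactly what an operator has to reconstruct before they can answer that question. The following is an added example, not code from the original post: it walks a set of Dockerfile texts from image to image by their FROM lines, reports the OS base at the end of the chain, and flags the two situations the post calls out, a base pinned to a moving alias such as testing or latest, and a base that is not Debian at all (so its vendor’s security practice needs checking). The Dockerfile fragments are constructed and shortened to their FROM lines; the intermediate buildpack-deps images are an assumption about how that chain is layered, not taken from the real repositories.

```python
import re
from typing import Dict, List, Optional

# Constructed Dockerfile fragments modelled on the base chains listed in the post.
# Real Dockerfiles are longer; only the FROM lines matter for this check, and the
# buildpack-deps intermediate layers are an assumption, not copied from upstream.
DOCKERFILES: Dict[str, str] = {
    "wordpress:latest": "FROM php:5.6-apache\nRUN docker-php-ext-install mysqli\n",
    "php:5.6-apache": "FROM debian:jessie\nRUN apt-get update && apt-get install -y apache2\n",
    "node:latest": "FROM buildpack-deps:jessie\n",
    "buildpack-deps:jessie": "FROM buildpack-deps:jessie-scm\n",
    "buildpack-deps:jessie-scm": "FROM buildpack-deps:jessie-curl\n",
    "buildpack-deps:jessie-curl": "FROM debian:jessie\n",
    "nginx:latest": "FROM debian:stretch-slim\n",
    "robotamer/citadel:latest": "FROM debian:testing\n",
    "oracle/openjdk:latest": "FROM oraclelinux:latest\n",
}

# Tags that point at different content over time, so a rebuild today and a rebuild
# next month can land on different distributions (the post's point about "testing").
MOVING_TAGS = {"latest", "testing", "unstable", "sid"}

# First FROM line of a Dockerfile; optional --platform and "AS stage" are tolerated.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?",
                     re.IGNORECASE | re.MULTILINE)


def normalize_ref(ref: str) -> str:
    """Append ':latest' when the last path component carries no tag."""
    if ":" not in ref.rsplit("/", 1)[-1]:
        return ref + ":latest"
    return ref


def parse_from(dockerfile: str) -> Optional[str]:
    """Return the normalized parent image of the first FROM line, or None."""
    m = FROM_RE.search(dockerfile)
    return normalize_ref(m.group(1)) if m else None


def resolve_base_chain(image: str, dockerfiles: Dict[str, str]) -> List[str]:
    """Follow FROM lines until an image we have no Dockerfile for (the OS base)."""
    current = normalize_ref(image)
    chain, seen = [current], {current}
    while current in dockerfiles:
        parent = parse_from(dockerfiles[current])
        if parent is None or parent == "scratch":
            break
        if parent in seen:
            raise ValueError(f"FROM cycle detected at {parent}")
        chain.append(parent)
        seen.add(parent)
        current = parent
    return chain


def assess_base(image: str, dockerfiles: Dict[str, str]) -> dict:
    """Resolve the chain and flag bases whose security picture needs a closer look."""
    chain = resolve_base_chain(image, dockerfiles)
    base = chain[-1]
    name, _, tag = base.rpartition(":")
    flags = []
    if tag in MOVING_TAGS:
        flags.append(f"tag '{tag}' is a moving alias; rebuilds are not reproducible")
    if name != "debian":
        flags.append(f"non-Debian base '{name}': verify that vendor's update practice")
    return {"image": normalize_ref(image), "chain": chain, "base": base, "flags": flags}


if __name__ == "__main__":
    for img in ("wordpress", "node", "nginx", "robotamer/citadel", "oracle/openjdk"):
        r = assess_base(img, DOCKERFILES)
        print(f"{r['image']}: {' -> '.join(r['chain'])}")
        for f in r["flags"]:
            print(f"    ! {f}")
```

Fed with the Dockerfiles actually pulled from the registries, the same walk produces an inventory of which distribution and release each running image ultimately rests on, which is the list you need before you can ask whether each base is being kept patched.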

The attack surface here is a lot larger than if you were just using a single OS. But wait, it gets worse:

Problem #3: No way to detect when intermediate libraries need to be updated

Let’s say your Docker image is using a base that is updated immediately when a security problem is found. Let’s further assume that your software package (WordPress, MySQL, whatever) is also being updated.

What about the intermediate dependencies? Let’s look at the build process for nginx. The Dockerfile for it begins with debian:stretch-slim. But then it does a natural thing: it runs an apt-get install, pulling in packages from both Debian and an nginx repo.

I ran the docker build for it myself. Of course, the apt-get command brings in not just the specified packages, but also their dependencies. Here are the ones nginx brought in:

fontconfig-config fonts-dejavu-core gettext-base libbsd0 libexpat1 libfontconfig1 libfreetype6 libgd3 libgeoip1 libicu57 libjbig0 libjpeg62-turbo libpng16-16 libssl1.1 libtiff5 libwebp6 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxml2 libxpm4 libxslt1.1 nginx nginx-module-geoip nginx-module-image-filter nginx-module-njs nginx-module-xslt ucf

Now, what is going to trigger a rebuild if there’s a security fix to libssl1.1 or libicu57? (Both of these have a history of security holes.) The answer, for the vast majority of Docker images, seems to be: nothing automatic.
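One answer to “what is going to trigger a rebuild?” is to ask the image itself. The following is an added example, not code from the original post: it parses the dpkg status database an image carries (so you know what apt actually pulled in, including the dependencies listed above) and the dry-run output of apt-get upgrade, then reports which installed packages have pending updates and whether any of them come from the security archive, which is the signal a CI job can use to force a rebuild. Both inputs here are constructed samples with made-up version numbers; in practice they would come from `docker run --rm <image> cat /var/lib/dpkg/status` and `docker run --rm <image> sh -c 'apt-get update -qq && apt-get -s upgrade'`. The “Inst …” line format and the Debian-Security archive label follow apt’s real output, but treat the exact label as something to confirm on your own distribution.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of /var/lib/dpkg/status as it might look inside an nginx image
# built from debian:stretch-slim. Package names come from the post; versions are made up.
DPKG_STATUS = """\
Package: libssl1.1
Status: install ok installed
Version: 1.1.0e-1
Description: Secure Sockets Layer toolkit - shared libraries

Package: libicu57
Status: install ok installed
Version: 57.1-5
Description: International Components for Unicode

Package: nginx
Status: install ok installed
Version: 1.11.10-1~stretch
Description: high performance web server

Package: some-removed-pkg
Status: deinstall ok config-files
Version: 0.1
Description: only config files remain; must not count as installed
"""

# Constructed sample of `apt-get -s upgrade` (simulation, nothing is changed) run in the
# same container after `apt-get update`. The archive labels follow apt's real format.
APT_SIM_UPGRADE = """\
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libicu57 libssl1.1
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.0e-1] (1.1.0f-3 Debian-Security:9/stable [amd64])
Inst libicu57 [57.1-5] (57.1-6 Debian:9.0/stable [amd64])
Conf libssl1.1 (1.1.0f-3 Debian-Security:9/stable [amd64])
Conf libicu57 (57.1-6 Debian:9.0/stable [amd64])
"""

# "Inst <pkg> [<installed>] (<candidate> <origin...>)"
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]+)\] \((\S+) ([^)]*)\)")


def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Return {package: version} for every stanza whose Status ends in 'installed'."""
    installed: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            # Continuation lines of multi-line fields start with whitespace; skip them.
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def parse_pending_upgrades(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, current, candidate, origin) for each 'Inst' line of the dry run."""
    return [m.groups() for m in (INST_RE.match(l) for l in text.splitlines()) if m]


def rebuild_report(status_text: str, sim_text: str) -> dict:
    """Cross the two views: pending updates restricted to what the image really has,
    and a rebuild verdict driven by updates from the security archive."""
    installed = parse_dpkg_status(status_text)
    pending = [p for p in parse_pending_upgrades(sim_text) if p[0] in installed]
    security = [p for p in pending if "security" in p[3].lower()]
    return {
        "installed": len(installed),
        "pending": pending,
        "security": security,
        "rebuild_needed": bool(security),
    }


if __name__ == "__main__":
    report = rebuild_report(DPKG_STATUS, APT_SIM_UPGRADE)
    print(f"{report['installed']} packages installed, {len(report['pending'])} with updates")
    for pkg, cur, cand, origin in report["pending"]:
        tag = "SECURITY" if "security" in origin.lower() else "regular"
        print(f"  {tag:8} {pkg}: {cur} -> {cand} ({origin})")
    # Non-zero exit lets a CI pipeline use this as a "rebuild now" gate.
    sys.exit(1 if report["rebuild_needed"] else 0)
```

Run on a schedule against each image you deploy, the non-zero exit is the trigger that the post says is otherwise missing: it fires on a libssl1.1 security update even when the base image and nginx itself have not changed.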

Problem #4: Complicated final application security picture

And that brings us to the last problem: Let’s say you want to run an application in Docker. exim, PostgreSQL, Drupal, or maybe something more obscure. Who is watching for security holes in it? If you’re using Debian packages, the Debian security team is. If you’re using a Docker image, well, maybe it’s the random person that contributed it, maybe it’s the vendor, maybe it’s Docker, maybe it’s nobody. You have to take this burden on yourself, to validate the security support picture for each image you use.

Conclusion

All this adds up to a lot of work, which is not taken care of for you by default in Docker. It is no surprise that many Docker images are insecure, given this picture. The unfortunate reality is that many Docker containers are running with known vulnerabilities that have known fixes which just aren’t applied, and that’s sad.

I wonder if there are any practices people are using that can mitigate this better than what the current best-practice recommendations seem to be?

fxer (7 minutes ago): "Over 80% of the :latest versions of official images contained at least one high severity vulnerability!"

New zine: let's learn tcpdump!


tcpdump is a useful tool for seeing what network packets are being sent/received on a computer. I used to be really confused about tcpdump! I’d run tcpdump, it would print a bunch of incomprehensible output, I’d look at the man page, and I’d run away.

I’ve learned a lot more about it and these days, I feel really comfortable with tcpdump! I’ll see a networking problem, think “oh, no big deal, I’ll just fire up tcpdump!”, and be one step closer to figuring it out.

So I decided to write a short 12-page zine to explain tcpdump basics so that you too can realize “hey, this isn’t so bad!!”.

I’m doing an experiment with this one: you can buy it today for $10 (early access!), and then I’ll release it for free on this blog a little later on. If you’re excited about tcpdump and want to buy it and help support julia’s zine-making enterprises, here it is. As usual it includes both a version you can read online and a version you can print out and give to your friends.


Also, if you’re thinking “this is cool, but I feel like I’m missing some computer networking basics”, I wrote a computer networking zine called Networking! ACK! for you! (here’s the pdf)

Here’s what the cover looks like (I hired an awesome illustrator!):

and the inside pages on tcpdump command line arguments, as a preview – it turns out there are only a few that you really need to know about!

I’m still figuring out what the best way to sell stuff online is. Gumroad seems reasonable so far but let me know if there are problems with it!

An Amazing Digital Archive of Amsterdam's Past


Amsterdam’s digital map archive was already one of the best municipal resources on the internet, and it just got even better. You may recall when CityLab first obsessed over the archive’s troves of information. We’re returning now to dive into the new maps, videos and archives that provide vivid, fascinating details on how the city has developed, some reaching back to the 1600s.

The Dutch Golden Age of the 17th century was kind to Amsterdam. Within 100 years, rapid settlement tripled the city’s geographic size and dramatically expanded its network of canals and ramparts, as illustrated in this “Game of Thrones”-like video created by the City Archives.

Watch the reconstruction of Amsterdam’s defenses and you get an idea of the sheer effort it must have taken to expand this city built on marshy ground. Not only were the old ramparts demolished and rebuilt further out, but new canals had to be cut and old ones filled in.

What the video doesn’t show, however, was that this was actually the tip of the iceberg. Even something as simple as building a house could be complicated in Amsterdam’s boggy soil. The land could only be made safe for building by driving wooden pilings deep into it, until they reached the relatively stable sandy layer beneath. If the water level dropped and exposed the wooden pilings to air, they would shrivel and rot, giving rise to the occasional tilted, drunken-looking old building you can see today along Amsterdam’s canals.

Watch closely and you’ll also see how the city got its name. At the heart of the city is a broad dam over the river Amstel, the site of a square where, as the video shows, the old city hall burned down in 1648. Today, Dam Square sits on that location, remaining the heart of the city. Thanks to canals and building, it has since lost any sense of being near water.

The Age of Steam

Jump forward to the video above, documenting Amsterdam’s growth from 1800 to 1900, and what’s initially striking is how little had changed. In the east, much of the land absorbed by the city walls in the 17th century remained undeveloped. This was largely because demand for building land had slackened off as London gradually became Northern Europe’s trading hub. This arrested development means that, as the video shows, major 19th-century projects such as the Rijksmuseum and the Concertgebouw concert hall could be built on open land, but still be surprisingly close to the city core.

Destruction and rebuilding

Amsterdam City Archive

Despite this rapid 19th-century development, there were still some lingering reminders of the more ramshackle, rustic city that was steadily replaced. This new photo archive map allows you to discover historic photos street by street and note how much from old Amsterdam lingered. An old windmill in the working class (but recently gentrified) De Pijp neighborhood, shown in this grainy photo from the archive, somehow managed to survive until 1881. The surrounding sheds and workshops became new streets of tenements soon after, and the site has since been inherited by a supermarket.

Amsterdam City Archive

The archive also reveals some of the damage to Amsterdam during World War II, most of which is hard to spot today. Amsterdam suffered far more from the Holocaust—75,000 Jewish Amsterdammers lost their lives to Nazi persecution—and from the famine that came before the war’s end than from aerial bombardment. Nonetheless, the city suffered some destruction, such as these three houses destroyed in what was Amsterdam’s Jewish quarter. The site has since been filled by a post-war shop and apartment block.

Amsterdam City Archive

Buildings of quality

Amsterdam’s map showing architectural quality, with the best buildings marked in purple.
(City of Amsterdam)

In Amsterdam, the sheer volume of architectural history that has remained is more striking than the number of buildings that have disappeared. One of the best ways to explore the detail of this architectural heritage is to use the city’s map of buildings of recognized architectural value constructed before 1965, street by street. You can use it to zoom in on every building that the city has registered as high quality. The detail pop-ups even provide the construction year and the name of its architect.

While this is great for locals looking up the buildings in their own neighborhood, it’s also great for architectural tourists whose interest in Amsterdam’s buildings strays beyond the usual suspects. While Amsterdam’s historic canal rings are shaded purple—the color marking the most highly protected structures—you can also zoom out to Amsterdam’s less visited suburbs to find newer, more unlikely architectural treasures.

A close-up of Southern Amsterdam’s Betondorp. (City of Amsterdam)

Zoom in on the southern section of the map, for example, and you will notice the highly protected cluster of buildings at Betondorp—“Concrete Village” in English—a modernist quarter designed by architect Dick Greiner in the 1920s. Even people who normally dislike gray concrete can appreciate the detailing of roofs, windows, and doorways on show here.

(Marcelmulder68/Wikimedia)

Switching between the archive and Google Street View, you could lose hours comparing historic photos, contemporary views and architectural ratings, if your mind is nerdish enough to want to. That alone is testament to the city archivists’ effort: Amsterdam is clearly working hard to make sure that people engage with it and its history as deeply as possible.


City of Portland may subpoena Uber for details on Greyball program


Remember where you parked with Google Maps


Some say it’s about the journey, not the destination—but we think it’s about a little of both. Now, Google Maps for Android and iOS will not only help you get where you’re going, but it’ll help you remember where you parked once you’ve arrived. Here’s how it works:

For Android users, tap the blue dot and then tap “Save your parking” to add your parking location to the map. You’ll see a label on the map itself identifying where you parked your car. Tap on that label to open up your parking card, where you can add additional details about your parking spot. You can add a note like “level 3, spot 35,” add the amount of time left before the meter expires (and even get a reminder alert 15 minutes before it does), save an image of your parking spot, and send your parking location to friends.


On iOS, the new experience is pretty similar. Tap on the blue dot and then tap on “Set as parking location” to add your parking spot to the map itself. Tap on the parking label on the map to open up your parking card and do things like share it with friends and view pictures of your parking area. This is in addition to the automatic parking detection you might have already noticed in Google Maps for iOS. If you connect to your car using USB audio or bluetooth, your parking spot will be automatically added to the map when you disconnect and exit the vehicle.


With Google Maps, you get guidance far beyond arrival at your destination, with the ability to save your parking location, explore places you’ve saved to lists, easily find friends and family, and more.

fxer (23 hours ago): Dude where's my ca-oh it's in the next aisle *credits roll*

DMack (1 day ago): nice

Auto site Carvana tumbles 26% in stock market debut
