Minifying container images with DockerSlim



Earlier I promised that DockerSlim can also help your Docker container security posture. If you want, you can go a step further and add a security profile to your build. With this in mind, I'll take a brief look at seccomp (secure computing) profiles [6].

seccomp provides clever functionality from within the Linux kernel and allows a number of settings to be passed into your container to restrict its access to the host machine on which it's running. As stated on the Linux man page [7], seccomp rules are enforced in a way that limits a process to a very small number of operations (e.g., read, write, sigreturn, and exit). The use of fine-grained rules, then, makes it impossible for a rogue process to reach into a host machine's innards in any way other than those explicitly permitted.

Knowing the power of Linux, you probably won't be surprised to learn that the Android operating system, Google Chrome, Firefox, and even OpenSSH all use seccomp to enforce important security rules. More accurately, some of the seccomp adopters mentioned use seccomp-bpf, which is a clever way of extending seccomp with the popular Berkeley Packet Filter rules to offer more flexibility and help mitigate any performance concerns. Table 1 lists examples of what seccomp limits and, conversely, permits.

Table 1

Some Kernel Syscalls for seccomp

| Syscall | Function |
|---|---|
| mount | Mounts disk volumes |
| clock_adjtime | Gives permission to change the host machine's time and date |
| init_module | Affects importable kernel modules |
| keyctl | Controls access to the kernel keyring, which contains encryption keys and other sensitive items, such as security tokens |
| kexec_load | Readies a new kernel to be run at a later time (potentially with malicious code) |
| quotactl | Prevents containers from altering their own resource quotas (disk space limits, in this case) |
| reboot | Allows containers to reboot the host machine (usually not a very clever thing to allow) |

For a full list of the more than 300 system calls that Docker's default seccomp profile allows, check out the Moby project's GitHub repository [8]. The default Docker seccomp profile denies access to around 44 system calls [9], which are "effectively blocked because they are not on the whitelist."

Now it's time to see how DockerSlim can help make use of seccomp effectively. The docs offer this syntax to follow as a simple example:

$ docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/<your-name-your-app>-seccomp.json <your other run params> <your-name>/<your-app>

To translate that to the Nginx example from earlier, first make sure that seccomp support was set up when you initially installed Docker by running:

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

If you see CONFIG_SECCOMP=y, then all is well; otherwise, some searching online might be needed relative to your software version or system.

After you've run the build command shown earlier to minify the nginx image, you should be able to find your auto-generated seccomp profile with:

$ find /var/lib/docker -name '*.json'

If your system uses strange filesystem paths, you should change the path shown. The two results that I'm interested in are:

  • /var/lib/docker/volumes/docker-slim-state/_data/images/2343aa145/nginx-seccomp.json
  • /var/lib/docker/volumes/docker-slim-state/_data/images/2343aa145/creport.json

The creport.json file is the report I generated with the docker-slim profile --report nginx.slim command used earlier to generate some interesting information related to the process through which DockerSlim runs. Incidentally, if you spot a file ending with the extension .fat, that's the reverse-engineered Dockerfile that the clever DockerSlim has created while going about its business. In my case, the file is named: /var/lib/docker/volumes/docker-slim-state/_data/images/2343aa145/Dockerfile.fat

Now that the generated seccomp profile has been found, Listing 5 shows what the top of the file looks like, so you can differentiate it from other files you've seen. In my case, the JSON file was called nginx-seccomp.json. Isn't having a profile generated for you so you can refine it handy?

Listing 5

Top of a seccomp Profile

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64"
  ],
  "syscalls": [
    {
      "names": [
        "lstat",
        "exit_group",
        "arch_prctl",
        "chdir",
        "unlink",
        "geteuid",
        "setitimer",
        "write",
        "sendmsg",
        "mprotect",
        "capget",
        "getuid",
        "wait4",
        "pread64",
        "capset",
[snip...]

Unfortunately, I can't go too deep into seccomp in this article, but it would be sensible to look online to learn a few security tips about how many syscalls should be used by your containers.

Once you've tweaked a profile, the Docker documentation offers this command format for running a container with a specific seccomp profile:

$ docker run --rm -it --security-opt seccomp=/<path>/profile.json nginx.slim

You can use the generated security profile with both your slimmed image and the original. It might help you spot when a version upgrade changes a container's system access requirements. The esteemed Jessie Frazelle has a nice piece about seccomp that is well worth a read [10].
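
Refining a generated profile and checking it again after a version upgrade can be scripted. The following is an added example, not code from the article or from the DockerSlim project: it flags the Table 1 syscalls that a profile allows and reports which syscalls were added or removed between two profiles. The function names and the two sample profiles are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Syscalls from Table 1; a web server such as Nginx should rarely need them.
SENSITIVE = {"mount", "clock_adjtime", "init_module", "keyctl",
             "kexec_load", "quotactl", "reboot"}
DENY = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}

def allowed_syscalls(profile):
    """Return the set of syscall names that any rule in the profile allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Rules filtered by "args" are counted too, so the audit over-reports.
        allowed.update(rule.get("names", []))
        if "name" in rule:  # older profile format: one syscall per rule
            allowed.add(rule["name"])
    return allowed

def audit(profile):
    """Return findings for one profile; an empty list means nothing flagged."""
    findings = []
    if profile.get("defaultAction") not in DENY:
        findings.append("defaultAction does not block unlisted syscalls")
    findings += [f"allows sensitive syscall: {name}"
                 for name in sorted(allowed_syscalls(profile) & SENSITIVE)]
    return findings

def diff_profiles(old, new):
    """Return (added, removed) syscall names going from old to new."""
    before, after = allowed_syscalls(old), allowed_syscalls(new)
    return sorted(after - before), sorted(before - after)

# Constructed sample profiles standing in for two generated files.
OLD = {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
       "syscalls": [{"names": ["lstat", "write", "capset", "unlink"],
                     "action": "SCMP_ACT_ALLOW"}]}
NEW = {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
       "syscalls": [{"names": ["lstat", "write", "capset", "keyctl"],
                     "action": "SCMP_ACT_ALLOW"},
                    {"name": "mount", "action": "SCMP_ACT_ALLOW"}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # optional: paths to an old and a new profile
        OLD, NEW = (json.loads(Path(p).read_text()) for p in sys.argv[1:3])
    print("findings:", audit(NEW))
    print("added/removed:", diff_profiles(OLD, NEW))
```

Run it with two profile paths as arguments to compare the files generated before and after an image upgrade; without arguments it uses the constructed samples.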

Trouble Ahead

If you get stuck, fret not. seccomp has been available since Docker version 1.10 [11], and the comprehensive docs [12] offer some useful troubleshooting tips, including tips about Nginx images that might be useful at some point.

The End Is Nigh

Doubtless this tool is exceptionally valuable to a containerized estate, but further investigation clearly is required into how stable DockerSlim might be for production services. However, the docs suggest the DockerSlim author is happy to give it the thumbs up for production use, so I trust you'll soon be trying this highly accessible open source tool.

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also shows you how to make your servers invisible, perform penetration testing, and mitigate unwelcome attacks. You can find out more about DevOps, DevSecOps, Containers, and Linux security on his website:
