Container Security

Overview

Introduction

The following Docker features and practices are used to secure containers and images on EdgeScale:

  • Kernel namespaces
  • Control groups
  • Docker daemon attack surface
  • Linux kernel capabilities
  • Use trusted docker private registry
  • Use trusted images (signature and verification)
  • Vulnerability Static Analysis for Containers

Illustrated

Container security on EdgeScale illustrated.

_images/container_integrated_edgescale.png

Steps to use it:

  • 1. Set up a secure private registry.
  • 2. Use a trusted registry and image on EdgeScale.

Set Up a Secure Private Registry

Install the Trusted Private Docker Registry - Harbor

Install Docker CLI and Docker compose

What’s Harbor

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing.

Prerequisites for the target host

Harbor is deployed as several Docker containers, and therefore can be deployed on any Linux distribution that supports Docker. The target host requires Python, Docker, and Docker Compose to be installed.

  • Hardware

    Resource   Capacity         Description
    CPU        minimal 2 CPU    4 CPU is preferred
    Mem        minimal 4 GB     8 GB is preferred
    Disk       minimal 40 GB    160 GB is preferred

  • Software

    Software          Version            Description
    Python            2.7 or higher      Distributions such as Gentoo and Arch do not ship a Python interpreter by default; install it first
    Docker engine     1.10 or higher     Installation instructions: https://docs.docker.com/engine/installation/
    Docker Compose    1.6.0 or higher    Installation instructions: https://docs.docker.com/compose/install/
    OpenSSL           latest preferred   Used to generate the certificate and keys for Harbor

  • Network ports

    Port   Protocol   Description
    443    HTTPS      Harbor UI and API accept HTTPS requests on this port
    443    HTTPS      Connections to the Docker Content Trust (Notary) service for Harbor; only needed when Notary is enabled. It is reached through the separate trust.A.B host name (see Remarks), which is how it shares port 443 with the UI
    80     HTTP       Harbor UI and API accept plain HTTP requests on this port; once HTTPS is configured, expose only 443 to EdgeScale and the target hosts

Downloading installer package

Harbor can be set up from either of two installer packages. The offline installer is recommended: it bundles the Harbor images, so the target host needs no access to Docker Hub during installation.

    Package   Platform   Image URL
    offline   Linux      harbor-offline-installer.tgz
    online    Linux      harbor-online-installer.tgz

Installation steps

Download installer package and decompress.

$ tar xvf harbor-offline-installer.tgz
$ cd harbor-offline-installer
$ mkdir -p /root/cert                  # the certificate and key referenced from harbor.cfg are kept here

Get a certificate.

  • Request a certificate from a trusted certificate provider.
  • The certificate bundle usually contains a .crt file and a .key file, e.g. registry.edgescale.org.crt and registry.edgescale.org.key.
  • For the naming requirements the certificate must satisfy, see the chapter Use a trusted registry and image on EdgeScale -> Remarks.

Install by https.

  • Edit harbor.cfg: set hostname to your registry's domain name, ui_url_protocol to https, and ssl_cert and ssl_cert_key to the paths of the certificate and key copied below. Also replace the default harbor_admin_password before installing.
  • For example:
$ cp cert/registry-1.edgescale.org.key /root/cert/
$ cp cert/registry-1.edgescale.org.crt /root/cert/
$ ./install.sh --with-notary --with-clair

Login and push

$ cp registry-1.edgescale.org-CA.crt /usr/local/share/ca-certificates/   # Debian/Ubuntu system store; alternatively place it at /etc/docker/certs.d/registry-1.edgescale.org/ca.crt, which Docker picks up without a daemon restart
$ update-ca-certificates
$ service docker restart                                                 # the daemon reads the system trust store only at start-up
$ docker login -u admin registry-1.edgescale.org                         # enter the password at the prompt; passing -p leaves it in the shell history. The installer default is Harbor12345, change it in harbor.cfg (harbor_admin_password) or in the UI before exposing the registry
$ docker pull hello-world
$ docker tag hello-world registry-1.edgescale.org/library/hello-world
$ docker push registry-1.edgescale.org/library/hello-world
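The steps above edit harbor.cfg by hand and then log in with Harbor's documented default password. The script below is an added example, not from the EdgeScale documentation or the Harbor project. It makes the same edits programmatically and adds the check a reviewer would want: it sets hostname, ui_url_protocol, ssl_cert, ssl_cert_key and harbor_admin_password (all keys of the Harbor 1.x harbor.cfg) and refuses to report the file ready while the UI is still plain HTTP, the TLS paths are empty, or the admin password is still Harbor12345. The harbor.cfg it operates on is a constructed sample carrying the Harbor 1.x defaults; the host name and /root/cert paths follow the page. Point it at the real file inside the decompressed installer before running ./install.sh.

```shell
#!/bin/sh
# Added example (not EdgeScale or Harbor code): prepare harbor.cfg for an HTTPS install
# and refuse to call it ready while it still carries the weak defaults.

# Read "key = value" from harbor.cfg (Harbor 1.x INI-style file). Prints the value or nothing.
cfg_get() {   # $1 = cfg file, $2 = key
    sed -n "s/^$2 *= *//p" "$1" | head -n 1
}

# Set "key = value": replace an existing line, or append when the key is missing.
cfg_set() {   # $1 = cfg file, $2 = key, $3 = value
    val=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')        # escape sed replacement metacharacters
    if grep -q "^$2 *=" "$1"; then
        sed "s|^$2 *=.*|$2 = $val|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

harden_harbor_cfg() {   # $1 = cfg, $2 = hostname, $3 = cert path, $4 = key path, $5 = admin password
    cfg_set "$1" hostname "$2"
    cfg_set "$1" ui_url_protocol https
    cfg_set "$1" ssl_cert "$3"
    cfg_set "$1" ssl_cert_key "$4"
    cfg_set "$1" harbor_admin_password "$5"
}

# Non-zero if the config would still install a plaintext UI, no TLS material, or the default password.
audit_harbor_cfg() {   # $1 = cfg
    ok=0
    [ "$(cfg_get "$1" ui_url_protocol)" = https ] || { echo "ui_url_protocol is not https"; ok=1; }
    [ -n "$(cfg_get "$1" ssl_cert)" ] && [ -n "$(cfg_get "$1" ssl_cert_key)" ] || { echo "ssl_cert/ssl_cert_key unset"; ok=1; }
    [ "$(cfg_get "$1" harbor_admin_password)" != Harbor12345 ] || { echo "harbor_admin_password is still the default"; ok=1; }
    return $ok
}

# The certificate must belong to the key, or nginx in the Harbor stack will not start.
cert_matches_key() {   # $1 = PEM cert, $2 = PEM key
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# --- demo on a constructed harbor.cfg carrying the Harbor 1.x defaults (not a file from the page) ---
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
hostname = reg.mydomain.com
ui_url_protocol = http
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
harbor_admin_password = Harbor12345
EOF
audit_harbor_cfg "$CFG" || echo "weak defaults found, hardening"
# Random 16-character alphanumeric admin password; confirm it meets Harbor's complexity rule (upper, lower, digit).
ADMIN_PASS=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 16)
CRT=/root/cert/registry-1.edgescale.org.crt
KEY=/root/cert/registry-1.edgescale.org.key
harden_harbor_cfg "$CFG" registry-1.edgescale.org "$CRT" "$KEY" "$ADMIN_PASS"
if [ -f "$CRT" ] && [ -f "$KEY" ]; then
    cert_matches_key "$CRT" "$KEY" || echo "certificate and key do not match"
fi
audit_harbor_cfg "$CFG" && echo "harbor.cfg ready: run ./install.sh --with-notary --with-clair and log in with the new password"
rm -f "$CFG"
```

Keep ADMIN_PASS in a secrets store rather than in shell history, and run the audit function again on the installed host's harbor.cfg whenever the installer is re-run, since ./install.sh regenerates the compose files from it.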

Use a trusted registry and image on EdgeScale

Enable Trusted Container for EdgeScale

Add OEM information to EdgeScale

Click Admin -> Endpoint Config

  • Fill in the Root CA and Private Key fields from your certificate bundle.
  • Root CA: the trust anchor used to verify the external connection.
  • Private Key: the private key of the secondary (intermediate) certificate, used to issue lower-level certificates; treat it as a signing secret.
  • Trust Chain: used to verify the secondary and lower-level certificates.
_images/ca_config.png

After filling in the fields, save them to upload the new certificate package.

  • Fill example:
_images/ca_save.png

Add private registry service

Click Create button to add your private registry.

  • Service Name: the type of service to add (one of the currently supported types).
  • URL: the service URL.
  • Port: the service port.
  • Token: the Docker login token. Optional; currently only the docker repo service type uses it. Docker stores this as the base64 "auth" value in ~/.docker/config.json after docker login; it encodes username:password rather than a scoped token, so log in with a dedicated pull-only Harbor account instead of admin before copying it.
_images/service_config.png
  • Fill example:
_images/service_docker_repo.png
  • Get the token content. See below example for reference.
_images/get_docker_token.png

Add trust container service

Click Create button to add your trusted server address.

  • Fill example.
_images/service_docker_trust.png

List all services

If you want to see all services available, you can find them by:

_images/service_list.png

Add Docker registry

Click Admin -> Docker Registry -> Create, then fill in the Docker registry server.

_images/docker_registry_add.png
  • Fill example.
_images/docker_registry_add_example.png

Pushing Trusted Container Image on Target Host

Download Private Registry Certificate

$ cp registry-1.edgescale.org-CA.crt /usr/local/share/ca-certificates/   # or /etc/docker/certs.d/registry-1.edgescale.org/ca.crt, which needs no daemon restart
$ update-ca-certificates
$ service docker restart
$ docker login -u admin registry-1.edgescale.org                         # enter the password at the prompt rather than passing -p

Enable content trust on your target host

$ export DOCKER_CONTENT_TRUST=1                                       # push signs the tag; pull, run and create refuse tags without valid trust data
$ export DOCKER_CONTENT_TRUST_SERVER="https://trust.edgescale.org"    # Notary server (trust.A.B, see Remarks); when unset the CLI looks for Notary on the registry host itself

Push a signed image to Private Registry

$ docker tag debian registry-1.edgescale.org/library/debian
$ docker push registry-1.edgescale.org/library/debian:latest
The push refers to repository [registry-1.edgescale.org/library/debian]
dd60b611baaa: Pushed
latest: digest: sha256:6d8fda39c2eb8fdc7b18c27f53fb6c01ac7721e7d55e7d6ae4cf6b1f3f0109fb size: 529
Signing and pushing trust metadata
Enter passphrase for root key with ID 83320be:
Enter passphrase for new repository key with ID 7411b4b:
Repeat passphrase for new repository key with ID 7411b4b:
Finished initializing "registry-1.edgescale.org/library/debian"
Successfully signed registry-1.edgescale.org/library/debian:latest

The first push to a repository creates that repository's signing key; the root key is shared by all repositories you sign. Both live under ~/.docker/trust/private on the pushing host, so back them up and keep the root key passphrase offline: losing the root key means re-initialising trust for every repository.
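Enabling content trust makes the push above sign the tag, but on the consuming side it is worth confirming what that buys you: the signed tag maps to exactly one image digest, and anything pulled under that tag must carry the same digest. The script below is an added example, not EdgeScale or Docker code. signed_digest_for_tag extracts the digest that docker trust inspect reports for a tag, digest_matches compares it with the RepoDigest of a pulled image, and verify_trusted_pull runs the live check when docker is available. The trust-inspect JSON embedded here is a constructed, trimmed sample that signs only latest; the repository name and digest are the ones printed by the push above, and CHECK_IMAGE is an assumed environment variable for the live check.

```shell
#!/bin/sh
# Added example, not EdgeScale or Docker code: check that an image pulled under a tag carries
# the digest that the Notary trust data signs for that tag.

# Constructed, trimmed sample of `docker trust inspect registry-1.edgescale.org/library/debian:latest`
# output. Only "latest" is signed; the digest is the one printed by the push above.
SAMPLE_TRUST_JSON='[
    {
        "Name": "registry-1.edgescale.org/library/debian:latest",
        "SignedTags": [
            {
                "SignedTag": "latest",
                "Digest": "6d8fda39c2eb8fdc7b18c27f53fb6c01ac7721e7d55e7d6ae4cf6b1f3f0109fb",
                "Signers": [
                    "Repo Admin"
                ]
            }
        ],
        "Signers": []
    }
]'

# Print the hex digest signed for TAG, or nothing when the tag has no trust data.
signed_digest_for_tag() {   # $1 = trust-inspect JSON, $2 = tag
    printf '%s\n' "$1" | awk -v want="\"$2\"" '
        /"SignedTag":/ { in_tag = (index($0, want) > 0) }
        in_tag && /"Digest":/ { gsub(/[",]/, "", $2); print $2; exit }'
}

# Drop an optional "sha256:" prefix so trust data and `docker image inspect` output compare equal.
strip_algo() { printf '%s' "${1#sha256:}"; }

# True only when a signed digest exists and equals the pulled one.
digest_matches() {   # $1 = signed digest, $2 = pulled digest
    [ -n "$1" ] && [ "$(strip_algo "$1")" = "$(strip_algo "$2")" ]
}

# Live check (needs docker and network access): pull with content trust on, then compare the
# RepoDigest of what arrived against the digest Notary signed for the tag.
verify_trusted_pull() {   # $1 = image reference including a tag, e.g. registry-1.edgescale.org/library/debian:latest
    ref=$1; tag=${ref##*:}
    DOCKER_CONTENT_TRUST=1 docker pull "$ref" >/dev/null || return 1
    trust_json=$(docker trust inspect "$ref") || return 1
    pulled=$(docker image inspect --format '{{index .RepoDigests 0}}' "$ref") || return 1
    digest_matches "$(signed_digest_for_tag "$trust_json" "$tag")" "${pulled##*@}"
}

# --- demo on the constructed sample ---
signed=$(signed_digest_for_tag "$SAMPLE_TRUST_JSON" latest)
echo "trust data signs latest as $signed"
if digest_matches "$signed" "sha256:6d8fda39c2eb8fdc7b18c27f53fb6c01ac7721e7d55e7d6ae4cf6b1f3f0109fb"; then
    echo "pulled digest matches the signed tag"
fi
# A tag pushed without DOCKER_CONTENT_TRUST has no entry, so it can never match.
if ! digest_matches "$(signed_digest_for_tag "$SAMPLE_TRUST_JSON" 1.0)" "sha256:6d8fda39c2eb8fdc7b18c27f53fb6c01ac7721e7d55e7d6ae4cf6b1f3f0109fb"; then
    echo "tag 1.0 is unsigned: docker pull would refuse it with content trust enabled"
fi
if command -v docker >/dev/null 2>&1 && [ -n "${CHECK_IMAGE:-}" ]; then
    verify_trusted_pull "$CHECK_IMAGE" && echo "$CHECK_IMAGE verified against its trust data"
fi
```

The comparison is what protects against a tag being repointed on the registry behind Notary's back: the registry can serve any manifest for latest, but only the digest in the signed targets metadata is accepted, and the Docker CLI already refuses the pull when they differ, so a mismatch from verify_trusted_pull indicates tampering between pull and inspect rather than a registry problem.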

Create Trusted App on EdgeScale

Next, you need to create a trusted App on EdgeScale.

Click Edge Software Store -> APP Store -> My App -> +

  • Fill in the App name and description and upload the App logo.
_images/create_app_step_1.png
  • Choose the registry server you added and fill in the other basic info.
_images/create_app_step_2.png
  • Click submit, then click My App to see the App created.
_images/create_app_step_3.png

For more details, please see the chapter Application Management.

Deploy Trusted APP from EdgeScale

Regarding the deployment of Apps, please see the chapter Application Management -> Deploy App.

Remarks

  • Name the private registry and the trust service by the following convention:
    • Private Registry domain name - registry.A.B
    • Trust Server domain name - trust.A.B
  • The certificate must then satisfy this condition:
    • It is issued by a CA provider for the wildcard name *.A.B, which covers both registry.A.B and trust.A.B. A wildcard matches exactly one label, so such a certificate does not cover A.B itself or any deeper name such as registry.x.A.B.
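The naming convention and the *.A.B certificate only work together because both host names differ from the wildcard base by exactly one label. The functions below are an added example, not part of EdgeScale or Harbor, implementing the single-label wildcard rule that TLS clients such as the Docker CLI apply, so a certificate can be checked against registry.A.B and trust.A.B before Harbor and EdgeScale are configured with it. cert_dns_names reads the DNS SANs from a PEM file with openssl; the names checked in the demo are constructed examples on the page's edgescale.org domain, and CERT_FILE is an assumed environment variable naming the real certificate.

```shell
#!/bin/sh
# Added example (not EdgeScale or Harbor code): does a certificate's SAN list cover the
# registry.A.B and trust.A.B host names? Implements the one-label wildcard rule of RFC 6125.

# True when SAN entry $1 (exact name or "*.a.b") covers host $2. Case-insensitive.
san_matches_host() {   # $1 = SAN entry, $2 = host name
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        \*.*)
            suffix=${pat#\*}                 # "*.a.b" -> ".a.b"
            label=${host%"$suffix"}          # host with that suffix removed, if it was present
            # something must have been removed, and what remains must be exactly one label (no dots)
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]
            ;;
        *)
            [ "$pat" = "$host" ]
            ;;
    esac
}

# True when any of the SAN entries given as arguments covers the host.
san_list_covers_host() {   # $1 = host name, remaining args = SAN entries
    host=$1; shift
    for pat in "$@"; do
        if san_matches_host "$pat" "$host"; then return 0; fi
    done
    return 1
}

# Print the DNS names from the certificate's Subject Alternative Name extension, one per line.
cert_dns_names() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Report which of the given host names the certificate covers; non-zero if any is missing.
cert_covers_hosts() {   # $1 = PEM certificate, remaining args = host names that must be covered
    cert=$1; shift
    names=$(cert_dns_names "$cert")
    rc=0
    for h in "$@"; do
        set -f    # keep the shell from expanding "*.a.b" as a filename glob
        if san_list_covers_host "$h" $names; then echo "covered   $h"; else echo "MISSING   $h"; rc=1; fi
        set +f
    done
    return $rc
}

# --- demo with constructed names on the page's domain ---
for h in registry.edgescale.org trust.edgescale.org edgescale.org registry.cn.edgescale.org; do
    if san_list_covers_host "$h" '*.edgescale.org'; then echo "covered   $h"; else echo "uncovered $h"; fi
done
# With CERT_FILE pointing at the real PEM certificate, check the two names EdgeScale will connect to.
if [ -n "${CERT_FILE:-}" ]; then
    cert_covers_hosts "$CERT_FILE" registry.edgescale.org trust.edgescale.org
fi
```

Run it with CERT_FILE=/root/cert/registry-1.edgescale.org.crt on the Harbor host; a MISSING line for trust.A.B means content-trust pushes and pulls will fail TLS verification even though the registry itself works.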