TNS
VOXPOP
What news from AWS re:Invent last week will have the most impact on you?
Amazon Q, an AI chatbot for explaining how AWS works.
0%
Super-fast S3 Express storage.
0%
New Graviton 4 processor instances.
0%
Emily Freeman leaving AWS.
0%
I don't use AWS, so none of this will affect me.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Entrepreneurship for Engineers: Level up Your Sales Game
Dec 8th 2023 5:00am, by Emily Omier
Cloud-Based Automated Testing Increases Speed in a Flash
Dec 7th 2023 7:11am, by Jonny Steiner
Real Talk: Why Is Datadog So Expensive?
Dec 7th 2023 6:00am, by Rachel Dines
Top 5 Trends in Cloud Native Software Testing in 2023
Dec 6th 2023 10:45am, by Bruno Lopes
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by David Benas
Why Securing Containers Is Like Going to the Dentist
Nov 17th 2023 7:09am, by Neta Krakover
Dell GA's APEX Cloud Platform for Red Hat OpenShift
Nov 2nd 2023 11:00am, by Chris J. Preimesberger
Lynis: Run a Security Audit on Linux for Free
Oct 28th 2023 6:00am, by Jack Wallen
Why Capistrano Got Usurped by Docker and Then Kubernetes
Oct 25th 2023 1:53pm, by David Eastman
Arm Pushes AI into the Smallest IoT Devices with Cortex-M52 Chip
Nov 27th 2023 1:06pm, by Jeffrey Burt
TikTok to Open Source 'Cloud-Neutralizing' Edge Accelerator
Nov 20th 2023 8:30am, by Joab Jackson
Docker at the Edge: How Machine Learning Transformed Fowl Task
Nov 9th 2023 10:28am, by Loraine Lawson
The 2023 State of Kubernetes in Production
Nov 7th 2023 8:10am, by Jennifer Riggins
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by Arjun Iyer
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by Robert Kimani
AppMap Releases Runtime Code Review as a GitHub Action
Nov 21st 2023 3:00am, by Susan Hall
Why Microservices Aren’t Working for You
Nov 20th 2023 6:34am, by Ned Harris
The Struggle for Microservice Integration Testing
Nov 10th 2023 6:30am, by Nočnica Mellifera
Why Is IPv6 Adoption Slow?
Nov 13th 2023 9:20am, by Tucker Preston
Effective Traffic Management with Kubernetes Gateway API Policies
Nov 7th 2023 3:00am, by Robert Kimani
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF
Oct 13th 2023 4:00am, by B. Cameron Gain
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by Tun Shwe
Netlify Launches Composable Web Platform for Enterprise Devs
Oct 19th 2023 9:00am, by Richard MacManus
4 Factors of a WebAssembly Native World
Oct 12th 2023 9:00am, by Liam Crilly
Raising the Serverless Bar: Infrastructure APIs Unleash More Value for Enterprises
Oct 10th 2023 10:00am, by Tyson Trautmann
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by Eliran Sinvani
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by Cynthia Dunlop
How to Get Data Warehouse Performance on the Data Lakehouse
Nov 20th 2023 9:00am, by Sida Shen
MongoDB vs. ScyllaDB: A Comparison of Database Architectures
Nov 13th 2023 1:06pm, by Daniel Seybold
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
AWS Goes Deep on AI, Chip Power... and Cost Savings
Dec 7th 2023 9:20am, by
JetBrains Launches New AI Assistant Powered by Multiple LLMs
Dec 7th 2023 7:27am, by
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
JetBrains Launches New AI Assistant Powered by Multiple LLMs
Dec 7th 2023 7:27am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
The Pros and Cons of Using React Today
Dec 4th 2023 8:48am, by
Dev News: Astro 4.0 Beta, Rust / Kotlin AWS SDKs, Deno Cron
Dec 2nd 2023 7:00am, by
Tackling AI's Black Box: Howso Challenges PyTorch and JAX
Nov 30th 2023 3:00am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Think Like a Developer to Help Dev Teams Ship Faster
Dec 6th 2023 5:57am, by
How to Get Advantages of TypeScript in JavaScript
Oct 27th 2023 10:51am, by
Dev News: Udemy's New Docker Program, Plus TypeScript Beta
Oct 7th 2023 5:01am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by
Why WebAssembly Is a Good Fit for Extensible Control Planes
Nov 29th 2023 1:36pm, by
Dev News: Vite Rust-ifies, Roc Language, JS Framework SDKs
Nov 24th 2023 7:30am, by
WebAssembly's Status in Computing
Nov 14th 2023 11:14am, by
Who's Leading WebAssembly Adoption? So Far, Vendors
Nov 6th 2023 6:00am, by
AWS Goes Deep on AI, Chip Power... and Cost Savings
Dec 7th 2023 9:20am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by
4 Guidelines to Tame Your Hybrid Cloud Migration
Nov 30th 2023 8:00am, by
Amazon Q, a GenAI to Understand AWS (and Your Business Docs)
Nov 29th 2023 8:47am, by
Piiano Flows Scans for Sensitive Data Leaks in Git Code
Dec 7th 2023 10:30am, by
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by
What Is Operational Resilience?
Dec 5th 2023 9:57am, by
How DoorDash Migrated from Aurora Postgres to CockroachDB
Dec 5th 2023 3:00am, by
Baserow: A No Code, Open Source Alternative to Airtable
Dec 2nd 2023 6:00am, by
Piiano Flows Scans for Sensitive Data Leaks in Git Code
Dec 7th 2023 10:30am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Stytch Takes the Hassle out of Passkey Authentication
Dec 5th 2023 5:00am, by
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by
Mitigate OWASP Security Top Threats with an API Gateway
Nov 29th 2023 10:40am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Cloud Migration and Platform Engineering at Large Organizations
Dec 4th 2023 3:00am, by Jennifer Riggins
Measuring the Impact of Your Platform Engineering Strategy
Nov 30th 2023 9:30am, by David Williams
How to Mature Your DevOps Automation Practices
Nov 30th 2023 6:32am, by Saif Gunja
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by Eliran Sinvani
What Is Operational Resilience?
Dec 5th 2023 9:57am, by Robert Kimani
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by Lawrence E Hecht
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
How Meta Patches Linux at Hyperscale
Dec 1st 2023 3:00am, by Steven J. Vaughan-Nichols
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
How to Use Databases Inside GitHub Actions
Nov 9th 2023 9:40am, by Gerald Venzl
Securing CI/CD Pipelines: A Comprehensive Approach Is Vital
Oct 25th 2023 6:06am, by Noah Simon
Continuous Release: Move Faster without Breaking Things
Oct 19th 2023 10:55am, by Karishma Irani
No Workflow Is an Island
Oct 13th 2023 7:09am, by Mark Fussell
Entrepreneurship for Engineers: Level up Your Sales Game
Dec 8th 2023 5:00am, by Emily Omier
Hundreds of Employees Face Layoffs in Wake of Broadcom-VMware Merger
Dec 5th 2023 10:58am, by Chris J. Preimesberger
As a Manager, You’re the Referee, Not the Coach
Dec 5th 2023 7:43am, by Kevin Clark
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
2023's Gift Ideas for the Programmer in Your Life
Dec 3rd 2023 6:00am, by David Cassel
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by Tony Graham
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Breaking Down the Wall in DevOps
Dec 1st 2023 5:30am, by Laura Santamaria
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Thinking in Systems: A Sociotechnical Approach to DevOps
Nov 30th 2023 8:22am, by Tao Hansen
How AWS Supports Open Source Work in the Kubernetes Universe
Dec 7th 2023 2:26pm, by Heather Joslyn
Reimagining Multicluster Kubernetes with k0s/k0smotron
Dec 6th 2023 10:00am, by Jussi Nummelin
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by Itay Shakury
HPC Kubernetes: AI Training on 3,500 GPUs
Dec 4th 2023 10:20am, by Joab Jackson
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Real Talk: Why Is Datadog So Expensive?
Dec 7th 2023 6:00am, by Rachel Dines
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Hey Programming Language Developer — Get over Yourself
Nov 30th 2023 12:30pm, by Alex Williams
OpenTelemetry for Go Is Almost a Go
Nov 29th 2023 7:22am, by B. Cameron Gain
Using JWTs to Authenticate Services Unravels API Gateways
Nov 8th 2023 6:53am, by Christian Posta and Peter Jausovec
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Linkerd Enterprise Creators: Keep the Sidecar Mesh
Oct 31st 2023 7:05am, by B. Cameron Gain
Scaling Environments with OpenTelemetry and Service Mesh
Oct 17th 2023 11:13am, by Anirudh Ramanathan
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
Containers / Security

How to Lock Down the Kernel to Secure the Container

Container security is obviously a multi-layered affair. Many of the layers that you need to secure and monitor exist outside containers themselves. One of them is the host operating system and the kernel that powers it. The end result is the whole stack is secured, including registries and orchestrators.In this article, I take a look at how to secure the container host, with a focus on kernel-level security.
Jun 14th, 2019 10:35am by
Featued image for: How to Lock Down the Kernel to Secure the Container

Twistlock sponsored this post.

Theo Despoudis
Theo is a senior software engineer, experienced mentor and guest blogger for Twistlock. He has a keen interest in open source architectures, cloud computing, best practices and functional programming. He occasionally blogs on several publishing platforms and enjoys creating projects from inspiration.

Container security is obviously a multilayered affair. Many of the layers that you need to secure and monitor exist outside containers themselves. One of them is the host operating system and the kernel that powers it. The end result is the whole stack is secured, including registries and orchestrators.

In this article, I take a look at how to secure the container host, with a focus on kernel-level security.

I should also point out that I will focus on Linux container hosts in particular. (Sorry, Windows container fans — if you run containers on Windows, host security is also important, but given that Windows is much less customizable than Linux, there is not as much you can do from the host perspective to harden a Windows container host system).

Your Kernel and Your Containers

Containers, of course, do not offer complete isolation between the host and the container application. Instead, containers “share” the kernel and other host resources with the host system, as well as each other. Unlike virtual machines, containers do not run their own kernel.

How containers work (Source: Medium).

From a security perspective, we can make a few important observations via this model:

  • Compromising the OS will allow all the containers to be compromised as well;
  • We can apply host-based controls and security policies individually on each container;
  • Container escapes that happen via bugs in application code can bypass the engine and access the host OS and the kernel that controls all the other applications.

Based on that, we should carefully devise a security strategy for the host OS environment and the kernel that sits between the containers to decrease the impact of privilege escalation attacks. This process involves lots of trial and error and time to consult the documentation.

Before we embark on modifying the kernel for hosting containers, it’s best if we work in a secure sandbox so that we can rollback our changes in case of a bad configuration. We don’t want to corrupt our own kernel or wipe data. One recommendation is to use VirtualBox and a minimal Linux distro, such as Alpine. Minimal distributions are useful because the less you have running, the smaller your potential attack surface (although, keep in mind that even small distributions have security issues from time to time, as happened recently with Alpine). Once you load it, make sure you create a snapshot so that you can revert back later.

Best Practices for Securing the Kernel

So let’s see how we can harden the kernel by following those simple rules:

  • Get the latest kernel: Have the kernel updated to the latest version as soon as you create the host. Although the kernel itself is a stable piece of software, there are many vulnerabilities related to containers that get found and fixed. Plus, some bugs are known to last long enough before resolution. By keeping the kernel updated, we keep those classes of risk on hold. Checking the current kernel version is as simple as executing:


As of May 2019, the latest stable kernel version is 5.0.13, so we can upgrade it by running:

  • Remove the root user and use only SSH authentication: These two rules should be part of every new server deployment. We don’t need to expose our hosts to super privileges of the root user for when a container escapes isolation. Additionally, passwords for SSH authentication are insecure by design. We can disable them in the ssh.config by setting the following line:


Make sure you configure SSH-based authentication first, however, so you are able to log in with your SSH keys.

  • Run container security tools like docker-bench-security: There are several trusted tools that perform automated scans on the machine and give you reports about best practices for securing containers in production. For example, with Docker, we have the docker-bench-security tool, and you can run it like so:


Pay careful attention to the Host Configuration section, as it can mention several improvements that can be applied to secure it for container usage.

  • Don’t run –privileged containers

There are lots of security profiles and controls such as AppArmor, Seccomp and others that we can enforce in running containers. But if we run them in -privileged mode, then we are giving them superpowers. These powers are harmful enough to affect the hosting OS. We could wipe the host disk space or install modules from inside the container, or do other unsafe things (but this is clearly very insecure and discouraged);

  • Load minimal kernel modules: Kernel modules are plugins that are dynamically loaded into the kernel without rebooting. They make the kernel extensible and offer various services. To list all the kernel modules, you need to run:


Not all modules are useful in a containerized environment as they expose services that may be exploitable. The containers that are deployed have the same list of modules from that kernel, but they cannot install new ones without privileged access. It’s important to keep only the necessary kernel modules, especially the ones that are responsible for enforcing security roles and permissions (such as AppArmor or Tomoyo).

  • Kernel-hardening patches: You can take advantage of specialized frameworks that harden the Linux kernel and offer extra-secure controls with some backwards compatibility tradeoffs, such as grsecurity and SELinux. There are a few caveats here, however. These frameworks work in different ways, and each one has its own “opinion” about how best to harden the kernel. A comparison of kernel-hardening frameworks is beyond the scope of this article, but do some research to decide which one will work best for you, and apply it;
  • Keep yourself updated: You need to keep an eye on new approaches and technologies that allow enforcement of strict isolation and control between the host and the container layer — for instance, the nabla-containers project or Google’s gVisor project where the kernel services run in a sandbox. There is more than one road to follow.

One Final Word

No amount of tweaking or customization at the host level will guarantee that your containers are safe from attack. Monitoring your environments for security issues is also critical. But host security is a good place to start. For more tips on this topic, check out Twistlock’s host protection guide.

Feature image via Pixabay.

TRENDING STORIES
Group Created with Sketch.
Theo Despoudis is a Senior Software Engineer, a consultant and an experienced mentor. He has a keen interest in Open Source software Architectures, Cloud Computing, best practices and functional programming. He occasionally blogs on several publishing platforms and enjoys creating...
Read more from Theo Despoudis
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Pragma, Docker.
TRENDING STORIES
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.