feat(adr): Docker container guidelines

[brian-intel]

ADR: Docker container guidelines
close #206

Signed-off-by: Brian McGinn [email protected]

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows our guidelines: https://wiki.edgexfoundry.org/display/FA/Contributor%27s+Guide
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?
New ADR for docker security guidelines

• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Documentation content changes
• Other... Please describe:

What is the current behavior?

Current docker container deployments lack updated security guidelines

Issue Number: 206

What has been updated?

Are there any specific instructions or things that should be known prior to reviewing?

Other information

[bnevis-i]

Add a references section. Include the following URLs:

• OWASP Docker Recommendations https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
• CIS Docker Benchmark https://workbench.cisecurity.org/files/2433/download/2786 (registration required)
• Docker-compose reference https://docs.docker.com/compose/compose-file

Also provide cross-references for each recommendation above.

[bnevis-i]

EdgeX has no control over the user's docker daemon. We are only allowed to exercise control via Dockerfile or docker-compose. In this case, we want

    security_opt:
      - "no-new-privileges:true"

[bnevis-i]

EdgeX does not launch containers via docker run CLI. Rewrite to focus on what is available in the docker-compose.

Please also provide guidance on what user ID's will be used in the docker-compose.

[bnevis-i]

Apply to docker-compose not docker run.

[bnevis-i]

Update technical explanation. Vault needs to run setcap in order to lock pages in memory, but will otherwise run fine if memory page locking is disabled. In many cases, mounting a writable docker volume in a strategic place will resolve the issue.

[jim-wang-intel]

Some minor changes needed

[jim-wang-intel]

LGTM

[lenny-goodell]

LGTM

[jamesrgregg]

LGTM - we should be able to validate the configuration within a running Jenkins Pipeline using Docker Security Bench. Just wondering if this was already looked at during the work completed here.

[jpwhitemn]

I think this document is good - but to clarify, this is just guidance (correct??). Is there any of this that we plan to incorporate into our Docker Compose files?

With regard to the no-new-privileges options, I think we should note that this may be more difficult when dealing with a device-service that may require privilege access in order to get connected to drivers/etc for sensors/devices.

[bnevis-i]

I think this document is good - but to clarify, this is just guidance (correct??). Is there any of this that we plan to incorporate into our Docker Compose files?

The intent is to use this ADR to justify a number of the items in the security backlog that will implement these recommendations. So yes, there are active, in-process plans to incorporate this guidance.

With regard to the no-new-privileges options, I think we should note that this may be more difficult when dealing with a device-service that may require privilege access in order to get connected to drivers/etc for sensors/devices.

No-new-privileges is used to block things like "sudo" in a container. If a container starts with privilege, then no-new-privileges won't prevent the container from retaining privilege. So if there was a device driver that needed root privilege to talk, it could still specify no-new-privilege and start as root.

[tonyespy]

Overall, the recommendations seem fine, but I did have a few comments/questions.

Two other global comments, it seems odd that this ADR falls under system-management, as it's more about deployment than management. Second, maybe I misunderstood, but I thought we sequentially number all ADRs, is it really the case that we number them in series per domain? This doesn't seem to be the case with Core, which only has a single ADR which is 0003:

https://github.com/edgexfoundry/edgex-docs/blob/master/docs_src/design/adr/core/0003-V2-API-Principles.md

[tonyespy]

Are there any guidelines as to what UID ranges should be used? On many distros system user UIDs (i.e. used by services) range from 100-999, and regular user UIDs 1000+.

[bnevis-i]

Docker user NS remapping, when enabled, usually uses a very high user range.

I am a proponent of giving each service its own UID (maybe == its port number) so that the secret store tokens can be individually ACLed.

[tonyespy]

Should this ADR give some recommendations as to what these resource limitations should be? I also imagine the limits might be different for some of our runtime dependencies (e.g. kong, redis, ...).

[lenny-goodell]

Don't think we can as they will be system and use case dependent.

[tonyespy]

If we're not going to provide any guidance (e.g. minimum memory requirement), then we should add some verbiage that this is an exercise left to the end-user base on system resources and use cases.

Also I'll note that the docker resource constraints link above is for the docker command itself, not docker-compose. Does compose support YAML specified resource constraints?

[bnevis-i]

Does compose support YAML specified resource constraints?

https://docs.docker.com/compose/compose-file/#resources

[tonyespy]

What about our persistence later (e.g. redis)?

[bnevis-i]

Agree with Tony. Should also mention plain 'old volumes for normal persistence needs.

[bnevis-i]

Interestingly, Kubernetes might be an issue here. It just doesn't support volumes in the normal way that Docker does.

[tonyespy]

We've also had instances of device services using the --privileged flag in order to access DBus and/or actual hardware devices. It'd be nice if this was called out explicitly as not allowed. In addition, we should provide some guidelines as to how to properly allow hardware access (e.g. writing custom AppArmor rules) from within a container.

[bnevis-i]

@tonyespy Jim White I believe commented on this earlier. I will repeat what I said before.

no-new-privileges doesn't prevent one from running privileged containers. What it prevents is tools like "sudo" from running in a container thus a going from user mode to root mode. It also prevents capabilities defined on extended file attributes from being effected. (For example, the capability to bind to a low-numbered port.).

Docker-compose v3 doesn't allow one to customize cgroups like the v2 did. For example, you can no longer pass in device_cgroup_rules. So if you are accessing a device that isn't in docker's built-in allow list, privileged mode is one way to allow device access to continue to function. (Curious myself if this is the only way, or maybe we should downrev the docker-compose to v2... hmmm.)

[tonyespy]

Thanks @bnevis-i. Two additional points...

• The device-bluetooth-c (still in holding) device service recommends running the service using docker run --privileged, and on systems where AppArmor is supported, includes an example of how to pass an AppArmor profile to docker run. Do you know if compose v2 also allowed AppArmor profiles to be specified?
• Frankly, if we're going to suggest that someone run a service with --privileged, I'm not sure why we're even bothering to run the service in a container in the first place.

[bnevis-i]

@brian-intel

Are you up to adding a recommendation to prefer

security_opt: [ "apparmor:unconfined" ]

or a custom apparmor profile vs running --privileged

This doesn't negate the guidance regarding no-new-privileges, but it does add additional (and worthy) guidance to not use --privileged at all.

[cloudxxx8]

LGTM
Thanks, this is helpful

[jamesrgregg]

Specific Docker Security Bench checks as referenced in this ADR are:
2 - Docker daemon configuration
2.8 Enable user namespace support (Scored)
Same as Rule #2 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user

2.17 Ensure containers are restricted from acquiring new privileges (Scored)
Same as Rule #4 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag

4 - Container Images and Build File
ADR does not specifically call out a need to run specific checks for root vs. non-root. The only call out is that this note.
NOTE: exception Sometimes containers will require root access to perform their fuctions. For example the System Management Agent requires root access to
control other Docker containers. In this case you would allow it run as default root user.

5 - Container Runtime
5.10 Ensure that the memory usage for containers is limited (Scored)
Same as Rule #7 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts

5.12 Ensure that the container's root filesystem is mounted as read only
(Scored)
Same as Rule #8 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only

[bnevis-i]

I think we should start with the following checks and known exceptions:

check_4_1,check_5_3,check_5_4,check_5_5,check_5_6,check_5_7,check_5_9,check_5_12,check_5_15,check_5_16,check_5_19,check_5_20,check_5_21,check_5_24,check_5_25,check_5_29,check_5_30,check_5_31

Exclusions:
* Capabilities added: CapAdd=[IPC_LOCK] to edgex-vault
* Container running with root FS mounted R/W: edgex-vault
* Docker socket shared: edgex-sys-mgmt-agent

2.8 Enable user namespace support (Scored)
Same as Rule #2 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user

We have to to exclude all of section 2 because EdgeX doesn't install or configure the users's docker daemon.

2.17 Ensure containers are restricted from acquiring new privileges (Scored)

We can't check this at daemon level, but we can code it in using security_opt (no checker for it).

4 - Container Images and Build File

Suggest we run check 4.1 (the only scored checker in the section) and add exceptions for the containers requiring root.
Right now this would be all of them, but we can remove the exceptions as we implement the non-root enhancements.

5.10 Ensure that the memory usage for containers is limited (Scored)
Same as Rule #7 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts

Suggest hold off adding the checker until we have syntax in the docker-compose to set limits.

5.12 Ensure that the container's root filesystem is mounted as read only
(Scored)
Same as Rule #8 - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only

Good check. One exception so far.

[bnevis-i]

@jamesrgregg

Current output of the above proposal.

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Wed Oct 21 21:46:55 UTC 2020

[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: edgex-kuiper
[WARN]      * Running as root: edgex-device-virtual
[WARN]      * Running as root: edgex-device-rest
[WARN]      * Running as root: edgex-app-service-configurable-rules
[WARN]      * Running as root: edgex-sys-mgmt-agent
[WARN]      * Running as root: edgex-core-command
[WARN]      * Running as root: edgex-core-data
[WARN]      * Running as root: edgex-core-metadata
[WARN]      * Running as root: edgex-support-scheduler
[WARN]      * Running as root: edgex-support-notifications
[WARN]      * Running as root: edgex-redis
[WARN]      * Running as root: edgex-vault-worker
[WARN]      * Running as root: edgex-vault
[WARN]      * Running as root: edgex-core-consul
[WARN]      * Running as root: kong-db
[WARN] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[WARN]      * Capabilities added: CapAdd=[IPC_LOCK] to edgex-vault
[PASS] 5.4  - Ensure privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure ssh is not run within containers
[PASS] 5.7  - Ensure privileged ports are not mapped within containers
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: edgex-kuiper
[WARN]      * Container running with root FS mounted R/W: edgex-device-virtual
[WARN]      * Container running with root FS mounted R/W: edgex-vault
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[PASS] 5.24  - Ensure cgroup usage is confirmed
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: edgex-kuiper
[WARN]      * Privileges not restricted: edgex-device-virtual
[WARN]      * Privileges not restricted: edgex-device-rest
[WARN]      * Privileges not restricted: edgex-app-service-configurable-rules
[WARN]      * Privileges not restricted: edgex-sys-mgmt-agent
[WARN]      * Privileges not restricted: edgex-core-command
[WARN]      * Privileges not restricted: edgex-core-data
[WARN]      * Privileges not restricted: edgex-core-metadata
[WARN]      * Privileges not restricted: edgex-support-scheduler
[WARN]      * Privileges not restricted: edgex-support-notifications
[WARN]      * Privileges not restricted: edgex-redis
[WARN]      * Privileges not restricted: edgex-vault-worker
[WARN]      * Privileges not restricted: kong
[WARN]      * Privileges not restricted: edgex-vault
[WARN]      * Privileges not restricted: edgex-core-consul
[WARN]      * Privileges not restricted: kong-db
[WARN]      * Privileges not restricted: edgex-secrets-setup
[PASS] 5.29  - Ensure Docker's default bridge docker0 is not used
[PASS] 5.30  - Ensure the host's user namespaces is not shared
[WARN] 5.31  - Ensure the Docker socket is not mounted inside any containers
[WARN]      * Docker socket shared: edgex-sys-mgmt-agent

[INFO] Checks: 19
[INFO] Score: 6

[jamesrgregg]

Thank you @bnevis-i
These checks are exactly what I was hoping for as we have a working demo of this running on the EdgeX Sandbox and can demo with these checks next week.

[bnevis-i]

@brian-intel Please change the commit message to "feat(adr):" instead of "ADR:"