Docker advanced application - Remote TLS Management (security authentication)


TLS(Transport Layer
Security (secure transport layer), TLS is a protocol built on the TCP protocol of the transport layer and serves the application layer. Its predecessor is SSL (Secure Socket)
Layer, which realizes the function of encrypting the message of the application layer and then sending it to TCP for transmission.

TLS protocol has three characteristics: confidentiality (data are encrypted transmission to prevent third-party sniffing), data integrity (based on MAC verification mechanism), and two-way authentication support (to avoid identity impersonation)

In Docker, TLS encryption is established to prevent link hijacking, session hijacking and other problems from causing Docker communication to be blocked by intermediaries * * *, c/s
Both ends should communicate through encryption.

1, The difference between Docker container and virtual machine

1. Isolation and sharing

By adding the Hypervisor layer, the virtual machine virtualizes the network card, memory, CPU and other virtual hardware, and then establishes a virtual machine on it. Each virtual machine has its own system kernel. and
Docker container isolates file system, process, device, network and other resources through isolation, and then controls permissions and CPU
Resources, etc., so that the containers do not affect each other, and the containers cannot affect the host. The container shares the kernel, file system, hardware and other resources with the host

docker Containers share the same kernel resources, while virtual machines are independent, and the resources used are independent.

2. Performance and loss

Compared with virtual machines, container resource consumption is less. Under the same host, more containers can be established than virtual machines. However, the security of virtual machines is slightly better than that of containers,
To break from the virtual machine to the host or other virtual machines, you need to break the Hypervisor layer first, which is extremely difficult. And docker
Containers share kernel, file system and other resources with host computers, which is more likely to affect other containers and host computers.

Compared with the virtual machine, the container consumes much less resources, because the container is a shared kernel, which means that one container occupies more resources, while other containers occupy less. If one container has problems, other containers will have problems. Therefore, the security of the virtual machine is better than that of the container

2, Security problems of Docker

1.Docker's own vulnerability

As an application, Docker has code defects in its implementation. There are more than 20 vulnerabilities in the historical version of Docker officially recorded by CVE. The common means are

Code execution, authority promotion, information disclosure, authority bypass, etc. at present Docker The version changes very quickly,
Docker Users had better Docker Upgrade to the latest version.

2. Docker source code

(1) Docker provides a Docker hub, which allows users to upload the created image for other users to download and build quickly
Build the environment. But it also brings some security problems. For example, there are three ways: (1) upload a malicious image
If malicious software such as and Backdoors are embedded in the produced image, the environment is unsafe from the beginning, and there is no security in the follow-up.

(Mirror image may save love*Software and viruses)

(2) The image uses the vulnerable software. Among the images that can be downloaded on the Docker Hub, 75% of the images are installed with the vulnerable software. So after downloading the image,
It is necessary to check the version information of the software inside and whether there are loopholes in the corresponding version, and update and patch it in time.

((there is a problem with the environment in the image of the old version)

(3) The image tampered by the middleman may be tampered with during transmission. At present, the new version of Docker has provided corresponding verification mechanism to prevent this problem.
The image you uploaded is hijacked and tampered with by an intermediary. At this time, you need a TLS security certificate. The docker container goes to the docker server for security authentication

3, Docker architecture defects and security mechanism

The architecture and mechanism of Docker itself may cause problems. For example, in such a scenario, some containers on the host have been controlled, or the method of establishing containers on the public cloud has been obtained, and then the host or other containers are initiated.

  1. LAN between containers

The containers on the host can form a LAN, so ARP spoofing, sniffing, broadcast storm and other methods for the LAN can be used.
Therefore, deploying multiple containers on a host requires reasonable network configuration and iptable rules.

  1. DDoS exhausted resources

Cgroups security mechanism is to prevent such problems. Do not allocate too many resources to a single container to avoid such problems.

  1. An important difference between a vulnerable system call Docker and a virtual machine is that Docker and the host share an operating system kernel. Once the host kernel has a vulnerability that can exceed authority or lift authority, although Docker is executed by ordinary users, when the container is, the user can also use the kernel vulnerability to jump to the host to do more.

  2. Share root user privilege if you run the container with root user privilege, the root user in the container will have the root privilege of the host.

4: Dcoker TLS encryption practice

4.1: TLS overview

TLS (Transport Layer Security Protocol): transport layer security protocol, whose predecessor is Secure Sockets Layer (SSL) Security protocol , the purpose is to internet Communication provides security and data Integrity Security.

TLS protocol adopts Master-slave architecture The model is used to create a secure connection between two applications through the network to prevent data exchange Eavesdropping And tampering

The advantage of TLS protocol is with the high level application layer Agreement (e.g HTTP,FTP,Telnet Etc.) no coupling. The application layer protocol can run transparently on the TLS protocol, and the TLS protocol can negotiate and authenticate the encryption channel. The data transmitted by the application layer protocol will be encrypted when passing through the TLS protocol, so as to ensure the privacy of communication.

4.2: why TLS encryption

In order to prevent link hijacking, session hijacking and other problems from causing Docker communication to be attacked by intermediaries, both ends of c/s should communicate through encryption.

1:symmetric DES 3DES AES Different lengths, the longer the length, the higher the security, and the slower the decryption speed

2:Asymmetric RSA Public key, private key, public key:Everyone knows(lock)Private key(key)Personal identity information, non repudiation.

3:certificate:Personal information, key, validity

4: ca:Certification authority ca certificate

5.concrete TLS technological process
 secret key key--->Identity signature csr--->(The server/client)(combination ca.pem)Production certificate pem
 certificate pem Send it to the client, and the client will use certificate authentication

4.3: docker TLS deployment

Experimental environment

host name IP address Deployed services
master docker-ce
client docker-ce
#Local host parse file
[root@localhost ~]# vim /etc/hosts
'//'add local IP + hostname' master

#Modify host name
[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
[root@master ~]# 

#ping the local
[root@master ~]# ping master
PING master ( 56(84) bytes of data.
64 bytes from master ( icmp_seq=1 ttl=64 time=0.033 ms

#Client also
[root@localhost ~]# vim /etc/hosts master

#Modify host name
[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# su

[root@client ~]# ping client
PING client ( 56(84) bytes of data.
64 bytes from client ( icmp_seq=1 ttl=64 time=0.101 ms
64 bytes from client ( icmp_seq=2 ttl=64 time=0.035 ms

#ping the master
[root@client ~]# ping master
PING master ( 56(84) bytes of data.
64 bytes from master ( icmp_seq=1 ttl=64 time=0.556 ms
64 bytes from master ( icmp_seq=2 ttl=64 time=0.424 ms

1. Service creation key

'//'create certificate directory'
[root@master ~]# mkdir /tls

RSA: Symmetric key aes Method: 256 bits in length   -out: output   
[root@master ~]# openssl# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:      '//Enter password 123123 '
Verifying - Enter pass phrase for ca-key.pem:    '//'confirm password'

'/certificate ca-key.pem Generate home directory'

2. Create ca certificate

#The format of the certificate is x.509 international standard, the time limit is 1000, and the newly generated key file CA key is specified PEM sha256: hash verification certificate Title: subj "/CN *: you can change the name at will
[root@master ~]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:        '//Enter ca key password 123123 '

#ca certificate already exists
[root@master ~]# ls
ca.pem      ca-key.pem       

3. Create server private key

'//Generate server key from home directory pem'
[root@master ~]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

4. Signature private key

'//Home directory generation server crs'      
[root@master ~]# openssl req -new -key server-key.pem -sha256 -subj "/CN=*" -out server.csr

5. Sign with ca certificate and private key certificate, and enter 123123

'//Generate server-cert.pem 'from home directory
[root@master ~]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

Signature ok
Getting CA Private Key
Enter pass phrase for ca-key.pem:        '//Enter ca key password 123123 '

6. The client creates a key

'//Generate the key of the client pem'
[root@master ~]# openssl genrsa -out key.pem 4096
  1. Signature client
"//Signed client has generated client csr"
[root@master ~]#  openssl req -subj "/CN=client" -new -key key.pem -out client.csr

8. Create profile

[root@master ~]# echo extendedKeyUsage=clientAuth > extfile.cnf

'//Tell the server to open TLS authentication in order to generate client certificate '

9. Enter 123123 for signing certificate, which requires (signing client, ca certificate, ca key)

'//Generate signing certificate based on ca certificate and ca key '
[root@master ~]# openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
Getting CA Private Key
Enter pass phrase for ca-key.pem:        '//Enter '123123'

10. Delete redundant files

[root@master ~]# rm -rf client.csr extfile.cnf server.csr

[root@master ~]# ls
ca-key.pem  ca.pem  cert.pem  key.pem  server-cert.pem  server-key.pem

11. Configure Docker

[root@master ~]# vim /usr/lib/systemd/system/docker.service

'Note line 14'
'//'add this line'
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp:// -H unix://var/run/docker.sock

#All certificates are moved to the tls directory
[root@master ~]# mv *.pem /tls/
[root@master ~]# ls /tls/
ca-key.pem  ca.pem  cert.pem  key.pem  server-cert.pem  server-key.pem

12. Restart the service

[root@master tls]# systemctl daemon-reload
[root@master tls]# systemctl restart docker

#View port

[root@master tls]# netstat -natp | grep docker
tcp6       0      0 :::2376                 :::*                    LISTEN      22773/dockerd    

13. Add / TLS / ca.pen / TLS / cert.pem / TLS / key PEM copies three files to another host

[root@master tls]# scp ca.pen root@
[root@master tls]# scp cert.pem root@
[root@master tls]# scp key.pem root@ 

14. Operation on client

[root@client ~]# cd /etc/docker/
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community

That's all for today

Tags: Linux Docker tls

Posted by aggrav8d on Sat, 14 May 2022 13:51:49 +0300