DRAFT GNIP 101 : Reduce docker attack surface

[gannebamm]

GNIP 101 - Improving Docker Security

To PSC: There is nothing to vote upon, yet

Overview

According to docker security pages (https://docs.docker.com/engine/security/) using docker with default settings does provide an attack surface. The basic approach to lower the attack surface is to enable rootless processes inside the containers. The GeoNode docker composition currently uses the root user for starting the container processes. Disabling root and adding other security related functionality could significantly reduce the attack surface.

Proposed By

Florian Hoedt, Thünen-Institute

Assigned to Release

This proposal is not yet scheduled for a release.

State

• Under Discussion
• In Progress
• Completed
• Rejected
• Deferred

Motivation

An upcoming talk about GeoNode in production at FOSS4G 2024 which will cover topics like:

• Addressing security requirements like rootless execution and random UID support
• Improving security by separating credentials and using Podman instead of Docker

sparked my interesst. I see that improving the current security model is an important task but also one which requires an substential amount of ressources. I created this GNIP as an invitation to the downstream project to contribute to the main project. I see people like @cmotadev working on that. Maybe he can post some links to the downstream project´s github as a reference how to achieve the above mentioned goals.

Proposal

The options to achieve the mentioned goal are manifold. The fist level of reducing the attack surface is to enable rootless docker for the containers as done in the geoSGB use-case described above.

Backwards Compatibility

Currently, the amount of changes is not yet known. If those changes do not effect the django code but solely how docker containers are started they could be backwards compatible. If django code needs changes the work of backporting those is likely to big.

Future evolution

Apart from using podman and a rootless docker we could implement AppArmor profiles per container to further reduce the attack surface. An example of this for an nginx container is listed here.

Feedback

Update this section with relevant feedbacks, if any.

Voting

Project Steering Committee:

• Alessio Fabiani:
• Francesco Bartoli:
• Giovanni Allegri:
• Toni Schoenbuchner:
• Florian Hoedt:

[t-book]

Thanks Florian! I remember a PSC thread regarding this topic some time ago. Rootles would be great, if I remember correclty I cut permissions with AppAmor in one project. Will see what has been done there … maybe something can be reused. Even if not requested my +1! Thanks!

[kikislater]

+1
rootless will enable the ability to run container in singularity / apptainer in HPC server

[cmotadev]

Thank you @gannebamm! We're hard workinng on it. We are finishing a lite image for GeoNode 4. In FOSS4G 2022 we discussed about application of these practices. Now we are porting some of them to our GeoNode Project. Soon I will propose this lite image for main repo.

[giohappy]

Happy to see contributions on this! We're also discussing the topic here at GeoSolutions, particularly for GeoNode 5.
We don't have a roadmap yet but the first goal is rootless containers.

@cmotadev what is your plan for this lite image? What do you mean by "lite"?

[cmotadev]

I can summarize "lite image" into these below topics:

• Usage of Python virtualenv, instead of python deb/base images
• Multi stage build - One stage to build entire virtualenv and other to copy it and install libraries (with no devels, compilers and so on)
• Replace all deb python modules to pip packages (avoid Python mixed versions - base image and from deb repos)
• Reduce number of layers
• reduce image size (Im FOSS4G2022 we reduced Geonode 3 image from 4GB to 900Mb)
• Add rootless execution

[giohappy]

@cmotadev thanks, looging forward to have a look into your lte image ;)