We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Hardening a GeoNode Project – Some considerations about container security and optimization

00:00
subtitles
off
playback rate
1
quality
1080p
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
1080p
720p
480p
360p
240p
0
 Cite
 Share
 Related Material
 Download Purchase
No logo availableFOSS4G
Logo of Open Source Geospatial Foundation (OSGeo)Open Source Geospatial Foundation (OSGeo)
 Mota, Carlos Eduardo

Formal Metadata

Title
Hardening a GeoNode Project – Some considerations about container security and optimization
Title of Series
Number of Parts
351
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language
Production Year2022

Content Metadata

Subject Area
Genre
Abstract
The GeoNode, according to the project's website, is a platform for managing and publishing geospatial data. It brings together mature and stable open source software projects into a consistent, easy-to-use interface, allowing non-specialist users to share data and create interactive maps. In Brazil there is a growing use of GeoNode, observed mainly in governmental institutions and universities. One of the main ways of installing and configuring GeoNode is the so-called Geonode Project. It consists of a custom Django Project template, which contains, in addition to the main project files, a set of Dockerfiles of GeoNode components, such as GeoServer, Nginx (reverse proxy) and PostGIS. From a detailed analysis of the components of the GeoNode Project created, it was found that the original dockerfiles contain a series of security holes and also unnecessary packages for the execution of the stack, not recommended for production environments. A Dockerfile that follows best practices eliminates the need to run privileged containers (as root), the use of unnecessary packages, leaked credentials, like mail passwords or database DSNs, or anything that could be used for an attack. Removing known risks in advance will reduce security management work and service overhead. The objective of this talk corresponds to discuss the possible security holes found in the Geonode Project and, with the application of best practices in Dockerfiles, to make it leaner and safer for production environments. For demonstration purposes, there will have a project to be used as an example and will be hosted at GitHub: geonode-br/hardening-geonode-docker.
Keywords
00:00
Moving averageComputer animation
00:10
Information securityVulnerability (computing)Product (business)BitMathematical optimizationRevision controlGoodness of fitComputer animation
00:39
Product (business)CodeComputer fileScripting languageMedical imaging1 (number)Computer animation
01:48
Level (video gaming)Computer-generated imageryInformation managementClefSource codeState of matterMathematicsInformation securityRevision controlGeometryInstallation artBinary fileComputer data loggingError messageScripting languageTheory of everythingEvent horizonSelf-organizationType theoryComputing platformCodierung <Programmierung>CompilerSineComputer fileLocal GroupVolumeBlogData typeGastropod shellContent (media)RootDevice driverVariable (mathematics)Singuläres IntegralTemplate (C++)PasswordKey (cryptography)DatabaseRepository (publishing)Information securityComputer fileServer (computing)Insertion lossMedical imagingVulnerability (computing)Exception handlingTransformation (genetics)Default (computer science)PasswordRevision controlReliefArithmetic progressionAxiom of choiceMultiplication signNumberMathematicsLevel (video gaming)2 (number)Entire functionBuildingWeb 2.0Marginal distributionHazard (2005 film)Source codeXMLComputer animation
05:22
Computer animation
Transcript: English(auto-generated)
00:02
The speaker is Carlos Eduardo Mota, hardening a geonode project, some considerations about container security and optimisation. Okay, good morning. I will discuss here about some security holes that we have found into the geonode
00:25
project using the 3.3 version. And I will show some little bits of code, a lot of Docker files to show how it's not suitable for production yet.
00:40
And in five minutes I will try to solve this problem. Is geonode on Docker suitable for production? In the geonode documentation there are some documents about how to put geonode in production, but some of the code, the scripts inside the project, it has a lot of little problems
01:09
and I will show you some of them. So, I will start to talk to you about the ten amendments of securing a Docker image.
01:22
There is ten little holes that we have to execute, to put on our Docker files, but I will make it more attention. We have light here. Oh, yes. And I will give some access to these red ones.
01:47
Let's see. The first update done into the Docker file images is only to change the base image. It's a little update on the Docker file, but it has some big problems there.
02:08
Changing the base image to Python 3.8.90, the most recent 3.8 version, solves a lot of critical vulnerabilities we have on the image.
02:22
The full Python used on geonode has about 61 issues and the most recent Python 3.8 has about 48 issues either. And this changing of the Docker file allows us to get the latest security features, not
02:49
only in the Python version, but either in the Linux version, the Debian version. Geonode uses the Buster Debian version, and so he inserts a Bullseye repository into
03:07
the Docker file. Upgrading to Bullseye, there's no need to do this. Let's show the second. Remember, we are going to 612 vulnerabilities to at least 48.
03:24
Okay. The second is to break the entire Docker file into stages of building. First we build the dependencies and then we copy the virtual web created to the release
03:42
image. And so it makes our Docker file more simple and vulnerability less. We fall from 76.3 to 339 issues.
04:02
The other simple change that we do is to literally eliminate the Hoot user into the Docker file, preventing a lot of problems that we can have. The special hazards obtained about these simple changes is to reduce the size margin for
04:24
at least four times minutes. The number of layers to 490 to 29, this is either a good choice. And the vulnerabilities to 76.3 to 339 and can lower more if we apply some lynching into
04:44
the Docker file and correct some little problems. And this is a work in progress for us. We are living to handle sensitive data except on the passwords and so on.
05:03
Finishing. We want to do the same into the GeoServer, GeoNode, the Docker file, and transform into a GeoNode project to put it on public to whoever wants to contribute and make some
05:21
suggestions. Okay, sorry for my poor English, thank you so much.