An evaluation of Docker’s security

SCHOOL OF ARCHITECTURE, COMPUTING AND
ENGINEERING
MSc Information Security and Digital Forensics
An evaluation of Docker’s security
Student Name: Ade Ajasa
Student Number: 0015906
Supervisor: Mike Kretsis
Marking Scheme: 75% Theory – 25% Practical
Module Code: CN7000
Semester 3 – 2015/16

ADE AJASA STUDENT NUMBER: 0015906
Acknowledgements
Would like to thank Mike Kretsis for his supervision, support and inspiration on this project.
Would also like to thank Dr Rabih Bashroush for his advice during the lectures and tutorials of
CN7014 Security Management 2015/16, a big thanks to Nicholas Balmforth, who showed me
how to enhance my search methods, thanks to Dr. Ameer Al-Nemrat for giving some very important
tips about dissertation writing and a big thanks to my very kind GP Dr. Thushari Ediriwickrema,
who looked after me, after my operation on the 23rd
of April 2015.
Despite all the financial problems encountered while taking my MSc, the only reason i could get
through it, has been because of the support from my fellow classmates, Michael Thompson, Dawan
Rashid, MD Abdul Khan, "The Don" Dilshan and the two lovely ladies Rabia Begum and Anu
Chhetri.
“The best time for me at UEL, was spent doing my coursework, exam revision and dissertation
writing with the lovely Anu Chhetri, “The Don" Dilshan, Uncle JD and Aunty C.”
I will miss you all
2 Contents

Abstract
The first half of this dissertation will be 75% theory and the second half will be 25% practical.
Docker was released to the world in 2013, as a competitor to VMware and VirtualBox, two of the
most popular virtual software on the market of today. This dissertation is going to evaluate the
security of Docker and look at known vulnerabilities, also associated with Docker. This dissertation
will demonstrate, how to secure your Docker image’s, Docker container’s and update the images,
when a known security or vulnerability patch is uploaded to the HUB. The dissertation will not only
talk about the theoretical aspect of Docker’s security and vulnerabilities, but will give the reader a
real hands-on practical experience as how to use Docker in the real world. This dissertation will
give you an idea, as to what new things Docker has to offer the IT world, that we don’t already
have.
Keywords-Docker Security; Vulnerability; Image; Container
3 Contents

Table of Contents
Acknowledgements..............................................................................................................................2
Abstract................................................................................................................................................3
Introduction.......................................................................................................................................12
1.0 The methodology used for this dissertation...........................................................................12
1.1 What are the problems?.......................................................................................................12
1.2 What is the cause of the problems?.....................................................................................13
1.3 The impact of the problems?...............................................................................................13
1.4 What is the proposed solution to the problems?.................................................................13
2.0 An overview of the implementation........................................................................................13
3.0 What is Docker and what is it used for?.....................................................................................14
3.1 A closer look at Docker and it’s components...........................................................................14
3.2 Docker work-flow and its benefits...........................................................................................14
3.3 The client/server model............................................................................................................17
3.4 LXC.........................................................................................................................................17
3.5 A Docker image.......................................................................................................................18
3.6 A Docker container..................................................................................................................19
3.7 The registry hub of Docker......................................................................................................19
3.8 The following problems are solved by Docker.......................................................................20
3.8.1 Conflicting of dependencies.............................................................................................20
3.8.2 Missing of dependencies..................................................................................................20
3.8.3 Differences of platforms..................................................................................................20
3.8.4 Secure and efficient..........................................................................................................20
4.0 Containers versus the other type of virtualization...................................................................20
4.1 Browsing the repositories........................................................................................................21
5.0 Docker from a security perspective.............................................................................................22
5.1 Docker Hub..............................................................................................................................22
5.2 Docker Engine.........................................................................................................................22
5.3 The security analysis of Docker...............................................................................................22
5.4 Identifying the vulnerabilities and security flaws.................................................................23
5.4.1 Docker images and Poodle bleed SSL vulnerability........................................................23
5.4.2 Testing for shellshock in a Docker container...................................................................24
4 Contents

5.4.3 Local privilege escalation vulnerability in Docker..........................................................25
5.4.4 Host to container contamination......................................................................................26
5.4.5 Results of the implementation..........................................................................................28
5.4.6 APT attacks on Docker images........................................................................................28
5.4.7 Exploits of the Kernel......................................................................................................28
5.4.8 DOS (Denial of service) attack........................................................................................28
5.4.9 Breakouts within a container............................................................................................28
5.5.0 Poisoned Docker images..................................................................................................28
5.5.1 Secrets that have been compromised...............................................................................29
6.0 Vulnerability websites.............................................................................................................29
6.1 Testing of security...................................................................................................................29
7.0 Problems encountered while writing this dissertation...............................................................31
7.1 Conclusion...................................................................................................................................31
7.2 Future research...........................................................................................................................33
7.3 Terms of validity of my methodology/approach to the dissertation........................................33
References..........................................................................................................................................34
Appendices.........................................................................................................................................37
Implementation on how to use Docker.............................................................................................37
Appendix 1: Installing Ubuntu 15.04..........................................................................................37
Screenshot 1: Ubuntu installation and details screen................................................................37
Screenshot 2: Setting up root’s password.................................................................................37
Screenshot 3: Installing virtualbox guest tools.........................................................................38
Screenshot 4: Updating the system...........................................................................................38
Screenshot 5: Checking the version of Ubuntu.........................................................................39
Appendix 2: Installing Docker in Ubuntu 15.04.........................................................................39
Screenshot 1: Searching the cache for Docker..........................................................................39
Screenshot 2: docker.io is installed...........................................................................................40
Screenshot 3: Checking the version of Docker installed..........................................................40
Screenshot 4: The version of Docker installed is 1.5.0.............................................................40
Screenshot 5: Installing curl......................................................................................................41
Screenshot 6: Using curl to install Docker...............................................................................41
Screenshot 7: Using the id command........................................................................................41
5 Contents

Screenshot 8: Adding user u0015906 to the docker group.......................................................41
Screenshot 9: An alternative command.....................................................................................42
Screenshot 10: Looking at the groups user u0015906 belongs too...........................................42
Screenshot 11: Checking the new version of Docker installed.................................................42
Appendix 3: How to use Docker commands................................................................................43
Screenshot 1: docker search command.....................................................................................43
Screenshot 2: docker attach <container ID> and docker start <container ID>.........................43
Screenshot 3: docker pull fedora:latest.....................................................................................43
Screenshot 4: docker restart <container ID>.............................................................................44
Screenshot 5: docker run -it -v $(pwd):/Ade ubuntu:latest /bin/bash.......................................44
Screenshot 6: user and group root.............................................................................................44
Screenshot 7: sudo chown.........................................................................................................45
Screenshot 8: Docker hub account............................................................................................45
Screenshot 9: Logged into my Docker Hub account................................................................46
Screenshot 10: docker login......................................................................................................46
Screenshot 11: Dockerfile.........................................................................................................46
Screenshot 12: docker build......................................................................................................47
Screenshot 13: docker images...................................................................................................47
Screenshot 14: docker history...................................................................................................47
Screenshot 15: docker run.........................................................................................................48
Screenshot 16: docker run.........................................................................................................48
Screenshot 17: docker ps -l.......................................................................................................48
Screenshot 18: docker port........................................................................................................48
Screenshot 19: docker push.......................................................................................................48
Screenshot 20: Image................................................................................................................49
Screenshot 21: Bind..................................................................................................................50
Screenshot 22: localhost:32768................................................................................................50
Screenshot 23: u0015906/ade:project.......................................................................................50
Screenshot 24: docker info........................................................................................................51
Screenshot 25: docker inspect...................................................................................................51
Screenshot 26: Gateway............................................................................................................52
Screenshot 27: mkdir and touch................................................................................................52
6 Contents

Screenshot 28: docker diff........................................................................................................52
Screenshot 29: docker commit..................................................................................................52
Screenshot 30: u0015906:project2.changed..............................................................................52
Screenshot 31: docker stats.......................................................................................................53
Screenshot 32: docker logs.......................................................................................................53
Screenshot 33: docker top.........................................................................................................53
Screenshot 34: Upgrading docker.............................................................................................54
Appendix 4: Installation of my webpage permanently into a Docker image.............................55
Screenshot 1: docker run -it -v $(pwd):/Ade u0015906:project /bin/bash................................55
Screenshot 2: cp *.* /var/www/html.........................................................................................55
Screenshot 3: rm index.nginx-debian.html...............................................................................55
Screenshot 4: mv images /var/www/html and mv style /var/www/html..................................56
Screenshot 5: docker run...........................................................................................................56
Screenshot 6: docker ps -l.........................................................................................................56
Screenshot 7: localhost:32768..................................................................................................57
Screenshot 8: docker login........................................................................................................59
Screenshot 9: docker push.........................................................................................................60
Screenshot 10: Docker hub.......................................................................................................60
Appendix 5: Phoronix test suite installed into a Docker image..................................................61
Screenshot 1: Phoronix folder...................................................................................................61
Screenshot 2: phoronix-test-suite..............................................................................................61
Screenshot 3: Repository..........................................................................................................62
Appendix 6: Installing nmap into a Docker image.....................................................................62
Screenshot 1: Dockerfile...........................................................................................................62
Screenshot 2: ifconfig...............................................................................................................63
Screenshot 3: u0015906/nmap -v 172.17.42.1..........................................................................63
Screenshot 4: u0015906/nmap -v comptia.org..........................................................................64
Screenshot 5: Uploaded u0015906/nmap to my Docker hub....................................................64
Appendix 7: Running Kali 2.0 Linux and Metasploit in a Docker container............................65
Screenshot 1: Pulling down the Kali Linux image from GitHub..............................................65
Screenshot 2: The image...........................................................................................................65
Screenshot 3: Launching the Kali container.............................................................................65
7 Contents

Screenshot 4: Fixing an error....................................................................................................65
Screenshot 5: Installing metasploit-framework into Kali Linux container...............................66
Screenshot 6: Running Metasploit in a Kali Linux container...................................................66
Appendix 8: How to run GUI applications in Docker................................................................67
Screenshot 1: Checking if there is any docker images on the host machine.............................67
Screenshot 2: The id terminal command...................................................................................67
Screenshot 3: The id $USER command....................................................................................67
Screenshot 4: Building the image.............................................................................................68
Screenshot 5: Updating Docker on the host machine...............................................................68
Screenshot 6: Checking the new update....................................................................................68
Screenshot 7: Re-building the image........................................................................................69
Screenshot 8: Re-building the image failed..............................................................................69
Screenshot 9: My Dockerfile for Firefox..................................................................................70
Screenshot 10: Re-building the image again.............................................................................71
Screenshot 11: Running the image again..................................................................................71
Screenshot 12: The display test.................................................................................................72
Screenshot 13: The terminal command xhost...........................................................................72
Screenshot 14: Running the docker run command again..........................................................72
Screenshot 15: Firefox working from a Docker container........................................................73
Screenshot 16: Converting the container to an image...............................................................73
Screenshot 17: The new created image with Firefox installed.................................................73
Screenshot 18: Removing containers created...........................................................................74
Implementation on fixing security vulnerabilities in Docker images and containers....................74
Appendix 9: An advantage for an attacker or hacker.................................................................74
Screenshot 1: Creating a directory............................................................................................74
Screenshot 2: Creating a file in the directory............................................................................74
Screenshot 3: Verification.........................................................................................................75
Screenshot 4: docker run -it -v $(pwd): /ade adeajasa/new_apache2 /bin/bash........................75
Screenshot 5: Listing the directories and files in the container................................................75
Screenshot 6: Reading the file u0015906.txt............................................................................75
Screenshot 7: Hacking the file..................................................................................................76
Screenshot 8: Proving that the file has been altered.................................................................76
8 Contents

Appendix 10: Testing for shellshock in a Docker container.......................................................77
Screenshot 1: Starting Docker...................................................................................................77
Screenshot 2: Current Docker version running.........................................................................78
Screenshot 3: Upgrading Docker from 1.8.3 to 1.9.1...............................................................78
Screenshot 4: Upgrading successful..........................................................................................79
Screenshot 5: Executing the docker run command...................................................................79
Screenshot 6: Testing if u0015906/phoronix is affected by shellshock....................................80
Screenshot 7: The image u0015906/phoronix is not affected by shellshock............................80
Screenshot 8: Exit from the container u0015906/phoronix......................................................80
Appendix 11: Docker images and Poodle bleed SSL vulnerability.............................................81
Screenshot 1: Installing Ubuntu................................................................................................81
Screenshot 2: Running Ubuntu image......................................................................................82
Screenshot 3: Installing updates into the Docker container......................................................82
Screenshot 4: Installing vim.nox, gedit, mc and apache2.........................................................83
Screenshot 5: Running the application midnight commander from Docker container.............83
Screenshot 6: Saving changes made to the running Docker container.....................................84
Screenshot 7: Verifying that the changed container has been saved.........................................84
Screenshot 8: Starting apache2 web server...............................................................................84
Screenshot 9: Installed Apache2 inside a Docker container and map port 80 to host..............84
Screenshot 10: Running Apache2 web server...........................................................................85
Screenshot 11: Installing curl into the the running container....................................................85
Screenshot 12: Testing Apache2 web server vulnerability........................................................86
Screenshot 13: How to fix the Poodle vulnerability.................................................................86
Screenshot 14: Editing the ssl.config file..................................................................................87
Screenshot 15: Restart the apache2 service..............................................................................87
Appendix 12: Local privilege escalation vulnerability in Docker...............................................88
Screenshot 1: Result from a vulnerable Kernel.........................................................................89
Screenshot 2: Ubuntu 16.04.1 LTS...........................................................................................89
Screenshot 3: Installing docker.io.............................................................................................90
Screenshot 4: Adding user to the Docker group........................................................................90
Screenshot 5: Docker version...................................................................................................91
Screenshot 6: Pulling an image of Ubuntu:latest from the Docker HUB.................................91
9 Contents

Screenshot 7: Verifying that the image downloaded successfully............................................91
Screenshot 8: cve-2016-0728 script..........................................................................................92
Screenshot 9: Verifying cve-2016-0728 script downloaded successfully.................................92
Screenshot 10: Using uname -a terminal command.................................................................93
Screenshot 11: Results of the test run in Ubuntu 16.04.1 LTS.................................................93
Personal development plan...............................................................................................................94
Project plan....................................................................................................................................95
10 Contents

List of Figures
Fig. 1: The traditional deployment work-flow, without Docker (Matthias, et al. 2015, p. 25)..........16
Fig. 2: The Docker deployment work-flow (Matthias, et al. 2015, p. 25)..........................................17
Fig. 3: Docker client/server model (Matthias, et al. 2015, p. 25).......................................................17
Fig. 4: Virtual machines versus containers (Merkel, 2014, p. 81)......................................................21
Fig. 5: Docker-brew-ubuntu-core/vivid/Dockerfile (GitHub, 2015)..................................................22
Fig. 6: Docker security scanning 1 (Williams, 2016).........................................................................31
Fig. 7: Docker security scanning 2 (Williams, 2016).........................................................................32
11 Contents

List of Tables
Tab. 1: Vulnerability/security flaws results table...............................................................................28
Tab. 2: Personal development plan.....................................................................................................96
Tab. 3: Gantt chart 1...........................................................................................................................97
Tab. 4: Gantt chart 2...........................................................................................................................98
Tab. 5: Gantt chart 3...........................................................................................................................98
Tab. 6: Gantt chart 4...........................................................................................................................99
12 Contents

Introduction
In California, at the python developers conference (Santa Clara) with little fan-fare and no pre
announcement, Docker was introduced by Solomon Hykes, CEO and founder of dotCloud, to the
world on the 15.03.2013. The project was made publicly available on GitHub and open-sourced,
people could contribute to the project, by downloading it from GitHub. (Matthias, et al. 2015, p. 23)
The first half of this dissertation will be 75% theory and the second half will be 25% practical.
Docker was released, as a competitor to VMware and VirtualBox, two of the most popular virtual
software on the market of today. Most major distributions of Linux, have Docker in their
repositories, starting from Ubuntu 12.04, Docker is supported. Docker runs on a 64-bit operating
system. (Holla, 2015, p. 20)
1.0 The methodology used for this dissertation
1.1 What are the problems?
This dissertation has some questions to answer and the questions are:-
1. How secure is the virtual engine called Docker?
2. Does Docker have any known vulnerabilities/security flaws?
3. Is Docker easy to install, configure and use?
1.2 What is the cause of the problems?
Because it's free, some people might think, that security would not be taking seriously by the
Docker community and its users. In general, the commercial sector still see Linux as a platform,
that is not a viable operating system and especially that Docker is a Linux based engine.
1.3 The impact of the problems?
Since the launch of Docker to the world, developers have taken a like to the virtual engine. This has
put Docker at the forefront of things, especially when it comes to security and moving sensitive data
in the cloud.
1.4 What is the proposed solution to the problems?
The dissertation methodology would be based on a practical aspect. Docker will be vigorously
tested for all it's vulnerabilities and security flaws known. A practical methodology that will
simulate real world scenarios. The testing methodology will be an approach and strategy, that
would be used to test the vulnerabilities/security flaws in Docker, to see if it is fit for purpose and
works within accordance of its specification. Worst case will fail safely (e.g. will it retain work in
the event of a power loss) and has no undesirable side effects when used in ways outside of its
design parameters.
Vulnerability and security testing, gone are the days when security was what we used to test
after-the-fact. Application security is something that has to be developed and designed with
business functionality at the same time, due to the awareness of the risks associated with software
vulnerabilities and with the rise in cybercrime. The vulnerability/security testing will test Docker
images and containers, for non-repudiation, availability, authentication, integrity and
confidentiality. To prevent any unauthorized access to Docker's images and containers, individual
13 Contents

tests would be conducted.
Note: See appendix, Implementation on fixing security vulnerabilities in Docker images and
containers.
This dissertation is going to evaluate the security of Docker and look at known vulnerabilities,
associated with Docker. This dissertation will demonstrate, how to secure your Docker image’s,
Docker container’s and update the images, when a known security or vulnerability patch is
uploaded to the HUB. This dissertation will not only talk about the theoretical aspect of Docker’s
security and vulnerabilities, but will give the reader a real hands-on practical experience as how to
use Docker in the real world. This dissertation will give you an idea as to what new things Docker
has to offer the IT world, that we don’t already have.
2.0 An overview of the implementation
The following hardware and software would be used to demonstrate how Docker works and also to
find any vulnerabilities/security flaws within Docker.
A laptop that can run multiple operating systems with ease.
A virtual machine (VirtualBox), all implementations would be carried out in a virtual environment,
this is done for security reasons.
The latest version of Docker installed in Ubuntu 16.04.
The latest version of Docker installed in Ubuntu 15.04. (Backup operating system)
The latest version of Docker installed in Microsoft windows server 2016 (Core)
Note: Microsoft windows server 2016 (Core) will only be tested, time permitting.
3.0 What is Docker and what is it used for?
Docker is a very lightweight virtual machine and is normally called, container virtualization
technology. Docker brings with it continuous deployment and continuous integration. Developers
can build stacks on their laptops, because Docker is lightweight. (Anderson, 2015)
The deployment of applications into containers, using an open-source engine, is the function of
Docker. Docker is released by the Apache 2.0 license. (Turnbull, 2014, p. 29) Docker can be called
a tool, that allows you to encapsulate, deploy in any environment and streamline any type of
application. (Matthias, et al. 2015, p. 23)
Docker can be called a platform which is open for running distributed applications, building and
and also shipping. It lets development teams, operation engineers and programmers, use the
common toolbox that is needed to take advantage of the networked nature, the modern applications
and their distribution. (Docker, 2015) Docker is known as an open platform for sysadmins and
developers to run distributed applications, build and ship. Consisting of a Docker Hub, Docker
Engine, a portable lightweight runtime and packaging tool, a cloud service for automating
workflows and sharing applications, Docker lets applications to be assembled quickly from
components and removes the friction between production environments and development. This
14 Contents

results in IT shipping faster and running the same application, on data center VMs, laptops and the
cloud. (LIU, et al. 2014, p. 1 – 4)
3.1 A closer look at Docker and it’s components
Virtualization has set up the goal of bringing forth portability and IT infrastructure optimisation.
Mean while, virtualization technology has its own serious drawbacks, the lack of any application
portability, slowness in providing of IT resources and due to the heavyweight nature of VMs1
, we
get performance degradation. Now, the IT industry has been steadily looking at Docker's inspired
containerization journey. Docker allows the containerization process to be achieved in an
accelerated and risk-free fashion. (Raj, et al. 2015, p. 23)
3.2 Docker work-flow and its benefits
1. Packaging any software that takes the advantage of the skills that developers already posses.
A lot of companies have created positions for build and release engineers in order to manage the
tooling and knowledge, needed to create software packages platforms of theirs that is supported.
Tools like dpkg2
, rpm3
, pbuilder4
, have been learned independently and can be complicated to use.
Docker can put all your needs together into a single package, that make a single file.
(Matthias, et al. 2015, p. 25)
2. With all systems in all environments, we can use packaged artefacts to deliver and test exactly
the same artefacts.
In a version control system, if developers have committed any changes, a new Docker image is
built, which goes through all the testing process, as well as repackaged at any step in the process or
without the need of recompiling, can be deployed to production. (Matthias, et al. 2015, p. 25)
3. Putting together required operating system file systems and application software in a single
format which is standardised.
Previously, you would need to package all of the dependencies that the application depended on
and also the application, including daemons and libraries. This did not guarantee that the execution
environment was identical 100%. Companies found it very hard to accomplish reliability, because
packaging was difficult. Most of the time a person running scientific Linux, would try to deploy
any community package which has been tested on Red Hat Linux, and expecting the package was
close to what they needed. You deploy your application along with all the single files required to
run it with Docker. This is an efficient process that ensures that your application is running in the
expected environment, because of Docker's layered images. (Matthias, et al. 2015, p. 25)
4. Without sacrificing resources, for the abstracting of software applications from the hardware.
When people need to create an abstraction layer between the software applications and the physical
hardware that supports them, traditionally they use enterprise virtualization solutions like VMware,
this is at the cost of the resources. The hypervisors that manage the virtual machines and each
virtual machine running kernel, use some of the systems hardware resources, and this means the
systems applications can no long use these resources of the hosted system. While a container, talks
directly to the Linux kernel as a another process, which enables it to use more resources, till the
quota-based or system limits are reached. (Matthias, et al. 2015, p. 25)
15 Contents

Fig. 1: The traditional deployment work-flow, without Docker (Matthias, et al. 2015, p. 25)
1. From the operations engineers, the application developers request resources.
2. Handed over to the developers, are the provisioned resources.
3. Developers tool and script their deployment.
4. Developers and operations engineers repeatedly tweak the deployment.
5. Discovered by developers, are additional application dependencies.
6. Additional requirements are installed by the operations engineers.
7. Loop over steps 5 and 6 N more times.
8. Deployment of the application. (Matthias, et al. 2015, p. 25)
____________________
1
VMs: Virtual machines
2
dpkg: Debian package manager
3
rpm: Red Hat package manager
4
pbuilder: Is a tool to use debootstrap for automatic package building in a clean environment
16 Contents

Fig. 2: The Docker deployment work-flow (Matthias, et al. 2015, p. 25)
1. Docker image is built by the developers and shipped to the registry.
2. Configuration details to the provision resources and container are provided by the operations
engineer.
3. Deployment triggered by developers. (Matthias, et al. 2015, p. 25)
3.3 The client/server model
Fig. 3: Docker client/server model (Matthias, et al. 2015, p. 25)
Docker is made up of two parts, the server/daemon and the client. Optionally there is the registry,
which is a third component and it stores meta-data about the images and the Docker images. The
server does the ongoing work of managing and running the containers, and the client is used to tell
the server what to do. In the infrastructure, the docker daemon can run on any number or amount of
servers, a single client can address any number or amount of servers. The communication is driven
by all the clients, while the Docker servers talk directly to the image registries, when the client tells
them to do so. The client is in charge of telling the servers what to do, while the servers focus on
hosting containerized applications. (Matthias, et al. 2015, p. 25)
17 Contents

3.4 LXC
LXC (Linux container) is a type of operating system level virtualization method. In a single control
host, it implements several isolated Linux system containers. The tool that manages Linux
containers is Docker. Comprising of cgroups5
, Linux kernel allocates resources (Network, Block
I/O, Memory, CPU, etc.) without the virtualization machine starting. (Seo, et al. 2014, p. 105 – 111)
The tool that makes it easy to package any application, with all it’s dependencies, into a container,
is Docker. Hardware architecture support, is not required by LXC. OpenVZ6
and Vserver7
, are
other container-based virtualization technologies, LXC is their successor. (Scheepers, 2014, p. 1– 7)
OpenVZ, Linux-Vserver are the most representative implementations of container-based-
virtualization, especially Linux containers (LXC). They have some similarity, when aspects such as
isolation, performance and security are taken into account, they are all Linux implementations.
The way resources are managed, is the main difference between them. Examples, how the resource
isolation is accomplished and how the resources are limited between multiple containers on a single
machine. (Xavier, et al. 2014, p. 1 – 9)
Linux containers (LXC) share the same underlying operating system (i.e. device drivers and
Kernel), but are independent from each other. (Gerlach, et al. 2014, p. 1 – 8) Layered images and
NAT are some of the features that Docker adds, and this makes it easier to use than Linux
containers (LXC) style raw-containers. (Felter, et al. 2015, p. 171 – 172)
Linux containers support multitenancy and isolation. In portable containers, there is an open source
project providing a systematic way to automate the faster deployment of Linux applications, this is
accomplished by Docker an open source project. (Bernstein, 2014) Versioning of container images,
archiving, sharing, component reuse, portable deployment of containers across platforms and Linux
container (LXC) based operating systems (OS) level virtualization, are some of the things Docker
can accomplish, in a user friendly implementation. (Boettiger, 2015)
3.5 A Docker image
The kernel of Linux is referred to a layer zero, when a Docker image is run, it is put on top of the
Linux kernel, and is referred to as layer one image. This image cannot hold a state or change and
is a read-only image. Docker images can build on top of one another, i.e. one Docker image can be
built on top of one another. (Hane, 2015, p. 30)
_______________________
5
cgroups: A Linux kernel feature called control groups, that accounts for, limits, and takes care of
the resource usage isolation of a collection of processes. (Network, disk I/O, memory, CPU, etc.)
6
OpenVZ: Open Virtuozzo (OpenVZ) for Linux, is an operating system-level virtualization
technology. Multiple isolated operating system instances, called virtual environments (Ves.),
virtual private servers (VPSs) or containers, can be run on a physical server
7
VServer: Distributed and developed as open-source software, Linux-VServer is an implementation
of a virtual private server, that has added to it's Kernel, operating system-level virtualization
capabilities
18 Contents

The base image is called the first image, while apart from the last image, all other images are
referred to as parent images. All the settings and properties of their parent images are inherited,
they also add their on configuration to the Dockerfile. (Hane, 2015, p. 30)
docker pull ubuntu:latest (Pulls the latest image of Ubuntu from the docker repository)
The image ID identifies the Docker image and it is a 64-character long hexadecimal string, most of
the time the image is referenced by its name. (Hane, 2015, p. 30)
3.6 A Docker container
When the terminal command docker run <imagename> is executed, a Docker container is created.
on top of all image layers, a writeable layer is added.
This layer can have two different states, exited or running and has processes running on the CPU.
This is known as the container. Once a container is started with the docker run command, it goes
into the running state until it is stopped by us or itself and it then goes into the exited state. While
the container is running, all changes made to its file-system are permanent between the start and the
stop. Any changes made to a container's file-system, are not written to the Docker image.
(Hane, 2015, p. 30)
We can start as many instances of running containers as we want. From the same image, you can
start as many instances of running containers, all the containers will live by each others side, while
totally separated from each other. Any changes made to a container are limited to that container
alone. When there is a change or changes made to a container's image, there is no auto update
happening and the running container is unaffected. (Hane, 2015, p. 30)
Multiple isolated user space instances running on a single host and a single shared operating system,
is what Docker container-based technology is. (Adufu, et al. 2015, p. 507 – 510) Due to the use of
Kernel namespaces and cgroups by Linux containers (LXC), the isolation of containers is stronger
than usual OS process isolation. (Estrada, et al. 2014, p. 730 –737) Containers provide a means of
resource management and isolation in a Linux environment. The isolation of the process from the
rest of the system, is what an operating system container provides. All the child processes are
included in the containment. The same level of security as a virtual machine and isolation are better
integrated with the host's operating system. The performance benefits over full virtualization, is due
to the non dependence on hardware emulation. (Dua, et al. 2014, p. 1 – 5)
19 Contents

The ease of deployment and portability, have made Linux containers the better technology to be
used with scientific workflow platforms. (Gerlach, et al. 2014, p. 1 – 8)
The command docker ps -a, displays the containers both running and not running, while The
command docker ps, displays the containers
The container ID is a 64-character long hexadecimal string and it identifies the Docker container.
When interacting with a container, you can use the container's ID, this depends on how many
containers are running. (Hane, 2015, p. 32)
3.7 The registry hub of Docker
Docker's popularity is down to its community, the ease of sharing and the extension of Docker
images. Docker registry hub is the central place for this and is found at this website:-
https://hub.docker.com/ (Hane, 2015, p. 32)
3.8 The following problems are solved by Docker
3.8.1 Conflicting of dependencies
If you need to run Java 6 on one website and Java 7 on another website, you can run each website in
a separate container. (Merkel, 2014, p. 77)
3.8.2 Missing of dependencies
All the dependencies are packaged along with an application in a container, this results to installing
applications in a Docker environment a quick process. (Merkel, 2014, p. 77)
3.8.3 Differences of platforms
The movement of users from one distro to another is no more of a problem. The same container will
execute without issues, as long as both distro's run Docker. (Merkel, 2014, p. 77)
3.8.4 Secure and efficient
When containers are used properly, they can provide an efficient and a more secure system, than
using bare metal alone or virtual machines (VMs). (Mouat, 2015, p. 8)
20 Contents

4.0 Containers versus the other type of virtualization
Fig. 4: Virtual machines versus containers (Merkel, 2014, p. 81)
Isolation for security and performance
Processes running on the host operating system are isolated from the processes running in a
container or any other container in Docker. Meanwhile, the execution of all processes are in the
same kernel. (Merkel, 2014, p. 81)
21 Contents

4.1 Browsing the repositories
Fig. 5: Docker-brew-ubuntu-core/vivid/Dockerfile (GitHub, 2015)
Here we can browse for image repositories, and search to find exactly what we are looking for. We
can see the Ubuntu repository, the number of stars it has, users comments and when last it was
updated. (GitHub, 2015)
5.0 Docker from a security perspective
The technology called virtualization has increased dramatically in the last few years. The demand
for a secure and efficient virtualization has become a priority for the users of virtualization. The
two main types of virtualization technologies that have emerged on to the market are, hypervisor-
based and container-based virtualization. The container-based virtualization can provide a efficient
virtual environment and is more lightweight, but in terms of security, there are still a lot of
concerns. (Bui, 2014, p. 1) The two major components of Docker are (1). Docker hub and (2).
22 Contents

Docker engine. Docker hub is used for the sharing of images and is known as a Software as a
Service, while Docker engine the is solution to open source virtualization. (Bui, 2014, p. 2)
Software as a Service is when the provider’s applications, which are running on a cloud
infrastructure and ready-to-use, are then provided to the customer. The customer uses a web
browser to access these applications. Examples are, servers, storage, payroll systems and office
collaboration tools. The customer responsibilities include, configuration of users, limited
configuration of the application settings and preparing them to use the features of the applications.
(Sabharwal, et al. 2013, p. 11)
5.1 Docker Hub
The Docker hub is the central repository of both private images, public images and customised
images owned by users. Users can use the Docker client to download the images they have searched
for. Verification of the integrity and authenticity of the images downloaded, can be carried out by
the user, Docker always verifies and signs images that are submitted to the hub by the owner of the
images. (Bui, 2014, p. 3)
5.2 Docker Engine
The Docker engine is a portable and lightweight packaging tool which depends on a container-
based virtualization. The Docker daemon is in charge of managing and executing all of the Docker
containers, while the Docker containers run on top of the Docker daemon. Docker users interact
with the Docker container, via the Docker client which acts as a user interface, takes commands
typed by the user and sends these commands to the Docker daemon. Using this type of method to
communicate, enables the Docker client to run on different hosts or even the same host.
(Bui, 2014, p. 2)
5.3 The security analysis of Docker
If you are running services in a virtual environment, while in a multi-tenant cloud system, security
would be one of the major challenges. Hypervisor based virtualization techniques are more secure
than containers, because of the extra layer of isolation that they add, this layer is between the host
and application. An application that is running inside a virtual machine, cannot communicate with
the host kernel, but can communicate with the virtual machine kernel. For an application to go out
of the virtual machine, it must bypass the virtual machine kernel and also the hypervisor, before it
can lunch an attack on the host kernel. (Bui, 2014, p. 3)
The host kernel and containers can communicate directly with each other, this gives an attacker an
advantage when breaking into any host system. This causes a security concern when working with
containers and Docker. One of the major challenges to Docker, is security. (Bui, 2014, p. 3)
To increase flexibility and Docker security, the Dockerfile format should let images be packaged
with SELinux policy, this would enhance the containers security.
(Boutaba, et al. 2010, p. 862 – 876) Linux security module (LSM), which is commonly existent in
modern Linux Kernels, mandatory access control (MAC) can be implemented based on it.
(Win, et al. 2014, p. 1004 – 1009)
To instantiate containers, a Dockerfile is created with the Docker engine, to generate a Docker
image. Available in online repositories, the image can be built upon other images. The (DAC)
Kernel discretionary access control is considered less insufficient, when dealing with containers,
23 Contents

this is due to the limited control it provides on the security policy and to the flexibility it gives to the
subjects. Subjects cannot by pass the system security policy, with (MAC) mandatory access control.
SELinux8
and AppArmor9
are the most used implementations of MAC.
(Bacis, et al. 2014, p. 749 –750)
5.4 Identifying the vulnerabilities and security flaws
In the enterprise, there has been explosion of interest in the use of containers, this is because of
Docker’s introduction of a standardized image format. Containers allow greater sharing of resources
on a computer system and simplify the distribution of software. The risk of an individual
application having a vulnerability would increase as you pack more applications onto a system,
which could lead to a breakout. (Mouat, 2015, p. 6)
As opposed to virtual machines, containers currently share the same host kernel. The kernel, then
becomes a single point of failure. A process within a container could break out and take over the
system, if there is a flaw in the host kernel. Docker security is about controlling and limiting the
attack surface on the kernel. Security measures provided by the host operating system, is what
Docker takes advantages of. Using multiple security measures to control what the processes within
the container are able to do, it relies on defence in depth. Security measures will continue to be
added, as Docker/containers evolve. (Mouat, 2015, p. 6)
Note: The research will focus on the first four vulnerabilities below, plus others time permitting.
5.4.1 Docker images and Poodle bleed SSL vulnerability
Designed to provide communications security over computer networks, SSL (Secure Sockets Layer)
and TLS (Transport Layer Security) are known as cryptographic protocols. Padding Oracle On
Downgraded Legacy Encryption, commonly known a POODLE, is were the server and the client
use SSLv3. SSLv3 has no security. TLS 1.0 has replaced SSLv3 for practical use, to provide
interoperability with legacy system and backward compatibility, TLS is used.
(Manimaran, et al. 2015, p. 575 – 579)
Note: Docker images and Poodle bleed SSL vulnerability, is a problem that is found within the
Apache webserver software, but due to the fact that software developers like to install Apache
webserver into docker images, they also install this vulnerability with the Apache webserver.
containers, can be found in the appendix.
_____________________
8
SELinux: Security Enhanced Linux, is a security module for the Linux Kernel, it supports
mandatory access control (MAC) and access control security policies
9
AppArmor: Application Armor, allows the system administrator to restrict programs
capabilities with per-program profiles and is also Linux kernel security module
24 Contents

Screenshot 1: Testing Apache2 web server vulnerability
Using the terminal command curl -v -3 -X HEAD https://localhost:80 (curl = URL transfer,
-v = verbose/talkative, -3 = Forces curl to use sslv3 when negotiating with a remote SSL server,
-X = request, HEAD = Header and localhost = is configured to use port 80
Note: sslv3 handshake was not successful, the connection was closed, which means our Apache2
web server is not vulnerable to Poodle
Screenshot 2: How to fix the Poodle vulnerability
Use an editor to edit the file ssl.conf
5.4.2 Testing for shellshock in a Docker container
In September 2014, Stephane Chazelas, discovered a vulnerability in the bash shell of Unix, which
was called bashdoor or shellshock. (Delamore, et al. 2015, p. 1129 – 1135) Shellshock, is a
vulnerability in a bash shell. In Linux/Unix, the shell is used to execute commands. Shellshock
enables an attacker to gain control of a server/stand alone computer.
(Mary, C. A. 2015, p. 1322 – 1325)
25 Contents

Screenshot 1: Testing if u0015906/phoronix is affected by shellshock
The terminal command, env x='() {: ;}; echo You Are Vulnerable' bash -c 'echo Update your Image
will print “If You Are, Update Your Image” if bash has been patched, but will print “You Are
Vulnerable” and “If You Are, Update Your Image” on a vulnerable system.
Screenshot 2: Exit from the container u0015906/phoronix
Exit from the container
The solution to the shellshock vulnerability of Docker containers, is to update and upgrade Bash
5.4.3 Local privilege escalation vulnerability in Docker
Due to the ability to simplify the management and deployment of applications for scalability, Linux
containers have become popular. Linux containers are one of the central building blocks of big data
platforms and cloud. Attacks on shared resources, examples, kernel, network and file system, could
happen when deploying Linux containers, this is because, Linux containers were not designed for
security. Security hardening mechanisms that exist, only protect specific applications and they are
not designed to protect an entire environment inside a Linux container.
(Manimaran, et al. 2015, p. 1 – 9)
The entire host computer can be put at risk. When a user can break out of a Linux container and
elevate himself or herself with administrator or root privileges, which then could allow the user,
attack propagation to other components on the same network and arbitrary code execution. The
attacks can be done through kernel exploits. Example, attacks on the resources shared between the
host and the Linux containers, example, memory, volumes, file systems and networking, or where a
26 Contents

bug in a shared kernel is exploited for privilege escalation. (Manimaran, et al. 2015, p. 1 – 9)
Container applications should run without privileges whenever possible or drop privileges all
together. (Mouat, 2015, p. 6)
Screenshot 1: Using uname -a terminal command
Checking the Kernel version of Ubuntu 16.04.1 LTS
Screenshot 2: Results of the test run in Ubuntu 16.04.1 LTS
Passed
5.4.4 Host to container contamination
The host kernel and Linux containers can communicate directly with each other, this gives an
attacker an advantage when breaking into any host system. This causes a security concern when
working with containers and Docker. One of the major challenges to Docker, is security.
(Bui, 2014, p. 3)
27 Contents

Screenshot 1: docker run -it -v $(pwd): /ade adeajasa/new_apache2 /bin/bash
The above terminal command docker run -it -v $(pwd):/ade adeajasa/new.apache2 /bin/bash maps
the folder /home/u0015906/Ade.Ajasa on the host to the folder ade in the container. (-v =
bind mount a volume and $(pwd) = is a short form of typing your present working directory, in this
case, /home/u0015906/Ade.Ajasa)
Screenshot 2: Reading the file u0015906.txt
Reading the file from the container
Vulnerabilities/security flaws implementation results
The Four
Vulnerabilities/Security
Flaws Of Docker That Were
Tested
Was An
Implementation
Carried Out?
Was The
Implementation
Successfully
Completed?
During Testing
Was The System
Vulnerable?
Overall Results
Of The
Implementation
Carried Out
Docker images and Poodle
bleed SSL vulnerability
Yes, it was Yes, it was No, it was not Passed the
implementation
Testing for shellshock in a
Docker container
implementation
Local privilege escalation
vulnerability in Docker
implementation
Host to container
contamination
implementation
Tab. 1: Vulnerability/security flaws results table
5.4.5 Results of the implementation
The vulnerability and security flaws that this dissertation has addressed, were re-created and tested
to see if they had been patched or are still prevalent within Docker images and containers. All tests
carried out passed, the vulnerability and security flaws had been patched.
28 Contents

containers.
5.4.6 APT attacks on Docker images
To minimise IT infrastructure costs, many companies use cloud computing services, this has made
cloud computing increasingly popular with companies. Cyber criminals have become attracted to
cloud computing, due to it's popularity. Virtual environments have become an attractive and valid
target for advanced persistent threat attacks. Rootkit malware, which provides stealth, is the key
component of an APT10
attack. (Hwang, et al. 2013, p. 27 – 32)
5.4.7 Exploits of the Kernel
A kernel panic can be caused by a container, which could also bring down the host system.
(Container Solutions, 2015)
The security kernel is critical, make sure the kernel is always updated with the latest security fixes.
Security flaws in the kernel can be minimized, if you have support teams watching out for them.
Magnifying the importance of any vulnerabilities present in the kernel, is due to the kernel been
shared among the host and all containers. The situation is much better in virtual machines (VMs).
The attacker has to route an attack through both the hypervisor and the VM kernel, to get access to
the host Kernel. (Mouat, 2015, p. 6 – 9)
5.4.8 DOS (Denial of service) attack
Kernel resources are shared by all containers. If access to certain resources are monopolized by one
container, this includes the memory and (UIDs) user IDs, other containers on the host would be
starved out from using these resources, this can lead to a (DOS) denial-of-service, legitimate users
would be unable to access all or part of the system. (Mouat, 2015, p. 9)
5.4.9 Breakouts within a container
An attacker who has access to a container, is not supposed to have access to the host and other
containers. Any process that breaks out of a container, will acquire the same privileges on the host,
as it had in the container, this is because users are not namespaced, this means you will be root on
the host, if you were root in the container. With regular security updates, use a good quality
supported host system for running the container. Make sure the provider fixes the container images
in a timely manner, when you examine your container images for security flaws and report the
findings to the provider. (Mouat, 2015, p. 6 – 10)
5.5.0 Poisoned Docker images
An image could be running a known vulnerability within a software or could be injected with a
virus of trojan infected software. (Container Solutions, 2015) Both the host and your data are at
risk, if an attacker can trick you into running her or his image. How do you know that the images
you are using have not been tampered with, are safe to use and come from the place they claim they
are from? Run only container images that come from a trusted party or parties.
(Mouat, 2015, p. 6 – 10)
______________________
10
APT: Advanced Persistent Threat is when a person, who is not authorized, gains access to a
network and stays within that network for a long time, without been detected. APT attacks do not
cause damage to the network, but the main goal of an APT attack, is to steal data from the network
29 Contents

5.5.1 Secrets that have been compromised
To prevent attackers gaining access to database passwords and API11
keys, they must be kept secure.
(Container Solutions, 2015) The host operating system security features should not be disabled. If
a service or database is accessed by a container, a secret is likely required, such as a username and
password or an API key. Gaining access to the secret by an attacker, also means the attacker has also
gained access to the service. In microservice architecture, the problem becomes more acute
(Unpleasant), as compared to an architecture with small numbers of long-lived VMs, because the
containers are constantly stopping and starting. (Mouat, 2015, p. 10)
6.0 Vulnerability websites
On the internet, there are a lot of vulnerability reporting sites. A site could be chosen and checked at
regular intervals for updates or subscribe to a service which will send an email with the latest
updates of the vulnerability listings that have been requested from the service.
(Cardwell, 2014, p. 54 – 56)
6.1 Testing of security
The virtualization of security, comes with some benefits, increased scalability and speed, overhead
is decreased, the costs of cloud environments and security infrastructure in virtualized data centers,
are also decreased. (Blatnik, 2015)
Publicly known vulnerabilities, should be scanned for in software components, before their
deployment. This is an idea that has come from the Docker community. Docker security scanning,
alerts developers, after it has checked the Docker clouds private repositories, for security bugs.
Docker data center customers will also get this feature, before the end of the year. Docker security
scanning, is going to be an opt-in service (The client selects the services they would want
to subscribe to and how the information they have provided is used) when the image is pushed to
the Docker cloud, Docker security scanning, scans the image and then a BOM (Bill-of-materials) of
the software components that make up the image is built. (Williams, 2016)
The bill-of-materials is then run against the security vulnerability databases, (NVD) National
vulnerability database, (CVE) Common vulnerabilities and exposures etc. An alarm is raised, when
a dependency or library in the image has an exploitable program. The alarm lets the developer know
there is a problem with the image, in which the developer can fix the the problem. Docker security
scanning right now, can study programming-language modules, application-level libraries and
operating system components. Bugs in developers own code cannot be found at this moment, but if
patched versions exist, it can stop the pulling in of insecure dependencies. (Williams, 2016)
While the developers are pushing their image or images to a registry, these images are been
scanned. IT Ops can then deploy the image or images, as containers towards the production
systems. (Williams, 2016)
_____________________
11
API key: Application Programming Interface key is when a computer passes in a code, calling
an application programming interface (API) for the identity of the program calling, it's user or
developer to the website
30 Contents

Fig. 6: Docker security scanning 1 (Williams, 2016)
Fig. 7: Docker security scanning 2 (Williams, 2016)
Installing security functions into containers, is a new approach which is very promising. There are
benefits when using containers to secure your network or networks, e.g. applications that have to be
migrated within the environments of computing. Another way to provide an efficient way to secure
your network or networks, is the massive effect on scalability and cost, decrease in power and size
needed to operate security operations inside a container, with a single operating system.
(Blatnik, 2015)
Containerizing your security functions, comes with several benefits. Cutting down of the cost is the
most obvious. You can reduce the amount of money been spent on multiple (OS) operating systems.
When it comes to performance, a significant increase in speed of services and massive scalability
can be achieved. The average (VM) virtual machine could take several minutes to boot up,
containers can boot up almost immediately. (Blatnik, 2015)
31 Contents

7.0 Problems encountered while writing this dissertation
Unfortunately, the laptop used for this dissertation, packed up and alternative arrangements had to
be made to complete this dissertation. Ubuntu 16.04 LTS with Docker installed, had a lot of bugs,
when it was released in April 2016, that is why Ubuntu 15.04 with docker installed, was used for
the implementation of this dissertation, had limited time to complete the dissertation and could not
afford to fix any bugs in Ubuntu 16.04 LTS.
Note: Ubuntu 16.04.1 LTS, was used for the Local privilege escalation vulnerability in Docker
implementation, this version had corrected earlier bugs found in Ubuntu 16.04.
For those who have been using operating systems which are heavily GUI (Graphical user interface)
driven, Docker is mainly CLI (command line interface) and also a knowledge of the Linux
operating system terminal commands would have to be learnt in order to be successful in executing
the Docker commands in the terminal.
7.1 Conclusion
At the beginning, before writing up this dissertation, the research paper's read and used for this
dissertation, told me that Docker had many advantages, but it was one of these advantages that
caught my attention, Docker worked across all platforms i.e. the image you run on a Linux
platform, could also be run on a Microsoft or Apple Mac platform without the need of extra
software to run it. Also, Docker is free.
The four vulnerability/security tests that were carried out on Docker images and containers are
listed below:-
1. Docker images and Poodle bleed SSL vulnerability.
2. Testing for shellshock in a Docker container.
3. Local privilege escalation vulnerability in Docker.
4. Host to container contamination.
containers.
The implementation/practical results showed that all vulnerabilities/security flaws mentioned above
have been either patched or updated.
This dissertation tells us that, Docker lives up to the reputation that the Linux community have
and are known for, which is, when a vulnerability or security flaw is found or discovered within
their software, a patch or update is released to Linux community and the world at large
immediately.
Docker is a good tool to use for your virtualization needs, it’s lightweight, does not use up the
host’s resources and works across various platforms (Operating systems), example, Linux
(all distros), Apple Mac OS and Microsoft windows. Security was always going to be the main
concern in regards to Docker, once the big corporate companies, small businesses, government
32 Contents

establishments and individuals started to use it to move sensitive data among each other.
Docker’s security cannot be established that easily, it is only when Docker’s security has been
breached or a vulnerability has been discovered within Docker, then, it is how Docker will function
during these times and after the patches have been applied to fix the security breach or vulnerability.
Note: No software is 100% secure, any software will only know how effective it’s security is, once it
has been breached.
The best way to protect yourself, when using Docker images, is to build your own image, with
Dockerfile, which is just a text file that contains a series of commands. This prevents the user from
having to download an image from a source and later finding out that the downloaded image
contains malware or a virus. Note: See Appendix 3: How to use Docker commands.
“Magnifying the importance of any vulnerabilities present in the kernel, is due to the kernel been
shared among the host and all containers. The situation is much better in virtual machines (VMs).
The attacker has to route an attack through both the hypervisor and the VM kernel, to get access to
the host Kernel.” (Mouat, 2015, p. 6 – 9)
The situation is not much better, because first of all you have been attacked and secondly, it is only
a matter of time before the attacker or attackers will get what they want.
“An attacker who has access to a container, is not supposed to have access to the host and other
containers. Any process that breaks out of a container, will acquire the same privileges on the host,
as it had in the container, this is because users are not namespaced, this means you will be root on
the host, if you were root in the container.” (Mouat, 2015, p. 6 – 10)
Having a stand alone computer, does this mean i have to deny myself the use of or access to my root
account?
The simple solution to both statements from (Mouat, 2015, p. 6 – 9) and (Mouat, 2015, p. 6 – 10) is
too build your own image with the Dockerfile utility, it’s a simple text file that contains a series of
commands/instructions. If the owner is the paranoid type, have a stand alone computer, that is not
connected to any network or the internet.
Any mishap from the owner’s image, during development and after, would only point to the owner
of the image, this brings less confusion on who did what and when.
There were limitations on to what could be done with Docker running in a virtual environment, the
best way around this, was to run docker from the host computer. Note: See Appendix 8: How to run
GUI applications in Docker.
33 Contents

7.2 Future research
What could have been done differently, if more time was given to me, while writing up this
dissertation, is that other vulnerabilities/security flaws that were mentioned in the dissertation, but
due to the limited time period to complete the dissertation, tests on them could not be carried out.
5.4.6 APT attacks on Docker images
5.4.7 Exploits of the Kernel
5.4.8 DOS (Denial of service) attack
5.4.9 Breakouts within a container
5.5.0 Poisoned Docker images
5.5.1 Secrets that have been compromised
Docker is new to the world of virtualization, it was released into the market in 2013, barely 5 years
ago. There is still a lot more that could have been covered in this dissertation on Docker, but time
was too short to cover it more extensively. Further research would be carried out, especially with,
the latest version of Docker installed in Microsoft windows server 2016 (Core), if given the chance.
7.3 Terms of validity of my methodology/approach to the dissertation
The best way to prove beyond doubt that all the vulnerabilities/security flaws that were tested for in
this dissertation, is either to replicate the scenario that led to vulnerability/security flaw or find a
Docker image or Linux kernel that is susceptible to the mentioned vulnerability/security flaws and
run tests, to get your results, which are then compared to the results that have been published in
research journals or renowned database companies (CVE- Common Vulnerabilities and Exposures
or NVD - National Vulnerabilities Database).
This dissertation used a methodology that would practically give you one of two answers, either
there is a vulnerability/security flaw in a Docker image or there is no vulnerability/security flaw in
a Docker image.
34 Contents

References
Anderson, C. (2015). Docker. IEEE SOFTWARE PUBLISHED BY THE IEEE COMPUTER
SOCIETY. 1 (1), p102-105.
Adufu, T. Choi, J. Kim, Y. (2015). Is Container-Based Technology a Winner for High Performance
Scientific Applications? Network Operations and Management Symposium (APNOMS), 2015 17th
Asia-Pacific. 1 (1), p507-510.
Bernstein, D. (2014). Containers and cloud: From LXC to Docker to kubernetes. IEEE CLOUD
COMPUTING. 1 (1), p81-84.
Boettiger, C. (2015). An introduction to Docker for reproducible research, with examples from the
R environment. ACM SIGOPS Operating Systems Review. 1 (1), p71-79.
Bacis, E. Mutti, S. Capelli, S. Paraboschi, S. (2015). DockerPolicyModules: Mandatory Access
Control for Docker Containers. Communications and Network Security (CNS), 2015 IEEE
Conference. 1 (1), p749-750.
Boutaba, R. Chowdhury, N.M.M.K. (2010). A survey of network virtualization. Computer
Networks. 54 (1), 862-876.
Bacis, E. Mutti, S. Capelli, S. Paraboschi, S. (2015). DockerPolicyModules: Mandatory Access
Control for Docker Containers. DIGIP — Universit`a degli Studi di Bergamo, Italy. 1 (1), p1-2.
Bui, T. (2014). Analysis of Docker Security. Aalto University T-110.5291 Seminar on Network
Security. 1 (1), p1-7.
Blatnik, J. (2015) Containerized Security: The Next Evolution of Virtualization? [Online] Available
at: http://www.securityweek.com/containerized-security-next-evolution-virtualization
(Accessed 4th
August 2016)
Cardwell, K. (2014) Building Virtual Pentesting Labs for Advanced Penetration Testing: Build
intricate virtual architecture to practice any penetration testing technique virtually, 1st
ed. USA.
PACKT.
Container Solutions. (2015) DOCKER SECURITY CHEAT SHEET [Online]. Available at:
http://container-solutions.com/ (Accessed 16th
July 2016)
CVE Details, the ultimate security vulnerability datasource. (2016) Vulnerability Details:
CVE-2016-0728 [Online]. Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-
0728 (Accessed 10th
August 2016)
CVE-2014-6271 (8 Metasploit modules) [Online]. Available at: http://www.cvedetails.com/cve-
details.php?t=1&cve_id=CVE-2014-6271 (Accessed 28th
March 2016)
35 Contents

CVE-2014-3566 (1 Metasploit modules) [Online]. Available at: http://www.cvedetails.com/cve-
details.php?t=1&cve_id=CVE-2014-3566 (Accessed 29th
March 2016)
Dua, R Raja, A. R. Kakadia, D. (2014). Virtualization vs Containerization to support PaaS. 2014
IEEE International Conference on Cloud Engineering. 1 (1), p1-5.
Delamore, B. Ko, R. K. L. (2015). A Global, Empirical Analysis of the Shellshock Vulnerability in
Web Applications. 2015 IEEE Trustcom/BigDataSE/ISPA. 1 (1), p1129-1135.
Docker. (2015) What is Docker? [Online]. Available at: https://www.docker.com/
(Accessed 19th
September 2015)
Estrada, Z. J. Stephens, Z. Pham, C. Kalbarczyk, Z. Iyer, R. K. (2014). A Performance Evaluation
of Sequence Alignment Software in Virtualized Environments. 2014 14th
IEEE/ACM International
Symposium on Cluster, Cloud and Grid Computing. 1 (1), p730-737.
Felter, W. Ferreira, A. Rajamony, R. Rubio, J. (2015). An Updated Performance Comparison of
Virtual Machines and Linux Containers. Performance Analysis of Systems and Software (ISPASS),
2015 IEEE International Symposium. 1 (1), p171-172.
Gerlach, W. Tang, W. Keegan, K. Harrison, T. Wilke, A. Bischof, J. D’Souza, M. Devoid, S.
Murphy-Olson, D. Desai, N. Meyer, F. (2014). Skyport – Container-Based Execution Environment
Management for Multi-Cloud Scientific Workflows. 2014 5th
International Workshop on Data-
Intensive Computing in the Clouds. 1 (1), p1-8.
GitHub. (2015) Docker - the open-source application container engine [Online]. Available at:
https://github.com/docker/docker (Accessed 6th
September 2015)
GitHub. (2015) docker-brew-ubuntu-core/vivid/Dockerfile [Online]. Available at:
https://github.com/tianon/docker-brew-ubuntu (Accessed 19th
September 2015)
Hane, O. (2015) Build Your Own PaaS with Docker: Create, modify, and run your own PaaS with
modularized containers using Docker, 1st
ed. USA. PACKT.
Holla, S. (2015) Orchestrating Docker - Manage and deploy Docker services to containerize
applications efficiently, 1st
ed. USA. PACKT.
Hwang, T. Shin, Y. Son, K. Park, H. (2013). Design of a Hypervisor-based Rootkit Detection
Method for Virtualized Systems in Cloud Computing Environments. The 2013 AASRI Winter
International Conference on Engineering and Technology (AASRI-WIET 2013). 1 (1), p27-32.
LIU, D. ZHAO, L. (2014). THE RESEARCH AND IMPLEMENTATION OF CLOUD
COMPUTING PLATFORM BASED ON DOCKER. International Center for Wavelet Analysis and
Its Applications, School of Information and Software Engineering, University of Electronic Science
and Technology of China, Chengdu 611731. 1 (1), p1-4.
36 Contents

Mouat, A. (2015) Docker Security - Using Containers Safely in Production, 1st
ed. USA. O’Reilly
Media, Inc.
Merkel, D. 2014. "Docker: Lightweight Linux containers consistent development and deployment",
Linux journal, September 22, p.77.
Mary, C. A. (2015). Shellshock Attack on Linux Systems – Bash. International Research Journal of
Engineering and Technology (IRJET). 2 (8), p1322-1325.
Merkel, D. 2014. "Containers versus the other type of virtualisation", Linux journal,
September 22, p.81.
Manimaran, S. Kaviya, S. Anitha, S. J. Meiyappan, S. (2015). A Theoretical Analysis of Different
Hacking Techniques in Wireless Networks. International Journal of Computer Science &
Engineering Technology (IJCSET). 6 (9), p575-579.
Matthias, K. Kane, S. P. (2015) Docker: Up and Running, 1st
ed. O’Reilly Media, Inc.
Mattetti, M. Shulman-Peleg, A. Allouche, Y. Corradi, A. Dolev, S. Foschini, L. (2015).
Security hardening of Linux containers and their workloads. Communications and Network Security
(CNS), 2015 IEEE Conference on Cloud Security and Privacy, At Florence, Italy. 1 (1), p1-9.
Perception Point Research Team. (2016) Analysis and Exploitation of a Linux Kernel Vulnerability
(CVE-2016-0728) [Online] Available at: http://perception-point.io/2016/01/14/analysis-and-
exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ (Accessed 4th
August 2016)
Raj, P. Chelladhurai, S. P. Singh, V. (2015) Learning Docker: Optimize the power of Docker to run
your applications quickly and easily, 1st
ed. USA. PACKT.
Seo, K. T. Hwang, H. S. Moon, L. Y. Kwon, O. Y. Kim. B. J. (2014). Performance Comparison
Analysis of Linux Container and Virtual Machine for Building Cloud. Advanced Science and
Technology Letters Vol.66 (Networking and Communication 2014). 66 (1), p105-111.
Sabharwal, N. Wali, P. (2013) Cloud Capacity Management, 1st
ed. Apress.
Scheepers, M. J. (2014). Virtualization and Containerization of Application Infrastructure: A
Comparison. 21st
Twente Student Conference on IT June 23rd
, 2014, Enschede, The Netherlands. 1
(1), p1-7.
Turnbull, J. (2014) The Docker Book, Version: v1.0.7 (8f1618c).
Xavier, G. M. Neves, M. V. De Rose, C. A. F. (2014). A Performance Comparison of Container-
Based Virtualization Systems for MapReduce Clusters. Author manuscript, accepted for
publication in IEEE PDP 2014. Copyright (c) 2014 IEEE. 1 (1), p1-9.
Win, T. Y. Tianfield, H. Mair, Q. (2014). Virtualization Security Combining Mandatory Access
Control and Virtual Machine Introspection. 2014 IEEE/ACM 7th
International Conference on Utility
and Cloud Computing. 1 (1), p1004-1009.
37 Contents

Williams, C. (2016) Docker lets security bug sniffer dogs off the leash at container images: -
Libraries and other code scanned for known programming blunders [Online]. Available at:
http://www.theregister.co.uk/2016/05/10/docker_security_vuln_scanner/ (Accessed 27th
July 2016)
Appendices
Implementation on how to use Docker
Appendix 1: Installing Ubuntu 15.04
Screenshot 1: Ubuntu installation and details screen
Screenshot 2: Setting up root’s password
sudo passwd root command, adds a password to the root account
38 Contents

Screenshot 3: Installing virtualbox guest tools
sudo apt-get install virtualbox-guest-x11 command, installs drivers on Ubuntu 15.04 e.g, drivers for
the sound, network, mouse, keyboard and printer
Screenshot 4: Updating the system
sudo apt-get update command, updates Ubuntu 15.04
Screenshot 5: Checking the version of Ubuntu
lsb_release -a command is used to check the version of Ubuntu installed
39 Contents

Appendix 2: Installing Docker in Ubuntu 15.04
Screenshot 1: Searching the cache for Docker
sudo apt-get cache search docker command, is used to search for the version of docker installed
with Ubuntu by default
Screenshot 2: docker.io is installed
docker.io – Linux container runtime package is installed by default in Ubuntu 15.04
40 Contents

Screenshot 3: Checking the version of Docker installed
sudo apt-get cache policy docker.io command, is used to check the version of Docker installed
Screenshot 4: The version of Docker installed is 1.5.0
Docker version 1.5.0 is installed
Screenshot 5: Installing curl
sudo apt-get install curl command, installs the application curl
41 Contents

Screenshot 6: Using curl to install Docker
The command curl, is used to transfer data to or from a server. (L = location, s = silent and
S = show error) | sudo sh command, allows us to send the output to a sudo shell
Screenshot 7: Using the id command
id command allows us to look at the groups user u0015906 belongs too.
(Note: user u0015906 is not yet a member of the docker group)
Screenshot 8: Adding user u0015906 to the docker group
sudo usermod -a -G docker u0015906 command, allows to modify a users account, user u0015906
is add to the group docker. (-a = append and -G = groups)
Screenshot 9: An alternative command
If a user does not want to reboot the system, he or she can use the command su – u0015906
42 Contents

Screenshot 10: Looking at the groups user u0015906 belongs too
The id command is used to verify that user u0015906 is now a member of the docker group
(Note: user u0015906 is now a member of the docker group)
Screenshot 11: Checking the new version of Docker installed
The docker version command is used to see what version of Docker is installed in Ubuntu 15.04
Appendix 3: How to use Docker commands
Using the terminal command docker search ubuntu to search for all the ubuntu images on the
repository website
43 Contents

Screenshot 1: docker search command
docker search -s 100 ubuntu searches the image with 100 or more stars (-s = displays x amount of
stars, in this example, its 100 stars)
Screenshot 2: docker attach <container ID> and docker start <container ID>
Before a user can use the terminal command docker attach <container ID> the user must first use
the terminal command docker start <container ID>
Screenshot 3: docker pull fedora:latest
docker pull fedora:latest terminal command only downloads the latest image of fedora, instead of
all the images of fedora
Screenshot 4: docker restart <container ID>
docker restart <container ID> terminal command restarts a stopped container
44 Contents

Screenshot 5: docker run -it -v $(pwd):/Ade ubuntu:latest /bin/bash
The above terminal command docker run -it -v $(pwd):/Ade ubuntu:latest /bin/bash maps the folder
/home/u0015906/Downloads on the host to the folder Ade in the container, anything typed or saved
is done in real-time and appears in the host immediately (-v = bind mount a volume and
$(pwd) = is a short form of typing your present working directory, in this case,
/home/u0015906/Downloads)
Screenshot 6: user and group root
The files created belong to the user and group root and not the user and group u0015906
Screenshot 7: sudo chown
The terminal command sudo chown allows us to change the ownership of the files from root to
u0015906, the correct terminal command docker run -it -v $(pwd):/Ade -u 1000:1000
ubuntu:latest /bin/bash would save the file user and group ownership as that of user u0015906
45 Contents

Screenshot 8: Docker hub account
Creating a Docker Hub account
Screenshot 9: Logged into my Docker Hub account
Logged into my Docker Hub account
Screenshot 10: docker login
Using the terminal command docker login to log me into the Docker Hub and store my credentials
for use in future
46 Contents

Screenshot 11: Dockerfile
# Ade Ajasa --> A comment that is not executed with the rest of the command.
FROM ubuntu:15.04 --> The base image will be built on top of the Ubuntu 15.04 base operating
system.
MAINTAINER --> An instruction that tells Docker the author of the image and their email address.
Useful for finding out who the owner of the image is if you need and contact him or her.
RUN --> executes commands on the current image updates to the installed APT repositories,
installation of the nginx package, and creation of the /usr/share/nginx/html/index.html file
containing a text.
EXPOSE --> Tells Docker that an application in this container will use port 80 on the container, you
can not automatically access any service running on port 80 on the container, due to security
reasons, Docker does not open the port automatically.
Screenshot 12: docker build
docker build -t u0015906/ade:project (-t = signifies the new image belongs to u0015906, repository
name is ade, project is the tag and . = Dockerfile is in the local directory )
47 Contents

Build was successful
Screenshot 13: docker images
Showing the new built image
Screenshot 14: docker history
docker history terminal command shows you how the image was created
Screenshot 15: docker run
The terminal command sudo docker run -d -p 80 --name ade u0015906/ade:project nginx -g
"daemon off;" to lunch a container called ade (-d = print container ID and run it in the background,
nginx -g "daemon off;" = nginx is lunched in the foreground to run the web server, -p = it manages
the network ports Docker will exposes at runtime and --name = assigns a name to the container)
The container has successfully lunched
48 Contents

Screenshot 17: docker ps -l
docker ps -l terminal command shows us that port 32774 is mapped to the container port of 80 (l =
shows the latest container created)
Screenshot 18: docker port
docker port also shows us port 32774 is mapped to the container port of 80
Screenshot 19: docker push
docker push terminal command uploads the the image u0015906/ade to Docker Hub
49 Contents

Screenshot 20: Image
Confirmation that the image is on Docker Hub
Screenshot 21: Bind
-p 127.0.0.1::80 allows you to bind to a random port on an interface
Screenshot 22: localhost:32768
Typing localhost:32768 in Firefox web browser results in the above message
50 Contents

Screenshot 23: u0015906/ade:project
The screenshot shows the the application nginx was installed in the image (u0015906/ade:project)
Screenshot 24: docker info
The terminal command docker info gives you the information of where images are installed
51 Contents

Screenshot 25: docker inspect
The terminal command docker inspect allows you to get the gateway IP address (172.17.42.1)
which lets other containers view the website from outside
Screenshot 26: Gateway
Gateway IP address (172.17.42.1)
Screenshot 27: mkdir and touch
Made a directory called u0015906 and created a file called u0015906.txt in the directory
52 Contents

Screenshot 28: docker diff
The terminal command docker diff inspects changes to a container
Screenshot 29: docker commit
The terminal command docker commit creates a new image from the changed container
Screenshot 30: u0015906:project2.changed
Screenshot of the new created image (u0015906:project2.changed)
Screenshot 31: docker stats
docker stats terminal command displays the containers resource usage statistics
Container resource usage statistics output
53 Contents

Screenshot 32: docker logs
docker logs terminal command gets logs from the container
Screenshot 33: docker top
docker top terminal command shows the processes running in a container
Screenshot 34: Upgrading docker
Using the terminal command sudo curl -sSL https://get.docker.com | sh The command curl, is used
to transfer data to or from a server. (L = location, s = silent and S = show error) | sh command,
allows us to send the output to a shell
54 Contents

Docker has been upgraded successfully from 1.7.1 to 1.8.3
Appendix 4: Installation of my webpage permanently into a Docker image
Screenshot 1: docker run -it -v $(pwd):/Ade u0015906:project /bin/bash
The above terminal command docker run -it -v $(pwd):/Ade u0015906:project /bin/bash maps the
folder/home/u0015906/Downloads/u0015906 on the host to the folder Ade in the container. (-v =
bind mount a volume and $(pwd) = is a short form of typing your present working directory, in this
case, /home/u0015906/Downloads)
55 Contents

Screenshot 2: cp *.* /var/www/html
cp *.* /var/www/html copies contents from the host computer into the Docker container. Note: The
directories images and styles did not copy over to the container, this is because i forgot to use the -R
switch with the cp command. (-R = copies directories recursively)
Screenshot 3: rm index.nginx-debian.html
Using the terminal command rm to remove the file index.nginx-debian.html from the container
Screenshot 4: mv images /var/www/html and mv style /var/www/html
Using the terminal command mv images /var/www/html and mv style /var/www/html to move
directories from the host computer into the Docker container
56 Contents

The terminal command sudo docker run -d -p 80 --name ade u0015906/static nginx -g
"daemon off;" to lunch a container called staticweb (-d = print container ID and run it in the
background, nginx -g "daemon off;" = nginx is lunched in the foreground to run the web server, -p
= it manages the network ports Docker will exposes at runtime and --name = assigns a name to the
container)
Screenshot 6: docker ps -l
The terminal command docker ps -l displays the container that was created after running the image
we created. (l = listening)
Screenshot 7: localhost:32768
Typing the command localhost:32768 in the web browser, displays my web page
57 Contents

Looking at a different page on my web page
58 Contents

59 Contents

Screenshot 8: docker login
Logging into my Docker account
Screenshot 9: docker push
Uploading the image u0015906/static to the repository
60 Contents

Screenshot 10: Docker hub
A description of how to run the image and container
Appendix 5: Phoronix test suite installed into a Docker image
Screenshot 1: Phoronix folder
Copying the Phoronix folder from the host directory to the container
Running the image with Phoronix installed
61 Contents

Screenshot 2: phoronix-test-suite
Running the terminal command phoronix-test-suite in the container
Screenshot 3: Repository
Uploaded image with Phoronix in my repository
62 Contents

Appendix 6: Installing nmap into a Docker image
Screenshot 1: Dockerfile
Dockerfile for nmap
Screenshot 2: ifconfig
Using ifconfig to get the ip address of the computer
Screenshot 3: u0015906/nmap -v 172.17.42.1
Running nmap from the Docker image u0015906/nmap (-v = print more information)
63 Contents

Screenshot 4: u0015906/nmap -v comptia.org
Running nmap from the Docker image u0015906/nmap
(-v = makes nmap print more information about the scan in progress)
Screenshot 5: Uploaded u0015906/nmap to my Docker hub
u0015906/nmap uploaded to my docker hub
64 Contents

Appendix 7: Running Kali 2.0 Linux and Metasploit in a Docker container
Screenshot 1: Pulling down the Kali Linux image from GitHub
This is a Base image of Kali Linux, all packages are not included in this image
Screenshot 2: The image
Confirmation that the image has been pulled successfully
Screenshot 3: Launching the Kali container
Inside Kali Linux container
Screenshot 4: Fixing an error
Fixing an error within the container
65 Contents

Screenshot 5: Installing metasploit-framework into Kali Linux container
Add metasploit-framework to the container
Screenshot 6: Running Metasploit in a Kali Linux container
It works
66 Contents

Appendix 8: How to run GUI applications in Docker
Note: No matter how much information got from the internet on how to install and run GUI
(Graphical User Interface) applications with Docker, all that information was half baked, to be
brutally honest, it took two weeks to fix the problems encountered when trying to accomplish
the above task. The screenshots below are proof.
This could not be accomplished within VirtualBox i.e. running Ubuntu 15.04 in VirtualBox and then
installing Docker in Ubuntu 15.04, encountered so many errors and came to the conclusion that
this has to be down to the limitations of VirtualBox. The next solution was to install docker on the
host machine running Linux Mint 17.2 Rafaela.
Screenshot 1: Checking if there is any docker images on the host machine
While running the command docker images, i encountered an error
Screenshot 2: The id terminal command
Checking to see if i am a member of the docker group, this enables me to type commands directly
to the terminal without typing sudo before every command i type
Screenshot 3: The id $USER command
Checking my user group ID, this would be needed for my Dockerfile
67 Contents

Screenshot 4: Building the image
Ran into an error while trying to build the image
Screenshot 5: Updating Docker on the host machine
Updating Docker
Screenshot 6: Checking the new update
Using docker version command to see if docker on the host machine has een updated
68 Contents

Screenshot 7: Re-building the image
Re-building the image
Screenshot 8: Re-building the image failed
More errors encountered
69 Contents

Screenshot 9: My Dockerfile for Firefox
The instructions:- FROM Base image is set for subsequent instructions. RUN Execution of
commands and the results are committed. USER setting of my user name for ENTRYPOINT /
CMD / RUN Commands. ENV The environment variable is set.
The screenshot below explains all other commands in the Dockerfile for Firefox. Ran the image
with the command docker run and looked at the user developer
70 Contents

Screenshot 10: Re-building the image again
Success at last
Screenshot 11: Running the image again
Tried to run the image, but another error encountered
71 Contents

An evaluation of Docker’s security

An evaluation of Docker’s security

Recommended

Recommended

More Related Content

Similar to An evaluation of Docker’s security

Similar to An evaluation of Docker’s security (20)

Recently uploaded

Recently uploaded (20)

An evaluation of Docker’s security