SlideShare a Scribd company logo

Docker Container Security

Download as PPTX, PDF
Suraj Khetani
Suraj Khetani

This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host

Technology
1 of 37
DOCKER CONTAINER SECURITY SURAJ KHETANI TWITTER - @R00TREAVER
CONTENTS • What is Docker • Basics of Docker containers • A brief history of containers • Container VS Virtual Machines • Docker Architecture • Building and Running Docker Containers - Demo • Docker Internals • Namespaces • Cgroups • Capabilities • Seccomp • Attacking misconfigurations in Docker - Demo • References
WHAT EVERY DEVELOPER SAYS
WHAT IS DOCKER Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. • Docker is currently the only ecosystem providing the full package: • Image management • Resource Isolation • File System Isolation • Network Isolation • Change Management • Process Management Source: https://medium.com/@yannmjl/what-is-docker-in-simple-english-a24e8136b90b
BASICS OF DOCKER • Docker Engine is a client-server application with these major components: • A CLI client (Docker) • A REST API • A server called the daemon process
A BRIEF HISTORY OF CONTAINERS
A BRIEF HISTORY OF CONTAINERS 1979 Unix V7 •During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root directory of a process and its children to a new location in the filesystem. This advance was the beginning process isolation: segregating file access for each process. Chroot was added to BSD in 1982. 2000 FreeBSD Jails •FreeBSD Jails allows administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration. •Similar Jail was introduced in Linux VServer in 2001. 2004 Solaris Containers •Combines system resource controls and boundary separation provided by zones, which were able to leverage features like snapshots and cloning from ZFS. Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s- chroot-to-docker-2016
A BRIEF HISTORY OF CONTAINERS [CONTD.] 2006 Process Containers • It was designed for limiting, accounting and isolating resource usage (CPU, memory, disk I/O, network) of a collection of processes. It was renamed “Control Groups (cgroups)” a year later and eventually merged to Linux kernel 2.6.24. 2008 Linux Containers • The most complete implementation of Linux container manager. It was implemented using cgroups and Linux namespaces, and it works on a single Linux kernel without requiring any patches. 2013 Docker • Docker used LXC in its initial stages and later replaced that container manager with its own library, libcontainer. But there’s no doubt that Docker separated itself from the pack by offering an entire ecosystem for container management. Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s- chroot-to-docker-2016
CONTAINER VS VIRTUAL MACHINES
CONTAINER VS VIRTUAL MACHINES Source: https://runnable.com/docker/why-use-docker
DOCKER ARCHITECTURE • The Docker client - primary way that many Docker users interact with Docker • The Docker daemon - listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. • Docker registries - A Docker registry stores Docker images. Eg: Docker Hub and Docker Cloud
DOCKER ARCHITECTURE • Docker objects • Images - An image is a read-only template with instructions for creating a Docker container. To build your own image, you create a Dockerfile. • Containers - A container is a runnable instance of an image. • Services - Services allow you to scale containers across multiple Docker daemons, which all work together as a swarm with multiple managers and workers. By default, the service is load-balanced across all worker nodes.
DEMO – CREATING AND RUNNING DOCKER CONTAINERS DEMO 1 - CREATING MY FIRST DOCKER IMAGE DEMO 2 - RUNNING MY FIRST DOCKER CONTAINER
BUILDING AND RUNNING DOCKER CONTAINERS • Create Dockerfile • Build the Docker image – docker build . • Turns Docker image to container – docker run <image-id> • Other ways to run containers: • Pull images from docker repo – docker pull <image-id> • Run the image: docker run <image-id>
DOCKER INTERNALS AND FEATURES • Namespaces • Control Groups • Security • Capability • SELinux • seccomp
NAMESPACES • Network Namespace – when containers are launched, a unique network interface and IP address is created. • docker run -it alpine ip addr show • By changing the namespace to host, the container will share the same network interface and IP address of the host machine • docker run -it --net=host alpine ip addr show • By changing the namespace to the host, the container can also see all other system processes running on the operating system • docker run -it --pid=host alpine ps aux
NAMESPACES • docker run -it alpine ip addr show
NAMESPACES • By changing the namespace to host, the container will share the same network interface and IP address of the host machine • docker run -it -- net=host alpine ip addr show
NAMESPACES • docker run -it alpine ps aux
NAMESPACES • By changing the namespace to the host, the container can also see all other system processes running on the operating system • docker run -it -- pid=host alpine ps aux
CGROUPS • Control the resource utilization and keep a limit on the memory CPUs etc. • docker run -d --name wordpress --memory 100m alpine top • This would allow up to 100mb to the wordpress container • Similarly --cpu-shares can be used to set a cap on cpu resource utilization • docker stats --no-stream to verify the above implemented configuration
CGROUPS • sudo docker run --name unrestricted-mem -d myfirstimage
CGROUPS • Control the resource utilization and keep a limit on the memory CPUs etc. • docker run -d --name restricted-mem --memory 100m myfirstimage • This would allow up to 100mb to the myfirstimage container
SECURITY: CAPABILITIES • Ability of the kernel to break down root privileges is Capability. • CAP_CHOWN – allows root user to make changes to file UIDs and GUIDs • CAP_DAC_OVERRIDE – allows roots user to bypass kernel permission on file read, write and execute • CAP_NET_RAW – used by ping command • Drop capabilities – CAP_NET_RAW • sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
SECURITY: CAPABILITIES • Before Dropping capabilities – CAP_NET_RAW • sudo docker run -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
SECURITY: CAPABILITIES • Drop capabilities – CAP_NET_RAW • sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
SECURITY: SECCOMP • SecComp defines which system calls should and should not be allowed to be executed by a container. • They're defined in a JSON file that is applied when a container starts.
SECURITY: SECCOMP • In this initial step we've defined seccomp permissions to disable allowing containers to run chmod, chown and chown32. • Create json formatted file for defining seccomp policies
SECURITY: SECCOMP Running a container with the seccomp policy
ATTACKING COMMON SECURITY MISCONFIGURATIONS IN DOCKER • Attacking insecure volume mounts • Attacking container capabilities • Attacking unauthenticated docker api
ATTACKING INSECURE VOLUME MOUNTS • Demo
ATTACKING CONTAINER CAPABILITIES • Demo
ATTACKING UNAUTHENTICATED DOCKER API • Demo
DOCKER COMMAND CHEAT SHEET FOR ADMINS AND PENTESTERS • service dockerd start – starts Docker daemon service • docker ps – lists all running containers • docker ps -a – lists all containers that have been stopped, running, created, etc • docker run -name <container-name> -it <image-name>:<tag> /bin/bash – take an interactive tty shell inside a container • docker log -f <container-name> - inspect docker logs • docker inspect <container-name> or <image-name> - • docker history <container-name> - lists changes done on the image • docker network ls • docker build <dir> . • docker login • docker secret ls • docker commit c3f279d17e0a svendowideit/testimage:version3
NEXT TOPICS TO COVER • Container Orchestration platform – Kubernetes and its (In)Security
REFERENCES AND FURTHER READING • Attack demos inspired from Madhu Akulas’ workshop from defcon • https://www.katacoda.com • https://docker.com • http://docker-saigon.github.io/post/Docker-Internals/
Docker Container Security

Recommended

Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
Amit Manwade
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
fazalraja
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
Docker, Inc.
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An Introduction
POSSCON
 

Recommended

Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
Amit Manwade
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
fazalraja
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
Docker, Inc.
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An Introduction
POSSCON
 
Dockerfile
Dockerfile Dockerfile
Dockerfile
Jeffrey Ellin
 
Docker
DockerDocker
Docker
A.K.M. Ahsrafuzzaman
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and Containers
Yajushi Srivastava
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
Docker, Inc.
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
dotCloud
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
Edith Puclla
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with Docker
Ravindu Fernando
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
Peng Xiao
 
Docker introduction for the beginners
Docker introduction for the beginnersDocker introduction for the beginners
Docker introduction for the beginners
Juneyoung Oh
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
Sreenivas Makam
 
Docker.pptx
Docker.pptxDocker.pptx
Docker.pptx
balaji257
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Edureka!
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
DuckDuckGo
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
Docker, Inc.
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
Luong Vo
 
Docker basics
Docker basicsDocker basics
Docker basics
AmanSoni129
 
Docker and Microservice
Docker and MicroserviceDocker and Microservice
Docker and Microservice
Samuel Chow
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 

More Related Content

What's hot

Dockerfile
Dockerfile Dockerfile
Dockerfile
Jeffrey Ellin
 
Docker
DockerDocker
Docker
A.K.M. Ahsrafuzzaman
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and Containers
Yajushi Srivastava
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
Docker, Inc.
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
dotCloud
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
Edith Puclla
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with Docker
Ravindu Fernando
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
Peng Xiao
 
Docker introduction for the beginners
Docker introduction for the beginnersDocker introduction for the beginners
Docker introduction for the beginners
Juneyoung Oh
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
Sreenivas Makam
 
Docker.pptx
Docker.pptxDocker.pptx
Docker.pptx
balaji257
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Edureka!
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
DuckDuckGo
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
Docker, Inc.
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
Luong Vo
 
Docker basics
Docker basicsDocker basics
Docker basics
AmanSoni129
 

What's hot (20)

Dockerfile
Dockerfile Dockerfile
Dockerfile
 
Docker
DockerDocker
Docker
 
Docker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and ContainersDocker 101 : Introduction to Docker and Containers
Docker 101 : Introduction to Docker and Containers
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
 
Container Security
Container SecurityContainer Security
Container Security
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with Docker
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Docker introduction for the beginners
Docker introduction for the beginnersDocker introduction for the beginners
Docker introduction for the beginners
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
Docker.pptx
Docker.pptxDocker.pptx
Docker.pptx
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Docker basics
Docker basicsDocker basics
Docker basics
 

Similar to Docker Container Security

Docker and Microservice
Docker and MicroserviceDocker and Microservice
Docker and Microservice
Samuel Chow
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
abhishek chawla
 
Intro docker and demo monitor on docker
Intro docker and demo monitor on dockerIntro docker and demo monitor on docker
Intro docker and demo monitor on docker
Watcharin Yang-Ngam
 
Developer workflow with docker
Developer workflow with dockerDeveloper workflow with docker
Developer workflow with docker
Wyn B. Van Devanter
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
Frank Munz
 
Everything you need to know about Docker
Everything you need to know about DockerEverything you need to know about Docker
Everything you need to know about Docker
Alican Akkuş
 
IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and Docker
David Currie
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
Jason Hu
 
Docker
DockerDocker
Docker
Abhishek Tomar
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM France Lab
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
Docker, Inc.
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Docker - the what why and hows
Docker - the what why and howsDocker - the what why and hows
Docker - the what why and hows
Souvik Maji
 
Using Docker with OpenStack - Hands On!
Using Docker with OpenStack - Hands On! Using Docker with OpenStack - Hands On!
Using Docker with OpenStack - Hands On!
Adrian Otto
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
Rajesh Kolla
 

Similar to Docker Container Security (20)

Docker and Microservice
Docker and MicroserviceDocker and Microservice
Docker and Microservice
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
 
Intro docker and demo monitor on docker
Intro docker and demo monitor on dockerIntro docker and demo monitor on docker
Intro docker and demo monitor on docker
 
Developer workflow with docker
Developer workflow with dockerDeveloper workflow with docker
Developer workflow with docker
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
 
Everything you need to know about Docker
Everything you need to know about DockerEverything you need to know about Docker
Everything you need to know about Docker
 
IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and Docker
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
 
Docker
DockerDocker
Docker
 
Containers 101
Containers 101Containers 101
Containers 101
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
 
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Docker - the what why and hows
Docker - the what why and howsDocker - the what why and hows
Docker - the what why and hows
 
Using Docker with OpenStack - Hands On!
Using Docker with OpenStack - Hands On! Using Docker with OpenStack - Hands On!
Using Docker with OpenStack - Hands On!
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 

Docker Container Security

  • 2. CONTENTS • What is Docker • Basics of Docker containers • A brief history of containers • Container VS Virtual Machines • Docker Architecture • Building and Running Docker Containers - Demo • Docker Internals • Namespaces • Cgroups • Capabilities • Seccomp • Attacking misconfigurations in Docker - Demo • References
  • 4. WHAT IS DOCKER Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. • Docker is currently the only ecosystem providing the full package: • Image management • Resource Isolation • File System Isolation • Network Isolation • Change Management • Process Management Source: https://medium.com/@yannmjl/what-is-docker-in-simple-english-a24e8136b90b
  • 5. BASICS OF DOCKER • Docker Engine is a client-server application with these major components: • A CLI client (Docker) • A REST API • A server called the daemon process
  • 6. A BRIEF HISTORY OF CONTAINERS
  • 7. A BRIEF HISTORY OF CONTAINERS 1979 Unix V7 •During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root directory of a process and its children to a new location in the filesystem. This advance was the beginning process isolation: segregating file access for each process. Chroot was added to BSD in 1982. 2000 FreeBSD Jails •FreeBSD Jails allows administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration. •Similar Jail was introduced in Linux VServer in 2001. 2004 Solaris Containers •Combines system resource controls and boundary separation provided by zones, which were able to leverage features like snapshots and cloning from ZFS. Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s- chroot-to-docker-2016
  • 8. A BRIEF HISTORY OF CONTAINERS [CONTD.] 2006 Process Containers • It was designed for limiting, accounting and isolating resource usage (CPU, memory, disk I/O, network) of a collection of processes. It was renamed “Control Groups (cgroups)” a year later and eventually merged to Linux kernel 2.6.24. 2008 Linux Containers • The most complete implementation of Linux container manager. It was implemented using cgroups and Linux namespaces, and it works on a single Linux kernel without requiring any patches. 2013 Docker • Docker used LXC in its initial stages and later replaced that container manager with its own library, libcontainer. But there’s no doubt that Docker separated itself from the pack by offering an entire ecosystem for container management. Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s- chroot-to-docker-2016
  • 10. CONTAINER VS VIRTUAL MACHINES Source: https://runnable.com/docker/why-use-docker
  • 11. DOCKER ARCHITECTURE • The Docker client - primary way that many Docker users interact with Docker • The Docker daemon - listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. • Docker registries - A Docker registry stores Docker images. Eg: Docker Hub and Docker Cloud
  • 12. DOCKER ARCHITECTURE • Docker objects • Images - An image is a read-only template with instructions for creating a Docker container. To build your own image, you create a Dockerfile. • Containers - A container is a runnable instance of an image. • Services - Services allow you to scale containers across multiple Docker daemons, which all work together as a swarm with multiple managers and workers. By default, the service is load-balanced across all worker nodes.
  • 13. DEMO – CREATING AND RUNNING DOCKER CONTAINERS DEMO 1 - CREATING MY FIRST DOCKER IMAGE DEMO 2 - RUNNING MY FIRST DOCKER CONTAINER
  • 14. BUILDING AND RUNNING DOCKER CONTAINERS • Create Dockerfile • Build the Docker image – docker build . • Turns Docker image to container – docker run <image-id> • Other ways to run containers: • Pull images from docker repo – docker pull <image-id> • Run the image: docker run <image-id>
  • 15. DOCKER INTERNALS AND FEATURES • Namespaces • Control Groups • Security • Capability • SELinux • seccomp
  • 16. NAMESPACES • Network Namespace – when containers are launched, a unique network interface and IP address is created. • docker run -it alpine ip addr show • By changing the namespace to host, the container will share the same network interface and IP address of the host machine • docker run -it --net=host alpine ip addr show • By changing the namespace to the host, the container can also see all other system processes running on the operating system • docker run -it --pid=host alpine ps aux
  • 17. NAMESPACES • docker run -it alpine ip addr show
  • 18. NAMESPACES • By changing the namespace to host, the container will share the same network interface and IP address of the host machine • docker run -it -- net=host alpine ip addr show
  • 19. NAMESPACES • docker run -it alpine ps aux
  • 20. NAMESPACES • By changing the namespace to the host, the container can also see all other system processes running on the operating system • docker run -it -- pid=host alpine ps aux
  • 21. CGROUPS • Control the resource utilization and keep a limit on the memory CPUs etc. • docker run -d --name wordpress --memory 100m alpine top • This would allow up to 100mb to the wordpress container • Similarly --cpu-shares can be used to set a cap on cpu resource utilization • docker stats --no-stream to verify the above implemented configuration
  • 22. CGROUPS • sudo docker run --name unrestricted-mem -d myfirstimage
  • 23. CGROUPS • Control the resource utilization and keep a limit on the memory CPUs etc. • docker run -d --name restricted-mem --memory 100m myfirstimage • This would allow up to 100mb to the myfirstimage container
  • 24. SECURITY: CAPABILITIES • Ability of the kernel to break down root privileges is Capability. • CAP_CHOWN – allows root user to make changes to file UIDs and GUIDs • CAP_DAC_OVERRIDE – allows roots user to bypass kernel permission on file read, write and execute • CAP_NET_RAW – used by ping command • Drop capabilities – CAP_NET_RAW • sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
  • 25. SECURITY: CAPABILITIES • Before Dropping capabilities – CAP_NET_RAW • sudo docker run -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
  • 26. SECURITY: CAPABILITIES • Drop capabilities – CAP_NET_RAW • sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e • sudo docker exec -it <container-id> sh
  • 27. SECURITY: SECCOMP • SecComp defines which system calls should and should not be allowed to be executed by a container. • They're defined in a JSON file that is applied when a container starts.
  • 28. SECURITY: SECCOMP • In this initial step we've defined seccomp permissions to disable allowing containers to run chmod, chown and chown32. • Create json formatted file for defining seccomp policies
  • 29. SECURITY: SECCOMP Running a container with the seccomp policy
  • 30. ATTACKING COMMON SECURITY MISCONFIGURATIONS IN DOCKER • Attacking insecure volume mounts • Attacking container capabilities • Attacking unauthenticated docker api
  • 31. ATTACKING INSECURE VOLUME MOUNTS • Demo
  • 34. DOCKER COMMAND CHEAT SHEET FOR ADMINS AND PENTESTERS • service dockerd start – starts Docker daemon service • docker ps – lists all running containers • docker ps -a – lists all containers that have been stopped, running, created, etc • docker run -name <container-name> -it <image-name>:<tag> /bin/bash – take an interactive tty shell inside a container • docker log -f <container-name> - inspect docker logs • docker inspect <container-name> or <image-name> - • docker history <container-name> - lists changes done on the image • docker network ls • docker build <dir> . • docker login • docker secret ls • docker commit c3f279d17e0a svendowideit/testimage:version3
  • 35. NEXT TOPICS TO COVER • Container Orchestration platform – Kubernetes and its (In)Security
  • 36. REFERENCES AND FURTHER READING • Attack demos inspired from Madhu Akulas’ workshop from defcon • https://www.katacoda.com • https://docker.com • http://docker-saigon.github.io/post/Docker-Internals/

Editor's Notes

  1. How many of you have heard this from developers? Quite a lot right? So this is essentially one of the most important challenges that containers solve for us. So using docker you can simply create a compact runtime environment for your application to run without worrying about the dependencies on your host.
  2. The idea of containers is very old. Dating back to 1979. A chroot jail is a way to isolate a process and its children from the rest of the system. The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment.
  3. Process containers in 2006 was designed for limiting, accounting and isolating resource usage. It was renamed Control groups(cgroups)
  4. You can think of a vm as a self contained computer packed in a single file but something needs to be able to run that file. Thats where the hypervisor comes into play. Guest OS. For eg: you want to run 3 applications on an isolation. You will need to spin up 3 Guest OS. The problem here is that each guest os would need min 700MB ram. So 3 applications running in an isolation would require a min of 2.1GB of resources + CPU power + HD space + each resource would need its own set of binaries and libraries for it to run. … A lot of resources wasted. So what docker helps, you is in just having the essential libraries and binaries required to run the application. So you would have around 100-200 MB of a base image, 10 MB of your code and 50MB of RAM Now lets compare that to docker containers – here we have a docker daemon instead of a hypervisor. The docker daemon is a service that runs on the background on your host os and manages everything required to run and interact with docker containers. Next we have our bin/libs just like we do on our VMs. But instead of them being run on a guest os, they get built into special packages called docker images, then the docker daemon runs those images. Then we have the applications that would be run and managed independently by docker daemon. Typically each application and its dependencies get packed into the same docker image and each application is isolated.
  5. ps -ef --forest
  6. -v what it is trying to do is mapping the unix socket of the docker to inside a container. CI/CD pipelines used container pipelines to run jobs. So what they do is rather than giving host access, they perform docker in docker. Which means that they will run your code inside a docker environment which is already running inside a docker
  7. What makes containers possible. What makes it possible to run a process in isolation. And without an overhead of boointng an os. Answwer to that lies in linux kernel which offers us these features that makes it possible to run these processes in isolation and sandboxed environment. File stystem namespace. Each container can have its own OS/filesystem. Each container can have its own network namespace and have its own ip address and interface. Each container can have its own hostname. A new security feature has been added where we can have a user namespace. Earlier if you were a root user inside the container, if you could breakout of the container, you could gain root access on the system but its no more possible because you can map it to a non-root user on the system even if you breakout of the container. So that’s what makes running processes in isolation possible. UnionFS Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.
  8. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
  9. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
  10. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
  11. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
  12. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. These are running in a vm but appear to run in isolation because these are namespaces. What you have inside a container is a list of namespaces or pid for your own process itself and that gets mapped to certain pids on the host system. Inside containers the pids are 1,2,3,4 they are actually mapped to the process on the host There are other namespaces which make it look like running a vm and that’s what isolates one container from another.
  13. Control groups Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers. This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc. Cgroups are also used for monitoring the containers
  14. Control groups Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers. This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc. Cgroups are also used for monitoring the containers
  15. Control groups Now when these processes are run in isolation, and run multiple containers on the same host, there is a possibility that there is a container that has a memory leak for eg: it would affect the rest of the system / containers. This is where cgroups come into play. What control groups allow you to do is control as the name says. Control the resource utilization and keep a limit on the memory CPUs etc. Cgroups are also used for monitoring the containers
  16. This Breaking down of root privileges into granular capabilities allows you to: Remove individual capabilities from the root user account, making it less powerful/dangerous. Add privileges to non-root users at a very granular level. By default, Docker drops all capabilities except those needed, using a whitelist approach. Lets take an example if you want to perform logging of containers. This would require your In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers. So this attack will on abusing such capabilities. One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
  17. This Breaking down of root privileges into granular capabilities allows you to: Remove individual capabilities from the root user account, making it less powerful/dangerous. Add privileges to non-root users at a very granular level. By default, Docker drops all capabilities except those needed, using a whitelist approach. Lets take an example if you want to perform logging of containers. This would require your In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers. So this attack will on abusing such capabilities. One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
  18. This Breaking down of root privileges into granular capabilities allows you to: Remove individual capabilities from the root user account, making it less powerful/dangerous. Add privileges to non-root users at a very granular level. By default, Docker drops all capabilities except those needed, using a whitelist approach. Lets take an example if you want to perform logging of containers. This would require your In each node of your cluster, you should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, they need to have this visibility. These logging tools require additionacl privileges than your normal containers. So this attack will on abusing such capabilities. One such capability is sys_ptrace which allows to trace the host process. Going ahead we assume that we have a shell access on the container. And we will try break out of it.
  19. We assume that we already have a shell inside the container with a web application vulnerability or an insider who administers one of the containers. We assume there is a command injection vulnerability, application used is DVNA by appseco We get a reverse shell We upload docker binary Check if docker.sock exists in /var/run/docker.sock Run another container which is volume mounted on the host ./docker run -i -v /:/host debian:jessie /bin/bash Change the root directory to /host - chroot /host cat /etc/hostname – we see that we can read files from host
  20. We assume that we already have a shell inside the container with a web application vulnerability or an insider who administers one of the containers. We assume that we have access to a container with a web application vulnerability and this container runs in privileged mode with pid of the host shared with the container for debugging purposes by the developer. So if we see ps aux we can see the host system processes and we need to inject our payload on one of the process. But how will we know that which process is of host and container? cat /proc/444/cgroup find /proc/*/cgroup -type f -print -exec cat {} \; | grep docker -B4 We perform process injection in this case because we can view processes on the host as well as have all privileges to do debugging.
  21. Nmap –p2375 If port 2375 is open for you on a network pentest, then there is a high possibility that it is docker daemon service. You can try docker -H 1.1.1.1:2375 ps to run commands on the host