Introducing Docker and demonstrating hands-on some of the security issues related to Docker. This presentation accompanied the demonstrations.

1. Hands-On Introduction to
Docker Security for
Docker Newbies
Presented by:
Yigal Elefant
DevSecOps IL
Ysquared

2. #WhoAmI
 Yigal Elefant
 Technology Enthusiast
 Lead SDLC implementation
 Analyst & Security researcher
 Lecturer Guide
 Married + 1

3. What’s the plan?
 Initial Introduction to Docker
 1st run of Docker
 The Docker Components
 Playing some more with the Docker
 Understanding the Docker building blocks
 So, security?
 Concluding the journey

4. What is Docker?
Docker is the world’s leading software container platform. Developers use Docker
to eliminate “works on my machine” problems when collaborating on code with
co-workers. Operators use Docker to run and manage apps side-by-side in
isolated containers to get better compute density. Enterprises use Docker to
build agile software delivery pipelines to ship new features faster, more securely
and with confidence for both Linux and Windows Server apps.
(www.docker.com)

5. What is Docker?
Docker allows you to package an application with all
of its dependencies into a standardized unit for
software development.
(www.quru.com)

6. OK, lets start
 Connect to Docker Host
 Run command:
docker run hello-world
For this presentation I am using CentOS 7.0.1406 with Docker version 1.12.6.

7. Docker run hello-world

8. Docker Components
 Docker Registry – A server distributing Docker Images. Images can be kept
privately or publicly and can be downloaded and uploaded.
The biggest public registry known is Docker Hub.
 Docker Images – Read-only templates used to create containers. An image can
contain an operating system, an application, an operating system with
applications installed and configured.
An image can be created independently or downloaded from public registries.
 Docker Container – The active part of the Docker environment. Each container
is created from an image and it can be run, stopped, started, moved, etc.

9. Docker Components
 Docker Daemon – The main Docker process on the Docker Host. Listens for
commands from the Docker Client or from a REST API that it publishes.
 Docker Client – Docker runs as client-server. Docker client allows sending the
docker commands, receives the data from the Daemon and prints it.
 Docker Host – The machine running the Docker Daemon.

10. Docker Commands
 docker run [options] image:version [command]
Run a container from an image
 “-d”: detached mode
 “-t”: TTY
 “-i”: interactive
 “--name”: set a name for the container.
 “-P”: Expose the default ports needed for this container.
 “-p”: Expose specified ports to this container. Syntax: <host-interface>:<host-
port>:<container-port>
 “-v”: Mount the specified volume on the container. Syntax:
/host/volume:/container/volume
 “--readonly”: Mount the container's root filesystem as read only.
 “--rm”: Automatically remove the container when it exits.

11. Docker Commands
 docker pull image:version
pull an image from the registry
 docker exec [options] container-name [command]
execute a command on an active container
 docker attach container-name
attach to a running container

12. Docker Commands
 docker build
build an image from a Dockerfile
 docker push name
push an image to the Registry
 docker info
show information about the docker environment
 docker inspect name
show detailed information about containerimagetask

13. Docker Commands
 docker rm name
Remove a container
 docker rmi name
Remove image

14. Playing some more
docker run –d --name nginx1 –h nginx1 –P nginx
docker run –dit --name c1 –h c1 centos /bin/bash
docker run –it --name c2 –h c2 centos /bin/bash
docker run –d –p 33003:80 --name nginx2 –h nginx2 nginx

15. The Docker Building Blocks
 UnionFS (Union File System)
File systems that operate by creating layers, making them very lightweight
and fast. Docker uses union file systems to provide the building blocks for
containers
 Namespaces
A technology used to organize objects of various kinds in a separate
environment.
 Linux Containers (LXC)
Allows running processes separately from each other. Uses namespaces and
cgroups for this.

16. The Docker Building Blocks
 cgroups (control groups)
“Linux kernel feature to limit, account for and isolate the resource usage
(CPU, Memory, disk I/O, network, etc.) of a collection of processes.”
(Wikipedia)

17. Docker VS Virtualization

18. So, security?
 Is a container opaque?
 With running containers, from the Docker Host run the command:
ps –ef
 As we can see in the result, the Docker Host can see the processes running
within containers.

19. So, security?
 Docker Host OS hardening
 From the Docker Host run the command:
df –h
 This is to demonstrate that unless a partition was created for the Docker data
(/var/lib/docker), this can quickly fill up our HDD and block our access to the
Docker Host.

20. So, security?
 Can containers communicate with each
other?
 Lets try this with the default environment settings:
docker run -d --name nginx3 -P nginx
docker inspect nginx3 | egrep “Name|IPAddress”
docker run –it --name netest –h netest centos /bin/bash
curl 172.17.0.4:80 (The internal IP address found using the inspect command)
 As we can see, by default Docker containers can communicate even without
defining this. This is due to ICC – Inter Container Communication, that is set
by default to “true”.
This is a setting in the Docker Daemon that can be changed to “false”.

21. So, security?
 Sharing folders to the container
 From the Docker Host, create a container with shared folders:
docker run –it --name shared1 –h shared1 –v /:/hostOS centos /bin/bash
cat /hostOS/etc/shadow
 Although the root folder of the Docker Host is shared, we cannot access
sensitive system file such as /etc/shadow. Sensitive business data will still be
accessible.

22. So, security?
 Privileged containers
 From the Docker Host to connect to a non-privileged container and run:
docker exec –it [container-name] /bin/bash
ls /dev
 Now to create a privileged container and run the same command:
docker run -it --privileged --name priv1 –h priv1 centos /bin/bash
ls /dev
 As we can see, the privileged container can access a lot more hardware than
the non-privileged container

23. So, security?
 Privileged containers
 But, is that all?
 Lets create a privileged container from the Docker host with shared folders:
docker run -it --privileged --name privshared1 –h privshared1 –v /:/hostOS centos
/bin/bash
cat /hostOS/etc/shadow
 As we can see it is privileged to access sensitive files.
 Note that if developers use containers with the docker socket file
(docker.sock) shared in to the container so that they can run docker
commands from within the container, the same command can be run leading
to privilege escalation on the Docker Host.

24. Conclusions
 There are many more settings that can be discussed, we only discussed some
of the options.
 Docker is a technology that is in development, it is relatively young but
developing quickly.
 Can save companies a lot of money but can also cause a lot of damage if used
incorrectly.
 This is true to most technology.
 Humans need to manage technology correctly.
 As long as we use it right, it will serve us right 

25. Thank you!!
Yigal Elefant
DevSecOps IL meetup - https://www.meetup.com/DevSecOps-Israel/
Yigal@ysqrd.net