3. What’s the plan?
Initial Introduction to Docker
1st run of Docker
The Docker Components
Playing some more with the Docker
Understanding the Docker building blocks
So, security?
Concluding the journey
4. What is Docker?
Docker is the world’s leading software container platform. Developers use Docker
to eliminate “works on my machine” problems when collaborating on code with
co-workers. Operators use Docker to run and manage apps side-by-side in
isolated containers to get better compute density. Enterprises use Docker to
build agile software delivery pipelines to ship new features faster, more securely
and with confidence for both Linux and Windows Server apps.
(www.docker.com)
5. What is Docker?
Docker allows you to package an application with all
of its dependencies into a standardized unit for
software development.
(www.quru.com)
6. OK, let's start
Connect to Docker Host
Run command:
docker run hello-world
For this presentation I am using CentOS 7.0.1406 with Docker version 1.12.6.
8. Docker Components
Docker Registry – A server distributing Docker Images. Images can be kept
privately or publicly and can be downloaded and uploaded.
The biggest public registry known is Docker Hub.
Docker Images – Read-only templates used to create containers. An image can
contain an operating system, an application, or an operating system with
applications installed and configured.
An image can be created independently or downloaded from public registries.
Docker Container – The active part of the Docker environment. Each container
is created from an image and it can be run, stopped, started, moved, etc.
9. Docker Components
Docker Daemon – The main Docker process on the Docker Host. Listens for
commands from the Docker Client or from a REST API that it publishes.
Docker Client – Docker runs as client-server. The Docker client sends the
docker commands to the Daemon, receives the response data and prints it.
Docker Host – The machine running the Docker Daemon.
10. Docker Commands
docker run [options] image:version [command]
Run a container from an image
"-d": detached mode
"-t": allocate a TTY
"-i": interactive (keep STDIN open)
"--name": set a name for the container.
"-P": publish all ports the image exposes to random host ports.
"-p": publish a specified port. Syntax: <host-interface>:<host-port>:<container-port>
"-v": mount the specified host path as a volume in the container. Syntax:
/host/volume:/container/volume
"--read-only": mount the container's root filesystem as read only.
"--rm": automatically remove the container when it exits.
11. Docker Commands
docker pull image:version
pull an image from the registry
docker exec [options] container-name [command]
execute a command on an active container
docker attach container-name
attach to a running container
12. Docker Commands
docker build
build an image from a Dockerfile
docker push name
push an image to the Registry
docker info
show information about the docker environment
docker inspect name
show detailed information about a container, image or task
14. Playing some more
docker run -d --name nginx1 -h nginx1 -P nginx
docker run -dit --name c1 -h c1 centos /bin/bash
docker run -it --name c2 -h c2 centos /bin/bash
docker run -d -p 33003:80 --name nginx2 -h nginx2 nginx
15. The Docker Building Blocks
UnionFS (Union File System)
File systems that operate by creating layers, making them very lightweight
and fast. Docker uses union file systems to provide the building blocks for
containers
Namespaces
A Linux kernel feature that gives a group of processes its own isolated view
of a system resource (process IDs, network, mounts, users and so on).
Linux Containers (LXC)
Allows running processes separately from each other. Uses namespaces and
cgroups for this.
16. The Docker Building Blocks
cgroups (control groups)
“Linux kernel feature to limit, account for and isolate the resource usage
(CPU, Memory, disk I/O, network, etc.) of a collection of processes.”
(Wikipedia)
18. So, security?
Is a container opaque?
With running containers, from the Docker Host run the command:
ps -ef
As we can see in the result, the Docker Host can see the processes running
within containers.
19. So, security?
Docker Host OS hardening
From the Docker Host run the command:
df -h
This is to demonstrate that unless a partition was created for the Docker data
(/var/lib/docker), this can quickly fill up our HDD and block our access to the
Docker Host.
20. So, security?
Can containers communicate with each
other?
Let's try this with the default environment settings:
docker run -d --name nginx3 -P nginx
docker inspect nginx3 | egrep "Name|IPAddress"
docker run -it --name netest -h netest centos /bin/bash
curl 172.17.0.4:80 (the internal IP address found using the inspect command)
As we can see, by default Docker containers can communicate even without
defining this. This is due to ICC – Inter Container Communication, that is set
by default to “true”.
This is a setting in the Docker Daemon that can be changed to “false”.
21. So, security?
Sharing folders to the container
From the Docker Host, create a container with shared folders:
docker run -it --name shared1 -h shared1 -v /:/hostOS centos /bin/bash
cat /hostOS/etc/shadow
Although the root folder of the Docker Host is shared, we cannot access
sensitive system files such as /etc/shadow. Sensitive business data will still
be accessible.
22. So, security?
Privileged containers
From the Docker Host, connect to a non-privileged container and run:
docker exec -it [container-name] /bin/bash
ls /dev
Now create a privileged container and run the same command:
docker run -it --privileged --name priv1 -h priv1 centos /bin/bash
ls /dev
As we can see, the privileged container can access a lot more hardware than
the non-privileged container.
23. So, security?
Privileged containers
But, is that all?
Let's create a privileged container from the Docker Host with shared folders:
docker run -it --privileged --name privshared1 -h privshared1 -v /:/hostOS centos /bin/bash
cat /hostOS/etc/shadow
As we can see, the privileged container can access the sensitive files.
Note that if developers use containers with the docker socket file
(docker.sock) shared into the container so that they can run docker
commands from within the container, the same command can be run, leading
to privilege escalation on the Docker Host.
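The two experiments above (slide 20 on ICC, slides 22 and 23 on privileged containers, host-root bind mounts and a shared docker.sock) can be turned into a host-side check. The following is an added example, not code from the presentation: it evaluates `docker inspect` and `docker network inspect bridge` records and reports the risky conditions shown on the slides. The sample records at the bottom are constructed to mirror the privshared1 and nginx3 containers, so the checks run without a Docker daemon; `live_audit()` is the hypothetical wrapper that feeds it real output from the docker CLI.

```python
import json
import subprocess

DOCKER_SOCK = "/var/run/docker.sock"

def container_findings(record):
    """Risk findings for one record from `docker inspect <container>`."""
    findings = []
    name = record.get("Name", "?").lstrip("/")
    if record.get("HostConfig", {}).get("Privileged"):
        findings.append(f"{name}: runs --privileged (full /dev access on the host)")
    for mount in record.get("Mounts", []):
        # Named volumes live under /var/lib/docker; only bind mounts expose host paths
        if mount.get("Type", "bind") != "bind":
            continue
        src = mount.get("Source", "")
        if src == "/":
            findings.append(f"{name}: host root bind-mounted at {mount.get('Destination')}")
        elif src == DOCKER_SOCK:
            findings.append(f"{name}: {DOCKER_SOCK} shared (container can control the daemon)")
    return findings

def icc_enabled(bridge_record):
    """True if Inter Container Communication is on for the default bridge (Docker defaults to true)."""
    opts = bridge_record.get("Options", {})
    return opts.get("com.docker.network.bridge.enable_icc", "true").lower() == "true"

def audit(containers, bridge_record):
    """Combine per-container findings with the daemon-level ICC setting."""
    report = [f for c in containers for f in container_findings(c)]
    if icc_enabled(bridge_record):
        report.append("daemon: icc=true, containers on the bridge can reach each other")
    return report

def live_audit():
    """Run the audit against the local daemon (needs the docker CLI and socket access)."""
    def run(*args):
        return subprocess.run(["docker", *args], capture_output=True, text=True, check=True).stdout
    ids = run("ps", "-q").split()
    containers = json.loads(run("inspect", *ids)) if ids else []
    bridge = json.loads(run("network", "inspect", "bridge"))[0]
    return audit(containers, bridge)

# Constructed sample records mirroring the privshared1 and nginx3 containers from the slides
SAMPLE_CONTAINERS = [
    {"Name": "/privshared1", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostOS"}]},
    {"Name": "/nginx3", "HostConfig": {"Privileged": False}, "Mounts": []},
]
SAMPLE_BRIDGE = {"Name": "bridge", "Options": {"com.docker.network.bridge.enable_icc": "true"}}
```

Setting `"icc": false` in the daemon configuration and dropping `--privileged` or the `/` and docker.sock mounts from the run commands makes the corresponding findings disappear.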
24. Conclusions
There are many more settings that could be discussed; we only covered some
of the options.
Docker is a technology that is still in development: it is relatively young but
developing quickly.
It can save companies a lot of money, but can also cause a lot of damage if used
incorrectly.
This is true of most technology.
Humans need to manage technology correctly.
As long as we use it right, it will serve us right.
Be careful with the attach command: it connects you to a running process.
If we have attached, detach with Ctrl+p, Ctrl+q.
Unionfs – first introduced in 1993 but not completed until several years later. Only in 2014 did a version of unionfs become part of the Linux kernel.
Namespaces were first introduced in 2002.
LXC was introduced in 2008.
Cgroups were developed starting in 2006 and added to the Linux kernel in 2008.