Published on June 27, 2017
1. Hands-On Introduction to Docker Security for Docker Newbies
Presented by: Yigal Elefant, DevSecOps IL, Ysquared

2. #WhoAmI
Yigal Elefant
- Technology Enthusiast
- Lead SDLC implementation
- Analyst & Security researcher
- Lecturer
- Guide
- Married + 1

3. What's the plan?
- Initial Introduction to Docker
- 1st run of Docker
- The Docker Components
- Playing some more with Docker
- Understanding the Docker building blocks
- So, security?
- Concluding the journey
4. What is Docker?
"Docker is the world's leading software container platform. Developers use Docker to eliminate 'works on my machine' problems when collaborating on code with co-workers. Operators use Docker to run and manage apps side-by-side in isolated containers to get better compute density. Enterprises use Docker to build agile software delivery pipelines to ship new features faster, more securely and with confidence for both Linux and Windows Server apps." (www.docker.com)

5. What is Docker?
"Docker allows you to package an application with all of its dependencies into a standardized unit for software development." (www.quru.com)
6. OK, let's start
Connect to the Docker Host and run the command:
    docker run hello-world
For this presentation I am using CentOS 7.0.1406 with Docker version 1.12.6.

7. docker run hello-world
8. Docker Components
- Docker Registry: a server distributing Docker Images. Images can be kept privately or publicly and can be downloaded and uploaded. The biggest public registry known is Docker Hub.
- Docker Images: read-only templates used to create containers. An image can contain an operating system, an application, or an operating system with applications installed and configured. An image can be created independently or downloaded from public registries.
- Docker Container: the active part of the Docker environment. Each container is created from an image and it can be run, stopped, started, moved, etc.

9. Docker Components
- Docker Daemon: the main Docker process on the Docker Host. Listens for commands from the Docker Client or from the REST API that it publishes.
- Docker Client: Docker runs as client-server. The Docker client sends the docker commands, receives the data from the Daemon and prints it.
- Docker Host: the machine running the Docker Daemon.
10. Docker Commands
    docker run [options] image:version [command]
Run a container from an image.
- "-d": detached mode
- "-t": TTY
- "-i": interactive
- "--name": set a name for the container.
- "-P": expose the default ports needed for this container.
- "-p": expose specified ports to this container. Syntax: <host-interface>:<host-port>:<container-port>
- "-v": mount the specified volume on the container. Syntax: /host/volume:/container/volume
- "--read-only": mount the container's root filesystem as read only.
- "--rm": automatically remove the container when it exits.

11. Docker Commands
    docker pull image:version
Pull an image from the registry.
    docker exec [options] container-name [command]
Execute a command on an active container.
    docker attach container-name
Attach to a running container.

12. Docker Commands
    docker build
Build an image from a Dockerfile.
    docker push name
Push an image to the Registry.
    docker info
Show information about the Docker environment.
    docker inspect name
Show detailed information about a container, image or task.

13. Docker Commands
    docker rm name
Remove a container.
    docker rmi name
Remove an image.
14. Playing some more
    docker run -d --name nginx1 -h nginx1 -P nginx
    docker run -dit --name c1 -h c1 centos /bin/bash
    docker run -it --name c2 -h c2 centos /bin/bash
    docker run -d -p 33003:80 --name nginx2 -h nginx2 nginx
15. The Docker Building Blocks
- UnionFS (Union File System): file systems that operate by creating layers, making them very lightweight and fast. Docker uses union file systems to provide the building blocks for containers.
- Namespaces: a technology used to organize objects of various kinds in a separate environment.
- Linux Containers (LXC): allows running processes separately from each other. Uses namespaces and cgroups for this.

16. The Docker Building Blocks
- cgroups (control groups): "Linux kernel feature to limit, account for and isolate the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes." (Wikipedia)

17. Docker vs. Virtualization
18. So, security? Is a container opaque?
With running containers, from the Docker Host run the command:
    ps -ef
As we can see in the result, the Docker Host can see the processes running within containers.

19. So, security? Docker Host OS hardening
From the Docker Host run the command:
    df -h
This demonstrates that unless a separate partition was created for the Docker data (/var/lib/docker), container and image data can quickly fill up our HDD and block our access to the Docker Host.
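A scripted version of the df check above, added here as an example and not part of the original slides: it reads `df -P` output and reports whether the Docker data root sits on its own filesystem. It assumes the default data root /var/lib/docker (a host that changed "data-root" in daemon.json must set DOCKER_DATA_ROOT accordingly); the df output in the live call is real, while the test feeds constructed output.

```shell
#!/bin/sh
# Added example (not from the original slides): confirm that the Docker data
# root has its own filesystem, so a container that fills /var/lib/docker
# cannot also fill the host's root partition.

# Assumption: default data root. Override with DOCKER_DATA_ROOT=/path if changed.
DOCKER_DATA_ROOT="${DOCKER_DATA_ROOT:-/var/lib/docker}"

# docker_data_has_own_fs: reads `df -P` output on stdin; exit 0 only if some
# line's "Mounted on" column (field 6, never wrapped with -P) is the data root.
docker_data_has_own_fs() {
    awk -v root="$DOCKER_DATA_ROOT" \
        'NR > 1 && $6 == root { found = 1 } END { exit found ? 0 : 1 }'
}

# check_docker_data_root DF_TEXT: prints an OK/WARN line for the given df -P text.
check_docker_data_root() {
    if printf '%s\n' "$1" | docker_data_has_own_fs; then
        echo "OK: $DOCKER_DATA_ROOT is a separate filesystem"
    else
        echo "WARN: $DOCKER_DATA_ROOT shares a filesystem with its parent; image pulls and container writes can fill it"
    fi
}

# Live check on the Docker Host: run with RUN_LIVE=1 so that sourcing the file elsewhere stays side-effect free.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_docker_data_root "$(df -P)"
fi
```

The WARN branch is the situation the slide describes: /var/lib/docker is just a directory on the root filesystem, so nothing stops the daemon from consuming all of it.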
20. So, security? Can containers communicate with each other?
Let's try this with the default environment settings:
    docker run -d --name nginx3 -P nginx
    docker inspect nginx3 | egrep "Name|IPAddress"
    docker run -it --name netest -h netest centos /bin/bash
    curl 172.17.0.4:80
(The internal IP address is the one found using the inspect command.)
As we can see, by default Docker containers can communicate even without defining this. This is due to ICC (Inter-Container Communication), which is set to "true" by default. It is a setting in the Docker Daemon that can be changed to "false".
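The daemon-side setting the slide refers to, as an added example that is not part of the original slides: the daemon reads /etc/docker/daemon.json, and "icc": false there turns inter-container communication off on the default bridge (containers that must talk to each other then need a user-defined network). The functions below check an existing configuration file for the setting and write a minimal corrected one; the live `docker network inspect` command in the comments reads the effective value from the bridge network. Only the file paths written by the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): verify and set the ICC
# (inter-container communication) switch in the Docker daemon configuration.

DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# icc_disabled FILE: exit 0 if FILE sets "icc": false, 1 otherwise.
# A missing file or missing key means the default (true) applies.
icc_disabled() {
    [ -r "$1" ] || return 1
    # Tolerate whitespace around the colon; no JSON parser is assumed on the host.
    grep -Eq '"icc"[[:space:]]*:[[:space:]]*false' "$1"
}

# write_icc_disabled FILE: write a minimal daemon.json that disables ICC.
# This writes a fresh file; merging into an existing daemon.json with other
# keys is left to the operator.
write_icc_disabled() {
    cat > "$1" <<'EOF'
{
  "icc": false
}
EOF
}

# icc_report FILE: one human-readable line about the configured state.
icc_report() {
    if icc_disabled "$1"; then
        echo "ICC disabled in $1"
    else
        echo "ICC enabled (default): containers on the default bridge can reach each other"
    fi
}

# Live checks on the Docker Host (run with RUN_LIVE=1):
#   the configured value, and the value the running bridge network actually uses.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    icc_report "$DAEMON_JSON"
    docker network inspect bridge --format '{{index .Options "com.docker.network.bridge.enable_icc"}}'
    # After editing daemon.json the daemon must be restarted: systemctl restart docker
fi
```

Re-running the curl from the slide after the restart is the confirmation: with ICC off, netest can no longer reach nginx3 over the default bridge.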
21. So, security? Sharing folders to the container
From the Docker Host, create a container with a shared folder:
    docker run -it --name shared1 -h shared1 -v /:/hostOS centos /bin/bash
    cat /hostOS/etc/shadow
Although the root folder of the Docker Host is shared, we cannot access sensitive system files such as /etc/shadow. Sensitive business data will still be accessible.

22. So, security? Privileged containers
From the Docker Host, connect to a non-privileged container and run:
    docker exec -it [container-name] /bin/bash
    ls /dev
Now create a privileged container and run the same command:
    docker run -it --privileged --name priv1 -h priv1 centos /bin/bash
    ls /dev
As we can see, the privileged container can access a lot more hardware than the non-privileged container.

23. So, security? Privileged containers
But is that all? Let's create a privileged container from the Docker Host with a shared folder:
    docker run -it --privileged --name privshared1 -h privshared1 -v /:/hostOS centos /bin/bash
    cat /hostOS/etc/shadow
As we can see, the privileged container can access the sensitive file. Note that if developers use containers with the Docker socket file (docker.sock) shared into the container so that they can run docker commands from within the container, the same command can be run, leading to privilege escalation on the Docker Host.
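An audit for the two conditions the last three slides demonstrate (a privileged container, and a bind mount of the host's root or of docker.sock), added here as an example that is not part of the original slides. The live collector uses a `docker inspect --format` Go template to emit one line per container; `audit_container` works on those lines, so it can be checked against constructed input without a Docker Host. Container names and mounts in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): flag running containers that
# are privileged or that bind-mount the host root or the Docker socket.
#
# Input line format (as produced by collect_live below):
#   <name> <privileged> <host-path>:<container-path>,<host-path>:<container-path>,...

# Host paths whose exposure to a container amounts to access to the host itself.
# /run/docker.sock is the same socket; /var/run is usually a symlink to /run.
RISKY_SOURCES="/ /var/run/docker.sock /run/docker.sock"

# audit_container NAME PRIVILEGED MOUNTS: prints one line per finding,
# returns 0 when the container is clean and 1 otherwise.
audit_container() {
    name=$1; privileged=$2; mounts=${3:-}
    rc=0
    if [ "$privileged" = "true" ]; then
        echo "$name: FINDING privileged container (all capabilities, full /dev)"
        rc=1
    fi
    # Split the comma-separated mount list into positional parameters,
    # then restore IFS so the inner loop splits RISKY_SOURCES on spaces again.
    old_ifs=$IFS; IFS=','; set -- $mounts; IFS=$old_ifs
    for m in "$@"; do
        src=${m%%:*}
        for risky in $RISKY_SOURCES; do
            if [ "$src" = "$risky" ]; then
                echo "$name: FINDING host path $src mounted at ${m#*:}"
                rc=1
            fi
        done
    done
    return $rc
}

# audit_lines: reads inspect lines on stdin, audits each, prints the count flagged.
audit_lines() {
    flagged=0
    while read -r name priv mounts; do
        [ -n "$name" ] || continue
        audit_container "$name" "$priv" "$mounts" || flagged=$((flagged + 1))
    done
    echo "flagged=$flagged"
}

# collect_live: one line per running container. {{range .Mounts}} walks the
# Mounts array of `docker inspect`; .HostConfig.Privileged is the --privileged flag.
collect_live() {
    docker ps -q | xargs -r docker inspect --format \
        '{{.Name}} {{.HostConfig.Privileged}} {{range .Mounts}}{{.Source}}:{{.Destination}},{{end}}'
}

# Live run on the Docker Host: RUN_LIVE=1 sh audit.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    collect_live | audit_lines
fi
```

Run against the containers from slides 21 to 23, privshared1 produces two findings (privileged, and / mounted at /hostOS) and shared1 one; a developer container that mounts docker.sock is reported even though it is not privileged, which is the point the last slide makes.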
24. Conclusions
There are many more settings that could be discussed; we only covered some of the options. Docker is a technology still in development: it is relatively young but developing quickly. It can save companies a lot of money, but it can also cause a lot of damage if used incorrectly. This is true of most technology. Humans need to manage technology correctly. As long as we use it right, it will serve us right.

25. Thank you!!
Yigal Elefant
DevSecOps IL meetup - https://www.meetup.com/DevSecOps-Israel/
[email protected]