What is Docker?
Introduction
A quick history and description of Docker
Docker originated in France and was created by a man called Solomon Hykes. It was first shown to the public in 2013 and released shortly afterwards. It uses its own libcontainer library and is programmed mostly in the Go language; however, containers can be created with many of the current programming languages. In this document I will show the main vulnerabilities associated with the use of Docker Containers. Following that I will describe some ways to remedy the situation and a Super-Container I have created to check the inside of Containers whilst they are still running, to minimise these problems. We will also look at other super-containers for auditing purposes, and at commands which give us snapshots of the current state of parts of the system. Docker is now an extremely popular way of running services on servers. It allows an organisation to run what is in effect a very generic set of servers/hardware and yet be extremely flexible and easily configured for a different role in very little time and from a remote location some distance away. This is a level of flexibility that could only have been dreamt of a while ago. A few years ago a system would require a physical server or piece of hardware for each task. Then virtualisation allowed many virtual servers to be placed on one physical server. However, these needed to be installed and run almost as if they were still physical, and took time to boot up even when the host was already running, thereby only really saving on hardware. Now the detached, agent and firewall services can all be replicated on one general purpose server using Docker Containers. These can be initiated in milliseconds rather than minutes and taken down in the same time if required. The deployment of Docker Containers can be compared to sending an attachment in an email. Using remote system management tools such as Kubernetes and Portainer, not just Containers but whole swarms of containers can be controlled from a distance.
A ready made image can be pulled down from a registry and then run on the host with very few commands in an extremely short time. This has led indirectly to an improvement in security, as organisations can now run more services on less hardware. They can easily afford to run simultaneous hot standby systems with built-in redundancy, and the customer receives a service which is more robust and reliable. The down side to all this is that these small pieces of software have to share the host system's kernel, because they contain only sufficient features to run the service they were intended for. This sharing of the kernel is the weak point: if one container is hacked, then the intruder is not far from having root access to the whole set-up. Another aspect of system security is good management of the system, therefore ways of monitoring and maintaining it will also be assessed.

Equipment
A home computer or laptop with Ubuntu 17.04 will be required to practise these exercises.
Contents
Quick Install Docker On Linux
Follow the instructions below to get up and running with Docker on Linux.
#Quick Install
sudo curl -fsSL get.docker.com -o get-docker.sh
sudo sh get-docker.sh
#Add a user
sudo usermod -aG docker "your-user"
#Check installation
sudo docker run hello-world
#Another good check
sudo docker run -it ubuntu bash
Post Installation
To create the docker group and add your user:

Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated. If testing on a virtual machine, it may be necessary to restart the virtual machine for the changes to take effect. On a desktop Linux environment such as X Windows, log out of your session completely and then log back in. Then check that you can run docker commands without sudo:
$ docker run hello-world
Install a Container
Create an empty directory. Change directories (cd) into the new directory, create a file called Dockerfile, copy-and-paste the following content into that file, and save it. Take note of the comments that explain each statement in your new Dockerfile.
# Use an official Python runtime as a parent image (every Dockerfile must begin with a FROM line)
FROM python:2.7-slim
# Set the working directory to /app
WORKDIR /app
# Copy the current directory contents (app.py and requirements.txt) into the container at /app
ADD . /app
# Install any needed packages specified in requirements.txt
RUN pip install --trusted-host pypi.python.org -r requirements.txt
# Make port 80 available to the world outside this container
EXPOSE 80
# Define environment variable
ENV NAME World
# Run app.py when the container launches
CMD ["python", "app.py"]
Docker Commands
docker attach→ Attach local standard input, output, and error streams to a running container
docker build→ Build an image from a Dockerfile
docker checkpoint→ Manage checkpoints
docker commit→ Create a new image from a container’s changes
docker config→ Manage Docker configs
docker container→ Manage containers
docker cp→ Copy files/folders between a container and the local filesystem
docker create→ Create a new container
docker deploy→ Deploy a new stack or update an existing stack
docker diff→ Inspect changes to files or directories on a container’s filesystem
docker events→ Get real time events from the server
docker exec→ Run a command in a running container
docker export→ Export a container’s filesystem as a tar archive
docker history→ Show the history of an image
docker image→ Manage images
docker images→ List images
docker import→ Import the contents from a tarball to create a filesystem image
docker info→ Display system-wide information
docker inspect→ Return low-level information on Docker objects
docker kill→ Kill one or more running containers
docker load→ Load an image from a tar archive or STDIN
docker login→ Log in to a Docker registry
docker logout→ Log out from a Docker registry
docker logs→ Fetch the logs of a container
docker network→ Manage networks
docker node→ Manage Swarm nodes
docker pause→ Pause all processes within one or more containers
docker plugin→ Manage plugins
docker port→ List port mappings or a specific mapping for the container
docker ps→ List containers
docker pull→ Pull an image or a repository from a registry
docker push→ Push an image or a repository to a registry
docker rename→ Rename a container
docker restart→ Restart one or more containers
docker rm→ Remove one or more containers
docker rmi→ Remove one or more images
docker run→ Run a command in a new container
docker save→ Save one or more images to a tar archive (streamed to STDOUT by default)
docker search→ Search the Docker Hub for images
docker secret→ Manage Docker secrets
docker service→ Manage services
docker stack→ Manage Docker stacks
docker start→ Start one or more stopped containers
docker stats→ Display a live stream of container(s) resource usage statistics
docker stop→ Stop one or more running containers
docker swarm→ Manage Swarm
docker system→ Manage Docker
docker tag→ Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
docker top→ Display the running processes of a container
docker unpause→ Unpause all processes within one or more containers
docker update→ Update configuration of one or more containers
docker version→ Show the Docker version information
docker volume→ Manage volumes
docker wait→ Block until one or more containers stop, then print their exit codes
Latest Updates
If you haven't already, open a terminal and ssh into the machine where you run your manager node. For example, the tutorial uses a machine named manager1. Deploy Redis 3.0.6 to the swarm and configure the swarm with a 10 second update delay:
$ docker service create \
--replicas 3 \
--name redis \
--update-delay 10s \
redis:3.0.6
0u6a4s31ybk7yw2wyvtikmu50
Docker Security
Kernel Namespaces
Namespaces assist in the isolation of containers and stop any processes bleeding into other containers or even the host system. Containers have their own network stack, which means they are in effect their own little operating system with just the minimum processes to run what they need. They do not have access to the interfaces or sockets of other containers unless the host system allows this, in which case they can send packets in the standard formats between each other over their virtual network. Namespaces were introduced in July 2008 with the Linux kernel versions 2.6.15 to 2.6.26. They are a more recent way of delivering what OpenVZ, a slightly older form of virtualisation, provided. Basically the problem is that the host's root user and the Container's root user are too closely connected. Segregating them is achieved by remapping the server's user identification (UID) and group identification (GID) to totally different ranges within the Containers. What we are trying to achieve is masking the visibility of the host's processes, since manipulating them is where the most damage could occur. Therefore what we want is a namespace with very few privileges outside the namespace but with root privileges inside the namespace.
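As an added example (not code from the original page), the following shell script reads a container's uid_map the way the kernel does, so you can check that the UID remapping described above is actually in effect: container root should land on an unprivileged host UID. The daemon.json key, the subuid entry and the two sample maps are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: interpret a Linux user-namespace uid_map so that the UID
# remapping of a container can be verified. Inside a running container the
# map is read with:  cat /proc/self/uid_map
# Each line is:  <first UID inside the namespace> <first UID on the host> <length>
# When the Docker daemon is started with "userns-remap": "default" in
# /etc/docker/daemon.json, the range comes from the dockremap entry in
# /etc/subuid, e.g. "dockremap:100000:65536" (constructed values).

# Constructed sample map, as seen from inside a remapped container.
REMAPPED_MAP='0 100000 65536'
# Constructed sample map from a container started WITHOUT user namespaces:
# the identity mapping, so container root is host root.
IDENTITY_MAP='0 0 4294967295'

# host_uid_for <map-text> <container-uid>
# Prints the host UID the given container UID maps to, or nothing if the
# UID falls outside every range (the kernel then shows it as the overflow
# "nobody" UID).
host_uid_for() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); exit }
    '
}

# root_is_remapped <map-text>
# Succeeds (exit 0) only when container UID 0 maps to a non-zero host UID.
root_is_remapped() {
    host=$(host_uid_for "$1" 0)
    [ -n "$host" ] && [ "$host" -ne 0 ]
}

# Example usage; runs without Docker, on the constructed maps above.
if root_is_remapped "$REMAPPED_MAP"; then
    echo "container root -> host UID $(host_uid_for "$REMAPPED_MAP" 0): remapped"
fi
if ! root_is_remapped "$IDENTITY_MAP"; then
    echo "identity map: container root IS host root"
fi
```

To check a real container, replace the constructed map with the output of `docker exec <container> cat /proc/self/uid_map`.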