Docker Security

Docker Vs Virtual Machines:

No separate OS

Create a Dockerfile mentioning, what all packages/dependencies to be installed and the port to be exposed:

FROM centos
RUN yum install httpd -y
COPY index.html /var/www/html/

CMD [“/usr/sbin/httpd”,” -D”,” FOREGROUND”]
EXPOSE 80

“docker images” to list all images

Running docker image:

docker run -itd -p8080:80 alpine:latest

8080 will be open on host machine to connected with 80 port of docker image

If no port to be opened, no need to use -p

docker ps will list out the running containers

Interactive shell:

docker exec -it (container id) sh

sh is used to get a shell, /bin/bash can also be used.

Docker container in an instance for an docker image

cgorups

A linux Kernal Feature that allows you to limit the access processes and containers can have on CPU/RAM/IOPS and Network

example:

docker run -itd — pids 6-limit 6 alpine

Only 6 pid limitation

Namespaces

Linux feature to isolate container from host:

PID Process Isolation

User ID for user isolation

If any directory of host machine is mounted in container, root user of container can be root on this directory

How to know if you are in docker after compromizing:

cat /proc/self/group, if in docker, it will be mentioned there.

Privilege escalation through volume mount

Docker Socket

Some container requires access to docker.sock to interact with other containers like scanners.

Having access to docker.sock means you are root.

If I am inside a docker container and docker.sock is mounted, I will run another docker images and mount host root to that new container.

Privilege Flag

If a docker is started with privilege flag, it has a lot of capabilities i.e. CAP_SYS_MODULE, it can lead to some Kernal Modules getting loaded

Docker API

Can be abused to launch a docker image which will give a reverse shell

Docker env to get the environment variables

Clair for image scanning, if the image is having apache and mysql, clair will tell the vulnerabilities in apache, mysql and os.

While running a docker container, we can assign a non root user so that user inside a docker container is not root

Docker BenchSecurity can be used for best practices to run docker containers.

Defenses

  1. Seccomp can limit the access to system calls like chown
  2. Root user is very powerful, the power comes from the capabilities, it has.

Using the capabilities option, you can limit some of the capabilities and make root user less capable.

  • AppArmor prevents an application from accessing files it should not access.
  • Capability dropping reduces the damage a compromised privileged process can do

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store