Docker Security
Docker Vs Virtual Machines:
No separate OS
Create a Dockerfile listing the packages/dependencies to install and the port to expose:
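FROM centos
# Install Apache
RUN yum install httpd -y
# Copy the site content into Apache's document root
COPY index.html /var/www/html/
# Run Apache in the foreground so the container keeps running
CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]
# Port the service listens on
EXPOSE 80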
docker images lists all images
Running docker image:
docker run -itd -p8080:80 alpine:latest
Port 8080 is opened on the host machine and mapped to port 80 of the container
If no port needs to be opened, -p can be omitted
docker ps will list out the running containers
Interactive shell:
docker exec -it (container id) sh
sh is used to get a shell; /bin/bash can also be used.
A Docker container is a running instance of a Docker image
cgroups
A Linux kernel feature that lets you limit how much CPU/RAM/IOPS and network processes and containers can use
Example:
docker run -itd --pids-limit 6 alpine
The container is limited to 6 PIDs
Namespaces
Linux feature to isolate a container from the host:
PID namespace for process isolation
User namespace for user ID isolation
If any directory of the host machine is mounted in a container, the container's root user can act as root on that directory
How to know if you are in Docker after compromising a system:
cat /proc/self/cgroup; if you are in Docker, it will be mentioned there.
Privilege escalation through volume mount
Docker Socket
Some containers, such as scanners, require access to docker.sock to interact with other containers.
Having access to docker.sock means you are root.
If I am inside a Docker container and docker.sock is mounted, I will run another Docker image and mount the host root into that new container.
Privileged Flag
If a container is started with the --privileged flag, it has a lot of capabilities, e.g. CAP_SYS_MODULE, which can lead to kernel modules being loaded
Docker API
Can be abused to launch a docker image which will give a reverse shell
Docker env to get the environment variables
Clair is used for image scanning: if the image contains Apache and MySQL, Clair will report the vulnerabilities in Apache, MySQL and the OS.
When running a Docker container, we can assign a non-root user so that the user inside the container is not root
Docker Bench for Security can be used to check best practices for running Docker containers.
Defenses
- AppArmor limits access to files, paths, etc.
- Seccomp can limit access to system calls such as chown
- The root user is very powerful; that power comes from the capabilities it has.
  Using the capabilities option, you can drop some of the capabilities and make the root user less capable.
- Seccomp reduces the chance that a kernel vulnerability will be successfully exploited.
- AppArmor prevents an application from accessing files it should not access.
- Capability dropping reduces the damage a compromised privileged process can do.
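
To check running containers against the risks and defenses listed in these notes, the `docker inspect` JSON can be audited. This is an added example, not part of the original notes; the sample data is constructed, and the function names `audit` and `audit_all` are hypothetical.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.loads("""[
 {"Name": "/scanner", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "PidsLimit": null, "CapDrop": null,
                 "SecurityOpt": ["seccomp=unconfined"]},
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
             {"Source": "/", "Destination": "/host"}]},
 {"Name": "/web", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "PidsLimit": 6, "CapDrop": ["ALL"],
                 "SecurityOpt": ["apparmor=docker-default"]},
  "Mounts": []}
]""")

def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities granted (incl. CAP_SYS_MODULE)")
    for m in container.get("Mounts") or []:
        src = m.get("Source", "")
        if src.endswith("docker.sock"):
            findings.append("docker.sock mounted: container can control the daemon")
        elif src == "/":
            findings.append("host root mounted at " + m.get("Destination", "?"))
    user = (container.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root: assign a non-root user")
    if (host.get("PidsLimit") or 0) <= 0:   # null, 0 and -1 all mean unlimited
        findings.append("no pids limit: set --pids-limit")
    if not host.get("CapDrop"):
        findings.append("no capabilities dropped: use --cap-drop")
    for opt in host.get("SecurityOpt") or []:
        # Older Docker versions write "seccomp:unconfined" with a colon.
        if opt.replace(":", "=") in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append("confinement disabled: " + opt)
    return findings

def audit_all(containers):
    """Map container name to findings, keeping only containers that have any."""
    report = {c.get("Name", "?").lstrip("/"): audit(c) for c in containers}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, *findings, sep="\n  ")
```

To audit a real host, replace SAMPLE with the parsed output of docker inspect for the container IDs shown by docker ps.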