DOCKER CONTAINER
SECURITY
SURAJ KHETANI
TWITTER - @R00TREAVER
CONTENTS
• What is Docker
• Basics of Docker containers
• A brief history of containers
• Container VS Virtual Machines
• Docker Architecture
• Building and Running Docker Containers - Demo
• Docker Internals
• Namespaces
• Cgroups
• Capabilities
• Seccomp
• Attacking misconfigurations in Docker - Demo
• References
WHAT EVERY DEVELOPER SAYS
WHAT IS DOCKER
Docker is a tool designed to make it easier to create, deploy, and run applications
by using containers. Containers let a developer package an application together
with everything it needs, such as libraries and other dependencies, and ship it
as one unit.
• At the time of the cited article, Docker was the one ecosystem bundling the full package:
• Image management
• Resource isolation (cgroups)
• File system isolation (mount namespace and layered images)
• Network isolation (network namespace)
• Change management
• Process management
Source: https://medium.com/@yannmjl/what-is-docker-in-simple-english-a24e8136b90b
BASICS OF DOCKER
• Docker Engine is a client-server application with these major components:
• A CLI client (the docker command)
• A REST API
• A server process called the daemon (dockerd)
• The daemon runs as root and does whatever the API asks of it, so anyone who can reach its Unix socket or TCP port effectively has root on the host. That is the root cause behind the unauthenticated-API attack later in the deck.
A BRIEF HISTORY OF CONTAINERS
1979
Unix V7
•During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root
directory of a process and its children to a new location in the filesystem. This was the beginning
of process isolation: segregating file access per process. chroot was added to BSD in 1982. (chroot alone
is not a security boundary: a root process can escape it.)
2000
FreeBSD Jails
•FreeBSD Jails allows administrators to partition a FreeBSD computer system into several independent,
smaller systems – called “jails” – with the ability to assign an IP address for each system and
configuration.
•A similar mechanism was introduced in Linux-VServer in 2001.
2004
Solaris Containers
•Combines system resource controls and boundary separation provided by zones, which were able to
leverage features like snapshots and cloning from ZFS.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016
A BRIEF HISTORY OF CONTAINERS [CONTD.]
2006
Process Containers
• Process Containers (started at Google) were designed for limiting, accounting and isolating resource usage (CPU, memory,
disk I/O, network) of a collection of processes. They were renamed "Control Groups
(cgroups)" a year later and merged into Linux kernel 2.6.24.
2008
Linux Containers
• LXC was the first complete Linux container manager. It is built on cgroups and Linux namespaces
and runs on an unpatched mainline kernel.
2013
Docker
• Docker used LXC in its initial stages and later replaced that container manager with
its own library, libcontainer. But there’s no doubt that Docker separated itself from
the pack by offering an entire ecosystem for container management.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016
CONTAINER VS VIRTUAL MACHINES
Source: https://runnable.com/docker/why-use-docker
DOCKER ARCHITECTURE
• The Docker client - primary way that many Docker users interact with
Docker
• The Docker daemon - listens for Docker API requests and manages Docker
objects such as images, containers, networks, and volumes.
• Docker registries - A Docker registry stores Docker images, e.g. Docker Hub and Docker Cloud.
DOCKER ARCHITECTURE
• Docker objects
• Images - An image is a read-only template with instructions for creating
a Docker container. To build your own image, you create a Dockerfile.
• Containers - A container is a runnable instance of an image.
• Services - Services allow you to scale containers across multiple Docker
daemons, which all work together as a swarm with multiple managers
and workers. By default, the service is load-balanced across all worker
nodes.
DEMO – CREATING AND RUNNING DOCKER CONTAINERS
DEMO 1 - CREATING MY FIRST DOCKER IMAGE
DEMO 2 - RUNNING MY FIRST DOCKER CONTAINER
BUILDING AND RUNNING DOCKER CONTAINERS
• Write a Dockerfile
• Build the image – docker build -t <name>:<tag> .
• Run a container from the image – docker run <image-id or name:tag>
• Other way to get an image: pull it from a registry – docker pull <image-name>:<tag>
• Run it: docker run <image-name>:<tag>
DOCKER INTERNALS AND FEATURES
• Namespaces
• Control groups
• Security
• Capabilities
• SELinux (mandatory access control; listed here, not covered in this deck)
• seccomp
NAMESPACES
• Network namespace – each container gets its own network stack: its own interfaces,
IP address and routing table, separate from the host's.
• docker run -it alpine ip addr show
• With --net=host the container is placed in the host's network namespace and shares the
host's interfaces and IP address; services the host binds only to localhost become reachable from inside the container.
• docker run -it --net=host alpine ip addr show
• PID namespace – by default the container sees only its own processes. With --pid=host it sees
every process on the host (and, given CAP_SYS_PTRACE, can attach to them).
• docker run -it --pid=host alpine ps aux
NAMESPACES (DEMO OUTPUT)
• docker run -it alpine ip addr show – only the container's own loopback and eth0
• docker run -it --net=host alpine ip addr show – all of the host's interfaces and addresses
• docker run -it alpine ps aux – only the container's own processes
• docker run -it --pid=host alpine ps aux – every process on the host
CGROUPS
• Control groups limit and account resource usage: memory, CPU, block I/O, number of PIDs.
Without limits one container can starve the host and every other container.
• docker run -d --name wordpress --memory 100m alpine top
• This caps the wordpress container at 100 MB of RAM; allocations beyond it get the container OOM-killed instead of the host.
• --cpu-shares is only a relative weight applied under contention; for a hard cap on CPU use --cpus.
• docker stats --no-stream shows the limits actually in effect.
CGROUPS (DEMO)
• sudo docker run --name unrestricted-mem -d myfirstimage – no limit; docker stats reports the host's total RAM as the limit
• docker run -d --name restricted-mem --memory 100m myfirstimage – capped at 100 MB
SECURITY: CAPABILITIES
• Capabilities split the all-or-nothing root privilege into distinct units the kernel checks individually.
Root inside a container gets only the 14 capabilities Docker grants by default unless --cap-add or --privileged widens the set.
• CAP_CHOWN – change file owner UIDs and GIDs
• CAP_DAC_OVERRIDE – bypass discretionary file permission checks (read, write and execute)
• CAP_NET_RAW – open raw and packet sockets; needed by ping, and by tools that sniff or spoof traffic on the container network
• Before dropping capabilities – default set, CAP_NET_RAW present
• sudo docker run -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
• After dropping CAP_NET_RAW
• sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
• Caveat: "ping fails" is not a reliable check. Recent Docker releases set net.ipv4.ping_group_range inside containers,
so ping can fall back to unprivileged ICMP datagram sockets without CAP_NET_RAW. Verify against the CapEff line of
/proc/1/status (or capsh --decode) instead.
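Added example, not from the deck: the check the caveat above calls for. The capability mask in /proc/<pid>/status is a hex bitmask indexed by capability number; this decodes it, compares it with Docker's default set and flags escape-grade capabilities. The three status excerpts are constructed (default, --cap-drop NET_RAW, --privileged); the "dangerous" list is the editor's choice.

```python
import re

# Linux capability names indexed by bit number, as in the kernel's
# include/uapi/linux/capability.h (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities that commonly turn "root in a container" into "root on the host"
# (editor's selection, not the deck's).
DANGEROUS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
             "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT", "BPF"}

# The 14 capabilities Docker grants when no --cap-* / --privileged flag is given.
DOCKER_DEFAULT = {"CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID",
                  "SETUID", "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT",
                  "MKNOD", "AUDIT_WRITE", "SETFCAP"}


def decode_mask(mask: int) -> set:
    """Names of the capabilities whose bit is set in a CapXxx bitmask."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(status_text: str) -> dict:
    """Pull the hex capability masks out of the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def report(status_text: str) -> dict:
    """Summarise the effective set: what is held, what is risky, how it differs from Docker's default."""
    eff = decode_mask(parse_status(status_text).get("CapEff", 0))
    return {
        "effective": sorted(eff),
        "dangerous": sorted(eff & DANGEROUS),
        "added_vs_default": sorted(eff - DOCKER_DEFAULT),
        "dropped_vs_default": sorted(DOCKER_DEFAULT - eff),
        "has_net_raw": "NET_RAW" in eff,
    }


# Constructed excerpts of /proc/1/status as seen inside three containers.
STATUS_DEFAULT = ("Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")
STATUS_NO_NET_RAW = STATUS_DEFAULT.replace("a80425fb", "a80405fb")              # docker run --cap-drop NET_RAW
STATUS_PRIVILEGED = STATUS_DEFAULT.replace("00000000a80425fb", "000001ffffffffff")  # docker run --privileged

if __name__ == "__main__":
    try:
        text = open("/proc/self/status").read()   # run inside the container to see what it really holds
    except OSError:
        text = STATUS_DEFAULT
    print(report(text))
```

Run it inside the container (docker exec -it <id> python3 caps.py) or feed it `cat /proc/1/status` from a shell-only image; the dropped_vs_default entry is what proves --cap-drop took effect.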
SECURITY: SECCOMP
• seccomp (secure computing mode) filters which system calls the processes in a container may invoke.
Docker applies a default profile that blocks around 44 of them (mount, kexec_load, reboot, ...) unless the
container is started with seccomp disabled.
• A custom profile is a JSON file passed at container start with --security-opt seccomp=<file>.
SECURITY: SECCOMP (DEMO)
• The demo profile denies the chmod, chown and chown32 system calls; everything else stays
allowed (a deny-list on top of SCMP_ACT_ALLOW).
• Create the JSON profile, then run the container with it: chmod and chown inside the container
now fail with "Operation not permitted".
• Caveat: a deny-list by syscall name is easy to sidestep. libc reaches the same effect through
fchmod, fchmodat, fchown, lchown and fchownat, so list the whole family, or start from Docker's
default allow-list profile and remove entries from it.
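Added example, not the deck's profile: builds the demo's deny-list profile in Docker's seccomp JSON format, extended to the whole chmod/chown syscall family (an assumption of the editor's), and shows the stronger alternative of removing the same syscalls from an allow-list profile. DEFAULT_LIKE is a constructed stand-in for Docker's default profile, which lists several hundred allowed syscalls.

```python
import json

# Syscall families behind the three names on the slide. Denying only "chmod" is not
# enough: libc may use fchmodat, and the *32 variants exist on i386.
DENY_GROUPS = {
    "chmod": ["chmod", "fchmod", "fchmodat"],
    "chown": ["chown", "chown32", "fchown", "fchown32", "lchown", "lchown32", "fchownat"],
}
ALL_DENIED = {name for family in DENY_GROUPS.values() for name in family}


def deny_list_profile(names=None) -> dict:
    """Allow everything, return EPERM (Docker's default errno for SCMP_ACT_ERRNO) for the listed syscalls."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(names or ALL_DENIED), "action": "SCMP_ACT_ERRNO"}],
    }


def remove_from_allow_list(profile: dict, denied: set) -> dict:
    """Take an allow-list profile (defaultAction SCMP_ACT_ERRNO, like Docker's default) and drop syscalls from it."""
    out = json.loads(json.dumps(profile))          # deep copy; leave the input untouched
    for rule in out.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", []) if n not in denied]
    out["syscalls"] = [r for r in out["syscalls"] if r.get("names")]
    return out


def check_profile(profile: dict, must_deny: set) -> list:
    """Lint a profile; returns the problems found (empty list = every syscall in must_deny is blocked)."""
    problems = []
    default = profile.get("defaultAction")
    if default is None:
        problems.append("missing defaultAction")
    allowed, blocked = set(), set()
    for rule in profile.get("syscalls", []):
        if "names" not in rule or "action" not in rule:
            problems.append(f"malformed rule: {rule}")
            continue
        (allowed if rule["action"] == "SCMP_ACT_ALLOW" else blocked).update(rule["names"])
    for name in sorted(must_deny):
        if name in allowed or (name not in blocked and default == "SCMP_ACT_ALLOW"):
            problems.append(f"{name} is still permitted")
    return problems


def write_profile(path: str, profile: dict) -> None:
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)


# Constructed stand-in for Docker's default profile (the real one allows ~300 syscalls).
DEFAULT_LIKE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "chmod", "fchmodat", "chown", "fchownat", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}

if __name__ == "__main__":
    write_profile("no-chmod-chown.json", deny_list_profile())
    write_profile("default-minus-chmod-chown.json", remove_from_allow_list(DEFAULT_LIKE, ALL_DENIED))
    print(check_profile(deny_list_profile(), ALL_DENIED))   # [] when every family member is blocked
```

Apply it with `docker run --rm --security-opt seccomp=no-chmod-chown.json alpine chmod 600 /etc/passwd`; the chmod should fail with "Operation not permitted". For real use, download Docker's default profile from the moby repository and feed it to remove_from_allow_list instead of DEFAULT_LIKE.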
ATTACKING COMMON SECURITY MISCONFIGURATIONS IN DOCKER
• Attacking insecure volume mounts
• Attacking container capabilities
• Attacking unauthenticated docker api
ATTACKING INSECURE VOLUME MOUNTS
• Demo
ATTACKING CONTAINER CAPABILITIES
• Demo
ATTACKING UNAUTHENTICATED DOCKER
API
• Demo
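Added example, not part of the deck or its demos: an audit that reads `docker inspect` output and flags the misconfigurations the previous slides cover (host network/PID namespaces, missing cgroup memory limit, added capabilities, disabled seccomp, bind mounts of sensitive host paths including docker.sock), plus a probe for a Docker API answering without authentication on tcp/2375. SAMPLE_INSPECT is a constructed, trimmed inspect output; the sensitive-path and capability lists are the editor's assumptions.

```python
import http.client
import json
import sys

# Capabilities whose addition usually makes an escape trivial (editor's list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT", "BPF"}
# Host paths whose bind mount hands over the host (editor's list, not exhaustive).
SENSITIVE_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys", "/dev",
                   "/var/lib/docker", "/var/run/docker.sock", "/run/docker.sock")


def _cap_name(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive(src: str) -> bool:
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_PATHS)


def audit_container(info: dict) -> list:
    """Findings for one element of the JSON array `docker inspect <container>` prints."""
    hc = info.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities, all host devices, seccomp and AppArmor off")
    if hc.get("NetworkMode") == "host":
        findings.append("--net=host: shares the host network namespace (localhost-only host services reachable)")
    if hc.get("PidMode") == "host":
        findings.append("--pid=host: shares the host PID namespace (host processes visible, ptrace-able with SYS_PTRACE)")
    if hc.get("IpcMode") == "host":
        findings.append("--ipc=host: shares host shared-memory segments")
    for cap in hc.get("CapAdd") or []:
        if _cap_name(cap) in DANGEROUS_CAPS:
            findings.append(f"--cap-add {cap}: escape-grade capability")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"--security-opt {opt}: kernel hardening switched off")
    for m in info.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and _is_sensitive(src):
            mode = "rw" if m.get("RW", True) else "ro"
            # A read-only mount of the socket still allows full API access: connect() is not a write.
            note = " (read-only does not stop API calls over the socket)" if src.endswith("docker.sock") else ""
            findings.append(f"bind mount {src} -> {m.get('Destination')} ({mode}){note}")
    if not hc.get("Memory"):
        findings.append("no --memory limit: container can exhaust host RAM (cgroup unlimited)")
    return findings


def audit_inspect_output(text: str) -> dict:
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {c.get("Name", "?"): audit_container(c) for c in json.loads(text)}


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0):
    """Daemon version if GET /version answers without authentication, else None.
    Not exercised by the tests; point it only at a lab host you own."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read()).get("Version")
    except (OSError, ValueError):
        return None


# Constructed, trimmed `docker inspect` output: one hardened container, one carrying
# the misconfigurations demonstrated in the deck.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/hardened",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
                    "CapAdd": None, "CapDrop": ["NET_RAW"], "SecurityOpt": None, "Memory": 104857600},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/app/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/exposed",
     "HostConfig": {"Privileged": False, "NetworkMode": "host", "PidMode": "host", "IpcMode": "private",
                    "CapAdd": ["SYS_ADMIN", "NET_RAW"], "CapDrop": None,
                    "SecurityOpt": ["seccomp=unconfined"], "Memory": 0},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
                {"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": False}]},
])

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Usage on a host: `docker inspect $(docker ps -q) | python3 audit.py`. Every finding it prints is one of the attack paths above: a writable bind mount of / or of docker.sock means root on the host, and the API probe succeeding means the same from across the network.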
DOCKER COMMAND CHEAT SHEET FOR ADMINS AND PENTESTERS
• service docker start (or systemctl start docker) – starts the Docker daemon (the binary is dockerd; the service is named docker)
• docker ps – lists running containers
• docker ps -a – lists all containers: running, stopped, created, etc.
• docker run --name <container-name> -it <image-name>:<tag> /bin/bash – starts a container with an interactive TTY shell
• docker exec -it <container-name> sh – opens a shell inside an already running container
• docker logs -f <container-name> – follows the container's stdout/stderr log
• docker inspect <container-name or image-name> – dumps the full JSON configuration: mounts, capabilities, network and PID mode, privileged flag, environment variables (often holding secrets)
• docker history <image-name> – lists the layers and build commands of an image (secrets passed through ARG/ENV or copied files show up here)
• docker network ls – lists networks (bridge, host, none, user-defined)
• docker build -t <name>:<tag> <dir> – builds an image from the Dockerfile in <dir>
• docker login – authenticates to a registry; stores the credentials (base64, unless a credential helper is configured) in ~/.docker/config.json
• docker secret ls – lists swarm secrets (swarm mode only)
• docker commit c3f279d17e0a svendowideit/testimage:version3 – snapshots a running container into a new image
NEXT TOPICS TO COVER
• Container Orchestration platform – Kubernetes and its
(In)Security
REFERENCES AND FURTHER READING
• Attack demos inspired by Madhu Akula's workshop at DEF CON
• https://www.katacoda.com
• https://docker.com
• http://docker-saigon.github.io/post/Docker-Internals/
Docker Container Security
Ad

More Related Content

What's hot (20)

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker
DockerDocker
Docker
A.K.M. Ahsrafuzzaman
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Kubernetes
KubernetesKubernetes
Kubernetes
erialc_w
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and image
ejlp12
 
Dockerfile
Dockerfile Dockerfile
Dockerfile
Jeffrey Ellin
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
fazalraja
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerization
Balint Pato
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
Krishna-Kumar
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
Ansible
AnsibleAnsible
Ansible
Rahul Bajaj
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Kubernetes
KubernetesKubernetes
Kubernetes
erialc_w
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and image
ejlp12
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
fazalraja
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerization
Balint Pato
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
Krishna-Kumar
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 

Similar to Docker Container Security (20)

Docker Devops document for short summary
Docker Devops document for short  summaryDocker Devops document for short  summary
Docker Devops document for short summary
AdiB912552
 
Docker: Introduction to Container Moduls
Docker: Introduction to Container ModulsDocker: Introduction to Container Moduls
Docker: Introduction to Container Moduls
OpikTaufiq1
 
Docker and Microservice
Docker and MicroserviceDocker and Microservice
Docker and Microservice
Samuel Chow
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
abhishek chawla
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with Docker
Ravindu Fernando
 
Intro docker and demo monitor on docker
Intro docker and demo monitor on dockerIntro docker and demo monitor on docker
Intro docker and demo monitor on docker
Watcharin Yang-Ngam
 
Developer workflow with docker
Developer workflow with dockerDeveloper workflow with docker
Developer workflow with docker
Wyn B. Van Devanter
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
Frank Munz
 
Everything you need to know about Docker
Everything you need to know about DockerEverything you need to know about Docker
Everything you need to know about Docker
Alican Akkuş
 
Getting Started With Docker: Simplifying DevOps
Getting Started With Docker: Simplifying DevOpsGetting Started With Docker: Simplifying DevOps
Getting Started With Docker: Simplifying DevOps
demoNguyen
 
IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and Docker
David Currie
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
Jason Hu
 
Docker
DockerDocker
Docker
Abhishek Tomar
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM France Lab
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
Docker, Inc.
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Docker Devops document for short summary
Docker Devops document for short  summaryDocker Devops document for short  summary
Docker Devops document for short summary
AdiB912552
 
Docker: Introduction to Container Moduls
Docker: Introduction to Container ModulsDocker: Introduction to Container Moduls
Docker: Introduction to Container Moduls
OpikTaufiq1
 
Docker and Microservice
Docker and MicroserviceDocker and Microservice
Docker and Microservice
Samuel Chow
 
Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
Ramit Surana
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
abhishek chawla
 
Getting started with Docker
Getting started with DockerGetting started with Docker
Getting started with Docker
Ravindu Fernando
 
Intro docker and demo monitor on docker
Intro docker and demo monitor on dockerIntro docker and demo monitor on docker
Intro docker and demo monitor on docker
Watcharin Yang-Ngam
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
Frank Munz
 
Everything you need to know about Docker
Everything you need to know about DockerEverything you need to know about Docker
Everything you need to know about Docker
Alican Akkuş
 
Getting Started With Docker: Simplifying DevOps
Getting Started With Docker: Simplifying DevOpsGetting Started With Docker: Simplifying DevOps
Getting Started With Docker: Simplifying DevOps
demoNguyen
 
IBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and DockerIBM WebSphere Application Server traditional and Docker
IBM WebSphere Application Server traditional and Docker
David Currie
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
Jason Hu
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM Bluemix Paris Meetup #14 - Le Village by CA - 20160413 - Introduction à D...
IBM France Lab
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
Docker, Inc.
 
Ad

Recently uploaded (20)

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Ad

Docker Container Security

7. A BRIEF HISTORY OF CONTAINERS
1979: Unix V7
• During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root directory of a process and its children to a new location in the filesystem. This advance was the beginning of process isolation: segregating file access for each process. Chroot was added to BSD in 1982.
2000: FreeBSD Jails
• FreeBSD Jails allows administrators to partition a FreeBSD computer system into several independent, smaller systems – called “jails” – with the ability to assign an IP address for each system and configuration.
• A similar jail was introduced in Linux VServer in 2001.
2004: Solaris Containers
• Combines system resource controls and boundary separation provided by zones, which were able to leverage features like snapshots and cloning from ZFS.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016
8. A BRIEF HISTORY OF CONTAINERS [CONTD.]
2006: Process Containers
• Designed for limiting, accounting and isolating the resource usage (CPU, memory, disk I/O, network) of a collection of processes. It was renamed “Control Groups (cgroups)” a year later and eventually merged into Linux kernel 2.6.24.
2008: Linux Containers (LXC)
• The most complete implementation of a Linux container manager. It was implemented using cgroups and Linux namespaces, and it works on a single Linux kernel without requiring any patches.
2013: Docker
• Docker used LXC in its initial stages and later replaced that container manager with its own library, libcontainer. But there’s no doubt that Docker separated itself from the pack by offering an entire ecosystem for container management.
Source: https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016
10. CONTAINER VS VIRTUAL MACHINES
Source: https://runnable.com/docker/why-use-docker
11. DOCKER ARCHITECTURE
• The Docker client – the primary way that many Docker users interact with Docker.
• The Docker daemon – listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes.
• Docker registries – a Docker registry stores Docker images, e.g. Docker Hub and Docker Cloud.
12. DOCKER ARCHITECTURE
• Docker objects
• Images – an image is a read-only template with instructions for creating a Docker container. To build your own image, you create a Dockerfile.
• Containers – a container is a runnable instance of an image.
• Services – services allow you to scale containers across multiple Docker daemons, which all work together as a swarm with multiple managers and workers. By default, the service is load-balanced across all worker nodes.
13. DEMO – CREATING AND RUNNING DOCKER CONTAINERS
• Demo 1 – Creating my first Docker image
• Demo 2 – Running my first Docker container
14. BUILDING AND RUNNING DOCKER CONTAINERS
• Create a Dockerfile
• Build the Docker image – docker build .
• Run a container from the image – docker run <image-id>
• Other ways to run containers:
• Pull an image from a Docker registry – docker pull <image-name>:<tag>
• Run the image – docker run <image-name>:<tag>
15. DOCKER INTERNALS AND FEATURES
• Namespaces
• Control Groups
• Security
• Capabilities
• SELinux
• seccomp
16. NAMESPACES
• Network namespace – when a container is launched, a unique network interface and IP address is created for it.
• docker run -it alpine ip addr show
• By changing the network namespace to the host's, the container shares the same network interface and IP address as the host machine:
• docker run -it --net=host alpine ip addr show
• By changing the PID namespace to the host's, the container can also see all other processes running on the host operating system:
• docker run -it --pid=host alpine ps aux
17. NAMESPACES
• docker run -it alpine ip addr show
18. NAMESPACES
• By changing the network namespace to the host's, the container shares the same network interface and IP address as the host machine
• docker run -it --net=host alpine ip addr show
19. NAMESPACES
• docker run -it alpine ps aux
20. NAMESPACES
• By changing the PID namespace to the host's, the container can also see all other processes running on the host operating system
• docker run -it --pid=host alpine ps aux
21. CGROUPS
• Control resource utilization and keep a limit on memory, CPU, etc.
• docker run -d --name wordpress --memory 100m alpine top
• This allows the wordpress container to use up to 100 MB of memory
• Similarly, --cpu-shares can be used to control CPU resource utilization
• docker stats --no-stream verifies the limits configured above
22. CGROUPS
• sudo docker run --name unrestricted-mem -d myfirstimage
23. CGROUPS
• Control resource utilization and keep a limit on memory, CPU, etc.
• docker run -d --name restricted-mem --memory 100m myfirstimage
• This allows the restricted-mem container (built from myfirstimage) to use up to 100 MB of memory
24. SECURITY: CAPABILITIES
• Capabilities are the kernel's way of breaking root privileges down into distinct units.
• CAP_CHOWN – allows the root user to change file UIDs and GIDs
• CAP_DAC_OVERRIDE – allows the root user to bypass kernel permission checks on file read, write and execute
• CAP_NET_RAW – used by the ping command
• Drop capabilities – CAP_NET_RAW
• sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
25. SECURITY: CAPABILITIES
• Before dropping capabilities – CAP_NET_RAW
• sudo docker run -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
26. SECURITY: CAPABILITIES
• Drop capabilities – CAP_NET_RAW
• sudo docker run --cap-drop NET_RAW -d -it ab0d83586b6e
• sudo docker exec -it <container-id> sh
27. SECURITY: SECCOMP
• Seccomp defines which system calls a container is, and is not, allowed to execute.
• The rules are defined in a JSON profile that is applied when the container starts.
28. SECURITY: SECCOMP
• In this initial step we define a seccomp profile that stops containers from calling chmod, chown and chown32.
• Create a JSON-formatted file defining the seccomp policy
29. SECURITY: SECCOMP
• Running a container with the seccomp policy
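As an added example (not the deck's own profile file), the profile construction described above in Python: it emits the deny-list profile the slides use (chmod, chown and chown32 return an error on top of a default allow), the stricter allow-list form that Docker's shipped default profile uses, and a `decide()` check that tells you what a profile does with a given syscall before you ship it with `--security-opt seccomp=<file>`. The allow-list contents are a constructed sample, not Docker's real default profile.

```python
"""Build and evaluate Docker seccomp profiles (added example, not the deck's code)."""
import json

# Syscalls the slides block; constructed list, extend as needed.
BLOCKED = ["chmod", "chown", "chown32"]


def deny_list_profile(blocked=BLOCKED):
    """Default allow, explicit SCMP_ACT_ERRNO for each blocked syscall.
    This is the shape of the chmod/chown profile described in the slides."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": [name], "action": "SCMP_ACT_ERRNO"} for name in blocked],
    }


def allow_list_profile(allowed, blocked=BLOCKED):
    """Default deny, allow only `allowed` minus `blocked`.
    Docker's shipped default profile is built this way, so anything it
    does not name (ptrace, mount, ...) fails with EPERM."""
    names = sorted(set(allowed) - set(blocked))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def decide(profile, syscall):
    """Return the action a profile applies to `syscall`.
    The first rule naming the syscall decides; otherwise defaultAction.
    Accepts both the older "name" (string) and current "names" (list) keys;
    per-argument filters ("args") are not evaluated here."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]
        if syscall in names:
            return rule["action"]
    return profile["defaultAction"]


def write_profile(profile, path):
    """Write the profile for use with: docker run --security-opt seccomp=<path> ..."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    # Constructed allow-list; a real one is taken from Docker's default profile.
    profile = allow_list_profile(["read", "write", "openat", "chmod", "exit_group"])
    write_profile(profile, "no-chmod.json")
    for name in ("chmod", "read", "ptrace"):
        print(f"{name}: {decide(profile, name)}")
```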
30. ATTACKING COMMON SECURITY MISCONFIGURATIONS IN DOCKER
• Attacking insecure volume mounts
• Attacking container capabilities
• Attacking an unauthenticated Docker API
31. ATTACKING INSECURE VOLUME MOUNTS
• Demo
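As an added defender-side check (not tooling from the deck or from Docker), this Python audit takes the JSON that `docker inspect <container>` returns and flags the misconfigurations the three demos rely on: the Docker socket or the host root bind-mounted into the container, added capabilities such as SYS_PTRACE, --pid=host / --net=host, --privileged, seccomp switched off, and a missing memory cgroup limit. The inspect record below is constructed to mirror the real HostConfig and Mounts field names.

```python
"""Audit `docker inspect` JSON for the misconfigurations this deck attacks.
Added example; the record below is constructed, not taken from a real host."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
# Capabilities that let a process reach outside the container (partial list).
HOST_REACHING_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                      "NET_ADMIN", "DAC_READ_SEARCH"}


def bind_sources(record):
    """Host paths mounted into the container, from HostConfig.Binds (-v) and Mounts."""
    sources = set()
    for bind in record.get("HostConfig", {}).get("Binds") or []:
        sources.add(bind.split(":", 1)[0])
    for mount in record.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.add(mount.get("Source", ""))
    return sources


def audit(record):
    """Return a list of findings for one `docker inspect` record."""
    hc = record.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: host processes visible and signalable")
    if hc.get("NetworkMode") == "host":
        findings.append("net=host: host network stack shared")
    for cap in hc.get("CapAdd") or []:
        name = cap[4:] if cap.startswith("CAP_") else cap
        if name in HOST_REACHING_CAPS:
            findings.append(f"cap-add {name}: beyond Docker's default capability set")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "seccomp:unconfined"):
            findings.append("seccomp=unconfined: no syscall filtering")
    for src in sorted(bind_sources(record)):
        if src == DOCKER_SOCKET:
            findings.append("docker socket mounted: container can drive the host daemon")
        elif src == "/":
            findings.append("host root mounted: host filesystem readable/writable")
    if not hc.get("Memory"):          # 0 means no cgroup memory limit was set
        findings.append("no --memory limit: a leaking container can starve the host")
    return findings


# Constructed sample mirroring real `docker inspect` field names.
SAMPLE = json.loads("""{
  "Name": "/debug-sidecar",
  "HostConfig": {
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host"],
    "CapAdd": ["SYS_PTRACE"],
    "SecurityOpt": ["seccomp=unconfined"],
    "PidMode": "host", "NetworkMode": "default",
    "Privileged": false, "Memory": 0
  },
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]
}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Feed it real data with `docker inspect <container> | python3 -c 'import json,sys; ...'` or by loading the file; one record per container in the list that `docker inspect` prints.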
34. DOCKER COMMAND CHEAT SHEET FOR ADMINS AND PENTESTERS
• service dockerd start – starts the Docker daemon service
• docker ps – lists all running containers
• docker ps -a – lists all containers, whether stopped, running, created, etc.
• docker run --name <container-name> -it <image-name>:<tag> /bin/bash – starts a container and takes an interactive tty shell inside it
• docker logs -f <container-name> – follows the container's logs
• docker inspect <container-name> or <image-name> – shows the low-level configuration of a container or image
• docker history <image-name> – lists the layers (changes) that built the image
• docker network ls – lists Docker networks
• docker build <dir> – builds an image from the Dockerfile in <dir>
• docker login – authenticates to a registry
• docker secret ls – lists swarm secrets
• docker commit c3f279d17e0a svendowideit/testimage:version3 – creates a new image from a container's changes
35. NEXT TOPICS TO COVER
• Container orchestration platform – Kubernetes and its (in)security
36. REFERENCES AND FURTHER READING
• Attack demos inspired by Madhu Akula's workshop at DEF CON
• https://www.katacoda.com
• https://docker.com
• http://docker-saigon.github.io/post/Docker-Internals/

Editor's Notes

• #4: How many of you have heard this from developers? Quite a lot, right? This is essentially one of the most important challenges that containers solve for us. Using Docker you can simply create a compact runtime environment for your application to run in, without worrying about the dependencies on your host.
• #8: The idea of containers is very old, dating back to 1979. A chroot jail is a way to isolate a process and its children from the rest of the system. The idea is that you create a directory tree into which you copy or link all the system files needed for a process to run. You then use the chroot() system call to change the root directory to the base of this new tree and start the process running in that chroot'd environment.
• #9: Process Containers in 2006 were designed for limiting, accounting and isolating resource usage. They were renamed Control Groups (cgroups).
• #10: You can think of a VM as a self-contained computer packed into a single file, but something needs to be able to run that file. That's where the hypervisor comes into play, together with a guest OS. For example, if you want to run 3 applications in isolation, you will need to spin up 3 guest OSes. The problem is that each guest OS needs a minimum of 700MB of RAM, so 3 applications running in isolation require a minimum of 2.1GB of RAM, plus CPU power, plus HD space, and each would need its own set of binaries and libraries to run. … A lot of resources wasted. What Docker helps you with is having just the essential libraries and binaries required to run the application: around 100-200 MB for a base image, 10 MB for your code and 50MB of RAM. Now let's compare that to Docker containers: here we have a Docker daemon instead of a hypervisor. The Docker daemon is a service that runs in the background on your host OS and manages everything required to run and interact with Docker containers. Next we have our bins/libs, just as on our VMs, but instead of running on a guest OS they get built into special packages called Docker images, and the Docker daemon runs those images. Then we have the applications, which are run and managed independently by the Docker daemon. Typically each application and its dependencies get packed into the same Docker image, and each application is isolated.
  • #15: ps -ef --forest
• #16: What -v is doing here is mapping the Docker Unix socket into the container. CI/CD pipelines use containers to run jobs, so rather than giving host access, they perform Docker-in-Docker, which means they run your code inside a Docker environment that is itself already running inside Docker.
• #17: What makes containers possible? What makes it possible to run a process in isolation, without the overhead of booting an OS? The answer lies in the Linux kernel, which offers the features that make it possible to run these processes in an isolated, sandboxed environment. Filesystem namespace: each container can have its own OS/filesystem. Each container can have its own network namespace, with its own IP address and interface. Each container can have its own hostname. A newer security feature is the user namespace: earlier, if you were the root user inside the container and could break out of it, you could gain root access on the system; that is no longer possible when you map it to a non-root user on the system, even if you break out of the container. So that's what makes running processes in isolation possible. UnionFS: union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.
• #18–#22: Namespaces. Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation: each aspect of a container runs in a separate namespace and its access is limited to that namespace. These processes are all running in one VM but appear to run in isolation because of the namespaces. What you see inside a container is a list of PIDs for your own processes, and those get mapped to certain PIDs on the host system: inside the container the PIDs are 1, 2, 3, 4, but they are actually mapped to processes on the host. There are other namespaces which make it look like running a VM, and that's what isolates one container from another.
• #23–#25: Control groups. When these processes are run in isolation and multiple containers run on the same host, a container with, for example, a memory leak could affect the rest of the system and the other containers. This is where cgroups come into play. What control groups allow you to do is, as the name says, control: control resource utilization and keep a limit on memory, CPU, etc. Cgroups are also used for monitoring the containers.
• #26–#28: This breaking down of root privileges into granular capabilities allows you to remove individual capabilities from the root user account, making it less powerful/dangerous, and to add privileges to non-root users at a very granular level. By default, Docker drops all capabilities except those needed, using a whitelist approach. Let's take an example: if you want to perform logging of containers, each node of your cluster should have an agent running to make sure logs are coming into the system. To gather information from the container namespace, these agents need visibility, so such logging tools require additional privileges compared to your normal containers. This attack will focus on abusing such capabilities. One such capability is sys_ptrace, which allows tracing host processes. Going ahead we assume that we have shell access on the container, and we will try to break out of it.
• #33: We assume that we already have a shell inside the container, either through a web application vulnerability or as an insider who administers one of the containers. We assume there is a command injection vulnerability; the application used is DVNA by Appsecco. We get a reverse shell, upload the docker binary and check whether docker.sock exists at /var/run/docker.sock. Run another container with the host volume-mounted into it: ./docker run -i -v /:/host debian:jessie /bin/bash. Change the root directory to /host (chroot /host), then cat /etc/hostname – we see that we can read files from the host.
• #34: We assume that we already have a shell inside the container, either through a web application vulnerability or as an insider who administers one of the containers. We assume that we have access to a container with a web application vulnerability, and that this container runs in privileged mode with the host's PID namespace shared with the container, set up by the developer for debugging purposes. So if we run ps aux we can see the host system processes, and we need to inject our payload into one of those processes. But how will we know which process belongs to the host and which to a container? cat /proc/444/cgroup; find /proc/*/cgroup -type f -print -exec cat {} \; | grep docker -B4. We perform process injection in this case because we can view processes on the host as well as having all the privileges needed for debugging.
• #35: nmap -p2375. If port 2375 is open on a network pentest, there is a high possibility that it is the Docker daemon service. You can try docker -H 1.1.1.1:2375 ps to run commands on the host.