Part 1
But why Containers?
We use docker for its easy use, portability, and scalability in a very efficient way. I believe it’s a big win if you compare it to VMs or hypervisors.
Scenario: Suppose, I am building a web app and the web app is working in my system as I have configured it by fixing a few errors. Now I have to show it to the client, Client requested He wants to set up and check in his system before going live. Now, I have to set it up in his system and again fix errors depending on the system, he is using.
Docker is a savior, Docker says “I have a feature, let me pack everything that you have configured and I will save this as a docker image, So once your client opens the image in his machine. He will be good to go everything that you have fixed will be in a safe state and packed into the image” See how great it is?
Well, docker is very efficient and optimized when it comes to storage & lot of other features. The reason people choose docker over hypervisor. The scalable solution of docker is Kubernetes.
starting a docker daemon :sudo snap start dockerBuilding your docker image :
docker pull ubuntuInstalled a few tools (node server) in ubuntu and now let's save this as our image.
docker commit [Container-ID] [newimagename]docker commit d2e5bd46fd24 ourubuntuimageTo verify, let's see what images we have now in docker?
docker imagesdocker run -itd -p 8080:80 ourubuntuimage (check localhost:80 in the base machine)To check running containers
docker psContainers vs Images –
Docker image is a lightweight, standalone, executable package of software that includes everything needed to run an application or a service.
A Docker container is an instance of an image. It is a standard unit of software that packages up code and all its dependencies.
As a security guy, I am wondering but how are these images located on the local machine and how is the data associated with the containers written onto the disk?
Docker infoThis will give us all the details about the docker, A point to be noted here
Docker Root Dir: /var/lib/docker or /var/snap/docker (Most of the configuration and data associated with Docker is going to be stored inside this directly.)
Storage Driver : overlay2 (latest storage driver)
Jumping into /var/lib/docker/overlay2 ls
Control Groups
Control groups are features of the Linux kernel. It allows us to limit the access processes and containers hav-e to system resources such as CPU, RAM, IOPS, and network. We can enforce limits on docker containers too.
A common use case is to limit the PIDs to prevent fork bombs.
docker run -it —name=cgroups ourubuntuimagefind /sys/fs/cgroup/ -name “CONTAINERID”cat pids.maxLimiting PID for our docker image
docker run -itd —pids-limit 6 ourubuntuimageNamespaces
Namespaces are another Linux kernel feature. Isolation is one of the fundamental aspects of containers in Linux.
Docker uses to isolate its containers. Docker Engine uses the following namespaces on Linux :
PID namespace for process isolation
NET namespace for managing network interfaces
IPC namespace for managing access to IPC resources.
MNT namespace for managing file system mount points
UTS namespace for isolating kernel and vision identifiers
User ID (user) namespace for privilege isolation.
Scenario –
Let’s consider a simple example to understand user namespaces, Let’s say that you have built an application that is running inside a container and your application is given root privileges on the container when starting the container.
Let’s assume that you have mounted the segment directly of the host machine onto the container. Now, let’s also assume that an attacker compromised this application and gained root access to the container. Now the question is, can this attacker who gained access to the container modify files on the host’s segment directly?
To be precise An attacker compromised this application and got root access to the container, We mounted the /bin directory of the host onto the container, Can someone modify files on the host’s /bin directory?
Well, It can be. Find out why…