Last active
December 4, 2020 03:28
-
-
Save saiyam1814/eaa9a7d8e037d168d993e37b80101391 to your computer and use it in GitHub Desktop.
Docker security 101
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Docker content trust | |
| export DOCKER_CONTENT_TRUST=1 | |
| docker pull nginx | |
| #see the key for the image pulled | |
| docker trust inspect --pretty nginx | |
| #pull image from some other non trusted repository | |
| docker pull saiyam911/red | |
| ================================================== | |
| #getting the image ID's | |
| docker run -d ubuntu sh | |
| docker inspect -f '{{.Id}}' $(docker ps -aq) | |
| docker images --no-trunc | grep $(docker inspect -f '-e {{.Image}}' $(docker ps -aq)) | |
| ================ | |
| #Docker Bench CIS benchmarking | |
| docker run -it --net host --pid host --userns host --cap-add audit_control \ | |
| -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ | |
| -v /var/lib:/var/lib \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v /usr/lib/systemd:/usr/lib/systemd \ | |
| -v /etc:/etc --label docker_bench_security \ | |
| docker/docker-bench-security | |
| =================== | |
| Aquasec trivy | |
| docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy python:3.4-alpine | |
| =================== | |
| #Dockerfile - safely download within dockerfile | |
| RUN gpg --keyserver pool.sks-keyservers.net \ | |
| --recv-keys 7937DFD2AB06298B2293C3187D33FF9D0246406D \ | |
| 114F43EE0176B71C7BC219DD50A3051F888C628D 1 | |
| ENV NODE_VERSION 0.10.38 | |
| ENV NPM_VERSION 2.10.0 | |
| RUN curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/node-v\ | |
| $NODE_VERSION-linux-x64.tar.gz" \ 2 | |
| && curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/\ | |
| SHASUMS256.txt.asc" \ 3 | |
| && gpg --verify SHASUMS256.txt.asc \ 4 | |
| && grep " node-v$NODE_VERSION-linux-x64.tar.gz\$" \ | |
| SHASUMS256.txt.asc | sha256sum -c - 5 | |
| RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 \ | |
| --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 | |
| RUN echo "deb http://nginx.org/packages/mainline/debian/\ | |
| jessie nginx" >> /etc/apt/sources.list | |
| The first command obtains the signing key for Nginx (which is added to the keystore), and the second command adds the Nginx package repository to the list of repositories to check for software. After this, Nginx can be simply and securely installed with apt-get install -y nginx (preferably with a version number). | |
| Assuming no signed package or checksum is available, creating your own is easy. For example, to create a checksum for a Redis release: | |
| ================================ | |
| #creating SHA-1 Checksum | |
| $ curl -s -o redis.tar.gz \ | |
| http://download.redis.io/releases/redis-3.0.1.tar.gz | |
| $ sha1sum -b redis.tar.gz 1 | |
| fe1d06599042bfe6a0e738542f302ce9533dde88 *redis.tar.gz | |
| 1 | |
| Here, we’re creating a 160-bit SHA-1 checksum. The -b flag tells the sha1sum utility that it is dealing with binary data, not text. | |
| Once you’ve tested and verified the software, you can add something like the following to your Dockerfile: | |
| RUN curl -sSL -o redis.tar.gz \ | |
| http://download.redis.io/releases/redis-3.0.1.tar.gz \ | |
| && echo "fe1d06599042bfe6a0e738542f302ce9533dde88\ | |
| *redis.tar.gz" | sha1sum -c - | |
| ====================================== | |
| #Security Tips | |
| #Never run docker as root | |
| RUN groupadd -r user_grp && useradd -r -g user_grp user | |
| USER user | |
| m#any images create a non priviliged user : | |
| #!/bin/bash | |
| set -e | |
| if [ "$1" = 'redis-server' ]; then | |
| chown -R redis . | |
| exec gosu redis "$@" | |
| fi | |
| exec "$@" | |
| gives all the permission to redis user and then exec replace the current shell with redis and PID 1 | |
| ============================ | |
| docker run --rm ubuntu:trusty sudo ps aux | |
| # Volume read only, limiting restart, limiting cPU, limiting memory, limiting capabilities | |
| docker run --read-only debian touch x | |
| docker run -v $(pwd):/pwd:ro debian touch /pwd/x | |
| docker run -d --restart=on-failure:10 my-flaky-image | |
| docker run -d --name load1 -c 2048 amouat/stress | |
| docker run -m 128m --memory-swap 128m amouat/stress \ | |
| stress --vm 1 --vm-bytes 127m -t 5s | |
| --cap-add and --cap-drop = limit capabilities | |
| docker run --cap-drop all --cap-add CHOWN debian \ | |
| chown 100 /tmp | |
| ================================= | |
| Dockerfile with non root user | |
| FROM Centos:7 | |
| # Add a new user "sam" with user id 8877 | |
| RUN useradd -u 8877 sam | |
| # Change to non-root privilege | |
| USER sam | |
| sudo docker build -t nonrootimage . | |
| sudo docker run --rm nonrootimage id | |
| ===================== | |
| Other useful links | |
| https://sysdig.com/blog/docker-image-scanning/ | |
| https://sysdig.com/blog/20-docker-security-tools/ | |
| https://www.aquasec.com/wiki/display/containers/Open+Source+Security+Tools+for+Containers |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment