Docker : Security

Login to Docker Hub

If login repeatedly FAIL/ERROR (even HTTP 502, 503, ...) …

Error response from daemon: Get https://registry-1.docker.io/v2/: received unexpected HTTP status: 503 Service Unavailable

FIX: DELETE all "credStore": ... key(s) @ config.json

@ Logout, want …

    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "Z3n...cHM="
            }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/19.03.11 (linux)"
        }
    }
docker logout #... ALWAYS DO THIS FIRST.
# Login:
docker login
# OR
docker login --u $username 
# ... either prompt for password(|token)
Password: <PASTE password or token>

# OR, use this one liner sans prompt ...
echo $pw_or_token |docker login -u $username --password-stdin

~/.docker/config.json

@ Logout, want …

    {
        "auths": {},
        "HttpHeaders": {
            "User-Agent": "Docker-Client/19.03.11 (linux)"
        }
    }

@ Login, want …

    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "Z3n...cHM="
            }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/19.03.11 (linux)"
        }
    }

Docker Container Security | devops-directive

Best Practices

  1. Do not run container as root

    • @ Dockerfile: USER uzer

      # Set/Add User and Group
      ARG UNAME=tor
      ARG UID=100
      ARG GID=65533
      RUN groupadd -g $GID $UNAME && useradd -m -u $UID -g $GID -s /bin/bash -c "Docker-image user" $UNAME
      #... else ... && useradd -m -u $UID -g $GID -s /sbin/nologin -c "Docker-image user" $UNAME
      #... forbid login by all but for root.
      USER root
      
      # Install software etal
      RUN dnf install -y vim
      
      # Run as unprivileged user
      USER $UNAME
      ...
      
  2. Multi-stage build producing a distro-less image.

  3. Secure the VM/Host OS

    • Goolge COS
    • AppArmor
  4. Container Image Scanner

Secure Containers @ RedHatGov.io

Remove setuid/setgid binaries

Or just defang the image, as shown below.

SETUID/SETGID Overview

There are two special permissions that can be set on executable files: Set User ID (setuid) and Set Group ID (sgid). These permissions allow the file being executed to be executed with the privileges of the owner or the group. For example, if a file was owned by the root user and has the setuid bit set, no matter who executed the file it would always run with root user privileges.

Chances are that your application does not need any elevated privileges. setuid or setgid binaries. If you can disable or remove such binaries, you stop any chance of them being used for buffer overruns, path traversal/injection and privilege escalation attacks.

Defang the image

RUN find / -xdev -perm +6000 -type f -exec chmod a-s {} \; || true

Firewalls : Security Groups etal

The issues below (Docker mucking with iptables) are all in the context of deploying sans VPC-based firewalls. That is, they rely upon node-based protections (the node is that hosting the Docker server).

Docker / UFW security flaw

UFW is a popular iptables front end on Ubuntu that makes it easy to manage firewall rules. But when Docker is installed, Docker bypass the UFW rules and the published ports can be accessed from outside.

github.com/chaifeng

Bad "Fix":

# Open Docker server config:
vi /etc/default/docker 
# Add k/v:
DOCKER_OPTS="--iptables=false"
# Restart Docker server
sudo systemctl restart docker

Solving UFW-Docker issues

... more ...

/h3>