Docker : Security
Login to Docker Hub
If login repeatedly FAIL/ERROR (even HTTP 502
, 503
, ...) …
Error response from daemon: Get https://registry-1.docker.io/v2/: received unexpected HTTP status: 503 Service Unavailable
FIX: DELETE all "credStore": ...
key(s) @ config.json
@ Logout, want …
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "Z3n...cHM="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.11 (linux)"
}
}
docker logout #... ALWAYS DO THIS FIRST.
# Login:
docker login
# OR
docker login --u $username
# ... either prompt for password(|token)
Password: <PASTE password or token>
# OR, use this one liner sans prompt ...
echo $pw_or_token |docker login -u $username --password-stdin
- Create access token from Docker Hub account > Security > ...
- Login URL is
https://index.docker.io/v2/
~/.docker/config.json
@ Logout, want …
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.11 (linux)"
}
}
@ Login, want …
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "Z3n...cHM="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.11 (linux)"
}
}
Note credentials,
"auths": ...
, are UNENCRYPTED, Base64 encoded.echo 'Z3n...cHM=' |base64 -d - #... returns ... <USERNAME>:<PW_OR_TOKEN>
Docker Container Security | devops-directive
Best Practices
Do not run container as root
@ Dockerfile:
USER uzer
# Set/Add User and Group ARG UNAME=tor ARG UID=100 ARG GID=65533 RUN groupadd -g $GID $UNAME && useradd -m -u $UID -g $GID -s /bin/bash -c "Docker-image user" $UNAME #... else ... && useradd -m -u $UID -g $GID -s /sbin/nologin -c "Docker-image user" $UNAME #... forbid login by all but for root. USER root # Install software etal RUN dnf install -y vim # Run as unprivileged user USER $UNAME ...
Multi-stage build producing a distro-less image.
Secure the VM/Host OS
- Goolge COS
- AppArmor
Container Image Scanner
Secure Containers @ RedHatGov.io
Remove setuid
/setgid
binaries
Or just defang the image, as shown below.
SETUID/SETGID Overview
There are two special permissions that can be set on executable files: Set User ID (setuid) and Set Group ID (sgid). These permissions allow the file being executed to be executed with the privileges of the owner or the group. For example, if a file was owned by the root user and has the setuid bit set, no matter who executed the file it would always run with root user privileges.
Chances are that your application does not need any elevated privileges. setuid or setgid binaries. If you can disable or remove such binaries, you stop any chance of them being used for buffer overruns, path traversal/injection and privilege escalation attacks.
Defang the image
RUN find / -xdev -perm +6000 -type f -exec chmod a-s {} \; || true
Firewalls : Security Groups etal
The issues below (Docker mucking with iptables
) are all in the context of deploying sans VPC-based firewalls. That is, they rely upon node-based protections (the node is that hosting the Docker server).
Docker / UFW security flaw
UFW is a popular iptables front end on Ubuntu that makes it easy to manage firewall rules. But when Docker is installed, Docker bypass the UFW rules and the published ports can be accessed from outside.
Bad "Fix":
# Open Docker server config:
vi /etc/default/docker
# Add k/v:
DOCKER_OPTS="--iptables=false"
# Restart Docker server
sudo systemctl restart docker
- But this spwans a new nest of problems
Solving UFW-Docker issues
/h3>
-
sudo iptables -L
- The Linux firewall utility; setup, maintain firewall rules; for node-based protection. Okay, but better to handle upstream at the subnet level.
UFW (Uncomplicated Firewall)
sudo iptables -L
- The Linux firewall utility; setup, maintain firewall rules; for node-based protection. Okay, but better to handle upstream at the subnet level.
UFW (Uncomplicated Firewall)