Docker Security

From Embedded Lab Vienna for IoT & Security

"It works on my computer." This excuse has become far less common with the advent of containerisation: an application ships together with its runtime dependencies and runs the same way on every host that has a container engine. This portability is one of the main reasons for the massive upswing in container technologies. It also means the container engine now sits between developers and production hosts, so its own security properties, and the commands that quietly undermine them, deserve a closer look.


1. Virtualization Techniques

  • Container-Based: Efficient, lightweight isolation at the operating-system level. All containers share the host kernel and are separated only by kernel features (namespaces, cgroups, capabilities), so a kernel vulnerability or a misconfigured container can affect the host.
  • Hypervisor-Based: Strong isolation, because each VM runs its own kernel on top of a hypervisor, but more resource-intensive (a full guest OS per workload).

2. Docker Overview

  • Client-Server Model
    • Docker daemon (dockerd): Runs as root by default and manages containers, images, networks and volumes. Whoever can talk to its API socket controls everything it does.
    • Docker client (docker): The command-line interface; docker run, docker pull and the other subcommands are requests sent to the daemon's API.
    • Docker registries: Repositories that images are pulled from and pushed to (docker pull, docker push); Docker Hub is the default registry.

3. Docker Commands & Security Implications

  • User Group Modification: sudo usermod -aG docker [user]
    • Adds the user to the docker group, whose members may use the daemon's socket without sudo. Because dockerd runs as root, membership is effectively root on the host; the next two commands show why.
  • Mounting Host Filesystem: docker run -v /:/privesc -it [image] /bin/bash
    • Bind-mounts the host's root filesystem at /privesc inside a container whose shell runs as root. Every host file is now readable and writable from within the container.
  • Altering Sudoers: echo "[user] ALL=(ALL) NOPASSWD: ALL" >> /privesc/etc/sudoers
    • Run inside that container, this appends to the host's /etc/sudoers. Back on the host, [user] can sudo to root without a password. Members of the docker group must therefore be treated as administrators.
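
The chain above leaves behind a container whose configuration records the host mount, and docker inspect (see Section 4) prints that configuration as JSON. The following Python script is an added example, not code from the original page: it audits docker inspect output for the host-root bind mount from the chain above and for the other weak settings this page discusses (root user, privileged mode, missing resource limits, host networking). The two inspect records embedded in it are constructed to resemble real output; the field names used (Config.User, HostConfig.Binds, HostConfig.Memory, HostConfig.NanoCpus, Mounts[].Source, Mounts[].RW) are the ones Docker emits, while the severities and the SENSITIVE_HOST_PATHS list are the author's own choices.

```python
"""Audit `docker inspect` output for the risky container settings discussed on this page.

Usage on a real host:  docker inspect $(docker ps -aq) > containers.json
                       python3 inspect_audit.py containers.json
Without an argument it audits SAMPLE_INSPECT, a constructed example below.
"""
import json
import sys

# Constructed sample data imitating `docker inspect` output for two containers.
# The first mimics `docker run -v /:/privesc -it debian /bin/bash` from Section 3;
# the second is a hardened launch (non-root user, read-only mount, resource limits).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
        "Name": "/privesc-demo",
        "Config": {"User": "", "Image": "debian"},
        "HostConfig": {"Binds": ["/:/privesc"], "Privileged": False,
                       "Memory": 0, "NanoCpus": 0, "CpuQuota": 0,
                       "NetworkMode": "default"},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/privesc",
                    "Mode": "", "RW": True, "Propagation": "rprivate"}],
    },
    {
        "Id": "0f9e8d7c6b5a0f9e8d7c6b5a0f9e8d7c6b5a0f9e8d7c6b5a0f9e8d7c6b5a0f9e",
        "Name": "/app",
        "Config": {"User": "1000:1000", "Image": "debian"},
        "HostConfig": {"Binds": ["/srv/app-data:/data:ro"], "Privileged": False,
                       "Memory": 128 * 1024 * 1024, "NanoCpus": 500_000_000,
                       "CpuQuota": 0, "NetworkMode": "app-net"},
        "Mounts": [{"Type": "bind", "Source": "/srv/app-data", "Destination": "/data",
                    "Mode": "ro", "RW": False, "Propagation": "rprivate"}],
    },
])

# Host paths that hand the container control of the host when bind-mounted
# (sudoers/passwd, root's home, the Docker socket, kernel interfaces). "/" itself
# is handled separately in is_sensitive_host_path(). This list is an assumption.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def is_sensitive_host_path(src):
    """True for '/' itself and for anything at or under a sensitive host directory."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def runs_as_root(user):
    """Config.User is '' (Docker's default) or root/0, optionally with a ':group' suffix."""
    return str(user).split(":")[0] in ("", "0", "root")


def audit_container(c):
    """Return (severity, message) findings for one `docker inspect` record."""
    findings = []
    name = c.get("Name", "").lstrip("/") or c.get("Id", "")[:12]
    hc = c.get("HostConfig", {})

    if hc.get("Privileged"):
        findings.append(("HIGH", f"{name}: --privileged disables most isolation"))
    if runs_as_root(c.get("Config", {}).get("User", "")):
        findings.append(("MEDIUM", f"{name}: process runs as root (no -u / USER)"))
    for m in c.get("Mounts", []):
        if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
            # :ro blocks the sudoers write but still exposes host secrets for reading.
            writable = m.get("RW", True)
            findings.append(("HIGH" if writable else "MEDIUM",
                             f"{name}: host {m['Source']} mounted "
                             f"{'read-write' if writable else 'read-only'} at {m.get('Destination')}"))
    if not hc.get("Memory"):
        findings.append(("LOW", f"{name}: no memory limit (--memory)"))
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append(("LOW", f"{name}: no CPU limit (--cpus)"))
    if hc.get("NetworkMode") == "host":
        findings.append(("MEDIUM", f"{name}: --network host shares the host's network namespace"))
    return findings


def audit_inspect_json(text):
    """Audit the JSON array printed by `docker inspect` (a single object is also accepted)."""
    data = json.loads(text)
    records = data if isinstance(data, list) else [data]
    return [f for c in records for f in audit_container(c)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for sev, msg in audit_inspect_json(text):
        print(f"[{sev}] {msg}")
```

On the constructed data the privesc-demo container produces four findings (root user, writable mount of /, no memory limit, no CPU limit) and the hardened container none. A read-only mount of / is still reported, at lower severity, because it exposes the whole host for reading even though the sudoers write would fail.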

4. Security Threats and Practices

  • Basic Commands for Monitoring and Cleanup:
    • List all containers, including stopped ones: docker ps -a
    • Inspect a container's full configuration (user, mounts, privileges, resource limits): docker inspect [id]
    • Remove a container: docker rm [id]
  • Prevention Techniques:
    • Run as non-root: docker run --name [app] -u [user] [image]; the image should also set USER so the default is non-root.
    • Read-only volumes: docker run -v /:/privesc:ro -it debian /bin/bash. The :ro suffix refuses writes, so the sudoers trick above fails, but a read-only mount of / still exposes every host file for reading (e.g. /etc/shadow, SSH keys). Mount only the directories a container actually needs.
    • Limit resources: docker run --cpus=0.5 --memory=128m [image], so a compromised or runaway container cannot starve the host.
    • Network segregation: docker network create [net] gives each application its own network and docker network rm [net] tears it down; containers on different user-defined networks cannot reach each other by default.
    • Secure Dockerfile practices: audit Dockerfiles with grep for a missing USER instruction, base images pinned to :latest or untagged, credentials in ENV or ARG, and RUN lines that pipe curl or wget into a shell.
    • Image inspection: docker image inspect [image] shows the configured user, entrypoint and environment; docker image history [image] lists the layers and the commands that built them, which can reveal secrets baked into intermediate layers.
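
The "audit with grep" item above, carried out as a small Python script so that backslash-continued RUN lines are joined before matching and the whole-file check for a missing USER instruction can be expressed. This is an added example, not code from the original page; the check IDs (DF001 and so on) and the two Dockerfiles it audits are constructed for illustration. The regular expressions are ordinary extended patterns, so the same checks can be run with grep -E -i against a Dockerfile whose continuation lines have already been joined.

```python
"""Line-based Dockerfile audit: the grep checks from the list above, in Python.

Usage:  python3 dockerfile_audit.py path/to/Dockerfile
Without an argument it audits BAD_DOCKERFILE, a constructed example below.
"""
import re
import sys

# Constructed examples: one Dockerfile with the habits the checks flag, one without.
BAD_DOCKERFILE = """\
FROM debian:latest
ENV API_TOKEN=constructed-example-value
RUN curl -fsSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
COPY . /app
EXPOSE 22
CMD ["/app/run"]
"""

GOOD_DOCKERFILE = """\
FROM debian:12.5-slim
RUN groupadd -r app && \\
    useradd -r -g app app
COPY --chown=app:app . /app
USER app
CMD ["/app/run"]
"""

# (check id, regex applied to each logical instruction, finding text). The IDs are
# made up for this example.
CHECKS = [
    ("DF001", re.compile(r"^FROM\s+\S+:latest(\s|$)", re.I),
     "base image pinned to :latest; rebuilds silently pull a different image"),
    ("DF002", re.compile(r"^FROM\s+(?!scratch\b)[^:@\s]+(\s+AS\s+\S+)?\s*$", re.I),
     "base image has no tag or digest (defaults to :latest)"),
    ("DF003", re.compile(r"^(ENV|ARG)\s+\S*(PASSWORD|SECRET|TOKEN|API_KEY)\S*", re.I),
     "credential-looking variable baked into the image; visible in docker image history"),
    ("DF004", re.compile(r"^RUN\s+.*\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", re.I),
     "downloads a script and pipes it straight into a shell"),
    ("DF005", re.compile(r"^ADD\s+(https?://|\S+\.(tar|tgz|zip)\b)", re.I),
     "ADD fetches a URL or auto-extracts an archive; prefer COPY or an explicit, verified fetch"),
    ("DF006", re.compile(r"^EXPOSE\s+.*\b22\b", re.I),
     "exposes port 22; containers should not run sshd"),
]


def parse_instructions(text):
    """Join backslash-continued lines and drop blank lines and comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        instructions.append((buf + line).strip())
        buf = ""
    if buf:
        instructions.append(buf.strip())
    return instructions


def audit_dockerfile(text):
    """Return (check id, offending instruction or None, message) findings."""
    instructions = parse_instructions(text)
    findings = [(cid, ins, msg) for ins in instructions
                for cid, rx, msg in CHECKS if rx.search(ins)]
    # Whole-file check: the final build stage must switch away from root.
    last_from = max((i for i, ins in enumerate(instructions)
                     if ins.upper().startswith("FROM ")), default=-1)
    users = [ins.split(None, 1)[1].strip() for ins in instructions[last_from + 1:]
             if ins.upper().startswith("USER ")]
    if not users:
        findings.append(("DF100", None, "no USER in the final stage; the container runs as root"))
    elif users[-1].split(":")[0].lower() in ("root", "0"):
        findings.append(("DF101", "USER " + users[-1], "final USER is root"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_DOCKERFILE
    for cid, ins, msg in audit_dockerfile(text):
        print(f"{cid}: {msg}" + (f"\n    {ins}" if ins else ""))
```

The constructed BAD_DOCKERFILE triggers six findings (DF001, DF003, DF004, DF005, DF006 and the missing USER check DF100); GOOD_DOCKERFILE triggers none. Only the USER check looks at the final build stage, because in a multi-stage build earlier stages never run in production.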


References

  • Bui, Thanh. "Analysis of Docker Security." arXiv, 2015.
  • Polop, Carlos. "Docker Breakout / Privilege Escalation." HackTricks. Accessed 19-10-2023.
  • Docker Inc. "Docker Overview." Docker Docs. Accessed 07-09-2023.
  • Segura, Thomas. "Docker Security Best Practices." Accessed 03-10-2023.