Shulou(Shulou.com)05/31 Report--

This article mainly introduces "dockerfile and mirror security example analysis". In daily operation, I believe many people have doubts about dockerfile and image security example analysis. The editor consulted all kinds of data and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "dockerfile and image security example analysis". Next, please follow the editor to study!

I. Dockerfile practice

Avoid unnecessary installation packages

One container, one process.

Minimize the number of layers

Sort multiline parameters

2. Dockerfile example # Base images basic image FROM centos#MAINTAINER maintainer information MAINTAINER lorenwe # ENV setting environment variable ENV PATH / usr/local/nginx/sbin:$PATH#ADD file is placed in the current directory Copying in the past will automatically extract ADD nginx-1.13.7.tar.gz / tmp/#RUN and execute the following command: RUN rpm--import / etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7\ & & yum update-y\ & & yum install-y vim less wget curl gcc automake autoconf libtool make gcc-c++ zlib zlib-devel openssl openssl-devel perl perl-devel pcre pcre-devel libxslt libxslt-devel\ & & yum clean all\ & & rm-rf / usr/local/src/*RUN useradd-s / sbin/nologin-M www#WORKDIR is equivalent to cdWORKDIR / tmp/nginx-1.13.7RUN. / configure-- prefix=/usr/local/nginx-- user=www-- group=www-- with-http_ssl_module-- with-pcre & & make & & make installRUN cd / & & rm-rf / tmp/COPY nginx.conf / usr/local/nginx/conf/#EXPOSE mapping port EXPOSE 80 443#ENTRYPOINT run the following command ENTRYPOINT ["nginx" ] # CMD run the following command CMD ["- h"]

ENV sets environment variables. To put it simply, setting this can help the system find the software it needs to run. For example, what I wrote above is "ENV PATH / usr/local/nginx/sbin:$PATH". This sentence means to tell the system that if you run a program that does not have a specified path, you can find it in the / usr/local/nginx/sbin path. Only when this is set, can you directly use the ngixn command to start nginx. Otherwise, the system will indicate that the application cannot be found.

ADD is used to add files. The source file can be either a file or a URL. If the source file is a zip file, it will be unzipped automatically when building the image. The example is ADD nginx-1.13.7.tar.gz / tmp/, in which the nginx-1.13.7.tar.gz package must be in the dockefile file directory.

RUN is the execution of commands. RUN can execute multiple commands separated by & &. If the command is too long to wrap, you can add'\'at the end of the command, yum clean all, to clear all yum caches, which can reduce the size of the built image. Rm-rf / usr/local/src/ removes user source files, all of which play a role in reducing the size of the build image. Each time you use the RUN command, a layer of mirroring is generated.

When both ENTRYPOINT and CMD exist, the command in CMD will start the container in the form of the parameters of the command in ENTRYPOINT. For example, dockerfile above will start the container with the command nginx-h when starting the container. Unfortunately, this does not keep the container running, so you can start docker run-it lorenwe/centos_nginx-c / usr/local/nginx/conf/nginx.conf like this. Then the command that the container runs at startup is nginx-c / usr/local/nginx/conf/nginx.conf, and you can customize the startup parameters.

If a service does not need any permission to run, you can use the USER directive to change to a non-Root user, simply add the RUN directive RUN groupadd-r postgres & & useradd-r-g postgres postgres to the Dockerfile

The VOLUME directive is used to expose database storage areas, configurations, files, or folders created by the docker container. It is recommended to use VOLUME to maintain the variable part of the user service, that is, external storage that exposes mutable data.

3. Dockerfile Security 3.1 uses non-root users to run the container

Docker runs the container using the root user by default. When you then map the namespace to the root user in the running container, this means that the container may have root access to the Docker host. If the container itself has vulnerabilities, running the application on the container by root users can further expand the attack surface and provide an easy way for privilege escalation. To minimize exposure, choose to create a dedicated user and a dedicated group for the application in the Docker image; use the USER directive in Dockerfile to ensure that the container runs the application with minimal privileged access. A specific user may not exist in the image; create the user using the instructions in Dockerfile

FROM ubuntu:latestRUN useradd-r-u 1001-g appuser appuserUSER appuserENTRYPOINT ["sleep", "infinity"] FROM ubuntuRUN mkdir / appRUN groupadd-r lirantal & & useradd-r-s / bin/false-g lirantal lirantalWORKDIR / appCOPY. / appRUN chown-R lirantal:lirantal / appUSER lirantalCMD node index.js

Create a system user with no password, no home directory, and no shell (- r)

Add the created user to the previously created existing group (using groupadd)

Associate with the created group and add the final parameter set to the user name we want to create

3.2 configure to use a trusted mirror source

Docker content Trust (DCT)

Docker Content Trust (DCT) provides the ability to use digital signatures to process data sent to and from a remote Docker registry. These signatures allow the client or runtime to verify the integrity and publisher of a specific mirror label.

If consumers enable DCT, they can only pull, run, or build using trusted images. Enabling DCT is a bit like applying a filter to the registry. Consumers only "see" the signed mirror tag, while what is "invisible" to them is the unsigned image tag that they do not want to use.

The prerequisite for a signature image is the Docker registry (such as Docker Hub or Docker Trusted Registry) that is connected to the notary server. In Docker CLI, we can sign and push the container image using the $docker trust command syntax.

Add the delegate private key to the local Docker truststore. (by default, it is stored in ~ / .docker / trust/). If you use $docker trust key generate to generate the delegate key, the private key is automatically added to the local trust store. If you are importing a separate key (for example, from the UCP client bundle), you need to use the $docker trust key load command. Next, you need to add the delegate public key to the Notary server. This is specific to a specific image repository called a globally unique name (GUN) in notaries. If this is the first time you have added a delegate to the mirror repository, this command will also use the local Notary specification root key to start the repository.

# generate key$ docker trust key generate jeff# or use the existing key$ docker trust key load key.pem-name jeff# to configure the environment variable of DCT, and enable DCT$ export DOCKER_CONTENT_TRUST=1# to tag the image, so that it can be pushed to the target image library. In this case, it is pushed to the mirror library under my Docker Hub personal account namespace. Docker image tag alpine:latest nigelpoulton/dockerbook:v1# logs in to Docker Hub (or other mirror libraries) to push the image. $docker login# uses push push image $docker push dtr.example.com/admin/demo:1# to view remote trust data for tags or repositories $docker trust inspect-- pretty dtr.example.com/admin/demo:1

Docker Content Trust in Docker Enterprise Engine prevents users from using container images from unknown sources and also prevents users from building container images from the underlying layer of unknown sources. Trusted sources may include Official Docker Images or user trusted sources found on Docker Hub, which contain repositories and tags signed with the above command.

Engine signature verification prevents the following situations:

An unsigned or changed image that the docker container is running.

Docker pulls unsigned or changed images.

Docker build where the FROM image is not signed or erased.

When obtaining an image, obtain the image of the trusted source by configuring the docker daemon / etc/docker/daemon.json configuration. Docker CE does not support

{"content-trust": {"trust-pinning": {"official-library-images": true}, "mode": "enforced"}}

Pull off the mirror image

$docker pull dtr.example.com/user/image:1Error: remote trust data does not exist for dtr.example.com/user/image: dtr.example.com does not have trust data for dtr.example.com/user/image$ docker pull dtr.example.com/user/image@sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819asha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c1: Pulling from user/imageff3a5c916c92: Pull completea59a168caba3: Pull completeDigest: sha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c1Status: Downloaded newer image for dtr.example.com/user/image@sha256:ee7491c9c31db1ffb7673d91e9fac5d6354a89d0e97408567e09df069a1687c13.3 uses the smallest basic image and does not install any redundant software packages

If not, increase the size of the image file and increase the attack surface.

3.4 perform a mirror scan

Some open source image scanning tools

Anchore Engine:Anchore Engine is a tool for analyzing container images. In addition to CVE-based security vulnerability reports, Anchore Engine can also use custom policies to evaluate Docker images. The policy is based on whitelist or blacklist, credentials, file contents, configuration type, or other user-generated prompts. Anchore packaged as an Docker container image can be run either standalone or on a business platform such as Kubernetes. It can also be integrated with CI/CD 's Jenkins and GitLab.

Clair:Clair ingests many vulnerable data sources, such as Debian Security Bug Tracker,Ubuntu CVE Tracker and Red Hat Security Data. Because Clair uses many CVE databases, its auditing is comprehensive. Clair first indexes the list of features in the container image. Then, with Clair API, developers can query the database for vulnerabilities related to specific images.

Dagda:a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities

OpenScap: an automated auditing tool for checking software for configurations and known vulnerabilities in accordance with the NIST-certified secure content Automation Protocol (SCAP). Is not specific to containers, but does include a degree of support.

Introduce Clair.

Installation process:

$mkdir $PWD/clair_config$ curl-L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample-o $PWD/clair_config/config.yaml$ docker run-d-e POSTGRES_PASSWORD= "password"-p 5432 POSTGRES_PASSWORD= 5432 postgres:9.6$ docker run-- net=host-d-p 6060-6061 PWD/clair_config$ curl 6060-6061-v $PWD/clair_config:/config quay.io/coreos/clair:latest-config=/config/config.yaml

The configuration file of config.yaml needs to be modified (corresponding line)

Source: host=localhost port=5432 user=postgres password=password sslmode=disable statement_timeout=60000

Test deployment successful

[root@localhost] # curl-X GET-I http://localhost:6061/healthHTTP/1.1 200 OKServer: clairDate: Wed, 18 Mar 2020 13:32:33 GMTContent-Length: 0 [root@localhost] # curl http://localhost:6060/v1/namespaces...

API interface is not easy to use, integrate other tools https://github.com/quay/clair/blob/master/Documentation/integrations.md

Install the third-party client claircli, perform the scan, and generate the html report locally.

[root@localhost home] # pip install claircli [root@localhost home] # claircli-l 127.0.0.1 postgres 2020-03-18 21 21 claircli 50870 | INFO | Starting local http server2020-03-18 21 21 root@localhost home 45 50 871 | INFO | Local http server serving at port: 109632020-03-18 21 21 root@localhost home 45 50 872 | INFO | * * 2020-03-18 21 21 INFO 45 INFO | INFO | Analyzing 2020-03-18 21 21 INFO | Push layer [1Univer 14]: 5c77fc16775dbda7fafd2db94684c22de93066e29dd686a2f46d9956154584762020-03-18 21 21 INFO | INFO | Push layer [2Univer 14]: 54a426d01ba59fb558c7cf6681c6840736e5d0654a62f0c383d227637cdee0db2020-03-18 21 21 INFO | INFO | Push layer [3Univer 14]: a31210340f3a4905656af9be0ee9ffe3291380e6764c5d2d62831c26264512312020-03-18 21 21 purge 4556787 | INFO | Push layer [4Univer 14]: fb1bc94faf7fe27b7f7a36c980c8407d9f28bab2c047cf389dda8eb9349cfa322020-03-18 21 purge 4514801 | INFO | Push layer [5can14]: 8f5652501fa074cb5b9d54c6dceaa966c6591000837076de4c8aaf90ad3c919a2020-03-18 2121V 458034 | INFO | Push layer [614]: 3f89d1179df8c036baf12dd620a6f174e3cf096b0d25b40bb623202020e3cf026b0d25e040bb623bf132020 03-18 21 21 1034326be7395271eed2e8e3fbb6e8719ec21533776646eda190ab6d5d6904042020 45 1034326be7395271eed2e8e3fbb6e8719ec21533776646eda190ab6d5d6904042020 56876 | INFO | Push layer [7Univer 14]: 1034326be7395271eed2e8e3fbb6e8719ec21533776646eda190ab6d5d6904042020-03-18 21 21 purge 45 56886 | INFO | Push layer [8Univer 14]: eba8f87a20b5efae0ab4540e5932e3920879ffbfcde08fd2664bd35a8392a48e2020-03-18 21 21 1034326be7395271eed2e8e3fbb6e8719ec21533776646eda190ab6d5d6904042020 45 1034326be7395271eed2e8e3fbb6e8719ec21533776646eda190ab6d5d6904042020 56896 | INFO | Push layer [9 Univer 14]: 9fcb1e2984e4683b4c8e724b64836097b19d03e77f98fbe226ffd581fdfe0bcd2020-03-18 21 21 Push layer 57101 | INFO | Push layer [10 Univer 14]: 17685e9204242fce5aa038a05cf160bd4a7f6b516bb461a5c8ca5977f2fa1e742020-03-18 21 21 purge 45 4a4b72a0e224e07071b6d60e8c4335b5996ff58f894fc3c10e7bbf523de924e82020 57110 | INFO | Push layer [11Univer 14]: 4a4b72a0e224e07071b6d60e8c4335b5996ff58f894fc3c10e7bbf523de924e82020-03-18 21 Fringe 45 57121 | INFO | Push layer [12ame14]: 02053f40fe92249821c297ab7b9a10ee2071b005c541e022d74c3d1fbde5a28f2020-03-18 21 21 Fraser 45 57132 | INFO | Push layer [13gam14]: 92e8c07039ed217658e3d78e3681dc19bcf8193caee4c85445ffa2a77cce19252020-03-03 -18 21 9d681078d309476626ccd11c7d2fa2f9010d6d4f67b3dd935075fd9ab16fad882020 45 9d681078d309476626ccd11c7d2fa2f9010d6d4f67b3dd935075fd9ab16fad882020 57142 | INFO | Push layer [14 Univer 14]: 9d681078d309476626ccd11c7d2fa2f9010d6d4f67b3dd935075fd9ab16fad882020-03-18 21 21 purge 45 57153 | INFO | Fetch vulnerabilities for 2020-03-18 21 21 High 57172 | INFO | Critical: 02020-03-18 21 High 57172 | INFO | INFO | Medium: 02020-03-18 21 High 4515 57172 | WARNING | Low: 102020-03-18 21 21 9d681078d309476626ccd11c7d2fa2f9010d6d4f67b3dd935075fd9ab16fad882020 45 57173 | WARNING | Negligible: 47 [root@localhost home] # lsclair-postgres.html3.5 Enforcement HEALTHCHECK

HEALTHCHECK instructions come in two forms:

HEALTHCHECK [OPTIONS] CMD command (check the health of the container by running the command inside the container)

HEALTHCHECK NONE (disable any health check inherited from the base image)

The HEALTHCHECK directive tells Docker how to test the container to see if it is still working. This detects situations such as when the Web server is stuck in an infinite loop and cannot handle new connections, even if the server process is still running.

After the health check of the specified container, it has a health state in addition to its normal state. This state begins at the beginning. As long as the health check passes, it becomes healthy (no matter what state it used to be). After a certain number of continuous failures, it becomes unhealthy.

The options that can be displayed before CMD are:

-- interval=DURATION (default: 30s)

-- timeout=DURATION (default: 30s)

-- start-period=DURATION (default: 0s)

-- retries=N (default: 3)

The health check will be run first within seconds after the container starts, and then within the number of seconds after each previous check is completed.

If the time spent on a single check exceeds the number of timeout seconds, the check is considered to have failed, and a continuous health check failure needs to be retried in order to treat the container as unhealthy.

The start time period provides initialization time for containers that need time to boot. Probe failures during this period will not be counted as the maximum number of retries. However, if the health check succeeds during startup, the container is considered to have been started and all consecutive failures are counted as the maximum number of retries.

There can be only one HEALTHCHECK instruction in Dockerfile. If you list more than one, only the last Health check will take effect.

The commands after the CMD keyword can be shell commands (such as HEALTHCHECK CMD / bin / check-running) or exec arrays (like other Dockerfile commands; see ENTRYPOINT for more information).

The exit status of the command indicates the health status of the container. Possible values are:

0: success-the container is healthy and ready to use

1: unhealthy-the container does not work properly

2: reserved-do not use this exit code

For example, check every five minutes so that the web server can serve the home page of the site within three seconds:

HEALTHCHECK-- interval=5m-- timeout=3s\ CMD curl-f http://localhost/ | | exit 1

To help debug failed probes, any output text (UTF-8 encoding) written by this command on stdout or stderr will be stored in a healthy state and can be queried through docker inspect. This type of output should be kept short (currently only the first 4096 bytes are stored).

When the health state of the container changes, the health_status event is generated in the new state.

3.6 you should not use the OS package manager to update instructions, such as apt-get update or yum update, either alone or on a single line in Dockerfile

Adding an update instruction to a line on Dockerfile will cause the update layer to be cached. When you later build any image using the same directive, this will result in the use of the update layer of the previous local cache, which may prevent any new updates from being applied to future builds.

When installing a software package, you should use update instructions, installation instructions, and version notes at the same time. This prevents caching and forces the desired version to be extracted. Alternatively, you can use the-- no-cache flag during docker construction to avoid using cached layers.

Docker build [OPTIONS] PATH | URL |-- no-cache3.7 removes setuid and setgid permissions

Two special permissions can be set on the executable: setting user ID (setuid) and setting group ID (sgid). These permissions allow you to use the privileges of the owner or group to execute the file to be executed. For example, if the file is owned by the root user and the setuid bit is set, it will always run with root user privileges, no matter who executes the file.

The application may not need any setuid or setgid binaries. If you can disable or delete such binaries, you can stop any possibility of using them for buffer overflow, path traversal / injection, and privilege escalation attacks.

The setuid bit is used for files with executable permissions. The setuid bit only means that when the executable is run, it sets permissions to the user (owner) who created it, not to the user who started it. Similarly, there is a setgid bit that does the same thing to gid. Setgid affects files and directories. When used on a file, it executes with the privileges of the user group that owns the file, not the user group that executes the file. When the directory is set to this bit, the set of files in that directory will have the same group as the group of the parent directory, not the group of the user who created the files. This is used for file sharing because all users who belong to the parent directory group can now modify it.

Find and delete files with setuid permissions in linux

Find /-perm + 6000-type f-exec\ ls-ld {}\; 2 > / dev/null # find $docker run debian find /-perm + 6000-type f-exec ls-ld {}\; 2 > / dev/null in the container

Remove setuid permissions when running the container

$docker run-d-cap-drop SETGID-cap-drop SETUID

Perform setuid and setgid checks after dockerfile build is successful

Docker run-- rm defanged-debian find /-perm + 6000-type f-exec ls-ld {}\; 2 > / dev/null | wc-l

A result of 0 means that the created image does not have special permissions for the file.

3.8 use the CPOY instruction in Dockerfile without the ADD instruction

The COPY directive only copies files from the local host to the container file system. The ADD instruction may retrieve files from the remote URL and perform operations such as decompressing them. Therefore, the ADD directive poses a security risk. For example, malicious files may be accessed directly from URL without scanning, or there may be vulnerabilities related to the decompressor.

3.9 Dockerfile should not contain information such as passwords and keys

There may be an access control vulnerability in dockerfile's own access rights, and users with permission to run docker history on docker hosts can see the key information in dockerfile.

The following example Dockerfile is just to prove that the key can be accessed, and the key information is displayed in the build output. The final image built does not have a key file:

$docker build-- no-cache-- progress=plain-- secret id=mysecret,src=mysecret.txt.... # 8 [2Acer 3] RUN-- mount=type=secret,id=mysecret cat / run/secrets/mysecret#8 digest: sha256:5d8cbaeb66183993700828632bfbde246cae8feded11aad40e524f54ce7438d6#8 name: "[2Acer 3] RUN-- mount=type=secret Id=mysecret cat / run/secrets/mysecret "# 8 started: 2018-08-31 21 RUN 30.703550864 + 0000 UTC#8 1.081 WARMACHINEROX#8 completed: 2018-08-31 21 21 03V 32.051053831 + 0000 UTC#8 duration: 1.347502967s#9 [3foobar#9 digest 3] RUN-- mount=type=secret,id=mysecret,dst=/foobar cat / foobar#9 digest: sha256:6c7ebda4599ec6acb40358017e51ccb4c5471dc434573b9b7188143757459efa#9 name:" [3Univer 3] RUN-- mount=type=secret,id=mysecret Dst=/foobar cat / foobar "# 9 started: 2018-08-31 21 started 033 UTC#9 32.052880985 + 0000 UTC#9 1.216 WARMACHINEROX#9 completed: 2018-08-31 21 purl 033purl 33.523282118 + 0000 UTC#9 duration: 1.470401133s.

The best way is to get the key information from the network server.

FROM busyboxRUN echo "The secret is:" & &\ wget-O-Q http://localhost:8000/secret.txt3.10 uses the software whitelist and installs only verified software packages

Usually in the process of integration into devops

Dependency check, support for various languages, continuous community updates, command line, docker deployment, rich reporting formats. The principle is based on the open source NVD open source vulnerability database to monitor security vulnerabilities, but the disadvantage is that using Lucene participle to match cpe based on file names is not accurate, this link introduces a part of the problem of false positives.

Dependency track, a new tool of owasp, has a good interface and is easy to manage.

For node applications, there is a npm audit fix command that can automatically upgrade the version. The principle is to query vulnerabilities through the interface of nodesecurity.io. For more information, please see https://www.npmjs.com/solutions/security-compliance.

If it is based on github, then free services such as snyk.io,git alert, lgtm, and sonar oss are available. In addition, gitlab Enterprise Edition also provides security features directly.

Commercial products

At this point, the study on "example Analysis of dockerfile and Mirror Security" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.