What are the security issues with Docker?

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

What are the security issues with Docker? Everyone is familiar with what Docker is and how to use it, but relatively little is known about its security weaknesses. This article walks through the potential security problems of Docker.

The difference between Docker and virtual machines

Isolation and sharing. A virtual machine adds a Hypervisor layer, virtual network cards, virtual memory, CPU and other virtual hardware, and then builds a virtual machine on top of it; each virtual machine has its own system kernel. A Docker container works by isolation: the file system, processes, devices, networks and other resources are isolated, and then permissions, CPU resources and so on are controlled so that containers do not affect each other and a container cannot affect the host. The container and the host share the kernel, file system, hardware and other resources.

Performance and overhead. Compared with virtual machines, containers consume fewer resources, so more containers than virtual machines can be run on the same host. However, the security of a virtual machine is slightly better than that of a container. To break out of a virtual machine to the host or to other virtual machines, an attacker must first break through the Hypervisor layer, which is extremely difficult, whereas a Docker container shares the kernel, file system and other resources with the host.

A compromised container is therefore more likely to affect other containers and the host.

Security problems in Docker

Vulnerabilities in Docker itself. As an application, Docker's own implementation has code defects. More than 20 vulnerabilities in historical versions of Docker are officially documented in CVE. The attack methods commonly used against them include code execution, privilege escalation, information disclosure and permission bypass. Docker versions change very quickly, so Docker users should upgrade to the latest version.

Image source problems.
1) If an attacker inserts viruses, backdoors or other malicious software into the image when it is created, the environment is insecure from the very beginning and no later security measure helps.
2) Images use vulnerable software. Of the images that can be downloaded from Docker Hub, 75% contain software with known vulnerabilities. Therefore, after downloading an image, check the version of the software it contains, whether that version has known vulnerabilities, and update and patch it in time.
3) Man-in-the-middle tampering: an image may be tampered with while it is transferred. Newer versions of Docker provide a corresponding verification mechanism to prevent this.

Docker architecture defects and security mechanisms

Architecture defects

LAN attacks between containers

The containers on a host form a local area network, so ARP spoofing, sniffing, broadcast storms and other attack methods that work on a LAN can be used between them. When deploying multiple containers on a single host, configure the network carefully and set iptables rules.

DDoS attacks that exhaust resources

The Cgroups security mechanism exists to prevent this kind of attack: do not allocate too many resources to a single container.

Vulnerable system call

An important difference between Docker and virtual machines is that Docker shares an operating system kernel with the host.

If the host kernel has a vulnerability that allows privilege escalation, then even though Docker runs the container as an ordinary user, once the container is compromised the attacker can use the kernel vulnerability to jump to the host and do much more.

Shared root user rights

If the container runs as root, the root user inside the container has root permission on the host.

Six aspects of the Docker security baseline standard

1. Kernel level

(1) update the kernel in time.

(2) User namespaces (root inside the container does not hold high privileges outside the container).

(3) Cgroups (quota and measurement of resources).

(4) SELinux/AppArmor/GRSEC (control file access).

(5) Capability (authority division).

(6) Seccomp (restrict system calls).

(7) sharing the host's process namespace with a container is forbidden.

2. Host level

(1) create a separate partition for the container.

(2) run only the necessary services.

(3) mapping sensitive host directories into containers is forbidden.

(4) audit the Docker daemon, related files and directories.

(5) set the appropriate default number of file descriptors.

(A file descriptor is a nonnegative integer that the kernel uses to access a file. When an existing file is opened or a new file is created, the kernel returns a file descriptor; reading and writing a file also requires the file descriptor to specify which file is read or written.)

(6) Docker-related files owned by root should have permissions of 644 or stricter.

(7) periodically check the container list of each host and clean up unnecessary containers.
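An added example (not from the original article) of how the host-level checks on file ownership and permissions can be automated in the spirit of item (6). It assumes GNU stat on Linux; the file list is constructed in a temporary directory so it runs anywhere, and on a real host you would pass the actual paths (for example /etc/docker/daemon.json or /lib/systemd/system/docker.service).

```shell
# Check one file: it must exist, be owned by $2 (default root) and carry no permission
# bits beyond 644 (owner rw, group r, other r; no execute, no setuid/setgid/sticky).
# Prints a one-line finding and returns 1 on any violation, returns 0 when compliant.
check_docker_file() {
    file="$1"; want_owner="${2:-root}"
    if [ ! -e "$file" ]; then
        echo "MISSING  $file"; return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")   # e.g. 644, or 4644 when a setuid bit is set
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $file is owned by $owner, expected $want_owner"; return 1
    fi
    # Exactly three digits, each a subset of 6/4/4. A four-digit mode (special bits)
    # or any execute or group/other write bit falls through to the failure branch.
    case "$mode" in
        [0246][04][04]) return 0 ;;
        *) echo "MODE     $file has mode $mode, expected 644 or stricter"; return 1 ;;
    esac
}

# Audit a list of files owned by $1; prints every finding and returns the number of
# violations (0 means everything passed).
audit_docker_files() {
    want_owner="$1"; shift
    bad=0
    for f in "$@"; do
        check_docker_file "$f" "$want_owner" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed demo: a temporary directory standing in for /etc/docker and friends,
# audited against the current user so the demo does not need root.
demo_dir=$(mktemp -d)
printf '{}\n' > "$demo_dir/daemon.json"; chmod 644 "$demo_dir/daemon.json"   # compliant
: > "$demo_dir/key.json";               chmod 600 "$demo_dir/key.json"      # compliant (stricter)
: > "$demo_dir/docker.service";         chmod 664 "$demo_dir/docker.service" # group-writable
: > "$demo_dir/docker-compose.yml";     chmod 755 "$demo_dir/docker-compose.yml" # executable
violations=0
audit_docker_files "$(id -un)" "$demo_dir/daemon.json" "$demo_dir/key.json" \
    "$demo_dir/docker.service" "$demo_dir/docker-compose.yml" "$demo_dir/missing.conf" \
    || violations=$?
echo "violations: $violations"
rm -rf "$demo_dir"
```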

3. Network level

(1) allow or prohibit network traffic between containers by setting iptables rules.

(2) allow Docker to modify iptables.

(3) do not bind Docker to another IP/port or Unix socket.

(4) mapping privileged ports into containers is forbidden.

(5) open only the required ports on the container.

(6) using host network mode for a container is prohibited.

(7) if the host has multiple network cards, bind the container inbound traffic to a specific host network card.

4. Image level

(1) create a local image registry server.

(2) the software in the image is the latest version.

(3) use a trusted image file and download it through a secure channel.

(4) rebuild the image instead of patching the container and image.

(5) manage image tags reasonably and remove images that are no longer in use in time.

(6) use image scanning.

(7) use image signing.

5. Container level

(1) minimize the container and use a minimal operating system image.

(2) the container runs as a single main process.

(3) do not use the privileged flag to run privileged containers.

(4) do not run an ssh service inside the container.

(5) mount the container's root file system read-only.

(6) clearly define the data volumes that belong to the container.

(7) limit the number of restart attempts by setting the on-failure restart policy; data is easily lost when a container restarts repeatedly.

(8) restrict the process tree available to the container to prevent fork bombs (a fork bomb creates child processes rapidly until the system's process limit is exhausted).

6. Other settings

(1) regular security audits of host systems and containers.

(2) run the container with the least resources and permissions.

(3) avoid deploying a large number of containers on the same host and maintain a manageable number.

(4) monitor the use, performance and other indicators of Docker containers.

(5) add real-time intrusion detection and incident response.

(6) use central and remote log collection services.

Docker security rules

Container minimization. Run only the necessary services inside the container; services such as ssh are not enabled. To get a shell, enter the container with docker exec instead:

[root@localhost ~]# docker exec -it mycontainer bash

Docker remote API access control. The Docker remote API can be reached without authentication when it is exposed, so access from the public network must be restricted. The listening addresses are specified in the Docker daemon's default configuration file:

[root@localhost ~]# dockerd -H unix:///var/run/docker.sock -H tcp://192.168.142.128:2375

(Older Docker versions used docker -d instead of dockerd.) Access control can then restrict traffic on the host with iptables or firewalld. iptables filters can limit the source IP range from which Docker containers may communicate with the outside world. Note that iptables evaluates rules in order, so the ESTABLISHED rule must be appended before the DROP rule:

iptables -A FORWARD -s <source IP range> -j REJECT --reject-with icmp-admin-prohibited
iptables -A FORWARD -i docker0 -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 -o eth0 -j DROP

Starting the Docker service as an ordinary user with user mapping. To solve the problem that user 0 inside a container is the same as root on the host, LXC allows user and group IDs to be remapped:

[root@localhost ~]# yum -y install lxc uidmap
[root@localhost ~]# vim /etc/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

File system limits. The mounted container root directory must be read-only, and the file and directory permissions belonging to different containers must be kept separate. Better still, give each container its own partition:

su test01
docker run -v dev:/home/mc_server/test01 -it centos:latest /bin/bash
su test02
docker run -v dev:/home/mc_server/test02 -it centos:latest /bin/bash

Image security on the host

In general, obtain images only from trusted registries and do not use the --insecure-registry=[] parameter.

Communication security between the Docker client and the Docker daemon. To prevent link hijacking, session hijacking and other problems that lead to man-in-the-middle attacks on Docker communication, the two ends (client and server) should communicate over an encrypted channel:

[root@localhost harbor]# dockerd --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376

Docker resource limits

Limit container resources to reduce security risks without affecting business

docker run -tid --name ec2 --cpuset-cpus 3 --cpu-shares 2048 --memory 2048m --rm --blkio-weight 2048 --pids-limit 512 <image>

Host kernel upgrades for vulnerabilities. Host failures and kernel upgrades are a problem: Docker containers should support hot migration, and a kernel upgrade plan (planning, execution and migration back) should be worked out in advance.

Installation security hardening. Use a hardened Linux kernel with kernel patches such as SELinux, AppArmor or GRSEC.

Avoid information leakage from Docker containers. Check the contents of the container creation template (the Dockerfile):

# check created users
grep authorized_keys $dockerfile
# check OS users
grep "etc/group" $dockerfile
# check sudo users
grep "etc/sudoers.d" $dockerfile
# check ssh key pairs
grep ".ssh/.*id_rsa" $dockerfile
# add your own checks below

Log analysis. Collect and archive Docker-related security logs for audit and monitoring purposes. Logs can be collected, stored and analysed with rsyslog or with stdout + ELK. Use the following command on the host to give the container access to the host's log socket:

docker run -v /dev/log:/dev/log <image> /bin/sh

Docker's built-in command: docker logs -f

Docker Bench for Security is a script that checks dozens of common best practices for deploying Docker containers in a production environment.
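An added example (not from the original article) that turns the Dockerfile grep checks above into a small scanner. It applies the article's four patterns and adds one more, not in the article, for credentials passed through ENV or ARG; the Dockerfile it scans is constructed inline.

```shell
# Scan a Dockerfile for the leak patterns discussed in the article (plus an extra
# ENV/ARG credential check added here). Each finding is printed as
# "[description] line N:<Dockerfile text>"; nothing is printed for a clean file.
scan_dockerfile() {
    df="$1"
    # "regex;description" pairs; the regexes are case-insensitive extended regexes
    for check in \
        'authorized_keys;ssh authorized_keys file baked into the image' \
        'etc/group;direct edit of /etc/group (OS users)' \
        'etc/sudoers\.d;sudoers drop-in (sudo users)' \
        '\.ssh/.*id_rsa;ssh private key copied into the image' \
        '^(ENV|ARG)[[:space:]]+[A-Za-z_]*(PASSWORD|SECRET|TOKEN)[A-Za-z_]*=;credential exposed via ENV/ARG'
    do
        pat=${check%%;*}
        desc=${check#*;}
        grep -niE "$pat" "$df" | while IFS= read -r hit; do
            printf '[%s] line %s\n' "$desc" "$hit"
        done
    done
}

# Number of findings, for use in scripts (0 means the Dockerfile passed every check).
leak_count() {
    scan_dockerfile "$1" | wc -l | tr -d ' '
}

# Constructed demo Dockerfile containing four of the five leak patterns.
demo_df=$(mktemp)
cat > "$demo_df" <<'EOF'
FROM centos:latest
RUN useradd deploy && echo "deploy ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/deploy
COPY id_rsa /root/.ssh/id_rsa
COPY authorized_keys /root/.ssh/authorized_keys
ENV DB_PASSWORD=hunter2
RUN yum -y install httpd
CMD ["httpd", "-DFOREGROUND"]
EOF
scan_dockerfile "$demo_df"
echo "findings: $(leak_count "$demo_df")"
```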

After downloading it (and optionally adding it to the PATH environment variable), run the script:

[root@localhost ~]# git clone https://github.com/docker/docker-bench-security.git
[root@localhost ~]# cd docker-bench-security
[root@localhost docker-bench-security]# sudo sh docker-bench-security.sh

ulimit. Resource types such as core dump file size, process data segment size, created file size, resident set size, number of open files, process stack size, CPU time, maximum number of threads for a single user and maximum virtual memory of a process can all be limited. To set a CPU time limit:

docker daemon --default-ulimit cpu=1200
docker run --rm -ti --ulimit cpu=1200 ubuntu bash

Inside the container, view the limit with ulimit -t.

Docker TLS encrypted communication. To prevent link hijacking, session hijacking and other problems that lead to man-in-the-middle attacks on Docker communication, the communication between the two ends (client and server) should be encrypted.

1. Deploy the master server

[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
[root@master ~]# vim /etc/hosts
127.0.0.1 master
[root@master ~]# mkdir /tls
[root@master ~]# cd /tls/
# create the CA key (the passphrase chosen in this walkthrough is 123123)
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
# create the CA certificate
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
# create the server private key
[root@master tls]# openssl genrsa -out server-key.pem 4096
# create the server signing request
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
# sign with the CA certificate and CA private key; enter 123123 when prompted
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
# generate the client key
[root@master tls]# openssl genrsa -out key.pem 4096
# create the client signing request
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
# create the extension configuration file
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
# sign the client certificate (client CSR, CA certificate, CA key); enter 123123 when prompted
[root@master tls]# openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
# delete redundant files
[root@master tls]# rm -rf ca.srl client.csr extfile.cnf server.csr
# configure docker
[root@master tls]# vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
# reload the systemd units
[root@master tls]# systemctl daemon-reload
# restart the service
[root@master tls]# systemctl restart docker
# copy /tls/ca.pem, /tls/cert.pem and /tls/key.pem to the other host
[root@master tls]# scp ca.pem root@192.168.45.128:/etc/docker
[root@master tls]# scp cert.pem root@192.168.45.128:/etc/docker
[root@master tls]# scp key.pem root@192.168.45.128:/etc/docker

2. Deploy the client

[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# su
[root@client ~]# vim /etc/hosts
192.168.45.129 master

3. Test from the client

[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
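An added example (not from the original article) that runs the certificate steps above non-interactively and then verifies what was produced with openssl verify. It assumes the openssl CLI is installed. Two things differ from the article on purpose: the keys are left unencrypted here (the article protects the CA key with -aes256), and the server certificate carries a subjectAltName for the daemon's hostname, which Docker clients built with Go 1.15 or later require; a bare "/CN=*" subject is no longer accepted.

```shell
# Build a CA, a server certificate and a clientAuth-only client certificate in $1 for
# the daemon hostname $2. Runs in a subshell so the cd does not leak to the caller.
make_docker_tls() (
    set -e
    dir="$1"; host="$2"
    mkdir -p "$dir" && cd "$dir"
    # CA key and self-signed CA certificate
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=docker-ca" -out ca.pem
    # server key, CSR and CA-signed certificate restricted to serverAuth, with a SAN
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > server-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out server-cert.pem -extfile server-ext.cnf 2>/dev/null
    # client key, CSR and CA-signed certificate restricted to clientAuth (as in the article)
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -subj "/CN=client" -new -key key.pem -out client.csr
    echo extendedKeyUsage=clientAuth > extfile.cnf
    openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out cert.pem -extfile extfile.cnf 2>/dev/null
    rm -f ca.srl client.csr server.csr extfile.cnf server-ext.cnf
    # private keys must not be readable by anyone else before they are copied with scp
    chmod 0400 ca-key.pem server-key.pem key.pem
)

# Does certificate $2 (inside directory $1) chain to ca.pem and is it valid for
# purpose $3 (sslserver or sslclient)? A clientAuth-only certificate must fail the
# sslserver purpose, which is what stops a leaked client cert being reused as a daemon cert.
cert_valid_for() {
    openssl verify -purpose "$3" -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
}

# Demo run in a temporary directory (constructed; nothing is written under /tls).
demo=$(mktemp -d)
make_docker_tls "$demo" master
cert_valid_for "$demo" server-cert.pem sslserver && echo "server cert ok for sslserver"
cert_valid_for "$demo" cert.pem sslclient && echo "client cert ok for sslclient"
cert_valid_for "$demo" cert.pem sslserver || echo "client cert correctly rejected as sslserver"
rm -rf "$demo"
```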

That covers the potential security problems of Docker. I hope the above content is helpful; if you found the article useful, share it so more people can read it.
