Docker Security
Process Isolation
Docker containers are just Linux processes; each container's process is assigned a process ID on the host and is visible there.
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af957dfb19cf ubuntu "sleep 3600" 6 seconds ago Up 5 seconds stoic_pascal
sudo ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 173708 16716 ? Ss Oct30 0:23 /usr/lib/systemd/systemd rhgb 5000000000
root 325998 0.0 0.0 2788 1016 ? Ss 13:26 0:00 sleep 3600
Users
By default Docker runs container processes as the root user.
Set user
Use the --user flag:
docker run --rm --user=1000 ubuntu sleep 3600
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f66d31c52ff ubuntu "sleep 3600" 3 minutes ago Up 3 minutes recursing_fermi
af957dfb19cf ubuntu "sleep 3600" 6 seconds ago Up 5 seconds stoic_pascal
sudo ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 173708 16716 ? Ss Oct30 0:23 /usr/lib/systemd/systemd rhgb 5000000000
1000 324294 0.0 0.0 2788 1052 ? Ss 13:19 0:00 sleep 3600
To get the user ID of your current user:
echo ${UID}
1000
Dockerfile: change the user
FROM ubuntu

USER 1000
Root user
Root user in container != root user on host
The root user in a container has root permissions over the container's virtual filesystem, not over the host.
Linux Capabilities
Full list at /usr/include/capability.h
- CHOWN
- DAC
- KILL
- SETFCAP
- SETPCAP
- SETGID
- SETUID
- NETBIND
- NETRAW
- MAC_ADMIN
- BROADCAST
- NET_ADMIN
- SYS_ADMIN
- SYS_CHROOT
- AUDIT_WRITE
- ...etc
Add Capabilities
CLI
--cap-add <CAPABILITY>
docker run --rm --cap-add MAC_ADMIN ubuntu sleep 360
Drop Capabilities
--cap-drop <CAPABILITY>
docker run --rm --cap-drop KILL ubuntu sleep 360
All privileges (--privileged)
docker run --rm --privileged ubuntu sleep 360
--privileged grants the container every capability and access to the host's devices, so it removes most of the isolation described above.
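Because a container is just a host process, what it can actually do can be checked from the host: the following is an added example (not from these notes) that decodes the CapEff mask from /proc/<pid>/status into capability names and reports the process's UID, so the effect of --user and --cap-drop can be verified rather than assumed. The decoder is pure POSIX sh; only audit_container assumes the docker CLI and root read access to /proc on the host, and the sample status text is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit what a running container's
# process actually holds, using the fact that a container is just a host process.

# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF \
CHECKPOINT_RESTORE"

# decode_caps HEXMASK: print the names of the capabilities set in a CapEff mask.
decode_caps() {
    mask=$((0x$1)); i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# report_status STATUS_TEXT: summarise the Uid and CapEff lines of a
# /proc/<pid>/status document as "uid=<uid> caps=<names>".
report_status() {
    uid=$(printf '%s\n' "$1" | awk '/^Uid:/ {print $2}')
    capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
    printf 'uid=%s caps=%s\n' "$uid" "$(decode_caps "$capeff")"
}

# audit_container NAME_OR_ID: run the same report against a live container by
# resolving its host PID with docker inspect (assumes docker and root on the host).
audit_container() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    report_status "$(cat "/proc/$pid/status")"
}

# Constructed sample of the relevant /proc/<pid>/status fields for a default
# "docker run ubuntu sleep 3600" container: root, with Docker's default cap set.
SAMPLE_STATUS='Name:   sleep
Uid:    0       0       0       0
CapEff: 00000000a80425fb'

report_status "$SAMPLE_STATUS"
# prints: uid=0 caps=CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP
```

A container started with --cap-drop KILL shows the same mask with bit 5 cleared (00000000a80425db), and one started with --user=1000 shows uid=1000; --privileged shows every bit set.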