Open abitrolly opened 7 years ago
Docker doesn't isolate services that are running on a single host. Every user can access every exposed port of a Docker container even if that port is not mapped with -p or -P (is not published). Test:
```
$ docker run -d rethinkdb
...
135ddb5698a9fd54acfb08a325f4ad6b1bf3e5257862e47466c5c4d00c535a5a
$ docker ps -a
anatoli@enterprise-mars:~$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                             NAMES
135ddb5698a9        rethinkdb           "rethinkdb --bind all"   46 seconds ago      Up 46 seconds       8080/tcp, 28015/tcp, 29015/tcp    naughty_vara
f53d85f94198        fullnode-btcd       "/cyberapp/btcd --dat"   5 days ago          Up 5 days           0.0.0.0:8333->8333/tcp            btcd
$ docker logs 135
Recursively removing directory /data/rethinkdb_data/tmp
Initializing directory /data/rethinkdb_data
Running rethinkdb 2.3.5~0jessie (GCC 4.9.2)...
Running on Linux 4.8.0-54-generic x86_64
Loading data from directory /data/rethinkdb_data
Listening for intracluster connections on port 29015
Listening for client driver connections on port 28015
Listening for administrative HTTP connections on port 8080
Listening on cluster addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Listening on driver addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Listening on http addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Server ready, "135ddb5698a9_rac" 8377e4aa-0d9c-4ded-b50d-45a0ef52f50e
```
Docker EXPOSE docs say:

> EXPOSE does not make the ports of the container accessible to the host. To do that, you must use either the -p flag to publish a range of ports or the -P flag to publish all of the exposed ports.
But even without publishing, RethinkDB ports are available to the host on the docker0 interface:

```
$ sudo su cyber
cyber@enterprise-mars:/home/anatoli$ nc 172.17.0.3 28015
aaaa
ERROR: Received an unsupported protocol version. This port is for RethinkDB queries. Does your client driver version not match the server?
```
Port publishing makes EXPOSEd ports available from the host, not to it. Docker documentation is wrong.

The security consequence of that is that we need to additionally guard all service endpoints that are considered "secure by not publishing" their administrative ports from the Docker container.
More about securing Docker - http://rhelblog.redhat.com/2016/10/17/secure-your-containers-with-this-one-weird-trick/
An alternative scheme to running everything under the `cyber` user is to allocate a separate user for every docker container. This way `cyber` could be a container build worker and orchestrator. This will reduce attack vectors from within containers only to their own data and data that they have access to (shared mounts, databases and remote services). The problem to resolve is permissions to the shared mounts.
This basic setup will help to understand how Kubernetes works by comparison.
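The practical defender's question raised by this issue is "which of my containers have EXPOSEd ports that nothing publishes, and are therefore only reachable through the bridge IP where any local user can connect?". The script below is an added example, not code from the issue author or from the Docker project. It reads the JSON that `docker inspect` emits (the `Config.ExposedPorts`, `NetworkSettings.Ports` and `NetworkSettings.IPAddress` fields are the real ones Docker produces) and lists exposed-but-unpublished ports per container, alongside the published ones. The `SAMPLE_INSPECT` document is constructed to mirror the two containers in the `docker ps` listing above; its IP for `btcd` and all mapping details are assumptions, not data from that host. The `reachable()` helper performs the same TCP connect that the `nc` test above does, so an operator can confirm from an unprivileged shell whether the bridge really answers.

```python
"""Audit which container ports are EXPOSEd but not published (example code).

Exposed ports with no host mapping stay reachable on the bridge IP from any
process on the host that can route to docker0, which is what this issue is about.
"""
import json
import socket
import subprocess
from typing import Any, Dict, List, Tuple

# Constructed sample in `docker inspect` JSON shape; modelled on the issue's
# containers but with assumed IP/mapping details (not captured from that host).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/naughty_vara",
        "Config": {
            "Image": "rethinkdb",
            "ExposedPorts": {"8080/tcp": {}, "28015/tcp": {}, "29015/tcp": {}},
        },
        "NetworkSettings": {
            "IPAddress": "172.17.0.3",
            # Docker emits null for an exposed port that has no host mapping.
            "Ports": {"8080/tcp": None, "28015/tcp": None, "29015/tcp": None},
        },
    },
    {
        "Name": "/btcd",
        "Config": {"Image": "fullnode-btcd", "ExposedPorts": {"8333/tcp": {}}},
        "NetworkSettings": {
            "IPAddress": "172.17.0.2",  # assumed bridge address
            "Ports": {"8333/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8333"}]},
        },
    },
])


def _port_number(port_spec: str) -> int:
    """'28015/tcp' -> 28015, so findings sort numerically rather than as text."""
    return int(port_spec.split("/", 1)[0])


def unpublished_exposed_ports(inspect_json: str) -> List[Tuple[str, str, str]]:
    """Return (container, bridge_ip, port) for every EXPOSEd port with no host
    mapping. These are the ports the issue shows to be reachable via docker0."""
    findings: List[Tuple[str, str, str]] = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        net: Dict[str, Any] = c.get("NetworkSettings") or {}
        bridge_ip = net.get("IPAddress") or ""
        exposed = (c.get("Config") or {}).get("ExposedPorts") or {}
        mappings = net.get("Ports") or {}
        for port in sorted(exposed, key=_port_number):
            if not mappings.get(port):  # None or [] means "not published"
                findings.append((name, bridge_ip, port))
    return findings


def published_ports(inspect_json: str) -> List[Tuple[str, str, str, str]]:
    """Return (container, port, host_ip, host_port) for every published mapping,
    i.e. the ports that are deliberately reachable from outside the host too."""
    result: List[Tuple[str, str, str, str]] = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        mappings = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for port in sorted(mappings, key=_port_number):
            for m in mappings.get(port) or []:
                result.append((name, port, m["HostIp"], m["HostPort"]))
    return result


def reachable(ip: str, port_spec: str, timeout: float = 1.0) -> bool:
    """TCP-connect check, the same thing `nc <ip> <port>` did in the issue.
    Run it from an unprivileged host shell to confirm the bridge answers."""
    try:
        with socket.create_connection((ip, _port_number(port_spec)), timeout=timeout):
            return True
    except OSError:
        return False


def audit_live() -> List[Tuple[str, str, str]]:
    """Inspect every running container on this host and report the findings."""
    ids = subprocess.run(["docker", "ps", "-q"], check=True,
                         capture_output=True, text=True).stdout.split()
    if not ids:
        return []
    raw = subprocess.run(["docker", "inspect", *ids], check=True,
                         capture_output=True, text=True).stdout
    return unpublished_exposed_ports(raw)


if __name__ == "__main__":
    for name, ip, port in unpublished_exposed_ports(SAMPLE_INSPECT):
        print(f"{name}: {port} exposed but not published; bridge address {ip}")
```

On a real host, `audit_live()` replaces the constructed sample with the output of `docker inspect` for every running container; each finding it returns is a port that any local user can reach exactly as `nc 172.17.0.3 28015` did, and is therefore a candidate for in-container authentication, a firewall rule on the bridge, or an `--internal` network rather than relying on "not published" as protection.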