cyberFund / cybernode-archive

🚀 Manager of docker images for cybernomics
MIT License

Docker security - user per container and other notes #51

Open abitrolly opened 7 years ago

abitrolly commented 7 years ago

An alternative scheme to running everything under the cyber user is to allocate a separate user for every docker container. This way cyber could be a container build worker and orchestrator. It will:

  1. build containers and upload them to Docker Hub
  2. allocate volumes and permissions to share container data
  3. run, stop and upgrade containers in automatic mode

This will reduce attack vectors from within containers only to their own data and data that they have access to (shared mounts, databases and remote services). The problem to resolve is permissions to the shared mounts.

This basic setup will help to understand how Kubernetes works by comparison.
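The per-container user scheme sketched above, as an added example that is not code from the cybernode-archive project: an orchestrator helper that builds the `docker run` invocation for a container pinned to its own host uid/gid and audits the shared mount it hands over before starting it. The `ContainerSpec` layout, the function names and the chosen flags are assumptions.

```python
"""Per-container service accounts and shared-mount permission checks.

Added example (not from the cybernode-archive project). ContainerSpec, the
function names and the flag selection are assumptions about how an
orchestrator user such as `cyber` might do this.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class ContainerSpec:
    name: str
    image: str
    uid: int            # host uid allocated to this container only
    gid: int            # host gid; shared data uses a group both sides belong to
    data_dir: str       # host path bind-mounted as the container's /data
    shared_ro: list = field(default_factory=list)  # (host_path, mount) read-only mounts


def run_command(spec):
    """Build the `docker run` argv for a spec.

    --user pins the container's processes to the allocated uid:gid, so a
    compromised service can only touch host files that uid/gid can already
    reach; --cap-drop ALL and --read-only shrink what it can do further.
    """
    argv = [
        "docker", "run", "-d", "--name", spec.name,
        "--user", f"{spec.uid}:{spec.gid}",
        "--cap-drop", "ALL", "--read-only",
        "-v", f"{spec.data_dir}:/data",
    ]
    for host_path, mount in spec.shared_ro:
        argv += ["-v", f"{host_path}:{mount}:ro"]
    argv.append(spec.image)
    return argv


def audit_mount(path, uid, gid):
    """Return a list of problems with a host directory about to be mounted.

    The directory must exist, be owned by the container's uid, carry the
    shared gid, and not be writable by 'other' (otherwise every container
    on the host can write into it, which defeats the per-user split).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        problems.append(f"{path}: group {st.st_gid}, expected {gid}")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    return problems


def prepare_mount(path, mode=0o750):
    """Create the data directory group-readable and closed to 'other'."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Demo with the current user standing in for an allocated service account.
    base = tempfile.mkdtemp()
    data = prepare_mount(os.path.join(base, "rethinkdb"))
    spec = ContainerSpec("rethinkdb", "rethinkdb", os.getuid(), os.getgid(), data)
    for problem in audit_mount(data, spec.uid, spec.gid):
        print("refusing to start:", problem)
    print(" ".join(run_command(spec)))
```

The audit is the part that matters for the "permissions to the shared mounts" problem: an orchestrator that refuses to start a container whose volume is owned by the wrong uid or is world-writable catches the misconfiguration before the container does anything with it.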

abitrolly commented 7 years ago

Docker doesn't isolate services that are running on a single host. Every user can access every exposed port of a Docker container even if that port is not mapped with -p or -P (is not published). Test:

$ docker run -d rethinkdb
...
135ddb5698a9fd54acfb08a325f4ad6b1bf3e5257862e47466c5c4d00c535a5a
$ docker ps -a
anatoli@enterprise-mars:~$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
135ddb5698a9        rethinkdb           "rethinkdb --bind all"   46 seconds ago      Up 46 seconds       8080/tcp, 28015/tcp, 29015/tcp   naughty_vara
f53d85f94198        fullnode-btcd       "/cyberapp/btcd --dat"   5 days ago          Up 5 days           0.0.0.0:8333->8333/tcp           btcd
$ docker logs 135
Recursively removing directory /data/rethinkdb_data/tmp
Initializing directory /data/rethinkdb_data
Running rethinkdb 2.3.5~0jessie (GCC 4.9.2)...
Running on Linux 4.8.0-54-generic x86_64
Loading data from directory /data/rethinkdb_data
Listening for intracluster connections on port 29015
Listening for client driver connections on port 28015
Listening for administrative HTTP connections on port 8080
Listening on cluster addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Listening on driver addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Listening on http addresses: 127.0.0.1, 172.17.0.3, ::1, fe80::42:acff:fe11:3%20
Server ready, "135ddb5698a9_rac" 8377e4aa-0d9c-4ded-b50d-45a0ef52f50e

Docker EXPOSE docs say:

EXPOSE does not make the ports of the container accessible to the host. To do that, you must use either the -p flag to publish a range of ports or the -P flag to publish all of the exposed ports.

But even without publishing, RethinkDB ports are available to the host on the docker0 interface:

$ sudo su cyber
cyber@enterprise-mars:/home/anatoli$ nc 172.17.0.3 28015
aaaa
ERROR: Received an unsupported protocol version. This port is for RethinkDB queries. Does your client driver version not match the server?

Port publishing makes EXPOSEd ports available from the host, not to it. Docker documentation is wrong.

The security consequence of that is that we need to additionally guard all service endpoints that are considered "secure by not publishing" their administrative ports from the Docker container.
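A check for the situation described in this comment, as an added example that is not part of the original issue: it reads the JSON that `docker inspect` prints, lists every port that is EXPOSEd but has no host binding, and can repeat the `nc` probe against the container's bridge address. The sample input is constructed to mirror the two containers in the `docker ps -a` listing above; the btcd address 172.17.0.2 is an assumption, as is everything beyond the `NetworkSettings.Ports` layout.

```python
"""Find container ports that are EXPOSEd but not published.

Added example (not from the cybernode-archive project). In `docker inspect`
output, NetworkSettings.Ports maps "port/proto" either to a list of host
bindings or to null when the port is only EXPOSEd. A null entry is exactly
the case the comment above tests: no -p mapping, yet any local user can
connect to it at the container's docker0 address.
"""
import json
import socket

# Constructed sample modelled on `docker inspect` for the two containers in
# the listing above. Container IDs, names and the rethinkdb address come from
# the page; the btcd address and the rest of the layout are assumptions.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "135ddb5698a9",
        "Name": "/naughty_vara",
        "NetworkSettings": {
            "IPAddress": "172.17.0.3",
            "Ports": {"8080/tcp": None, "28015/tcp": None, "29015/tcp": None},
        },
    },
    {
        "Id": "f53d85f94198",
        "Name": "/btcd",
        "NetworkSettings": {
            "IPAddress": "172.17.0.2",
            "Ports": {"8333/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8333"}]},
        },
    },
])


def unpublished_ports(inspect_json):
    """Return [(container_name, bridge_ip, "port/proto")] for every port
    that is exposed by the image but has no host binding."""
    findings = []
    for container in json.loads(inspect_json):
        net = container.get("NetworkSettings", {})
        ip = net.get("IPAddress", "")
        for port, bindings in sorted(net.get("Ports", {}).items()):
            if not bindings:  # null (or empty list): EXPOSEd only, never published
                findings.append((container["Name"].lstrip("/"), ip, port))
    return findings


def host_reachable(ip, port_spec, timeout=1.0):
    """Reproduce the `nc 172.17.0.3 28015` step from the host: True if a TCP
    connect to the container's bridge address succeeds."""
    port = int(port_spec.split("/")[0])
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # In practice feed this `docker inspect $(docker ps -q)` instead of the sample.
    for name, ip, port in unpublished_ports(SAMPLE_INSPECT):
        status = "reachable" if host_reachable(ip, port) else "not reachable"
        print(f"{name}: {port} exposed but not published; {ip} {status} from this host")
```

Any port that this reports as reachable is one of the endpoints the comment says must be guarded by the service itself (authentication, binding choices), because the absence of a `-p` mapping is not doing that job.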

abitrolly commented 7 years ago

More about securing Docker - http://rhelblog.redhat.com/2016/10/17/secure-your-containers-with-this-one-weird-trick/