nuvlabox / nuvlabox-os-raspberrypi

NuvlaBox OS layers for building RaspberryPi images with Yocto
Apache License 2.0

run performance benchmarks on NB OS RPi #5

Closed cjdcordeiro closed 4 years ago

cjdcordeiro commented 4 years ago

build an uber suite with benchmarks for:

cjdcordeiro commented 4 years ago

UnixBench in Docker

RPi 4 with Raspbian Buster

========================================================================
   BYTE UNIX Benchmarks (Version 5.1.3)

   System: 8e755207919a: GNU/Linux
   OS: GNU/Linux -- 4.19.75-v7l+ -- #1270 SMP Tue Sep 24 18:51:41 BST 2019
   Machine: armv7l (unknown)
   Language: en_US.utf8 (charmap="ANSI_X3.4-1968", collate="ANSI_X3.4-1968")
   CPU 0: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 1: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 2: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 3: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   ; runlevel 

------------------------------------------------------------------------
Benchmark Run: Mon Apr 20 2020 14:02:35 - 14:30:30
4 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables       13659676.2 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     2365.7 MWIPS (9.5 s, 7 samples)
Execl Throughput                               1156.4 lps   (29.8 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         88512.3 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           24250.9 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        259926.5 KBps  (30.0 s, 2 samples)
Pipe Throughput                              162124.6 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  40811.1 lps   (10.0 s, 7 samples)
Process Creation                               2097.9 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   2415.3 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    612.7 lpm   (60.0 s, 2 samples)
System Call Overhead                         492499.2 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   13659676.2   1170.5
Double-Precision Whetstone                       55.0       2365.7    430.1
Execl Throughput                                 43.0       1156.4    268.9
File Copy 1024 bufsize 2000 maxblocks          3960.0      88512.3    223.5
File Copy 256 bufsize 500 maxblocks            1655.0      24250.9    146.5
File Copy 4096 bufsize 8000 maxblocks          5800.0     259926.5    448.1
Pipe Throughput                               12440.0     162124.6    130.3
Pipe-based Context Switching                   4000.0      40811.1    102.0
Process Creation                                126.0       2097.9    166.5
Shell Scripts (1 concurrent)                     42.4       2415.3    569.7
Shell Scripts (8 concurrent)                      6.0        612.7   1021.2
System Call Overhead                          15000.0     492499.2    328.3
                                                                   ========
System Benchmarks Index Score                                         311.7

------------------------------------------------------------------------
Benchmark Run: Mon Apr 20 2020 14:30:30 - 14:58:53
4 CPUs in system; running 4 parallel copies of tests

Dhrystone 2 using register variables       25403449.3 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     4674.1 MWIPS (11.1 s, 7 samples)
Execl Throughput                               1864.1 lps   (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         79504.0 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           21141.4 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        274301.0 KBps  (30.0 s, 2 samples)
Pipe Throughput                              327667.4 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  79995.0 lps   (10.0 s, 7 samples)
Process Creation                               3114.3 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   3726.7 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    482.4 lpm   (60.3 s, 2 samples)
System Call Overhead                        1036922.0 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   25403449.3   2176.8
Double-Precision Whetstone                       55.0       4674.1    849.8
Execl Throughput                                 43.0       1864.1    433.5
File Copy 1024 bufsize 2000 maxblocks          3960.0      79504.0    200.8
File Copy 256 bufsize 500 maxblocks            1655.0      21141.4    127.7
File Copy 4096 bufsize 8000 maxblocks          5800.0     274301.0    472.9
Pipe Throughput                               12440.0     327667.4    263.4
Pipe-based Context Switching                   4000.0      79995.0    200.0
Process Creation                                126.0       3114.3    247.2
Shell Scripts (1 concurrent)                     42.4       3726.7    878.9
Shell Scripts (8 concurrent)                      6.0        482.4    803.9
System Call Overhead                          15000.0    1036922.0    691.3
                                                                   ========
System Benchmarks Index Score                                         446.0

RPi 4 with Yocto-based NB OS

========================================================================
   BYTE UNIX Benchmarks (Version 5.1.3)

   System: 65de0f4b9f94: GNU/Linux
   OS: GNU/Linux -- 4.19.113-v7l -- #1 SMP Thu Mar 26 16:40:35 UTC 2020
   Machine: armv7l (unknown)
   Language: en_US.utf8 (charmap="ANSI_X3.4-1968", collate="ANSI_X3.4-1968")
   CPU 0: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 1: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 2: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   CPU 3: ARMv7 Processor rev 3 (v7l) (0.0 bogomips)

   ; runlevel 

------------------------------------------------------------------------
Benchmark Run: Mon Apr 20 2020 14:02:46 - 14:30:58
4 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables        5484889.6 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                      921.7 MWIPS (9.7 s, 7 samples)
Execl Throughput                                470.9 lps   (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         36994.3 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           10056.2 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        118275.9 KBps  (30.0 s, 2 samples)
Pipe Throughput                               63043.2 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  16823.5 lps   (10.0 s, 7 samples)
Process Creation                                878.9 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   1433.7 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    394.8 lpm   (60.0 s, 2 samples)
System Call Overhead                         194845.6 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0    5484889.6    470.0
Double-Precision Whetstone                       55.0        921.7    167.6
Execl Throughput                                 43.0        470.9    109.5
File Copy 1024 bufsize 2000 maxblocks          3960.0      36994.3     93.4
File Copy 256 bufsize 500 maxblocks            1655.0      10056.2     60.8
File Copy 4096 bufsize 8000 maxblocks          5800.0     118275.9    203.9
Pipe Throughput                               12440.0      63043.2     50.7
Pipe-based Context Switching                   4000.0      16823.5     42.1
Process Creation                                126.0        878.9     69.8
Shell Scripts (1 concurrent)                     42.4       1433.7    338.1
Shell Scripts (8 concurrent)                      6.0        394.8    658.0
System Call Overhead                          15000.0     194845.6    129.9
                                                                   ========
System Benchmarks Index Score                                         136.8

------------------------------------------------------------------------
Benchmark Run: Mon Apr 20 2020 14:30:58 - 14:59:19
4 CPUs in system; running 4 parallel copies of tests

Dhrystone 2 using register variables       21812868.6 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     3670.1 MWIPS (9.7 s, 7 samples)
Execl Throughput                               1473.2 lps   (29.8 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         60328.9 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           15364.4 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        218994.9 KBps  (30.0 s, 2 samples)
Pipe Throughput                              241211.8 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  69765.6 lps   (10.0 s, 7 samples)
Process Creation                               2567.2 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   3167.7 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    425.4 lpm   (60.2 s, 2 samples)
System Call Overhead                         738281.5 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   21812868.6   1869.1
Double-Precision Whetstone                       55.0       3670.1    667.3
Execl Throughput                                 43.0       1473.2    342.6
File Copy 1024 bufsize 2000 maxblocks          3960.0      60328.9    152.3
File Copy 256 bufsize 500 maxblocks            1655.0      15364.4     92.8
File Copy 4096 bufsize 8000 maxblocks          5800.0     218994.9    377.6
Pipe Throughput                               12440.0     241211.8    193.9
Pipe-based Context Switching                   4000.0      69765.6    174.4
Process Creation                                126.0       2567.2    203.7
Shell Scripts (1 concurrent)                     42.4       3167.7    747.1
Shell Scripts (8 concurrent)                      6.0        425.4    709.1
System Call Overhead                          15000.0     738281.5    492.2
                                                                   ========
System Benchmarks Index Score                                         355.7

RPi 3 with Yocto


========================================================================
   BYTE UNIX Benchmarks (Version 5.1.3)

   System: a6a4e1e2b398: GNU/Linux
   OS: GNU/Linux -- 4.19.113-v7 -- #1 SMP Thu Mar 26 16:40:35 UTC 2020
   Machine: armv7l (unknown)
   Language: en_US.utf8 (charmap="ANSI_X3.4-1968", collate="ANSI_X3.4-1968")
   CPU 0: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 1: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 2: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 3: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   ; runlevel 

------------------------------------------------------------------------
Benchmark Run: Tue Apr 21 2020 10:59:16 - 11:27:33
4 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables        2761278.7 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                      575.9 MWIPS (9.9 s, 7 samples)
Execl Throughput                                535.1 lps   (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         45138.3 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           12540.0 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        132635.6 KBps  (30.0 s, 2 samples)
Pipe Throughput                              126902.5 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  20337.7 lps   (10.0 s, 7 samples)
Process Creation                               1129.1 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   1203.8 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    355.0 lpm   (60.1 s, 2 samples)
System Call Overhead                         294096.0 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0    2761278.7    236.6
Double-Precision Whetstone                       55.0        575.9    104.7
Execl Throughput                                 43.0        535.1    124.4
File Copy 1024 bufsize 2000 maxblocks          3960.0      45138.3    114.0
File Copy 256 bufsize 500 maxblocks            1655.0      12540.0     75.8
File Copy 4096 bufsize 8000 maxblocks          5800.0     132635.6    228.7
Pipe Throughput                               12440.0     126902.5    102.0
Pipe-based Context Switching                   4000.0      20337.7     50.8
Process Creation                                126.0       1129.1     89.6
Shell Scripts (1 concurrent)                     42.4       1203.8    283.9
Shell Scripts (8 concurrent)                      6.0        355.0    591.6
System Call Overhead                          15000.0     294096.0    196.1
                                                                   ========
System Benchmarks Index Score                                         145.9

------------------------------------------------------------------------
Benchmark Run: Tue Apr 21 2020 11:27:33 - 11:55:58
4 CPUs in system; running 4 parallel copies of tests

Dhrystone 2 using register variables       10942675.9 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     2277.6 MWIPS (9.8 s, 7 samples)
Execl Throughput                               1422.8 lps   (29.9 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         64133.0 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           17840.9 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        206519.8 KBps  (30.0 s, 2 samples)
Pipe Throughput                              498709.6 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  81862.0 lps   (10.0 s, 7 samples)
Process Creation                               2696.5 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   2849.5 lpm   (60.1 s, 2 samples)
Shell Scripts (8 concurrent)                    379.4 lpm   (60.4 s, 2 samples)
System Call Overhead                        1122662.0 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   10942675.9    937.7
Double-Precision Whetstone                       55.0       2277.6    414.1
Execl Throughput                                 43.0       1422.8    330.9
File Copy 1024 bufsize 2000 maxblocks          3960.0      64133.0    162.0
File Copy 256 bufsize 500 maxblocks            1655.0      17840.9    107.8
File Copy 4096 bufsize 8000 maxblocks          5800.0     206519.8    356.1
Pipe Throughput                               12440.0     498709.6    400.9
Pipe-based Context Switching                   4000.0      81862.0    204.7
Process Creation                                126.0       2696.5    214.0
Shell Scripts (1 concurrent)                     42.4       2849.5    672.0
Shell Scripts (8 concurrent)                      6.0        379.4    632.4
System Call Overhead                          15000.0    1122662.0    748.4
                                                                   ========
System Benchmarks Index Score                                         358.2

RPi 3 with Raspbian Buster

========================================================================
   BYTE UNIX Benchmarks (Version 5.1.3)

   System: e68ef829155d: GNU/Linux
   OS: GNU/Linux -- 4.19.97-v7+ -- #1294 SMP Thu Jan 30 13:15:58 GMT 2020
   Machine: armv7l (unknown)
   Language: en_US.utf8 (charmap="ANSI_X3.4-1968", collate="ANSI_X3.4-1968")
   CPU 0: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 1: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 2: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   CPU 3: ARMv7 Processor rev 4 (v7l) (0.0 bogomips)

   ; runlevel 

------------------------------------------------------------------------
Benchmark Run: Tue Apr 21 2020 13:16:56 - 13:44:58
4 CPUs in system; running 1 parallel copy of tests

Dhrystone 2 using register variables        5526871.9 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     1168.6 MWIPS (9.8 s, 7 samples)
Execl Throughput                               1028.0 lps   (30.0 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks         89060.2 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           24938.5 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        250642.2 KBps  (30.0 s, 2 samples)
Pipe Throughput                              256191.0 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                  39937.0 lps   (10.0 s, 7 samples)
Process Creation                               2186.6 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   1932.0 lpm   (60.0 s, 2 samples)
Shell Scripts (8 concurrent)                    569.4 lpm   (60.1 s, 2 samples)
System Call Overhead                         574561.9 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0    5526871.9    473.6
Double-Precision Whetstone                       55.0       1168.6    212.5
Execl Throughput                                 43.0       1028.0    239.1
File Copy 1024 bufsize 2000 maxblocks          3960.0      89060.2    224.9
File Copy 256 bufsize 500 maxblocks            1655.0      24938.5    150.7
File Copy 4096 bufsize 8000 maxblocks          5800.0     250642.2    432.1
Pipe Throughput                               12440.0     256191.0    205.9
Pipe-based Context Switching                   4000.0      39937.0     99.8
Process Creation                                126.0       2186.6    173.5
Shell Scripts (1 concurrent)                     42.4       1932.0    455.7
Shell Scripts (8 concurrent)                      6.0        569.4    949.0
System Call Overhead                          15000.0     574561.9    383.0
                                                                   ========
System Benchmarks Index Score                                         277.5

------------------------------------------------------------------------
Benchmark Run: Tue Apr 21 2020 13:44:58 - 14:13:03
4 CPUs in system; running 4 parallel copies of tests

Dhrystone 2 using register variables       13051958.1 lps   (10.0 s, 7 samples)
Double-Precision Whetstone                     4666.4 MWIPS (9.8 s, 7 samples)
Execl Throughput                               2467.5 lps   (30.0 s, 2 samples)
File Copy 1024 bufsize 2000 maxblocks        112736.9 KBps  (30.0 s, 2 samples)
File Copy 256 bufsize 500 maxblocks           32208.0 KBps  (30.0 s, 2 samples)
File Copy 4096 bufsize 8000 maxblocks        370210.2 KBps  (30.0 s, 2 samples)
Pipe Throughput                             1002112.9 lps   (10.0 s, 7 samples)
Pipe-based Context Switching                 128264.7 lps   (10.0 s, 7 samples)
Process Creation                               4539.8 lps   (30.0 s, 2 samples)
Shell Scripts (1 concurrent)                   4463.9 lpm   (60.1 s, 2 samples)
Shell Scripts (8 concurrent)                    583.2 lpm   (60.2 s, 2 samples)
System Call Overhead                        2170885.4 lps   (10.0 s, 7 samples)

System Benchmarks Index Values               BASELINE       RESULT    INDEX
Dhrystone 2 using register variables         116700.0   13051958.1   1118.4
Double-Precision Whetstone                       55.0       4666.4    848.4
Execl Throughput                                 43.0       2467.5    573.8
File Copy 1024 bufsize 2000 maxblocks          3960.0     112736.9    284.7
File Copy 256 bufsize 500 maxblocks            1655.0      32208.0    194.6
File Copy 4096 bufsize 8000 maxblocks          5800.0     370210.2    638.3
Pipe Throughput                               12440.0    1002112.9    805.6
Pipe-based Context Switching                   4000.0     128264.7    320.7
Process Creation                                126.0       4539.8    360.3
Shell Scripts (1 concurrent)                     42.4       4463.9   1052.8
Shell Scripts (8 concurrent)                      6.0        583.2    972.0
System Call Overhead                          15000.0    2170885.4   1447.3
                                                                   ========
System Benchmarks Index Score                                         610.0

cjdcordeiro commented 4 years ago

Docker Security Benchmark

RPi 4 with Raspbian Buster

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Mon Apr 20 15:25:53 UTC 2020

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.5, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:995:pi
[WARN] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[WARN] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[PASS] 2.13  - Ensure live restore is Enabled (Incompatible with swarm mode)
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges

[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [debian:latest]
[WARN]      * No Healthcheck found: [alpine:3.11]
[WARN]      * No Healthcheck found: [raspbian/stretch:latest]
[WARN]      * No Healthcheck found: [python:2.7-alpine]
[WARN]      * No Healthcheck found: [alpine:latest]
[WARN]      * No Healthcheck found: [alpine/socat:latest]
[WARN]      * No Healthcheck found: [nuvlabox/vpn-client:0.0.2]
[WARN]      * No Healthcheck found: [nuvladev/vpn-client:fix-up-script]
[WARN]      * No Healthcheck found: [nuvlabox/peripheral-manager-usb:1.0.1]
[WARN]      * No Healthcheck found: [nuvlabox/network-manager:0.0.1]
[WARN]      * No Healthcheck found: [nuvlabox/compute-api:0.2.5]
[WARN]      * No Healthcheck found: [nuvlabox/system-manager:0.4.1]
[WARN]      * No Healthcheck found: [nuvlabox/agent:1.1.0]
[WARN]      * No Healthcheck found: [nuvlabox/vpn-client:0.0.1]
[WARN]      * No Healthcheck found: [raspbianos/stretch:latest]
[WARN]      * No Healthcheck found: [sixsq/rabbitmq-mqtt:1.0]
[WARN]      * No Healthcheck found: [hello-world:latest]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [nuvlabox/agent:1.1.0]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[INFO] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[INFO]      * ADD in image history: [raspbian/stretch:latest]
[INFO]      * ADD in image history: [python:2.7-alpine]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed

[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5

[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 23 images
[INFO]      * Only 3 out of 23 are in use
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 3 containers, with 1 of them currently running

[INFO] 7 - Docker Swarm Configuration
[WARN] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm
[WARN] 7.3  - Ensure that swarm services are bound to a specific host interface
[WARN] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[WARN]      * Unencrypted overlay network: ingress (swarm)
[WARN]      * Unencrypted overlay network: lyghtness_network (swarm)
[INFO] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
[WARN] 7.6  - Ensure that swarm manager is run in auto-lock mode
[NOTE] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically
[INFO] 7.8  - Ensure that node certificates are rotated as appropriate
[INFO] 7.9  - Ensure that CA certificates are rotated as appropriate
[INFO] 7.10  - Ensure that management plane traffic is separated from data plane traffic

[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: 0

RPi 4 with Yocto-based NB OS

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Mon Apr 20 15:25:02 UTC 2020

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.8, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:995
[WARN] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO]        * File not found
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[WARN] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[PASS] 2.13  - Ensure live restore is Enabled (Incompatible with swarm mode)
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[INFO] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges

[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[INFO] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [debian:latest]
[WARN]      * No Healthcheck found: [docker:latest]
[WARN]      * No Healthcheck found: [alpine:3.11 alpine:latest]
[WARN]      * No Healthcheck found: [alpine:3.11 alpine:latest]
[PASS] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed

[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5

[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 5 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 7 containers, with 1 of them currently running

[INFO] 7 - Docker Swarm Configuration
[WARN] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm
[WARN] 7.3  - Ensure that swarm services are bound to a specific host interface
[WARN] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[WARN]      * Unencrypted overlay network: ingress (swarm)
[INFO] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
[WARN] 7.6  - Ensure that swarm manager is run in auto-lock mode
[NOTE] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically
[INFO] 7.8  - Ensure that node certificates are rotated as appropriate
[INFO] 7.9  - Ensure that CA certificates are rotated as appropriate
[INFO] 7.10  - Ensure that management plane traffic is separated from data plane traffic

[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: -2

RPi3 with Yocto...

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Tue Apr 21 10:47:50 UTC 2020

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.8, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:995
[WARN] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO]        * File not found
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[WARN] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[PASS] 2.13  - Ensure live restore is Enabled (Incompatible with swarm mode)
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[INFO] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges

[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[INFO] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [nuvladev/agent:agent-api]
[WARN]      * No Healthcheck found: [nuvladev/peripheral-manager-usb:remove-nuvla-apis]
[WARN]      * No Healthcheck found: [sixsq/tensorflow-object-detector:latest]
[WARN]      * No Healthcheck found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[WARN]      * No Healthcheck found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[WARN]      * No Healthcheck found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[WARN]      * No Healthcheck found: [sixsq/openvino-2020-r1:arm]
[WARN]      * No Healthcheck found: [python:3.6]
[WARN]      * No Healthcheck found: [python:3]
[WARN]      * No Healthcheck found: [nginx:latest]
[WARN]      * No Healthcheck found: [python:3-alpine]
[WARN]      * No Healthcheck found: [docker:latest]
[WARN]      * No Healthcheck found: [alpine:3.11 alpine:latest]
[WARN]      * No Healthcheck found: [alpine:3.11 alpine:latest]
[WARN]      * No Healthcheck found: [ubuntu:18.04 ubuntu:latest]
[WARN]      * No Healthcheck found: [ubuntu:18.04 ubuntu:latest]
[WARN]      * No Healthcheck found: [nuvlabox/system-manager:1.0.1]
[WARN]      * No Healthcheck found: [nuvlabox/management-api:0.1.0]
[WARN]      * No Healthcheck found: [nuvlabox/peripheral-manager-usb:1.0.3]
[WARN]      * No Healthcheck found: [ubuntu:16.04]
[WARN]      * No Healthcheck found: [nuvlabox/agent:1.3.2]
[WARN]      * No Healthcheck found: [nuvlabox/vpn-client:0.0.4]
[WARN]      * No Healthcheck found: [nuvlabox/network-manager:0.0.4]
[WARN]      * No Healthcheck found: [eclipse-mosquitto:1.6.8]
[WARN]      * No Healthcheck found: [hello-world:latest]
[WARN]      * No Healthcheck found: [traefik:2.1.1]
[WARN]      * No Healthcheck found: [nuvlabox/compute-api:0.2.5]
[WARN]      * No Healthcheck found: [elswork/tensorflow-diy:latest]
[WARN]      * No Healthcheck found: [sixsq/opencv-python:latest]
[WARN]      * No Healthcheck found: [raspbian/stretch:latest]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [nuvladev/agent:agent-api]
[INFO]      * Update instruction found: [sixsq/tensorflow-object-detector:latest]
[INFO]      * Update instruction found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * Update instruction found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * Update instruction found: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * Update instruction found: [python:3.6]
[INFO]      * Update instruction found: [python:3]
[INFO]      * Update instruction found: [nuvlabox/agent:1.3.2]
[INFO]      * Update instruction found: [sixsq/opencv-python:latest]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[INFO] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[INFO]      * ADD in image history: [sixsq/tensorflow-object-detector:latest]
[INFO]      * ADD in image history: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * ADD in image history: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * ADD in image history: [sixsq/tensorflor-object-detector:arm sixsq/tensorflor-object-detector:latest sixsq/tensorflow-object-detector:arm]
[INFO]      * ADD in image history: [eclipse-mosquitto:1.6.8]
[INFO]      * ADD in image history: [sixsq/opencv-python:latest]
[INFO]      * ADD in image history: [raspbian/stretch:latest]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed

[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5

[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 36 images
[INFO]      * Only 10 out of 36 are in use
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 10 containers, with 1 of them currently running

[INFO] 7 - Docker Swarm Configuration
[WARN] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm
[WARN] 7.3  - Ensure that swarm services are bound to a specific host interface
[WARN] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[WARN]      * Unencrypted overlay network: ingress (swarm)
[INFO] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
[WARN] 7.6  - Ensure that swarm manager is run in auto-lock mode
[NOTE] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically
[INFO] 7.8  - Ensure that node certificates are rotated as appropriate
[INFO] 7.9  - Ensure that CA certificates are rotated as appropriate
[INFO] 7.10  - Ensure that management plane traffic is separated from data plane traffic

[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: -2

RPi 3 with Raspbian Buster

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Tue Apr 21 13:01:39 UTC 2020

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.8, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:995
[WARN] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[WARN] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[PASS] 2.13  - Ensure live restore is Enabled (Incompatible with swarm mode)
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges

[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [alpine:3.11]
[WARN]      * No Healthcheck found: [hello-world:latest]
[PASS] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed

[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5

[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 3 containers, with 1 of them currently running

[INFO] 7 - Docker Swarm Configuration
[WARN] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm
[WARN] 7.3  - Ensure that swarm services are bound to a specific host interface
[WARN] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[WARN]      * Unencrypted overlay network: ingress (swarm)
[INFO] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
[WARN] 7.6  - Ensure that swarm manager is run in auto-lock mode
[NOTE] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically
[INFO] 7.8  - Ensure that node certificates are rotated as appropriate
[INFO] 7.9  - Ensure that CA certificates are rotated as appropriate
[INFO] 7.10  - Ensure that management plane traffic is separated from data plane traffic

[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: 0

cjdcordeiro commented 4 years ago

Docker service start delay

RPi 3 with Yocto

========== docker-service-start-delay ==========

RESULT: 
System booted at: 2020-04-21 10:12:36
Docker started at: 2020-04-21 10:13:11

==> Docker service start delay: 35 seconds

RPi 4 with Yocto

========== docker-service-start-delay ==========

RESULT: 
System booted at: 2020-04-20 12:56:03
Docker started at: 2020-04-20 12:58:16

==> Docker service start delay: 133 seconds

RPi4 with Raspbian Buster

========== docker-service-start-delay ==========

RESULT: 
System booted at: 2020-04-20 09:59:44
Docker started at: 2020-04-20 09:59:24

==> Docker service start delay: -20 seconds

RPi 3 with Raspbian Buster

========== docker-service-start-delay ==========

RESULT: 
System booted at: 2020-04-21 14:03:35
Docker started at: 2020-04-21 14:03:48

==> Docker service start delay: 13 seconds

cjdcordeiro commented 4 years ago

Sysbench

RPi 4 with Raspbian Buster

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 4

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 20000

Test execution summary:
    total time:                          66.2039s
    total number of events:              10000
    total time taken by event execution: 264.7646
    per-request statistics:
         min:                                 24.94ms
         avg:                                 26.48ms
         max:                                 90.78ms
         approx.  95 percentile:              37.55ms

Threads fairness:
    events (avg/stddev):           2500.0000/3.08
    execution time (avg/stddev):   66.1911/0.01

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing memory operations speed test
Memory block size: 1024K

Memory transfer size: 2048M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 2048 ( 3111.90 ops/sec)

2048.00 MB transferred (3111.90 MB/sec)

Test execution summary:
    total time:                          0.6581s
    total number of events:              2048
    total time taken by event execution: 0.6562
    per-request statistics:
         min:                                  0.27ms
         avg:                                  0.32ms
         max:                                  0.84ms
         approx.  95 percentile:               0.64ms

Threads fairness:
    events (avg/stddev):           2048.0000/0.00
    execution time (avg/stddev):   0.6562/0.00

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing thread subsystem performance test
Thread yields per test: 1000 Locks used: 1
Threads started!
Done.

Test execution summary:
    total time:                          13.6830s
    total number of events:              10000
    total time taken by event execution: 13.6716
    per-request statistics:
         min:                                  1.33ms
         avg:                                  1.37ms
         max:                                  3.78ms
         approx.  95 percentile:               1.40ms

Threads fairness:
    events (avg/stddev):           10000.0000/0.00
    execution time (avg/stddev):   13.6716/0.00

RPi 4 with Yocto

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 4

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 20000

Test execution summary:
    total time:                          157.5765s
    total number of events:              10000
    total time taken by event execution: 630.2197
    per-request statistics:
         min:                                 62.43ms
         avg:                                 63.02ms
         max:                                117.97ms
         approx.  95 percentile:              64.00ms

Threads fairness:
    events (avg/stddev):           2500.0000/3.24
    execution time (avg/stddev):   157.5549/0.01

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing memory operations speed test
Memory block size: 1024K

Memory transfer size: 2048M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 2048 ( 2165.80 ops/sec)

2048.00 MB transferred (2165.80 MB/sec)

Test execution summary:
    total time:                          0.9456s
    total number of events:              2048
    total time taken by event execution: 0.9420
    per-request statistics:
         min:                                  0.44ms
         avg:                                  0.46ms
         max:                                  1.29ms
         approx.  95 percentile:               0.47ms

Threads fairness:
    events (avg/stddev):           2048.0000/0.00
    execution time (avg/stddev):   0.9420/0.00

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing thread subsystem performance test
Thread yields per test: 1000 Locks used: 1
Threads started!
Time limit exceeded, exiting...
Done.

Test execution summary:
    total time:                          20.0039s
    total number of events:              5408
    total time taken by event execution: 19.9867
    per-request statistics:
         min:                                  3.54ms
         avg:                                  3.70ms
         max:                                  9.83ms
         approx.  95 percentile:               3.84ms

Threads fairness:
    events (avg/stddev):           5408.0000/0.00
    execution time (avg/stddev):   19.9867/0.00

RPi 3 with Yocto

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 4

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 20000

Test execution summary:
    total time:                          233.4822s
    total number of events:              10000
    total time taken by event execution: 933.7283
    per-request statistics:
         min:                                 76.07ms
         avg:                                 93.37ms
         max:                                248.33ms
         approx.  95 percentile:             157.34ms

Threads fairness:
    events (avg/stddev):           2500.0000/7.84
    execution time (avg/stddev):   233.4321/0.02

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing memory operations speed test
Memory block size: 1024K

Memory transfer size: 2048M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 2048 (  975.46 ops/sec)

2048.00 MB transferred (975.46 MB/sec)

Test execution summary:
    total time:                          2.0995s
    total number of events:              2048
    total time taken by event execution: 2.0960
    per-request statistics:
         min:                                  0.94ms
         avg:                                  1.02ms
         max:                                  2.77ms
         approx.  95 percentile:               1.12ms

Threads fairness:
    events (avg/stddev):           2048.0000/0.00
    execution time (avg/stddev):   2.0960/0.00

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing thread subsystem performance test
Thread yields per test: 1000 Locks used: 1
Threads started!
Time limit exceeded, exiting...
Done.

Test execution summary:
    total time:                          20.0037s
    total number of events:              6050
    total time taken by event execution: 19.9932
    per-request statistics:
         min:                                  3.13ms
         avg:                                  3.30ms
         max:                                  5.26ms
         approx.  95 percentile:               3.88ms

Threads fairness:
    events (avg/stddev):           6050.0000/0.00
    execution time (avg/stddev):   19.9932/0.00

RPi 3 with Raspbian Buster

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 4

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 20000

Test execution summary:
    total time:                          138.9727s
    total number of events:              10000
    total time taken by event execution: 555.8518
    per-request statistics:
         min:                                 32.59ms
         avg:                                 55.59ms
         max:                                157.63ms
         approx.  95 percentile:              77.31ms

Threads fairness:
    events (avg/stddev):           2500.0000/10.12
    execution time (avg/stddev):   138.9630/0.01

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing memory operations speed test
Memory block size: 1024K

Memory transfer size: 2048M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 2048 ( 1089.52 ops/sec)

2048.00 MB transferred (1089.52 MB/sec)

Test execution summary:
    total time:                          1.8797s
    total number of events:              2048
    total time taken by event execution: 1.8769
    per-request statistics:
         min:                                  0.89ms
         avg:                                  0.92ms
         max:                                  2.05ms
         approx.  95 percentile:               0.95ms

Threads fairness:
    events (avg/stddev):           2048.0000/0.00
    execution time (avg/stddev):   1.8769/0.00

---

sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing thread subsystem performance test
Thread yields per test: 1000 Locks used: 1
Threads started!
Done.

Test execution summary:
    total time:                          14.2160s
    total number of events:              10000
    total time taken by event execution: 14.2091
    per-request statistics:
         min:                                  1.40ms
         avg:                                  1.42ms
         max:                                  3.16ms
         approx.  95 percentile:               1.41ms

Threads fairness:
    events (avg/stddev):           10000.0000/0.00
    execution time (avg/stddev):   14.2091/0.00