Full featured containers run without privilege and Docker 1.0

Full featured containers run without privilege and Docker 1.0 Michael Neale 11/13/13 6:28 PM
Linked from an earlier blog post about container security issues - is this article http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/

It mentions that work is afoot in lxc to run full containers as non-root (with a demo and patchset).

Given the power of this feature - is there any alignment between production Docker (1 and up) and this feature?
(and also, if anyone knows about progress with lxc in this area, please chime in!).

Cheers.



Re: [docker] Full featured containers run without privilege and Docker 1.0 Solomon Hykes 11/13/13 7:05 PM
Hi Michael, user namespaces are very promising but not currently considered safe enough for production. When they are, we will certainly use them in docker!
This is not a blocker for docker becoming production-ready. They are 2 independent developments.
--
@solomonstre
@docker
Re: [docker] Full featured containers run without privilege and Docker 1.0 Michael Neale 11/13/13 7:27 PM
thanks for the tip. 

yes I did get the impression it was pretty early days. I wonder if other solutions in the meantime will help with running "less trusted code" in containers (and building containers) - or is there hope(!) that namespaces will come along at some point and be the solution for this? 
Re: [docker] Full featured containers run without privilege and Docker 1.0 Jérôme Petazzoni 11/17/13 9:21 PM
Hi Michael,

Namespaces will definitely improve; but meanwhile, capabilities locking + non-root + grsec + seccomp are a pretty safe combo.
Re: [docker] Full featured containers run without privilege and Docker 1.0 Michael Neale 11/18/13 1:33 AM
Hi Jérôme - the 
Interesting - I think for a suitable image - it can be made quite safe (specifying USER, for one) - my question is more about the build step - given that running a build is running as root (installing packages in the container, and more) - how safe can that bit be made? (it isn't a large surface, but if you are building other people's Dockerfiles then it is still an attack surface - is it not?).

Some good things to read up on there - the last I saw was a blog that talked about namespaces primarily and future direction - is there more background reading on how people secure both the building and running of docker containers (that I have not been able to find!)?

I imagine there are services out there building user provided images and building user provided Dockerfiles - I wonder what people consider suitable in terms of security/isolation? (the answer probably isn't binary)
Re: [docker] Full featured containers run without privilege and Docker 1.0 Michael Neale 11/21/13 4:45 AM
Hi Jérôme - are there any samples/docs on seccomp with lxc? All I can find so far is:


which has a trivial "allow everything" whitelist (or so it is implied) - any pointers? 
Re: [docker] Full featured containers run without privilege and Docker 1.0 Jérôme Petazzoni 11/26/13 4:17 PM
Hi Michael,

About "how to make the build process more secure": there are multiple ways to do that.

- You can tell your users "I won't build your containers! build them yourself and push them to a registry!" which is pretty extreme, but removes the risk :-)

- You can run a second copy of Docker in a "sub-VM" (e.g. in qemu), and build there. There will be a big performance hit (since it's qemu, after all) but it will be pretty safe.

- You can force the beginning of the Dockerfile to be:
FROM <someimage>
USER nobody
WORKDIR /tmp
<more Dockerfile directives>
... and forbid other USER directives in the file. Of course it will be very restrictive, since people won't be able to use their favorite package manager (since they run as "nobody" instead of "root"!).

About seccomp, you might want to have a look at this: https://github.com/dotcloud/docker/pull/2887

HTH,


Re: [docker] Full featured containers run without privilege and Docker 1.0 Michael Neale 11/27/13 9:16 PM
Hi Jérôme - so USER in the Dockerfile means that the RUN steps from that point run as that user? 

(ie nobody, in your example?)
Re: [docker] Full featured containers run without privilege and Docker 1.0 Brian Morearty 11/27/13 10:44 PM
Hi Jérôme - so USER in the Dockerfile means that the RUN steps from that point run as that user? 

That's right, Michael. 

Order matters for USER and RUN. The USER command only affects subsequent RUN commands.

But USER also affects all CMD and ENTRYPOINT commands, no matter where they appear in the Dockerfile.

Brian Morearty
Hands on with Docker. http://handsonwith.com/
Docker's training partner
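As an added example (not code from this thread, from Docker, or from any of the posters), a small Python checker that enforces Jérôme's forced-prefix policy (FROM / USER nobody / WORKDIR /tmp, no further USER) on a submitted Dockerfile and reports which user each RUN, CMD and ENTRYPOINT would execute as, following the ordering rules Brian describes. Both sample Dockerfiles are constructed, and the parser assumes one instruction per line (no backslash continuations).

```python
# Constructed sample Dockerfiles (not from the thread); the second re-escalates to root.
COMPLIANT = """\
FROM ubuntu:12.04
USER nobody
WORKDIR /tmp
RUN echo hello > greeting.txt
CMD ["cat", "/tmp/greeting.txt"]
"""
VIOLATING = """\
FROM ubuntu:12.04
USER nobody
WORKDIR /tmp
USER root
RUN apt-get install -y curl
CMD ["curl", "http://example.invalid/"]
"""

def parse_instructions(text):
    """(INSTRUCTION, args) pairs; skips blank/comment lines, assumes one instruction per line."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out.append((name.upper(), args.strip()))
    return out

def effective_users(text):
    """RUN takes the latest preceding USER (root if none); CMD/ENTRYPOINT take the last USER in the file."""
    instrs = parse_instructions(text)
    final = next((a for n, a in reversed(instrs) if n == "USER"), "root")
    users, current = [], "root"
    for name, args in instrs:
        if name == "USER":
            current = args
        elif name in ("RUN", "CMD", "ENTRYPOINT"):
            users.append((name, current if name == "RUN" else final))
    return users

def check_policy(text):
    """Forced prefix FROM / USER nobody / WORKDIR /tmp, no later USER; returns violations."""
    instrs = parse_instructions(text)
    head = [(n, "*" if n == "FROM" else a) for n, a in instrs[:3]]
    problems = [] if head == [("FROM", "*"), ("USER", "nobody"), ("WORKDIR", "/tmp")] \
        else ["must start with FROM / USER nobody / WORKDIR /tmp"]
    problems += [f"extra USER directive: {a}" for n, a in instrs[3:] if n == "USER"]
    problems += [f"{n} would run as {u}" for n, u in effective_users(text) if u != "nobody"]
    return problems

if __name__ == "__main__":
    for name, text in (("COMPLIANT", COMPLIANT), ("VIOLATING", VIOLATING)):
        print(name, check_policy(text) or "OK")
```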