How to solve the security problems of Docker?

1. Differences between Docker containers and virtual machines

  • Isolation and sharing

    • ① By adding a hypervisor layer, virtual machines get virtualized hardware such as network cards, memory and CPUs, and the virtual machines are built on top of it. Each virtual machine has its own kernel.
    • ② A Docker container isolates the file system, processes, devices, network and other resources, and then controls permissions, CPU resources and so on, so that containers do not affect each other and a container cannot affect the host. The container shares the kernel, file system, hardware and other resources with the host.
  • Performance and overhead

    • ① Compared with virtual machines, containers consume fewer resources. On the same host, more containers can be created than virtual machines. However, the security of virtual machines is slightly better than that of containers.
    • ② To break out of a virtual machine to the host or to other virtual machines, an attacker must first break through the hypervisor layer, which is extremely difficult. A Docker container shares resources such as the kernel and file system with the host, so it is more likely to affect other containers and the host.

2. The security problems of Docker

2.1 Docker's own vulnerabilities

  • As an application, Docker itself has code flaws in its implementation. The CVE database records more than 20 vulnerabilities in historical versions of Docker.
  • The main attack methods commonly used by hackers are code execution, privilege escalation, information leakage, and privilege bypass. Docker versions currently change very quickly, and users should upgrade Docker to the latest version.

2.2 Docker source code problem

  • Docker provides Docker Hub, which lets users upload the images they create so that other users can download them and quickly build an environment.
    But it also brings some security issues, for example in the following three ways:
    • ① Hackers upload malicious images. If a hacker implants malware such as Trojan horses and backdoors into an image, the environment is insecure from the start and cannot be trusted afterwards.
    • ② The image uses vulnerable software. Among the images that can be downloaded from Docker Hub, 75% have vulnerable software installed. Therefore, after downloading an image, you need to check the version information of the software inside it, check whether that version has vulnerabilities, and update and patch it in time.
    • ③ Man-in-the-middle tampering. An image may be tampered with during transmission. Newer versions of Docker provide a corresponding verification mechanism to prevent this problem.

3. Docker architecture defects and security mechanisms

  • Docker's own architecture and mechanisms may cause problems. Consider this attack scenario: the hacker already controls some containers on the host, or has obtained a way to create containers on a public cloud, and then launches an attack on the host or on other containers.

    • ① Local area network attacks between containers. The containers on a host can form a local area network, so LAN attack methods such as ARP spoofing, sniffing and broadcast storms can be used. Deploying multiple containers on one host therefore requires a sensible network configuration and iptables rules.

    • ② DDoS attacks that exhaust resources. The Cgroups security mechanism exists to prevent such attacks. Do not allocate too many resources to a single container.

    • ③ Vulnerable system calls. An important difference between Docker and virtual machines is that Docker and the host share the same operating system kernel. Once the host kernel has a vulnerability that allows privilege bypass or privilege escalation, then even though Docker runs as an ordinary user, an attacker who has compromised a container can use the kernel vulnerability to break out to the host and do more.

    • ④ Shared root user permissions. If you run a container with root user permissions, the root user in the container also has root permissions on the host.

4. Docker security baseline standards

  • These are the solutions to the security problems described above.
    The following summarizes the Docker security baseline standard from six aspects: kernel, host, network, image, container, and others.

4.1 Kernel level

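(1) Update the kernel promptly.
(2) User namespaces (root inside the container is unprivileged outside the container).
(3) Cgroups (resource quotas and accounting).
(4) SELinux/AppArmor/GRSEC (control file access permissions).
(5) Capabilities (division of privileges).
(6) Seccomp (restrict system calls).
(7) Do not share the container's namespaces with the host's process namespace.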

4.2 Host level

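(1) Create a separate partition for containers.
(2) Run only necessary services.
(3) Do not map sensitive host directories into containers.
(4) Audit the Docker daemon and its related files and directories.
(5) Set an appropriate default number of file descriptors.
(File descriptors: the kernel uses file descriptors to access files. A file descriptor is a non-negative integer. When an existing file is opened or a new file is created, the kernel returns a file descriptor. Reading and writing a file also requires a file descriptor to specify the file to read or write.)
(6) Docker-related files owned by root should have access permissions of 644 or more restrictive.
(7) Periodically review the container inventory on each host and clean up unnecessary containers.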

4.3 Network level

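(1) Use iptables rules to deny or allow network traffic between containers.
(2) Allow Docker to modify iptables.
(3) Do not bind Docker to another IP/port or Unix socket.
(4) Do not map privileged ports on containers.
(5) Open only the ports a container needs.
(6) Do not use host network mode on containers.
(7) If the host has multiple network interfaces, bind incoming container traffic to a specific host interface.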

4.4 Image level

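(1) Set up a local image registry server.
(2) Keep all software in images at the latest version.
(3) Use trusted image files and download them over a secure channel.
(4) Rebuild images instead of patching containers and images.
(5) Manage image tags sensibly and promptly remove images that are no longer used.
(6) Use image scanning.
(7) Use image signing.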

4.5 Container level

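(1) Minimize containers; use a minimal operating system image.
(2) Run each container with a single main process.
(3) Do not use the privileged flag to run privileged containers.
(4) Do not run an ssh service in containers.
(5) Mount the container's root file system read-only.
(6) Explicitly define the data volumes that belong to the container.
(7) Limit the number of restart attempts by setting on-failure; containers that restart repeatedly are prone to data loss.
(8) Limit the process tree available in the container to prevent fork bombs. (A fork bomb rapidly spawns child processes and exhausts the system's process count.)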
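
An added example (not from the original article): a POSIX shell lint that checks a `docker run` argument list against the baseline items above that can be read off the command line. The function name `audit_run_args` and the sensitive-path list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: lint `docker run` arguments against items from sections 4.1-4.5.
# Only the argument list is inspected; Docker itself is never invoked.
# Prints one finding per line and nothing for a compliant command line.
# Assumptions: the sensitive-path list is illustrative; --mount is not parsed.
audit_run_args() (
    ro=no; pids=no
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in          # normalise "--opt value" to "--opt=value"
            -p|-v|--publish|--volume|--net|--network|--pid|--restart|--pids-limit)
                [ $# -gt 0 ] || break
                arg="$arg=$1"; shift ;;
        esac
        val=${arg#*=}
        case "$arg" in
            --privileged|--privileged=true) echo "4.5(3) privileged container" ;;
            --net=host|--network=host)      echo "4.3(6) host network mode" ;;
            --pid=host)                     echo "4.1(7) host PID namespace shared" ;;
            --restart=always|--restart=unless-stopped|--restart=on-failure)
                echo "4.5(7) restart policy has no retry limit" ;;
            --read-only|--read-only=true)   ro=yes ;;
            --pids-limit=*)                 pids=yes ;;
            -v=*|--volume=*)
                src=${val%%:*}              # host side of SRC:DST[:OPTS]
                case "$src" in
                    /|/boot|/boot/*|/dev|/dev/*|/etc|/etc/*|/proc|/proc/*|/sys|/sys/*|/var/run/docker.sock)
                        printf '4.2(3) sensitive host path mounted: %s\n' "$src" ;;
                esac ;;
            -p=*|--publish=*)
                spec=${val%/*}              # drop a trailing /tcp or /udp
                case "$spec" in *:*) ;; *) continue ;; esac   # no host port given
                host=${spec%:*}; host=${host##*:}; host=${host%%-*}
                case "$host" in
                    ''|*[!0-9]*) ;;
                    *) if [ "$host" -lt 1024 ]; then
                           printf '4.3(4) privileged host port published: %s\n' "$host"
                       fi ;;
                esac ;;
        esac
    done
    if [ "$ro" = no ]; then echo "4.5(5) root filesystem is not read-only"; fi
    if [ "$pids" = no ]; then echo "4.5(8) no --pids-limit set"; fi
    return 0
)

# Constructed command line that breaks several baseline items at once.
audit_run_args --privileged --net=host -p 80:8080 -v /etc:/host-etc:ro nginx
```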

4.6 Other settings

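(1) Regularly run security audits of the host system and containers.
(2) Run containers with the fewest resources and the lowest privileges.
(3) Avoid deploying a large number of containers on one host; keep the number manageable.
(4) Monitor Docker container usage, performance and other metrics.
(5) Add real-time threat detection and incident response capabilities.
(6) Use a central, remote log collection service.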

5. Docker remote calls and traffic restrictions

5.1 Docker remote API access control

  • Docker's remote API is vulnerable to unauthorized access, so at minimum access from external networks should be restricted. Access through the Unix socket is recommended.

  • To listen on an intranet IP, start the Docker daemon as follows:

dockerd -H unix:///var/run/docker.sock -H tcp://192.168.140.22:2375
Or
vim /usr/lib/systemd/system/docker.service
  • Set the local listening address and port
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://192.168.140.22:2375

systemctl daemon-reload

systemctl restart docker
  • Then apply IP access control with firewalld on the host.
    Note: the source address is the client address
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.140.21" port protocol="tcp" port="2375" accept'

firewall-cmd --reload		# Reload the firewall policy
  • Finally, make the remote call from the client
docker -H tcp://192.168.140.22 images	# View the server's Docker images from the client
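
An added example, not part of the original article: a shell function that classifies each `-H` endpoint on a dockerd command line by how widely it exposes the API. It goes one step beyond the text by also checking for dockerd's `--tlsverify` flag; the function name `audit_dockerd_hosts` and the risk labels are assumptions.

```shell
#!/bin/sh
# Added example: classify each -H/--host endpoint on a dockerd command line.
# Prints "RISK ENDPOINT REASON" per endpoint, where RISK is ok, warn or high.
audit_dockerd_hosts() (
    tls=no
    case " $1 " in *" --tlsverify "*) tls=yes ;; esac
    set -f              # split the line into words without filename expansion
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -H|--host) [ $# -gt 1 ] || break
                       ep=$2; shift 2 ;;
            --host=*)  ep=${1#*=}; shift ;;
            *)         shift; continue ;;
        esac
        case "$ep" in
            unix://*|fd://*)
                echo "ok $ep local socket, guarded by file permissions"; continue ;;
            tcp://127.*|tcp://localhost|tcp://localhost:*)
                echo "ok $ep loopback only"; continue ;;
            tcp://0.0.0.0*|tcp://:*|tcp://\[::\]*)
                scope="every interface" ;;
            tcp://*)
                scope="one address" ;;
            *)  echo "warn $ep unrecognised endpoint"; continue ;;
        esac
        if [ "$tls" = yes ]; then
            echo "ok $ep $scope, client certificates required"
        elif [ "$scope" = "one address" ]; then
            echo "warn $ep $scope, no TLS: firewall the port to known clients"
        else
            echo "high $ep $scope, no TLS: anyone who can reach it controls the daemon"
        fi
    done
    return 0
)

# The ExecStart line from this section.
audit_dockerd_hosts 'ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://192.168.140.22:2375'
```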

5.2 Limiting the flow of traffic

  • Use firewall filters to restrict the source IP address range that Docker containers can use to communicate with the outside world.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.140.0/24" reject'
  • Many problems stem from vulnerabilities exposed by publishing Docker container ports externally. Besides operating system account permission control, the Docker daemon's process management is also a hidden danger.
    • Commonly used Docker versions let the Docker daemon manage the host's iptables. Once a container is started with a port mapping such as -p host_port:guest_port, the Docker daemon directly adds the corresponding FORWARD chain rules with -j ACCEPT, while the default DROP rule sits in the INPUT chain and does not restrict Docker. This leaves a serious security risk. Therefore it is recommended:
1. Do not run the Docker service on machines that have a public IP.

2. Use a Docker orchestration system such as k8s to manage Docker containers.

3. Add --iptables=false to the Docker daemon startup command on the host, then write the commonly used iptables rules to a file and load them with iptables-restore.
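
An added example, not from the original article: the port mappings that bypass the INPUT chain can be enumerated from `iptables-save` output. The rule excerpt is constructed for illustration, and `published_ports` and `sample_rules` are hypothetical names.

```shell
#!/bin/sh
# Added example: list the ports Docker has published, read from iptables-save
# output on stdin. Each DNAT rule in the nat table's DOCKER chain is one mapping.
# Output columns: SCOPE BIND_ADDRESS HOST_PORT CONTAINER_ADDRESS:PORT
published_ports() {
    awk '
    $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
        bind = "0.0.0.0/0"; port = "?"; dest = "?"
        for (i = 3; i < NF; i++) {
            if ($i == "-d")               bind = $(i + 1)
            if ($i == "--dport")          port = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        # No -d match: packets to any host address are forwarded to the container.
        scope = (bind == "0.0.0.0/0") ? "any-address" : "bound"
        print scope, bind, port, dest
    }'
}

# Constructed iptables-save excerpt (not captured from a real host): the INPUT
# policy is DROP, yet 8080 is still forwarded because it never traverses INPUT.
sample_rules() {
    cat <<'EOF'
*nat
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

sample_rules | published_ports
```

On a real host, pipe the output of `iptables-save -t nat` (run as root) into `published_ports` instead of the sample.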

6. Container minimization and image security

6.1 Container minimization

  • Run only necessary services in the container; services such as SSH should not be casually enabled for connecting to the container.
    The following method is usually used to enter a container:
docker exec -it <container ID> bash

6.2 Image security

  • For Docker image security scanning, use certificate authentication on the image registry client to check downloaded images.
    Images are scanned against a synchronized CVE database; once a vulnerability is found, users are notified to deal with it, or the image can be blocked from being built any further.
  • Note:
    • ① If the company uses its own image source, you can skip this step; otherwise, at least the md5 and other characteristic values of the base image need to be verified, and the base image must be confirmed to be consistent before building further on it.

    • ② Under normal circumstances, make sure you only obtain images from trusted registries; using the --insecure-registry=[] parameter is not recommended. A private Harbor registry is recommended.

Origin blog.csdn.net/weixin_42449832/article/details/114915149