Docker Security
Rahul Sharma
Our Problem
Sandboxing user coding assessments:
Compile / run different languages
Allow the result to be extracted
Control network access (internet access)
Control folder access
Linux Namespaces
IPC, Network, Mount, PID, UTS, USER
In v1 the user namespace is not enabled by default, to support older kernels where the user namespace feature is not fully implemented.
Linux Capabilities

Capability            Enabled
CAP_NET_RAW           1
CAP_NET_BIND_SERVICE  1
CAP_AUDIT_WRITE       1
CAP_DAC_OVERRIDE      1
CAP_SETFCAP           1
CAP_SETPCAP           1
CAP_SETGID            1
CAP_SETUID            1
CAP_MKNOD             1
CAP_CHOWN             1
CAP_FOWNER            1
CAP_FSETID            1
CAP_KILL              1
CAP_SYS_CHROOT        1
CAP_NET_BROADCAST     0
CAP_SYS_MODULE        0
CAP_WAKE_ALARM        0
CAP_BLOCK_SUSPEND     0
CAP_SYS_RAWIO         0
CAP_SYS_PACCT         0
CAP_SYS_ADMIN         0
CAP_SYS_NICE          0
CAP_SYS_RESOURCE      0
CAP_SYS_TIME          0
CAP_SYS_TTY_CONFIG    0
CAP_AUDIT_CONTROL     0
CAP_MAC_OVERRIDE      0
CAP_MAC_ADMIN         0
CAP_NET_ADMIN         0
CAP_SYSLOG            0
CAP_DAC_READ_SEARCH   0
CAP_LINUX_IMMUTABLE   0
CAP_IPC_LOCK          0
CAP_IPC_OWNER         0
CAP_SYS_PTRACE        0
CAP_SYS_BOOT          0
CAP_LEASE             0
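The following shell script is an added example, not part of the slides, that decodes a capability bitmask (such as the CapEff value in /proc/<pid>/status inside a container) into the capability names used in the table above, so an operator can verify which capabilities a sandbox container actually kept after --cap-drop. The sample mask a80425fb is constructed from the enabled rows of the table (it is the mask Docker's default set produces); the index numbers follow the kernel's linux/capability.h.

```shell
#!/bin/sh
# Added example (not from the slides): decode a Linux capability bitmask into
# capability names and clear single bits, to check what a container kept.
# Sample mask constructed from the table's "Enabled = 1" rows: a80425fb.

# cap_name INDEX -> capability name, kernel numbering (linux/capability.h)
cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;             1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;   3) echo CAP_FOWNER ;;
        4) echo CAP_FSETID ;;            5) echo CAP_KILL ;;
        6) echo CAP_SETGID ;;            7) echo CAP_SETUID ;;
        8) echo CAP_SETPCAP ;;           9) echo CAP_LINUX_IMMUTABLE ;;
        10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;        13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;         15) echo CAP_IPC_OWNER ;;
        16) echo CAP_SYS_MODULE ;;       17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;       19) echo CAP_SYS_PTRACE ;;
        20) echo CAP_SYS_PACCT ;;        21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;         23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;     25) echo CAP_SYS_TIME ;;
        26) echo CAP_SYS_TTY_CONFIG ;;   27) echo CAP_MKNOD ;;
        28) echo CAP_LEASE ;;            29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;    31) echo CAP_SETFCAP ;;
        32) echo CAP_MAC_OVERRIDE ;;     33) echo CAP_MAC_ADMIN ;;
        34) echo CAP_SYSLOG ;;           35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;    *) echo "CAP_$1" ;;
    esac
}

# cap_is_set HEXMASK INDEX -> exit status 0 if bit INDEX is set in HEXMASK
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_list HEXMASK -> space-separated names of every capability set in HEXMASK
cap_list() {
    i=0; out=""
    while [ "$i" -le 36 ]; do
        if cap_is_set "$1" "$i"; then
            out="$out$(cap_name "$i") "
        fi
        i=$((i + 1))
    done
    echo "${out% }"
}

# cap_drop HEXMASK INDEX -> HEXMASK with bit INDEX cleared (what --cap-drop
# of that single capability leaves behind), printed as lowercase hex
cap_drop() {
    printf '%x\n' $(( 0x$1 & ~(1 << $2) ))
}

# Usage inside a running container, where CapEff is the effective set:
#   cap_list "$(awk '/^CapEff/ {print $2}' /proc/self/status)"
# Against the constructed default-set mask:
#   cap_list a80425fb
```

The decoding is what you want on the inside of the sandbox: run it as the assessment user and compare the names it prints against the rows the table marks as enabled. Anything extra (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE) means the run command is not dropping what was intended.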
Additional Security
AppArmor, SELinux, GRSEC
The Approach
docker run flags:
--user
--cap-drop NET_RAW
--volume /candidate_code:/container_loc
--cpuset
--memory
Add limits to docker.conf:
limit nproc
limit nofile
limit fsize
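As an added example that is not from the slides, the shell function below assembles the docker run invocation the flag list above implies. It goes beyond the slide in three places: every capability is dropped rather than only NET_RAW, the container gets no network namespace connectivity at all instead of filtered access, and the nproc/nofile/fsize limits are applied per container with --ulimit instead of in docker.conf. The image name, the /sandbox mount point and uid 65534 are assumptions; the function prints the command by default and executes it only when SANDBOX_EXEC=1.

```shell
#!/bin/sh
# Added example (not from the slides): compose the hardened `docker run` for a
# coding-assessment sandbox. Flags, grouped by what they control:
#   --user 65534:65534          never root inside the container (assumed uid)
#   --cap-drop ALL              stricter than the slide's NET_RAW-only drop
#   --security-opt              no setuid/fscaps escalation after exec
#   --network none              no internet; result is read from the volume
#   --read-only / --tmpfs       image filesystem immutable, scratch in /tmp
#   --volume CODE_DIR:/sandbox  candidate code in, compiled result out (rw)
#   --cpuset-cpus / --memory    pin one CPU, cap RAM and forbid swap growth
#   --pids-limit / --ulimit     nproc, nofile and fsize limits from the slide
#
# sandbox_cmd CODE_DIR IMAGE CMD... : print the command (dry run by default),
# run it for real when SANDBOX_EXEC=1.
sandbox_cmd() {
    code_dir=$1
    image=$2
    shift 2
    # "$@" on the right-hand side is the remaining CMD... before reassignment
    set -- docker run --rm \
        --user 65534:65534 \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --volume "$code_dir:/sandbox" \
        --workdir /sandbox \
        --cpuset-cpus 0 \
        --memory 256m \
        --memory-swap 256m \
        --pids-limit 64 \
        --ulimit nproc=64:64 \
        --ulimit nofile=256:256 \
        --ulimit fsize=10485760:10485760 \
        "$image" "$@"
    if [ "${SANDBOX_EXEC:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Usage (dry run; image name and host path are assumptions):
#   sandbox_cmd /candidate_code sandbox-python:latest python3 main.py
```

The bind mount stays read-write on purpose: compilers and test runners write their output next to the source, and the harness on the host collects the result from its side of the mount, which is what "allow the result to be extracted" needs without giving the container any other way out. The per-container --ulimit values mirror the nproc, nofile and fsize stanzas the slide adds to docker.conf, so a daemon-level setting is not required for them to take effect.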
Thank you!!!
Blog: devlearnings.wordpress.com