New Docker Engine 1.10 brings Enterprise-level Security Hardening – User Namespace

User namespace support was introduced as an experimental feature in Docker 1.9 last November. Docker 1.10 finally brings it to general availability and, with it, a real step toward Enterprise-grade security hardening.

What does it mean?

With user namespaces enabled, the Docker Engine maps the users inside a running container onto a separate, unprivileged range of user and group IDs on the host. Root (UID 0) inside the container no longer means root on the host: the host kernel sees the same process as an ordinary unprivileged UID, so a process that breaks out of the container, or writes to a bind-mounted host directory, has only that unprivileged user's rights. Note that this lets the containers run without host root, not Docker itself; the Docker daemon still runs as root.

"Calling Docker 1.10 rootless is still untrue, as the Docker daemon still uses root privileges"

So what changed since Docker 1.9?

The most visible change on disk is that, with user namespaces enabled, the daemon no longer keeps the remapped daemon's image layers and containers in the root of the graph directory. They live in a subdirectory named after the remapped root's UID and GID (/var/lib/docker/<uid>.<gid>), beside the existing non-remapped content, so switching the feature on or off, and upgrading or downgrading to and from 1.10, needs no migration of existing data and has no major impact.

Let us look at what the new Docker root directory looks like. I assume you have Docker installed on an Ubuntu or CentOS machine. If you are running an older version of Docker, you can upgrade to 1.10 with the following one-line command (it pipes a remote script into a root shell, so read the script first and prefer your distribution's signed packages on production hosts):

curl -fsSL https://get.docker.com/ | sh

Make sure the Docker daemon is started with the --userns-remap=default flag, as shown below:

root@dell-virtual-machine:~# docker daemon -H 10.94.214.186:5555 -H unix:///var/run/docker.sock --userns-remap=default &
[1] 7605
root@dell-virtual-machine:~# WARN[0000] /!\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\
INFO[0000] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: dockremap:dockremap
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: true
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=9e83765 execdriver=native-0.2 graphdriver=aufs version=1.10.1
INFO[0000] API listen on /var/run/docker.sock
INFO[0000] API listen on 10.94.214.186:5555
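A quick way to confirm that the remap is really in effect, both from the host's /etc/subuid and from inside a container, is the added shell example below. It is not part of the original post or of Docker itself; it assumes the default dockremap user, the shadow-utils subuid/subgid file format (user:start:count) and the /proc/<pid>/uid_map format, and it assumes the subgid range starts at the same number as the subuid range, as it does on this host. The sample file contents are constructed to match the 231072 range seen above. Every value it checks is computed by a named function, so the same functions can be pointed at the real /etc/subuid and at the output of `docker run --rm ubuntu cat /proc/self/uid_map` on a live host.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker): check how
# --userns-remap=default maps container UIDs onto host UIDs.
# Assumptions: the default 'dockremap' user, the shadow-utils subuid/subgid
# format (user:start:count) and the /proc/<pid>/uid_map format
# (<ns start> <parent start> <count>).
set -u

# Constructed sample of /etc/subuid (same format for /etc/subgid); the
# 231072 range matches the 231072.231072 directory seen on this host.
SAMPLE_SUBUID='dockremap:231072:65536
otheruser:296608:65536'

# Print "<start> <count>" for a user's sub-ID range from subuid-format text.
subid_range() {   # $1 = user name, $2 = file contents
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Translate a UID as seen inside the container to the UID the host kernel uses.
# Fails for IDs outside the mapped range: such IDs do not exist in the
# container's user namespace and show up there as the overflow ID (nobody).
host_uid() {      # $1 = container uid, $2 = range start, $3 = range count
    if [ "$1" -lt 0 ] || [ "$1" -ge "$3" ]; then
        echo "uid $1 is outside the mapped range 0-$(( $3 - 1 ))" >&2
        return 1
    fi
    echo $(( $2 + $1 ))
}

# Graph directory the daemon uses for a remapped root: <docker root>/<uid>.<gid>.
remap_dir() {     # $1 = docker root, $2 = host uid of container root, $3 = host gid
    echo "$1/$2.$3"
}

# Decide from the contents of /proc/self/uid_map, read inside a container,
# whether that container's root is remapped. Prints "remapped"/"not remapped".
userns_remapped() {   # $1 = uid_map contents
    printf '%s\n' "$1" | awk '$1 == 0 { print ($2 == 0 ? "not remapped" : "remapped"); exit }'
}

# Constructed samples of `cat /proc/self/uid_map` inside a container, first on
# a daemon started with --userns-remap, then on one without (identity map).
SAMPLE_UID_MAP='         0     231072      65536'
SAMPLE_UID_MAP_IDENTITY='         0          0 4294967295'

# Live check for a host running the remapped daemon (defined, not called here).
live_check() {
    docker run --rm ubuntu cat /proc/self/uid_map
}

# Walk through the mapping with the constructed samples.
set -- $(subid_range dockremap "$SAMPLE_SUBUID")
start=$1 count=$2
echo "dockremap range: start=$start count=$count"
echo "container uid 0    -> host uid $(host_uid 0 "$start" "$count")"
echo "container uid 1000 -> host uid $(host_uid 1000 "$start" "$count")"
root_uid=$(host_uid 0 "$start" "$count")
echo "daemon graph dir  : $(remap_dir /var/lib/docker "$root_uid" "$root_uid")"
echo "uid_map (remapped daemon): $(userns_remapped "$SAMPLE_UID_MAP")"
echo "uid_map (plain daemon)   : $(userns_remapped "$SAMPLE_UID_MAP_IDENTITY")"
host_uid 70000 "$start" "$count" || echo "(70000 has no host identity in this container)"
```

On a daemon started with --userns-remap=default, the uid_map read inside a container begins with `0 231072 65536` (namespace UID 0 is host UID 231072, for 65536 IDs), so userns_remapped prints "remapped"; on a daemon started without the flag the map is the identity map and it prints "not remapped". The daemon's graph directory for the remap, /var/lib/docker/231072.231072, is simply the host UID and GID of the container root joined by a dot, which is what remap_dir reproduces.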

Let's check the Docker-related processes with the following command:

root@dell-virtual-machine:/var/lib/docker/231072.231072# ps -aef | grep docker
root      4172     1  0 Feb20 ?        00:00:00 sh -c sleep 3; apt-get update; apt-get install -y -q docker-engine
root      4240  4172  4 Feb20 ?        00:28:00 apt-get install -y -q docker-engine
root      5635  4240  0 Feb20 pts/2    00:00:00 /usr/bin/dpkg --status-fd 66 --configure docker-engine:amd64
root      7475  7152  0 08:19 pts/18   00:00:00 docker daemon -H 0.0.0.0:5555 -H unix:///var/run/docker.sock --userns-remap=default
root      7534  7152  0 08:29 pts/18   00:00:00 grep --color=auto docker

Let’s check what new directory it created under /var/lib/docker:

root@dell-virtual-machine:/var/lib/docker# ls -la
total 228
drwx-----x  14 root   root    4096 Feb 21 08:18 .
drwxr-xr-x  79 root   root    4096 Nov  1 14:17 ..
drwx------   9 231072 231072  4096 Feb 21 08:18 231072.231072
drwxr-xr-x   5 root   root    4096 Sep 16 00:49 aufs
drwx------ 122 root   root   20480 Feb 21 07:59 containers
drwx------   3 root   root    4096 Sep 16 00:49 execdriver
drwx------ 404 root   root   45056 Feb 20 20:06 graph
drwx------   3 root   root    4096 Feb 20 20:34 image
drwx------   2 root   root    4096 Nov 11 21:16 init
-rw-r--r--   1 root   root   43008 Feb 20 21:10 linkgraph.db
-rw-------   1 root   root   54851 Feb 20 21:10 .migration-v1-images.json
-rw-r--r--   1 root   root       0 Feb 20 21:10 .migration-v1-tags
drwxr-x---   3 root   root    4096 Nov 11 21:23 network
-rw-------   1 root   root    6696 Feb 20 20:06 repositories-aufs
drwx------   2 root   root    4096 Feb 21 08:16 tmp
drwx------   2 root   root    4096 Nov 11 21:16 trust
drwx------   3 root   root    4096 Sep 16 01:19 vfs
drwx------  54 root   root    4096 Dec  6 19:18 volumes

The daemon has created a directory named after the remapped UID and GID (231072.231072) under the Docker root, owned by that unprivileged host UID rather than by root. 231072 is the first ID of the dockremap range in /etc/subuid and /etc/subgid, which is what root inside a container maps to on this host.

Change into that UID directory to see what the new image directory holds:

root@dell-virtual-machine:/var/lib/docker/231072.231072# ls
aufs  containers  image  network  tmp  trust  volumes
root@dell-virtual-machine:/var/lib/docker/231072.231072#

root@dell-virtual-machine:/var/lib/docker/231072.231072# ls -la
total 36
drwx------  9 231072 231072 4096 Feb 21 08:18 .
drwx-----x 14 root   root   4096 Feb 21 08:18 ..
drwx------  5 231072 231072 4096 Feb 21 08:18 aufs
drwx------  2 231072 231072 4096 Feb 21 08:18 containers
drwx------  3 root   root   4096 Feb 21 08:18 image
drwxr-x---  3 root   root   4096 Feb 21 08:18 network
drwx------  2 231072 231072 4096 Feb 21 08:18 tmp
drwx------  2 root   root   4096 Feb 21 08:18 trust
drwx------  2 231072 231072 4096 Feb 21 08:18 volumes
root@dell-virtual-machine:/var/lib/docker/231072.231072#

To see how the newly introduced user namespace actually delivers the security benefit, let us pull and run an Ubuntu container, bind-mounting the host's /var/log into it:

root@dell-virtual-machine:~# docker run -it -v /var/log:/var/log --name=collab ubuntu /bin/bash
ERRO[0014] Handler for POST /v1.22/containers/create returned error: No such image: ubuntu:latest
Unable to find image ‘ubuntu:latest’ locally
latest: Pulling from library/ubuntu
a64038a0eeaa: Pull complete
2ec6e7edf8a8: Pull complete
0a5fb6c3c94b: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:d8b3a9876f7b00798144e75ac6c7f98ab10772867c76dd05f3dbd8687588ab6d
Status: Downloaded newer image for ubuntu:latest
INFO[0278] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers : [nameserver 8.8.8.8 nameserver 8.8.4.4]
INFO[0278] IPv6 enabled; Adding default IPv6 external servers : [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
root@47bc13e67561:/#

Inside the container you are root, so you would expect to be able to create a directory under /var/log. But /var/log here is a bind mount of the host's /var/log, owned by the host's root and not writable by other users, and the host kernel sees the container's root as UID 231072. The mkdir is therefore refused with "Permission denied": root in the container cannot touch root-owned files on the host. Without user namespaces the same command would succeed, because container root and host root would be the same UID 0.

The controversial part of user namespaces is on the kernel side: a process can now obtain root-like capabilities inside its own namespace without being root on the host, which exposes kernel code paths that used to be reachable only by the real root to ordinary, non-administrative users. The risk is that such a user finds and exploits a bug in the host kernel through that newly reachable surface. Docker 1.10 addresses the container side of the problem with the remapping: each container's users are mapped onto an unprivileged ID range, so a compromised root inside a container is just an ordinary user on the host, which gives much better separation between containers and between a container and the host.
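To make the bind-mount outcome concrete, here is an added shell example (not from the original post or from Docker) that reproduces the kernel's discretionary permission check for creating an entry in a directory, then applies it to the host's /var/log as seen by container root with and without the remap. The owner, group and mode values are constructed (a root-owned /var/log with mode 755 is assumed; on some distributions the group differs, which does not change the result for a UID and GID in the dockremap range). The live_check function holds the real docker command for a host running the remapped daemon, where the mkdir fails with "Permission denied"; it is defined but not called, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker): reproduce the
# kernel's discretionary permission check for creating a new entry in a
# directory, and apply it to a bind-mounted host /var/log as seen by container
# root with and without --userns-remap.
# Simplifications: no POSIX ACLs and no CAP_DAC_OVERRIDE. The latter is the
# key point: the container's root holds that capability only inside its own
# user namespace, and host UID 0 (the owner of /var/log) is not mapped into
# that namespace, so the kernel does not let the capability override the
# directory's permission bits.
set -u

# $1 = directory owner uid, $2 = owner gid, $3 = octal mode (755, 1777, ...),
# $4 = uid of the calling process as the host kernel sees it, $5 = its gid.
# Prints "allowed" or "denied": creating an entry needs write (2) and
# search (1) permission on the directory itself.
predict_mkdir() {
    owner=$1 group=$2 mode=$3 uid=$4 gid=$5
    case $mode in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    perm=${mode#"${mode%???}"}          # keep the last three digits (drop suid/sgid/sticky)
    if [ "$uid" -eq "$owner" ]; then
        bits=${perm%??}                 # owner digit
    elif [ "$gid" -eq "$group" ]; then
        bits=${perm#?}; bits=${bits%?}  # group digit
    else
        bits=${perm#??}                 # other digit
    fi
    if [ $(( bits & 2 )) -ne 0 ] && [ $(( bits & 1 )) -ne 0 ]; then
        echo allowed
    else
        echo denied
    fi
}

# Live reproduction for a host whose daemon runs with --userns-remap=default
# (defined, not called here): prints the container uid and its uid_map, then
# attempts the mkdir that the text discusses.
live_check() {
    docker run --rm -v /var/log:/var/log ubuntu \
        sh -c 'id -u; cat /proc/self/uid_map; mkdir /var/log/userns-test'
}

# Constructed values: a root-owned /var/log with mode 755, as on a stock host.
echo "no remap, container root = host uid 0        : $(predict_mkdir 0 0 755 0 0)"
echo "remapped, container root = host uid 231072   : $(predict_mkdir 0 0 755 231072 231072)"
echo "remapped, world-writable dir (1777)          : $(predict_mkdir 0 0 1777 231072 231072)"
echo "remapped, dir chowned into the remap range   : $(predict_mkdir 231072 231072 700 231072 231072)"
echo "remapped, group-owned by the range, mode 750 : $(predict_mkdir 0 231072 750 231072 231072)"
```

The first two lines of output are the point: the same root-owned 755 directory is writable for an un-remapped container root (host UID 0) and denied for a remapped one (host UID 231072). The only ways to let the remapped container write there are the usual ones for an unprivileged user: make the directory group- or world-writable, or chown it (or a dedicated volume) into the dockremap range.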

In the next part of this discussion, we will talk about seccomp profiles, content-addressable image IDs and authorization plugins. Stay tuned!

12 thoughts on "New Docker Engine 1.10 brings Enterprise-level Security Hardening – User Namespace"

  1. This website is amazing. I will tell my friends and anybody who could be interested in this subject about it. Great work, guys!

  2. Hi! I really like your writing so much! proportion we keep in touch more about your post on AOL? I require a specialist on this house to resolve my problem. Maybe that's you! Looking ahead to see you.

  3. Woah! I’m really digging the template/theme of this site. It’s simple, yet effective. A lot of times it’s very difficult to get that “perfect balance” between usability and visual appeal. I must say that you’ve done a fantastic job with this. Also, the blog loads super quick for me on Chrome. Superb Blog!

  4. Hey I am so thrilled I found your blog, I really found you by accident, while I was searching on Aol for something else, Regardless I am here now and would just like to say thanks for a tremendous post and a all round entertaining blog (I also love the theme/design), I don’t have time to read it all at the moment but I have book-marked it and also added your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the awesome work.

  5. Wow! This can be one particular of the most useful blogs we have ever come across on this subject. Actually fantastic. I am also a specialist in this topic so I can understand your effort.

  6. Hi there, just became alert to your blog through Google, and found that it’s really informative. I am going to watch out for brussels. I’ll appreciate if you continue this in future. Lots of people will be benefited from your writing. Cheers!

  7. Hi, would you mind stating which blog platform you're using? I'm planning to start my own blog soon but I'm having a hard time selecting between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design seems different than most blogs and I'm looking for something unique. P.S. Apologies for being off-topic but I had to ask!

  8. Thank you for the sensible critique. Me & my neighbor were just preparing to do a little research on this. We got to grab a book from our local library but I think I learned more clearly from this post. I am very glad to see such great information being shared freely out there.

  9. Wow, marvelous blog layout! How long have you been blogging for? You made blogging look easy. The overall look of your website is excellent, as well as the content!

  10. RheaHDebbins

    It's a shame you don't have a donate button! I'd certainly donate to this particular excellent blog! I suppose for now I'll accept bookmarking and adding your Feed to my Google account.

    I enjoy brand-new updates and can speak about this blog with my Facebook group. Chat soon!

    1. I am planning to add a donate button soon. I need everyone's support to keep this site interesting and useful.
