Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 570+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 8900+ members and discord server close to 2200+ members. You can follow him on Twitter(@ajeetsraina).

New Docker Engine 1.10 brings Enterprise-level Security Hardening – User Namespace

User namespace support was introduced as an experimental feature last November in Docker 1.9. Docker 1.10 finally brings it to general availability and promises enterprise-grade security hardening.

What does it mean?

The newer Docker Engine brings a new capability to running containers: the daemon can now recognise multiple user roles and bind them to the appropriate security policies. If you have root privileges inside the container, you no longer automatically enjoy root privileges on the host machine. It is possible to run containers without root access (though the Docker daemon itself still needs root access).

"Calling Docker 1.10 rootless is still untrue, as the Docker daemon still uses root privileges"

So what changed since Docker 1.9?

The most significant change is that image layers no longer sit at /var/lib/docker/x.x but are left in the root of the graph root directory, which has made upgrading and downgrading to and from 1.10 easy without any major impact.

Let us look at what the new Docker root directory looks like. I assume you have Docker installed on an Ubuntu or CentOS machine. In case you are running an older version of Docker, you can always upgrade to 1.10 through the following one-line command:

curl -fsSL https://get.docker.com/ | sh

Ensure that the docker daemon is running with the --userns-remap=default flag enabled, as shown below:

root@dell-virtual-machine:~# docker daemon -H 10.94.214.186:5555 -H unix:///var/run/docker.sock --userns-remap=default &
[1] 7605
root@dell-virtual-machine:~# WARN[0000] /!\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\
INFO[0000] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: dockremap:dockremap
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: true
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.

INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=9e83765 execdriver=native-0.2 graphdriver=aufs version=1.10.1
INFO[0000] API listen on /var/run/docker.sock
INFO[0000] API listen on 10.94.214.186:5555

Let's check the process information related to Docker through the following command:

root@dell-virtual-machine:/var/lib/docker/231072.231072# ps -aef | grep docker
root      4172     1  0 Feb20 ?        00:00:00 sh -c sleep 3; apt-get update; apt-get install -y -q docker-engine
root      4240  4172  4 Feb20 ?        00:28:00 apt-get install -y -q docker-engine
root      5635  4240  0 Feb20 pts/2    00:00:00 /usr/bin/dpkg --status-fd 66 --configure docker-engine:amd64
root      7475  7152  0 08:19 pts/18   00:00:00 docker daemon -H 0.0.0.0:5555 -H unix:///var/run/docker.sock --userns-remap=default
root      7534  7152  0 08:29 pts/18   00:00:00 grep --color=auto docker

Let's check what new directory it created under /var/lib/docker:

root@dell-virtual-machine:/var/lib/docker# ls -la
total 228
drwx--x--x  14 root   root    4096 Feb 21 08:18 .
drwxr-xr-x  79 root   root    4096 Nov  1 14:17 ..
drwx------   9 231072 231072  4096 Feb 21 08:18 231072.231072
drwxr-xr-x   5 root   root    4096 Sep 16 00:49 aufs
drwx------ 122 root   root   20480 Feb 21 07:59 containers
drwx------   3 root   root    4096 Sep 16 00:49 execdriver
drwx------ 404 root   root   45056 Feb 20 20:06 graph
drwx------   3 root   root    4096 Feb 20 20:34 image
drwx------   2 root   root    4096 Nov 11 21:16 init
-rw-r--r--   1 root   root   43008 Feb 20 21:10 linkgraph.db
-rw-------   1 root   root   54851 Feb 20 21:10 .migration-v1-images.json
-rw-r--r--   1 root   root       0 Feb 20 21:10 .migration-v1-tags
drwxr-x---   3 root   root    4096 Nov 11 21:23 network
-rw-------   1 root   root    6696 Feb 20 20:06 repositories-aufs
drwx------   2 root   root    4096 Feb 21 08:16 tmp
drwx------   2 root   root    4096 Nov 11 21:16 trust
drwx------   3 root   root    4096 Sep 16 01:19 vfs
drwx------  54 root   root    4096 Dec  6 19:18 volumes

You will find a UID-specific directory (231072.231072, named after the start of the remapped subuid and subgid ranges) created under the root of the Docker directory.

Now change into the UID directory and see what content the new image directory holds:

root@dell-virtual-machine:/var/lib/docker/231072.231072# ls
aufs  containers  image  network  tmp  trust  volumes
root@dell-virtual-machine:/var/lib/docker/231072.231072#

root@dell-virtual-machine:/var/lib/docker/231072.231072# ls -la
total 36
drwx------  9 231072 231072 4096 Feb 21 08:18 .
drwx--x--x 14 root   root   4096 Feb 21 08:18 ..
drwx------  5 231072 231072 4096 Feb 21 08:18 aufs
drwx------  2 231072 231072 4096 Feb 21 08:18 containers
drwx------  3 root   root   4096 Feb 21 08:18 image
drwxr-x---  3 root   root   4096 Feb 21 08:18 network
drwx------  2 231072 231072 4096 Feb 21 08:18 tmp
drwx------  2 root   root   4096 Feb 21 08:18 trust
drwx------  2 231072 231072 4096 Feb 21 08:18 volumes
root@dell-virtual-machine:/var/lib/docker/231072.231072#

To understand how the newly introduced user namespace actually delivers this security feature, let us pull and run the ubuntu container as shown below:

root@dell-virtual-machine:~# docker run -it -v /var/log:/var/log --name=collab ubuntu /bin/bash
ERRO[0014] Handler for POST /v1.22/containers/create returned error: No such image: ubuntu:latest
Unable to find image ‘ubuntu:latest’ locally
latest: Pulling from library/ubuntu
a64038a0eeaa: Pull complete
2ec6e7edf8a8: Pull complete
0a5fb6c3c94b: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:d8b3a9876f7b00798144e75ac6c7f98ab10772867c76dd05f3dbd8687588ab6d
Status: Downloaded newer image for ubuntu:latest
INFO[0278] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers : [nameserver 8.8.8.8 nameserver 8.8.4.4]
INFO[0278] IPv6 enabled; Adding default IPv6 external servers : [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
root@47bc13e67561:/#

If you try to create a folder structure inside /var/log in the container, it will likely let you, because you are logged into the container as the root user, but it won't let you play around with the host machine. The challenge and the controversial element of user namespaces is that they can potentially enable root system access privileges inside a container. The risk is that by enabling root access, a regular non-administrative Docker user could potentially find a bug in the underlying host operating system. Docker 1.10 tackles this problem by bringing security in terms of user namespaces, which allow better separation of applications/containers because each process/container has its own set of users.
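To make the remapping concrete, here is an added example (not code from the original post or from Docker) that mimics how the daemon names the remapped graph root from /etc/subuid and /etc/subgid, and how a UID inside the container (root included) corresponds to a host UID. The file contents are constructed samples chosen to match the 231072 range in the listings above; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from Docker itself.
# Models two things the listings above show: the <uidstart>.<gidstart>
# graph root (231072.231072) and the container-to-host UID translation.

# Constructed sample contents in the real file format: <name>:<start>:<count>
SUBUID_SAMPLE='dockremap:231072:65536
alice:100000:65536'
SUBGID_SAMPLE='dockremap:231072:65536
alice:100000:65536'

# first_range NAME CONTENT -> prints "<start> <count>" of NAME's first range
first_range() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $2, $3; exit }'
}

# graph_root NAME -> prints the remapped graph root name, e.g. 231072.231072,
# the subdirectory of /var/lib/docker the daemon uses for this mapping
graph_root() {
    set -- "$1" $(first_range "$1" "$SUBUID_SAMPLE") $(first_range "$1" "$SUBGID_SAMPLE")
    # $2 = uid start, $3 = uid count, $4 = gid start, $5 = gid count
    [ -n "$2" ] && [ -n "$4" ] || return 1
    printf '%s.%s\n' "$2" "$4"
}

# host_uid NAME CONTAINER_UID -> the host UID that CONTAINER_UID really is.
# Container root (0) lands on the start of the range, never on host UID 0.
host_uid() {
    set -- "$2" $(first_range "$1" "$SUBUID_SAMPLE")
    # $1 = container uid, $2 = range start, $3 = range count
    [ -n "$2" ] || return 1
    if [ "$1" -ge "$3" ]; then
        echo "uid $1 is beyond the $3-entry range: unmapped on the host" >&2
        return 1
    fi
    echo $(( $2 + $1 ))
}

# Demo when run directly: the values the author's listings let us confirm
graph_root dockremap          # 231072.231072
host_uid dockremap 0          # 231072, what container root is on the host
host_uid dockremap 1000       # 232072
```

This is why a file created as root inside the container shows up owned by 231072 on the host, and why the host's own root-owned files stay out of reach.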

In the next part of this discussion, we will talk about seccomp profiles, content-addressable image IDs and authorization plugins. Stay tuned!
