container security
TRANSCRIPT
# Create a dedicated system account and switch to it, so the container's
# process does not run as root.
RUN groupadd --system user \
    && useradd --system --gid user user
USER user
# Untagged base: resolves to whatever "latest" is at build time, so the build is
# not reproducible.
FROM debian
RUN apt-get update && apt-get install -y curl
# Every RUN below is a separate image layer. The archive written by this step
# is stored in its own layer ...
RUN curl http://sourcecode.com/file.tgz -o /file.tgz
RUN tar xzf /file.tgz && make
# ... so deleting it here only hides it from the final filesystem view: the
# image does not get smaller, and the file is still recoverable from the earlier
# layer. Download, build and clean-up have to happen in the same RUN.
RUN rm /file.tgz
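FROM debian
# Install the download tool in its own (cacheable) layer. The apt index is
# removed in the same RUN that created it; a later `rm` would not shrink the
# image because the files would already be baked into this layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
# Download, unpack, build and delete the archive in ONE layer, so /file.tgz
# never persists in the image. `-f` makes curl fail on an HTTP error instead of
# saving the error page as file.tgz; `-L` follows redirects.
# TODO: the source is fetched over plain http with no integrity check; verify
# the archive before unpacking, e.g.
#   echo "<EXPECTED_SHA256>  /file.tgz" | sha256sum -c -
RUN curl -fsSL http://sourcecode.com/file.tgz -o /file.tgz \
    && tar xzf /file.tgz \
    && make \
    && rm /file.tgz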
# Copy github ssh key
# NOTE: this COPY creates an image layer that contains the private key. The
# `rm` further down only removes it from the final filesystem view; anyone who
# pulls the image can still read the key out of this earlier layer. The key
# should never be copied into the build at all — use a build-time secret or
# ssh mount (`RUN --mount=type=ssh ...`) so it is not written to any layer.
COPY github_rsa /root/.ssh/id_rsa
...
# Remove ssh key
RUN rm /root/.ssh/id_rsa
$ docker run --read-only debian touch x
touch: cannot touch 'x': Read-only file system
$ docker run -v $(pwd)/secrets:/secrets:ro \
    debian touch /secrets/x
touch: cannot touch '/secrets/x': Read-only file system
$ docker run --cap-drop SETUID --cap-drop SETGID myimage
$ docker run --cap-drop ALL --cap-add ...
$ docker run -d myimage
$ docker run -d -c 512 myimage
$ docker run -d -c 512 myimage
$ docker run -m 512m myimage
$ docker run debian \
    find / -perm +6000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root   10248 Apr 15 00:02 /usr/lib/pt_chown
-rwxr-sr-x 1 root shadow 62272 Nov 20  2014 /usr/bin/chage
-rwsr-xr-x 1 root root   75376 Nov 20  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root   53616 Nov 20  2014 /usr/bin/chfn
...
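# Tagged base (good); note that wheezy no longer receives security updates, so
# the tag should be bumped when this image is next rebuilt.
FROM debian:wheezy
# "Defang" the image: strip the setuid/setgid bits from every binary so that a
# process inside the container cannot use them to gain root.
#  - `-perm /6000` matches files with either bit set. It replaces the old
#    `-perm +6000` spelling, which newer findutils rejects; combined with the
#    original `|| true` that rejection was silently ignored, leaving every
#    setuid binary in place while the build still "succeeded".
#  - `-xdev` keeps find on the image filesystem and out of /proc, /sys and
#    /dev, so the command can be left to fail the build if it really fails.
RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} +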
$ docker build -t defanged-debian .
...
Successfully built 526744cf1bc1
$ docker run --rm defanged-debian \
    find / -perm +6000 -type f -exec ls -ld {} \; \
    2>/dev/null | wc -l
0
$
$ docker daemon --icc=false
$ sestatus | grep mode
Current mode:                   enforcing
$ mkdir data
$ echo "hello" > data/file
$ docker run -v $(pwd)/data:/data debian cat /data/file
cat: /data/file: Permission denied
$ ls --scontext data
unconfined_u:object_r:user_home_t:s0 file
$ chcon -Rt svirt_sandbox_file_t data
$ docker run -v $(pwd)/data:/data debian cat /data/file
hello
$ docker run -e API_TOKEN=MY_SECRET myimage
$ docker run -e API_TOKEN=MY_SECRET myimage
$ docker run -e API_TOKEN=MY_SECRET myimage
$ docker run -e API_TOKEN=MY_SECRET myimage
$ docker run -e API_TOKEN=MY_SECRET myimage
$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage
$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage