Docker penetration
Dmitry Stolyarov
v4
Penetrating Docker, with examples

Hi!

```
# whoami
dmitry.stolyarov
# hostname -d
flant.ru
# cat /etc/motd
Проникновение в Docker с примерами
```
24×7×365 L1/L2/L3/L4 DevOps SLA
Experience
Gentoo and Linux-VServer, 2006
OpenSolaris Zones
procfs v1 by flant, 2008
jailer by flant, 2009
LXC
Docker, autumn 2013
Docker, 6 June 2014
Why penetrate Docker?
Test environments   }
Continuous Delivery } >90%: no access into the container needed
Containers: access needed
[Diagram, slides 19–26: two containers each running OpenSSH on :22; on the host they are exposed either on separate ports (:23 and :24) or behind a reverse proxy on :22; in the last slide users Petya and Vasya both connect to OpenSSH on :22.]
What is Docker?
Kernel features (kernel version / date):
capabilities (2.2 / 1999)
namespaces (2.6.19 / Nov 2006)
cgroups (2.6.24 / Jan 2008)
veth (~ Sep 2007)
aufs (~ 2006)
overlay (3.18, Dec 2014)
On top of them: Docker (~2014)
unshare.c (the slides build this program up line by line; shown here whole, with error checks and the missing headers added):

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

int main(void) {
    /* New IPC, mount, network, PID and UTS namespaces for this process. */
    if (unshare(CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID | CLONE_NEWUTS) == -1) {
        perror("unshare");
        return 1;
    }
    /* Only children land in the new PID namespace: fork, the child becomes PID 1,
     * the parent just waits for it. */
    if (fork()) { wait(NULL); return 0; }
    /* Make our mounts private first, so the umount below cannot propagate back
     * to the host's /proc (default mount propagation is shared on many systems). */
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
    /* Remount /proc so that ps sees only the new PID namespace. */
    umount("/proc");
    mount("proc", "/proc", "proc", 0, NULL);
    execl("/bin/bash", "/bin/bash", NULL);
    perror("execl");
    return 1;
}
```
```
# gcc unshare.c -o unshare
# ./unshare
# ps ax
  PID TTY      STAT   TIME COMMAND
    1 pts/0    S      0:00 /bin/bash
   12 pts/0    R+     0:00 ps ax
# netstat -natu
… nothing
#
```
setns.c (given a pid, join that process's namespaces; shown whole, with the unchecked open()/setns() calls of the slides replaced by checked ones in a loop):

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    int pid = atoi(argv[1]);
    char pathbuf[100];
    /* Same order as on the slides; mnt goes last because after joining the
     * target's mount namespace /proc is the target's and the paths below would
     * no longer refer to the same process. */
    const char *ns[] = { "net", "ipc", "uts", "pid", "mnt" };
    for (size_t i = 0; i < sizeof ns / sizeof ns[0]; i++) {
        snprintf(pathbuf, sizeof pathbuf, "/proc/%d/ns/%s", pid, ns[i]);
        int fd = open(pathbuf, O_RDONLY);
        if (fd == -1 || setns(fd, 0) == -1) { perror(pathbuf); return 1; }
        close(fd);
    }
    /* Joining a PID namespace only affects children: fork, and the child is the
     * process that actually lives inside the target's PID namespace. */
    if (fork()) { wait(NULL); return 0; }
    execl("/bin/bash", "/bin/bash", NULL);
    perror("execl");
    return 1;
}
```
```
# gcc setns.c -o setns
# pstree -p $(pidof unshare)
unshare(5136)───bash(5137)
# ./setns 5137
# ps ax
  PID TTY      STAT   TIME COMMAND
    1 pts/0    S+     0:00 /bin/bash
   42 pts/2    S      0:00 /bin/bash
   52 pts/2    R+     0:00 ps ax
```
```
# mkdir /sys/fs/cgroup/memory/mygroup
# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks
# cat /proc/$$/cgroup | grep memory
6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572
# echo $$ > /sys/fs/cgroup/memory/tasks
# rmdir /sys/fs/cgroup/memory/mygroup
```
What is Docker? (the two pieces just demonstrated by hand are ticked)
Kernel features (kernel version / date):
capabilities (2.2 / 1999)
namespaces (2.6.19 / Nov 2006) ✔
cgroups (2.6.24 / Jan 2008) ✔
veth (~ Sep 2007)
aufs (~ 2006)
overlay (3.18, Dec 2014)
On top of them: Docker (~2014)
Is Docker rocket science?
A gadget that does something nobody understands?
Is Docker too slow for production?
Is Docker NOT secure for production?
Everything should be made as simple as possible, but not simpler.
Albert Einstein
What do you need to enter a Docker container?

1. Find out the container's pid and id:

```
# docker inspect -f '{{.State.Pid}} {{.Id}}' container_name
```

2. Add yourself to the container's cgroups (the slide's one-liner, with the missing `;` and line breaks restored; the glob expands to the same paths as the `$(ls ...)` on the slide):

```
for f in /sys/fs/cgroup/*/docker/$CONTAINER_ID/tasks; do
    echo $$ > "$f"
done
```

3. Switch namespaces: setns() on /proc/<pid>/ns/{net,ipc,uts,pid,mnt}, then fork and exec a shell (setns.c above).

4. Drop the capabilities the container does not have.
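Step 4 has no code on the slides. The following added example (not from the talk or the flant projects) implements it the way a host process entering a container would: compute Docker's default capability set (the list is taken from Docker's documentation, an assumption, not from the slides), compare a process's bounding set from /proc/<pid>/status against it, and drop everything outside it with prctl(PR_CAPBSET_DROP). The comparison also serves as a check for containers, or entered shells, that still hold more than the default.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <inttypes.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Docker's default capability set (assumption: taken from Docker's documentation). */
static const int docker_default_caps[] = {
    CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_MKNOD, CAP_NET_RAW,
    CAP_SETGID, CAP_SETUID, CAP_SETFCAP, CAP_SETPCAP, CAP_NET_BIND_SERVICE,
    CAP_SYS_CHROOT, CAP_KILL, CAP_AUDIT_WRITE,
};

/* The default set as a bitmask, in the layout of the Cap* lines of /proc/<pid>/status. */
uint64_t docker_default_mask(void) {
    uint64_t m = 0;
    for (size_t i = 0; i < sizeof docker_default_caps / sizeof docker_default_caps[0]; i++)
        m |= (uint64_t)1 << docker_default_caps[i];
    return m;
}

/* Parse one status line such as "CapBnd:\t00000000a80425fb"; 0 on success, -1 if
 * the line is not the requested key. */
int parse_cap_line(const char *line, const char *key, uint64_t *out) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':') return -1;
    return sscanf(line + klen + 1, " %" SCNx64, out) == 1 ? 0 : -1;
}

/* Read the bounding set of a process (pid 0 = this process) from /proc. */
int read_cap_bnd(int pid, uint64_t *out) {
    char path[64], line[256];
    if (pid > 0) snprintf(path, sizeof path, "/proc/%d/status", pid);
    else snprintf(path, sizeof path, "/proc/self/status");
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int rc = -1;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, "CapBnd", out) == 0) { rc = 0; break; }
    fclose(f);
    return rc;
}

/* Capabilities in `have` that are not in `keep`: non-zero means the process holds
 * more than a default Docker container would. */
uint64_t extra_caps(uint64_t have, uint64_t keep) { return have & ~keep; }

/* Drop every capability outside `keep` from the bounding set. Needs CAP_SETPCAP;
 * returns the number dropped, or -1 (errno set) if the kernel refuses. The drop
 * is permanent for this process and everything it execs afterwards. */
int drop_extra_caps(uint64_t keep) {
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & ((uint64_t)1 << cap)) continue;
        /* Not held already, or unknown to the running kernel: nothing to drop. */
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) != 1) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1) return -1;
        dropped++;
    }
    return dropped;
}

int main(void) {
    uint64_t keep = docker_default_mask(), bnd;
    if (read_cap_bnd(0, &bnd) == -1) { perror("status"); return 1; }
    printf("CapBnd=%016" PRIx64 " extra=%016" PRIx64 "\n", bnd, extra_caps(bnd, keep));
    if (drop_extra_caps(keep) == -1) { perror("prctl"); return 1; }
    if (read_cap_bnd(0, &bnd) == -1) return 1;
    printf("after drop: extra=%016" PRIx64 "\n", extra_caps(bnd, keep));
    return 0;
}
```

Run as root on the host before the fork/exec in setns.c; a container shell whose CapBnd is 00000000a80425fb is at Docker's default, and any bit set in `extra` is a capability the container was not supposed to have.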
[Diagram, slides 89–95: users Petya and Vasya log in through OpenSSH (:22); the login passes through PAM, where pam_docker places the session into the user's container; the same entry point is then shown for ProFTPd (:21), su / sudo and cron.]
[Diagram, slides 96–99: a php_fpm master process spawning its worker processes (W), the case handled by php_fpm_docker below.]
Our Docker projects:
github.com/flant/docker_penetration_experiment
github.com/flant/pam_docker
github.com/flant/php_fpm_docker

Dmitry Stolyarov, [email protected]
linkedin.com/in/distol
github.com/distol

Thank you all!

Timofey Kirillov, github.com/distorhead