07 juillet 2017

Writing a Docker Authorization Plugin

Docker daemon is extensible by plugins, allowing network, volumes, authorization and (in last version) logs and metrics management to be plugged in and controlled from external services.

As I'm investigating Docker infrastructure security in the contexte of a CI/CD service, I've been looking for ways to lock down docker daemon so it only allows a subset of the Docker API. Typically, I want to disable bind mounts to ensure one can't just make crazy things like :

docker run -v /:/target alpine rm -rf /target/*

(don't try this at home)


There's various solutions to prevent bad things to happen, including enabling the user namespace, but a second protection barrier still makes sense #DefenseInDepth.



So I've been investigating authorization plugin for docker daemon.

Step 1 : Architecture

Authorization plugin are invoked by deamon for any API call, either from docker socket or http clients. User identity is based on TLS key, so one could create such a plugin with user profiles, so some super-admin with adequate TLS key could do anything, and all others would have restricted access to the API. You can chain authorization plugins, so depending your needs you can keep them simple, or just plug existing ones.

Authorization plugin only implements 2 http endpoints, one to authorize the incoming API request, and the second to authorize the resulting output. This design allows to filter some API calls or to block some data to be exposed by the daemon. It's sometime simpler to let the daemon run some read-only API calls (like inspect)  then check the result to ensure no sensible data is exposed.

To write such a plugin, you'll need to understand which API are actually used by a docker CLI command. Typically, docker run -it  actually uses a bunch of them to pull image, create and start container, attach stdin/out. A simple way is to just look a docker daemon logs when debug is enabled.

Also note authorization plugin can't make changes to the incoming request, so you can't for sample remove some parameters or add some additional ones, like forcing a label to a container to track which user created it. I'd like to do this so I can prevent a later docker exec command to enter a container someone else created. To do this from this plugin I'll need to become stateful and store some container :: owner map.

Step 2 : Code

I've implemented my plugin in Go, using go-plugin-helper skeleton. There's not much done by this lib, but I'm lazy :P

I spent some time fighting with GOPATH and (lack of) dependency management in Go language. Typically, go-plugin-helped do depend on go-connections, and I've been hurt by this change as go-connection has some tags but go-plugin-helper doesn't, so dep I'm using to manage dependencies just pulled incompatible code. I like go development but dependency hells is really a terrible issue for this ecosystem.

Plugin's code is available on github. There's nothing magic here, just a whitelist for API calls I authorize and a specific parameter check for 'docker run'  to ensure no bind mount is user, nor Privileged containers creation.

I could also have used twistlock authz plugin with a custom profile, but

  1. I'm not sure this plugin is more than just a proof of concept (twistlock offers a proprietary more advanced security service, so don't expect this project to do more than just basic filtering)
  2. One learn more by getting hands dirty. Or maybe this is some sort of NIH syndrom :P 

Step 3 : Test

You can ask my colleagues : I'm not used to write unit tests (and that's probably bad) but here I did at least for a simple one :P. But unit tests only cover local code execution, let's try to deploy this plugin on a real docker daemon and validate it actually does the job.

To avoid breaking my local docker installation (sic) I created a virtualbox test environment using docker-machine (yes, despite docker4desktop supersede it for developer experience, this project still is useful). So we now have a sandbox, let's play

Step 4 : Deploy

Authorization plugin deployment is not a smooth process. I would expect I can run something like:

  docker build -t myplugin . && docker plugin install myplugin

but ... that's not the case (yet - maybe this will be improved in a future release).

You first have to build your plugin and provide a root filesystem for it to run containerized. So the simpler solution is to build a docker image and export it's filesystem

docker build -t authobot .

(...)

mkdir rootfs
ID=$(docker run -d authobot)
docker export $ID | tar -x -C rootfs
docker kill $ID
docker rm $ID
One also have to create a JSON descriptor for the plugin. There's various options in this file, but for this simple plugin descriptor is trivial:

{
  "Description": "Authorization plugin for Docker",
  "Documentation": "https://github.com/ndeloof/authobot/blob/master/README.md",
  "Entrypoint": [
    "/bin/authobot"
  ],

  "Interface": {
    "Socket": "authobot.sock",
    "Types": [
      "docker.authz/1.0"
    ]
  }
}


We can now register this plugin on docker daemon and enable it

docker plugin create authobot .
docker plugin enable authobot

Here, the funny thing is that the plugin is enabled, but not in use. #plugin channel on Docker slack was a great assistance for me to understand the issue. Thanks a lot to Brian Goff for taking time to assist a noob :P

Authorization plugins have to be explicitly set as docker daemon options, and can't be enabled/disabled from the API. It makes sense as one could then use the API to disable authorization :-\ but makes the code/deploy/test cycle bit more slow and annoying.

So let's now actually enable the plugin :
sudo vi /var/lib/boot2docker/profile
(adjust to your docker installation if you don't use a boot2docker VM)

Add --authorization-plugin=authobot to docker daemon arguments

restart daemon :
sudo /etc/init.d/docker restart

Step 5 : Done!

My docker daemon now accepts the few API I've whitelisted, but nothing much

$ docker run -it ubuntu echo 'hello world!'
hello world!

$ docker ps
Error response from daemon: plugin authobot:latest failed with error: AuthZPlugin.AuthZReq: /v1.30/containers/json is not authorized


Step 6 : What's next?

Code is currently very minimalist, there's many thing I could improve.
Generally speaking, it only partially cover my need : I will need to track the owner of each container to prevent one try to access other's containers.

Also, as an authorization plugin doesn't allow to change the API call payload, there's few things that will be harder to implement, like per user resource quota, and few other protections I'd like to implement. This plugin anyway will at least prevent the most obvious security issues.





18 commentaires:

Andre Schroeder a dit…

Shipping was fast and the glass protector was well bundled. The protector is tiny smaller compared to my previous versions. It has much better feeling réparation iphone as well as in form as opposed to other individuals. I'm thrilled with my purchase…..

Anonyme a dit…

Mystino's Vegas Review 2021 + Latest Bonus Offers
Mystino's 10cric login Vegas is ミスティーノ a relatively new and relatively new site, made up of several veterans from the casino industry. The platform is built around the m88

Gregory J. Trujillo a dit…

That was quite helpful and productive; you have explained the whole process in a simple yet effective way. Now that I have comprehended this; all I need is Masters Dissertation Proposal Help so that they can write a dissertation on my behalf and I can get done with this authentication process.

MichelAnthony a dit…

Such an informative post. The article is really helpful. Thanks for sharing the knowledge and experience.
Site: Wilsons Adventure Bound Leather Bomber Jacket

Unknown a dit…

This is the first time that I visit here. I found so many exciting matters in this particular blog,
Site : Johnny Red Cobra Kai Jacket

Roman Davis a dit…

I am first reading this blog, but you are introducing a new plugin that can be used on business websites for volume. I am not aware of its benefits and disadvantages; therefore, I have decided not to download it. coursework writing service

Hassan Sheikh a dit…

It is a really nice article but if you need cv writing agencies in dubai? then hire those who are providing the best CV writing services at cheap rates.

edwardcullen a dit…

Looking for security services then here we are security bolton united kingdom so guys visit our site and get now at cheap rates.

Tommy543 a dit…

Each time you try to make up a good-looking annotated reference list but see that many similarities occur in it? Does your https://topswriting.com/review/papernow bibliography have the same sources as in another student’s research?

jeffreyjonathan411 a dit…

Thanks for sharing this post

EvelynAdam a dit…

The match will take place on November 23rd at Qatar’s Khalifa International Stadium. Whoever wins advances to the round of 16. If you want to know how to watch uruguay vs korea live stream from anywhere in the world, keep reading!

Rony James a dit…

You gave a clear, concise, and useful explanation of the entire procedure, which was really helpful and fruitful. Now that I've understood everything, all I need is management assignment viva service to complete this authentication procedure and produce a Viva service on my behalf.

Rony James a dit…

You gave a clear, concise, and useful explanation of the entire procedure, which was really helpful and fruitful. Now that I've understood everything, all I need is UK law essay writers to complete this authentication procedure and produce a law essay on my behalf.

phil123321 a dit…

The topic of security is very relevant and important now. Everyone wants to protect their personal data. And then to spend the rest of the day interesting, you can visit 1depositcasinonz.com and don't worry about anything

jamesbarns a dit…

The wonderful Oracle 1z0-1094-22 success rate using our innovative and exam-oriented products made thousands of ambitious IT 1z0-1094-22 exam dumps professionals our loyal customers. Your success is always our top priority and for that our experts are always bent on enhancing our products.

Cara a dit…

Writing a Docker Authorization Plugin is a valuable task for enhancing security and access control in container environments. These plugins allow you to define and enforce custom authorization policies, providing an extra layer of protection. The process typically involves defining the plugin's logic, integrating it with Docker's authorization system, testing, and deploying it. Docker Authorization Plugins are a crucial tool for organizations looking to tailor container access control to their specific requirements and security standards.
bankcruptcy lawyer near me

paul a dit…

A Docker Authorization Plugin enhances security and access control, providing flexibility for developers. However, the learning curve may be steep, depending on familiarity with Docker internals and plugin development. Clear documentation and community support can improve the experience. Overall, creating an effective authorization plugin significantly improves Docker container security and management. Aviso de Comparecencia Divorcio Nueva York

johnblaze21 a dit…

Impressive work! Your detailed guide on creating a Docker authorization plugin is invaluable for those diving into Docker infrastructure security. A step-by-step walkthrough with insights makes it accessible even for those new to the concept.
New York Divorce Laws Assets