19 January 2018

To DinD or not to DinD?

A colleague of mine pointed me to this interesting article about using Docker-in-Docker ("DinD") as a valid solution for the Continuous Integration use case.

Don't bind-mount docker.sock!

This article is interesting because it explains very well the issue with exposing the underlying Docker socket to a container. tl;dr: you give up on security and isolation entirely. Remember this single excerpt:

"they can create Docker containers that are privileged or bind mount host paths, potentially creating havoc on the host"

The article starts with a reference to Jérôme's blog post explaining why one should not use DinD for CI, so it is interesting to understand the reasoning behind adopting a solution the original author explicitly disclaimed for this usage.

Let's now have a look at the follow-up article on DinD: A case for Docker-in-Docker on Kubernetes (Part 2)

Here again, the issue with exposing the underlying Docker infrastructure is well described. Please read it; I'm exhausted from trying to explain why '-v /var/run/docker.sock:/var/run/docker.sock' is an option you should never type.

Then the DinD solution applied to Kubernetes is demonstrated, and the point I want you to notice is this one in the pod's YAML definition:

securityContext:
    privileged: true

Privileged?

What does this option imply? It sounds like few people actually understand the impact. The option name alone should ring a bell.

Let's have a look at the reference documentation:

"The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller"

Such a container can then access every hardware resource exposed at the lowest level through the host's /dev pseudo-filesystem. That includes all your disks, which is the most obvious security issue. Are you comfortable knowing your build can also access /dev/mem (physical memory)?

Allowing all capabilities also means your container can use every system call gated by the cap_sys_admin capability, which, as any short overview of Linux capabilities will tell you, means there is effectively no restriction on what this process can do on the system. Typically, with cap_sys_admin you can use mknod to create /dev/* nodes if you didn't already have access to them from the container...

--privileged is a sort of sudo++. It's as if you could do this:


  ~ echo hello
  Permission denied
  ~ sudo echo hello
  Permission denied
  ~ echo --privileged hello
  hello

So a DinD container runs as root, with no restriction on the system calls it can make and with access to all devices. Sounds like a great place to run arbitrary processes and build pull requests, doesn't it?
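A quick way to see what a build is actually running with, as an added example (my code, not from the original post): read the CapEff line from /proc/<pid>/status inside the container and decode it. The capability numbers and Docker's default capability set are standard Linux and Docker facts; an unprivileged Docker container shows CapEff 00000000a80425fb, while one started with --privileged shows every bit set up to the kernel's cap_last_cap. The /proc status excerpts below are constructed.

```python
"""Audit a process's effective capability set from /proc/<pid>/status.

Added example, not code from the original post: decodes the CapEff bitmask and
reports how far it exceeds Docker's default set. A --privileged container shows
every capability bit set up to cap_last_cap.
"""
from __future__ import annotations

from pathlib import Path

# Linux capability numbers (list index == capability number), up to CAP_CHECKPOINT_RESTORE (40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities a non-privileged Docker container keeps by default (CapEff 00000000a80425fb).
DOCKER_DEFAULT_CAPS = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}


def parse_cap_eff(status_text: str) -> int:
    """Extract the CapEff hex bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def decode_caps(mask: int) -> set[str]:
    """Turn a capability bitmask into the set of capability names."""
    return {name for number, name in enumerate(CAP_NAMES) if mask & (1 << number)}


def audit(status_text: str, last_cap: int = len(CAP_NAMES) - 1) -> dict:
    """Compare the effective capabilities with Docker's default set.

    last_cap mirrors /proc/sys/kernel/cap_last_cap of the running kernel; a
    process holding every capability up to it is what --privileged hands out.
    """
    mask = parse_cap_eff(status_text)
    caps = decode_caps(mask)
    full_mask = (1 << (last_cap + 1)) - 1
    return {
        "caps": sorted(caps),
        "beyond_docker_default": sorted(caps - DOCKER_DEFAULT_CAPS),
        "is_full_set": mask == full_mask,  # every capability the kernel knows about
    }


# Constructed /proc/<pid>/status excerpts (only the lines that matter are included).
DEFAULT_CONTAINER_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_CONTAINER_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("default container", DEFAULT_CONTAINER_STATUS),
                        ("privileged container", PRIVILEGED_CONTAINER_STATUS)):
        print(label, audit(text))
    try:
        # On Linux, audit the current process itself.
        print("this process", audit(Path("/proc/self/status").read_text()))
    except OSError:
        print("this process: /proc not available on this platform")
```

Run it inside a CI container (or feed it a captured /proc/<pid>/status) to see whether the build holds anything beyond Docker's default set; pass the value of /proc/sys/kernel/cap_last_cap as last_cap so the full-set check matches the kernel you are running on.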

Maybe you think of Docker resource isolation as "we want to prevent the development team from shooting itself in the foot", and just want to ensure no build process will start an infinite fork loop or break the CI service with a memory leak. Only public cloud services need to prevent attackers from breaking the isolation and stealing secrets, right? If so, please take a few minutes to talk with your Ops team :P


So, is DinD such a bad idea?

Actually, one can run a privileged container and still enforce security, using a fine-grained AppArmor profile to ensure only the appropriate resources are reachable. You can also use Docker's --device to restrict the devices your DinD container can actually use, and --cap-drop to reduce the allowed capabilities (and thus system calls) to the strict minimum. This is how play-with-docker is built, but as you can guess it wasn't created in a day, and it requires an advanced understanding of those security mechanisms.

Is there any alternative ?

My guess is that the Applatix solution is driven by the lack of a simple and viable alternative. Exposing the underlying Docker infrastructure is just a no-go, as you then lose Kubernetes' management control over your side containers: your nodes would quickly be running thousands of orphaned containers. From this point of view, using DinD keeps all your containers under cluster management.

How do others solve this issue?

CircleCI, for example, does allow access to a Docker infrastructure to build your own image. The documentation explains that a dedicated, remote Docker machine is allocated for your build. So they create VMs (or something comparable) to give your build access to a dedicated Docker daemon with strong isolation. This is far from transparent for the end user, but at least it doesn't give up on a secure solution.

My recommendation is to have your build include the logic required to set up such a dedicated Docker box. In terms of a Jenkinsfile pipeline, you could mimic CircleCI with a shared library offering a high-level setup_remote_docker() function to the jobs within your company. This library would allocate a short-lived VM on your infrastructure to host the Docker commands, and inject the DOCKER_HOST environment variable accordingly.

What's next?

Another solution I've been investigating is to create a Docker API proxy, which does expose the underlying Docker infrastructure but filters all API calls to reject anything you're not supposed to do:
  • only proxy supported API calls (whitelist)
  • parse the API payload and rebuild the payload sent to the underlying infrastructure, so that only supported options are passed to the Docker daemon
  • reject security-related options such as bind mounts, privileged, cap-add, etc.
  • block access to containers/volumes/networks you didn't create
  • filter API responses so you only see legitimate resources (for example, docker ps will only show you your own containers)
This proxy also transparently adds constraints to API commands: it enforces that all containers you create inherit from the same cgroup hierarchy, so if your build is constrained to 2Gb of memory, you can't get more by running side containers. It also adds labels, which can be used by infrastructure monitoring to track resource ownership.

So, generally speaking, this proxy adds a "namespace" feature on top of the Docker API.

This is just a prototype so far, and sorry: it's not open source...
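To make the filtering concrete, here is an added sketch of the request and response filtering such a proxy would apply (my example, not the author's prototype, which is not public). It uses the real Docker Engine API field names (ContainerCreate's Image, Cmd, Env, Labels and HostConfig.Privileged, Binds, Mounts, Devices, CapAdd, SecurityOpt, CgroupParent; ContainerList's Labels), but the endpoint whitelist, the owner label name ci.example/build-owner and the cgroup parent /ci-builds are assumptions for the illustration, and the sample requests are constructed.

```python
"""Filtering logic for a Docker API "namespace" proxy.

Added example, not the author's prototype: pure functions implementing the
whitelist, payload rebuild, ownership check and response filtering described
above. Endpoint table, owner label and cgroup parent are assumptions.
"""
from __future__ import annotations

import re

OWNER_LABEL = "ci.example/build-owner"  # assumed label the proxy stamps on every resource
CGROUP_PARENT = "/ci-builds"            # assumed cgroup the build itself runs under

# Whitelist: a request not matched here never reaches the daemon (versioned paths only).
ALLOWED_ENDPOINTS = [
    ("POST", re.compile(r"^/v[\d.]+/containers/create$")),
    ("GET", re.compile(r"^/v[\d.]+/containers/json$")),
    ("POST", re.compile(r"^/v[\d.]+/containers/[^/]+/(start|stop|wait)$")),
    ("GET", re.compile(r"^/v[\d.]+/containers/[^/]+/logs$")),
    ("DELETE", re.compile(r"^/v[\d.]+/containers/[^/]+$")),
]

# Top-level ContainerCreate options we forward; anything else is silently dropped.
FORWARDED_KEYS = ("Image", "Cmd", "Entrypoint", "Env", "WorkingDir", "User")


class Rejected(Exception):
    """Raised when a request must not be forwarded to the Docker daemon."""


def check_endpoint(method: str, path: str) -> None:
    """Whitelist check: only supported API calls are proxied."""
    if not any(m == method and rx.match(path) for m, rx in ALLOWED_ENDPOINTS):
        raise Rejected(f"{method} {path} is not a supported API call")


def rebuild_create_payload(payload: dict, owner: str) -> dict:
    """Build a fresh ContainerCreate body containing only what the proxy allows."""
    host = payload.get("HostConfig") or {}
    if host.get("Privileged"):
        raise Rejected("Privileged containers are not allowed")
    for key in ("Binds", "Mounts", "Devices", "CapAdd", "SecurityOpt"):
        if host.get(key):
            raise Rejected(f"HostConfig.{key} is not allowed")
    for key in ("PidMode", "IpcMode", "NetworkMode", "UsernsMode"):
        if host.get(key) == "host":
            raise Rejected(f"HostConfig.{key}=host is not allowed")
    if OWNER_LABEL in (payload.get("Labels") or {}):
        raise Rejected("the ownership label is set by the proxy, not by the client")

    clean = {key: payload[key] for key in FORWARDED_KEYS if key in payload}
    if "Image" not in clean:
        raise Rejected("Image is required")
    labels = dict(payload.get("Labels") or {})
    labels[OWNER_LABEL] = owner  # lets monitoring (and the proxy) track who owns what
    clean["Labels"] = labels
    # Side containers inherit the build's cgroup; any Memory/CPU the client asked
    # for is dropped, the shared parent cgroup is what bounds the whole build.
    clean["HostConfig"] = {"CgroupParent": CGROUP_PARENT}
    return clean


def owns(resource: dict, owner: str) -> bool:
    """A build may only touch resources carrying its own ownership label."""
    return (resource.get("Labels") or {}).get(OWNER_LABEL) == owner


def filter_list_response(containers: list[dict], owner: str) -> list[dict]:
    """docker ps through the proxy: show the caller only the containers it created."""
    return [c for c in containers if owns(c, owner)]


# Constructed sample requests and daemon response, as a build job might see them.
BENIGN_CREATE = {"Image": "postgres:10", "Env": ["POSTGRES_PASSWORD=ci"],
                 "Labels": {"role": "db"}, "HostConfig": {"Memory": 1 << 30}}
ESCAPE_CREATE = {"Image": "alpine", "Cmd": ["sh"],
                 "HostConfig": {"Privileged": True,
                                "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
LISTING = [
    {"Id": "aaa", "Image": "postgres:10", "Labels": {OWNER_LABEL: "build-42"}},
    {"Id": "bbb", "Image": "jenkins/agent", "Labels": {OWNER_LABEL: "build-17"}},
    {"Id": "ccc", "Image": "nginx", "Labels": {}},
]

if __name__ == "__main__":
    check_endpoint("POST", "/v1.35/containers/create")
    print("forwarded:", rebuild_create_payload(BENIGN_CREATE, "build-42"))
    try:
        rebuild_create_payload(ESCAPE_CREATE, "build-42")
    except Rejected as exc:
        print("rejected:", exc)
    print("visible to build-42:", [c["Id"] for c in filter_list_response(LISTING, "build-42")])
```

The rebuild step is the important design choice: rather than trying to blacklist every dangerous HostConfig field (a list that grows with each Engine API version), the proxy copies only the fields it understands into a new body, so an option it has never heard of cannot slip through.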








41 comments:

Gecko said…

There are already several options:
- https://github.com/Tecnativa/docker-socket-proxy
- https://github.com/Logimethods/docker-eureka

ctalledo said…

Thanks Nicholas for the very good post.

For secure Docker-in-Docker, take a look at Nestybox (www.nestybox.com), which has developed a container runtime (Sysbox) that enables Docker-in-Docker securely (without privileged containers or socket connections to the host). I am the founder and CEO, and we are looking for early adopters and feedback.
