Continuous Integration Attacks Solution

 

Introduction

Docker containers can be of two kinds:

* Privileged containers
* Unprivileged containers

The former can be thought of as old-style containers. They're not safe at all and should only be used in environments where unprivileged containers aren't available and where you would trust your container's user with root access to the host. The latter were introduced back in Docker 1.0 (February 2014) and require a reasonably recent kernel (3.13 or higher). The upside is that we do consider those containers to be root-safe and therefore, as long as you keep on top of kernel security issues, those containers are safe. As privileged containers are considered insecure, we typically will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. We will however try to mitigate those issues so that accidental damage to the host is prevented.

Privileged containers

Privileged containers are defined as any container where the container uid 0 is mapped to the host's uid 0. In such containers, protection of the host and prevention of escape is entirely done through Mandatory Access Control (apparmor, selinux), seccomp filters, dropping of capabilities and namespaces. Those technologies combined will typically prevent any accidental damage to the host, where damage is defined as things like reconfiguring server hardware, reconfiguring the host kernel or accessing the host filesystem. Docker upstream's position is that those containers aren't and cannot be root-safe. They are still valuable in an environment where you are running trusted workloads or where no untrusted task is running as root in the containers. We are aware of a number of exploits which will let you escape such containers and get full root privileges on the host. Some of those exploits can be trivially blocked and so we do update our different policies once made aware of them. Some others aren't blockable as they would require blocking so many core features that the average container would become completely unusable.

Unprivileged containers

Unprivileged containers are safe by design. The container uid 0 is mapped to an unprivileged user outside of the container and only has extra rights on resources that it owns itself. With such containers, the use of SELinux, AppArmor, Seccomp and capabilities isn't necessary for security. Docker will still use those to add an extra layer of security which may be handy in the event of a kernel security issue, but the security model isn't enforced by them. To make unprivileged containers work, Docker interacts with three pieces of setuid code:

* Docker-user-nic (setuid helper to create a veth pair and bridge it on the host)
* newuidmap (from the shadow package, sets up a uid map)
* newgidmap (from the shadow package, sets up a gid map)

Everything else is run as your own user or as a uid which your user owns. As a result, most security issues (container escape, resource abuse, ...) in those containers will apply just as well to a random unprivileged user and so would be a generic kernel security bug rather than a Docker issue. Docker upstream is happy to help track such security issues and get in touch with the Linux kernel community to have them resolved as quickly as possible.

Potential DoS attacks

Docker doesn't pretend to prevent DoS attacks by default. When running multiple untrusted containers or when allowing untrusted users to run containers, one should keep a few things in mind and update their configuration accordingly:

Cgroup limits

Docker inherits cgroup limits from its parent; on my Linux distribution, there are no real limits set. As a result, a user in a container can fairly easily DoS the host by running a fork bomb, by using all the system's memory or by creating network interfaces until the kernel runs out of memory. This can be mitigated by either setting the relevant Docker.cgroup configuration entries (memory, cpu and pids) or by making sure that the parent user is placed in appropriately configured cgroups at login time.

User limits

As with cgroups, the parent's limits are inherited, so unprivileged containers cannot have ulimits set to values higher than their parent. However, there is one thing that's worth keeping in mind: ulimits are, as their name suggests, tied to a uid at the kernel level. That's a global kernel uid, not a uid inside a user namespace. That means that if two containers share, through identical or overlapping id maps, a common kernel uid, then they also share limits, meaning that a user in a first container can effectively DoS the same user in another container. To prevent this, untrusted users or containers ought to have entirely separate id maps (ideally of 65536 uids and gids each).
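The following check is an added example, not code from the original page or from the project it describes. It reports which containers share host (kernel) uids and therefore share ulimits, assuming each container's map is available as text in the kernel's three-column `/proc/<pid>/uid_map` layout (inside id, host id, count); the container names and maps are constructed sample data.

```python
from itertools import combinations

# Constructed sample data: container name -> text of its uid map
# (columns as in /proc/<pid>/uid_map: inside-id host-id count).
SAMPLE_MAPS = {
    "ci-alice": "0 100000 65536\n",
    "ci-bob": "0 165536 65536\n",
    "ci-carol": "0 150000 65536\n",                    # straddles alice and bob
    "ci-dave": "0 100000 1000\n1000 300000 64536\n",   # multi-line map
}


def parse_id_map(text):
    """Return the host-side ranges of a map as (start, end_exclusive) pairs."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        _inside, host, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        ranges.append((host, host + count))
    return ranges


def shared_host_ids(a, b):
    """Count host ids present in both range lists (ranges within one map
    are assumed not to overlap each other)."""
    return sum(max(0, min(e1, e2) - max(s1, s2))
               for s1, e1 in a for s2, e2 in b)


def find_overlaps(maps):
    """Return {(name_a, name_b): shared_id_count} for every overlapping pair."""
    parsed = {name: parse_id_map(text) for name, text in maps.items()}
    overlaps = {}
    for x, y in combinations(sorted(parsed), 2):
        shared = shared_host_ids(parsed[x], parsed[y])
        if shared:
            overlaps[(x, y)] = shared
    return overlaps


if __name__ == "__main__":
    for (x, y), n in find_overlaps(SAMPLE_MAPS).items():
        print(f"{x} and {y} share {n} host uids, so their ulimits are shared")
```

The same check applies unchanged to gid maps, which use the same layout.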

Shared network bridges

Docker sets up basic level 2 connectivity for its containers. As a convenience, it also provides one default bridge on the system. As a container connected to a bridge can transmit any level 2 traffic that it wishes, it can effectively do MAC or IP spoofing on the bridge. When running untrusted containers or when allowing untrusted users to run containers, one should ideally create one bridge per user or per group of untrusted containers and configure /etc/Docker/Docker-usernet such that users may only use the bridges that they have been allocated.

Reporting security issues

To ensure security issues can be fixed as quickly as possible and simultaneously in all Linux distributions, issues should be reported either:

* By e-mail to both serge.hallyn (at) ubuntu (dot) com AND stgraber (at) ubuntu (dot) com
* By opening a private security bug at http://launchpad.net/ubuntu/+source/Docker/+filebug

We will then confirm the security issue, come up with fixes against all supported releases, provide you those patches for testing and then get a CVE assigned as well as a coordinated release date for you and the Linux distribution community.