Docker penetration

Дмитрий Столяров

v4

Проникновение в Docker с примерами

Привет!# whoamidmitry.stolyarov# hostname -dflant.ru# cat /etc/motdПроникновение в Dockerс примерами

http://flant.ru

http://flant.ru

24×7×365 L1/L2/L3/L4 DevOps SLA

Опыт

ОпытOpenSolaris Zones

Опыт

Gentoo и Linux-VServer 2006

OpenSolaris Zones

Опыт


OpenSolaris Zones

procfs v1 by flant 2008

Опыт


OpenSolaris Zones


LXC

Опыт


OpenSolaris Zones


jailer by flant 2009

LXC

Опыт


OpenSolaris Zones



LXC

Docker 2013, осень

Опыт


OpenSolaris Zones



LXC

Docker 2013, осень

Docker 2014, 6 июня

Зачем проникать в Docker?

Continuous Delivery


Тестовые окружения

Continuous Delivery



Continuous Delivery

Контейнеры



Continuous Delivery



}>90%


Continuous Delivery


}>90% Не нужен доступ



Continuous Delivery

Контейнеры Нужен доступ

}>90% Не нужен доступ


OpenSSH OpenSSH

OpenSSH OpenSSH

:22 :22

OpenSSH OpenSSH

:22 :22

:23

OpenSSH OpenSSH

:22 :22

:23 :24

OpenSSH OpenSSH

:22 :22

reverse proxy

:22

Петя

OpenSSH

:22

Вася

Что такое Docker?


capabilities


capabilities (2.2 / 1999)



namespaces



namespaces (2.6.19 / Nov 2006)




cgroups




cgroups (2.6.24 / Jan 2008)




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)

overlay (3.18, Dec 2014)




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


kern

el




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el

unshare( );

unshare(CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID | CLONE_NEWUTS);


if(fork()) { wait(NULL); return 0;}



umount("/proc");mount("proc", "/proc", "proc", 0, 0);



umount("/proc");mount("proc", "/proc", "proc", 0, 0);

execl("/bin/bash", "/bin/bash", NULL);

#define _GNU_SOURCE#include <sched.h>#include <unistd.h>#include <sys/mount.h>#include <sys/wait.h>

int main() { unshare(CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID | CLONE_NEWUTS);

if(fork()) { wait(NULL); return 0; }

umount("/proc"); mount("proc", "/proc", "proc", 0, 0);

execl("/bin/bash", "/bin/bash", NULL);}

# gcc unshare.c -o unshare


# ./unshare


# ./unshare

# ps axPID TTY STAT TIME COMMAND 1 pts/0 S 0:00 /bin/bash 12 pts/0 R+ 0:00 ps ax


# ./unshare

# ps axPID TTY STAT TIME COMMAND 1 pts/0 S 0:00 /bin/bash 12 pts/0 R+ 0:00 ps ax

# netstat -natu… nothing#

pid

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid); open(pathbuf, O_RDONLY)

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);setns(open(pathbuf, O_RDONLY), 0);snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);setns(open(pathbuf, O_RDONLY), 0);............snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);setns(open(pathbuf, O_RDONLY), 0);





execl("/bin/bash", "/bin/bash", NULL);

#define _GNU_SOURCE#include <sched.h>#include <stdio.h>#include <stdlib.h>#include <unistd.h>#include <sys/wait.h>#include <fcntl.h>

int main(int argc, char **argv) { int pid = atoi(argv[1]); char pathbuf[100];

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid); setns(open(pathbuf, O_RDONLY), 0); snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid); setns(open(pathbuf, O_RDONLY), 0); snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid); setns(open(pathbuf, O_RDONLY), 0); snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid); setns(open(pathbuf, O_RDONLY), 0); snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid); setns(open(pathbuf, O_RDONLY), 0);

if(fork()) { wait(NULL); return 0; }

execl("/bin/bash", "/bin/bash", NULL);}

# gcc setns.c -o setns


# pstree -p $(pidof unshare)unshare(5136)───bash(5137)



# ./setns 5137



# ./setns 5137

# ps ax PID TTY STAT TIME COMMAND 1 pts/0 S+ 0:00 /bin/bash 42 pts/2 S 0:00 /bin/bash 52 pts/2 R+ 0:00 ps ax




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el ✔




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el ✔

# mkdir /sys/fs/cgroup/memory/mygroup


# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks



# cat /proc/$$/cgroup | grep memory6:memory:/mygroup




# bash




# bash# cat /sys/fs/cgroup/memory/mygroup/tasks216545624572





# echo $$ > /sys/fs/cgroup/memory/tasks# rmdir /sys/fs/cgroup/memory/mygroup





# echo $$ > /sys/fs/cgroup/memory/tasks# rmdir /sys/fs/cgroup/memory/mygroup




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el ✔ ✔

Docker это rocket science?

Примочка непонятного действия?

Docker медленный для production?

Docker НЕ безопасный для production?




cgroups (2.6.24 / Jan 2008)

veth (~ Sep 2007)

aufs (~ 2006)


Docker (~2014)

kern

el

Everything should be made as simple as possible, but not simpler.

Albert Einstein

Что нужно чтобы войти в Docker?


Узнать pid и id контейнера


Узнать pid и id контейнера# docker inspect -f '{{.State.Pid}} {{.Id}}' container_name


Добавить в cgroup`ы





for f in $(ls /sys/fs/cgroup/*/docker/$CONTAINER_ID/tasks) do echo $$ > $fdone




Сменить namepsace`ы




Сменить namepsace`ы

Снять лишние capabilities

Петя

OpenSSH

:22

Вася

Петя

OpenSSH

:22

Вася

Петя

OpenSSH

:22

Вася

PAM

Петя

OpenSSH

:22

Вася

pam_docker

Петя

OpenSSH

:22

Вася

pam_docker

ProFTPd

:21

Петя

OpenSSH

:22

Вася

pam_docker

ProFTPd

:21

su / sudo

Петя

OpenSSH

:22

Вася

pam_docker

ProFTPd

:21

su / sudo

cron

php_fpm: master

php_fpm: master

W W W

php_fpm: master

W W W W W W

php_fpm: master

W W W W W W

Наши docker-проекты github.com/flant/docker_penetration_experiment

github.com/flant/pam_docker

github.com/flant/php_fpm_docker

Дмитрий Столяров [email protected]

linkedin.com/in/distol

github.com/distol

Всем спасибо!

Тимофей Кириллов github.com/distorhead

http://github.com/flant/docker_penetration_experiment

http://github.com/flant/pam_docker

http://github.com/flant/php_fpm_docker

mailto:[email protected]

http://linkedin.com/in/distol

http://github.com/distol

http://github.com/distorhead

Technology

Docker penetration