Проникновение в Docker с примерами

Дмитрий Столяров
v4
Проникновение в Docker
с примерами

Привет!
# whoami
dmitry.stolyarov
# hostname -d
flant.ru
# cat /etc/motd
Проникновение в Docker
с примерами

24×7×365 L1/L2/L3/L4 DevOps SLA

Опыт
Gentoo и Linux-VServer 2006
OpenSolaris Zones

Опыт
OpenSolaris Zones
procfs v1 by flant 2008

Опыт
OpenSolaris Zones
LXC

Опыт
OpenSolaris Zones
jailer by flant 2009
LXC

Опыт
OpenSolaris Zones
LXC
Docker 2013, осень

Опыт
OpenSolaris Zones
LXC
Docker 2013, осень
Docker 2014, 6 июня

Зачем проникать в Docker?

Continuous Delivery

Тестовые окружения
Continuous Delivery

Continuous Delivery
Контейнеры

Continuous Delivery
}>90%

Continuous Delivery
}>90% Не нужен доступ

Continuous Delivery
Контейнеры Нужен доступ
}>90% Не нужен доступ

OpenSSH OpenSSH
:22 :22
:23 :24

OpenSSH OpenSSH
:22 :22
reverse proxy
:22

Что такое Docker?
capabilities

capabilities
(2.2 / 1999)

capabilities
(2.2 / 1999)
namespaces

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
kernel

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel

unshare(CLONE_NEWIPC | CLONE_NEWNS |
CLONE_NEWNET | CLONE_NEWPID |
CLONE_NEWUTS);

CLONE_NEWUTS);
if(fork()) {
wait(NULL);
return 0;
}

CLONE_NEWUTS);
if(fork()) {
wait(NULL);
return 0;
}
umount("/proc");
mount("proc", "/proc", "proc", 0, 0);

CLONE_NEWUTS);
if(fork()) {
wait(NULL);
return 0;
}
umount("/proc");
execl("/bin/bash", "/bin/bash", NULL);

#define _GNU_SOURCE
#include <sched.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>
int main() {
unshare(CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID |
CLONE_NEWUTS);
if(fork()) {
wait(NULL);
return 0;
}
umount("/proc");
}

# gcc unshare.c -o unshare
# ./unshare

# ./unshare
# ps ax
PID TTY STAT TIME COMMAND
1 pts/0 S 0:00 /bin/bash
12 pts/0 R+ 0:00 ps ax

# ./unshare
# ps ax
12 pts/0 R+ 0:00 ps ax
# netstat -natu
… nothing
#

snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);

open(pathbuf, O_RDONLY)

setns(open(pathbuf, O_RDONLY), 0);

snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);

snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);

snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);

snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);

............

............
if(fork()) {
wait(NULL);
return 0;
}

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <fcntl.h>
int main(int argc, char **argv) {
int pid = atoi(argv[1]);
char pathbuf[100];
snprintf(pathbuf, 100, "/proc/%d/ns/net", pid); setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid); setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid); setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid); setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid); setns(open(pathbuf, O_RDONLY), 0);
if(fork()) {
wait(NULL);
return 0;
}
}

# gcc setns.c -o setns
# pstree -p $(pidof unshare)
unshare(5136)───bash(5137)

# ./setns 5137

# ./setns 5137
# ps ax
1 pts/0 S+ 0:00 /bin/bash
52 pts/2 R+ 0:00 ps ax

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
✔

# mkdir /sys/fs/cgroup/memory/mygroup

# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks

# cat /proc/$$/cgroup | grep memory
6:memory:/mygroup

6:memory:/mygroup
# bash

6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572

6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572
# echo $$ > /sys/fs/cgroup/memory/tasks
# rmdir /sys/fs/cgroup/memory/mygroup

capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
✔ ✔

Примочка непонятного действия?

Docker медленный для production?

Docker НЕ безопасный для production?

Everything should be made
as simple as possible,
but not simpler.
Albert Einstein

Что нужно чтобы войти в Docker?

Узнать pid и id контейнера

# docker inspect -f '{{.State.Pid}} {{.Id}}' container_name

Добавить в cgroup`ы

for f in $(ls /sys/fs/cgroup/*/docker/$CONTAINER_ID/tasks)
do echo $$ > $f
done

Сменить namepsace`ы

Сменить namepsace`ы
Снять лишние capabilities

Петя
OpenSSH
:22
Вася
PAM

Петя
OpenSSH
:22
Вася
pam_docker

Петя
OpenSSH
:22
Вася
pam_docker
ProFTPd
:21

Петя
OpenSSH
:22
Вася
pam_docker
ProFTPd
:21
su / sudo

Петя
OpenSSH
:22
Вася
pam_docker
ProFTPd
:21
su / sudo
cron

Наши docker-проекты
github.com/flant/docker_penetration_experiment
github.com/flant/pam_docker
github.com/flant/php_fpm_docker
Дмитрий Столяров
dmitry.stolyarov@flant.ru
linkedin.com/in/distol
github.com/distol
Всем спасибо!
Тимофей Кириллов
github.com/distorhead

Проникновение в Docker с примерами

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Проникновение в Docker с примерами

Similaire à Проникновение в Docker с примерами (20)

Проникновение в Docker с примерами