{"id":757,"date":"2019-09-29T02:36:17","date_gmt":"2019-09-29T02:36:17","guid":{"rendered":"https:\/\/www.devsecops.ltd\/?p=757"},"modified":"2024-05-24T15:49:23","modified_gmt":"2024-05-24T15:49:23","slug":"lesson-1-understand-docker-from-a-security-perspective","status":"publish","type":"post","link":"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/","title":{"rendered":"Lesson 1: Understand Docker from a security perspective"},"content":{"rendered":"<blockquote><p>If you know the enemy and know yourself, you need not fear the result of a hundred battles \u2015 Sun Tzu<\/p><\/blockquote>\n<p><span style=\"font-size: 15px;\">A few years ago, I was doing a pentest and after spending 3 days, I couldn&#8217;t find even a single security issue.<\/span><\/p>\n<p>As this has never happened before, you can guess my frustration.<\/p>\n<p>Turnouts, I wasn\u2019t doing two things.<\/p>\n<p>One, I wasn&#8217;t following Sun Tzu&#8217;s wisdom.<\/p>\n<p>&#8220;If you know the enemy and know yourself, you need not fear the result of a hundred battles&#8221;<\/p>\n<p>I had knowledge but no wisdom. Wisdom is learning about the target before you attack it.<\/p>\n<p>I spent the next two days learning about the app (as a user) and tried pentesting the app again.<\/p>\n<p>Guess how many security issues did I find? a lot!<\/p>\n<p>So before you learn how to attack containers, you need to understand a few things about containers.<\/p>\n<ol>\n<li>What is a container (Docker)?<\/li>\n<li>Why do we use it?<\/li>\n<li>Who uses it, where and when?<\/li>\n<li>How can Docker make my life easier?<\/li>\n<\/ol>\n<p>So let&#8217;s dig in.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_67_1 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#What_is_Docker\" title=\"What is Docker?\">What is Docker?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#So_what_exactly_is_Docker\" title=\"So what exactly is Docker?\">So what exactly is Docker?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Why_should_you_learn_Docker\" title=\"Why should you learn Docker?\">Why should you learn Docker?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#ContainerDocker_Advantages\" title=\"Container\/Docker Advantages\">Container\/Docker Advantages<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Solves_dependency_collision\" title=\"Solves dependency collision.\">Solves dependency collision.<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Cross-platform\" title=\"Cross-platform\">Cross-platform<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Scalability\" title=\"Scalability\">Scalability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Proper_Resource_Utilization\" title=\"Proper Resource Utilization\">Proper Resource Utilization<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Provides_good_security\" title=\"Provides good security\">Provides good security<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Container_vs_VMs\" title=\"Container vs VMs\">Container vs VMs<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#DockerContainer_Disadvantages\" title=\"Docker\/Container Disadvantages\">Docker\/Container Disadvantages<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Poor_GUI_Support\" title=\"Poor GUI Support\">Poor GUI Support<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Poor_Windows_Support\" title=\"Poor Windows Support\">Poor Windows Support<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Lack_of_mature_Security_tools\" title=\"Lack of mature Security tools\">Lack of mature Security tools<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Lack_of_bare_metal_support\" title=\"Lack of bare metal support\">Lack of bare metal support<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Docker_Architecture_and_its_components\" title=\"Docker Architecture and its components\">Docker Architecture and its components<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Whats_in_it_for_me\" title=\"What\u2019s in it for me?\">What\u2019s in it for me?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Dockers_Role_in_DevOps\" title=\"Docker\u2019s Role in DevOps\">Docker\u2019s Role in DevOps<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Dockers_Role_in_Security_Industry\" title=\"Docker\u2019s Role in Security Industry\">Docker\u2019s Role in Security Industry<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#This_weeks_tasks\" title=\"This week\u2019s tasks\">This week\u2019s tasks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Lab_Setup_for_the_Docker_Security_Course\" title=\"Lab Setup for the Docker Security Course\">Lab Setup for the Docker Security Course<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Software_and_Hardware_requirements\" title=\"Software and Hardware requirements\">Software and Hardware requirements<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Hardware\" title=\"Hardware\">Hardware<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Software\" title=\"Software\">Software<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-25\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Reference_and_Further_Reading\" title=\"Reference and Further Reading\">Reference and Further Reading<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-26\" href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#Conclusion\" title=\"Conclusion\">Conclusion<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"What_is_Docker\"><\/span><strong>What is Docker?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you are into IT or technology in general, you might have heard about Docker.<\/p>\n<p><strong>According to Wikipedia<\/strong><br \/>\nDocker is a set of platform-as-a-service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.<\/p>\n<p>Sounds like watching a foreign movie with no subtitles right? Let me explain in simple terms.<\/p>\n<p><strong>Note<\/strong>: We will use the words container and docker interchangeably going forward.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"So_what_exactly_is_Docker\"><\/span>So what exactly is Docker?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker is a containerization tool that helps you in creating, packaging and deploying applications.<\/p>\n<p>Simply put \u201dinstead of just shipping your application, you also ship the environment required to run the application\u201d.<\/p>\n<p>So fewer moving parts, fewer chances of disasters.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why_should_you_learn_Docker\"><\/span>Why should you learn Docker?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>So you may ask why should I Learn docker?<\/p>\n<p>Let&#8217;s say, you are developing an application using python where you have to ensure that your application not only runs on your machine but works on the production system as well. But this application might work or might not, why?<\/p>\n<p>Because the production system might have different versions of python installed on it or different versions of the python libraries\/modules.<\/p>\n<p>This is where Docker comes into play.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"ContainerDocker_Advantages\"><\/span><strong>Container\/Docker Advantages<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h2><span class=\"ez-toc-section\" id=\"Solves_dependency_collision\"><\/span>Solves dependency collision.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker solves this problem. With docker, we can containerize the application with the required environment (os, libraries) and ship the application. Since it&#8217;s containerized into a single package, it won\u2019t cause dependency collision issues.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cross-platform\"><\/span>Cross-platform<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Since the same container image can be run on any Linux, Mac and Windows machine, Docker provides cross-platform compatibility and helps in easy deployment.<\/p>\n<p>Write once, run anywhere!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-830 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/we-are-docker-users.png\" alt=\"\" width=\"606\" height=\"445\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/we-are-docker-users.png 606w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/we-are-docker-users-300x220.png 300w\" sizes=\"(max-width: 606px) 100vw, 606px\" \/><\/p>\n<p>Now you may say, I\u2019m not a developer (but I\u2019m into operations) so why should I learn docker?<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Scalability\"><\/span>Scalability<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With docker, you can pretty easily scale your infrastructure as per your needs. If you are experiencing more load on your servers, you can increase the number of Docker containers. Similarly, if you are seeing less traffic, you might reduce the number of running containers.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Proper_Resource_Utilization\"><\/span>Proper Resource Utilization<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Unlike VMs there is no need to allocate extra resources (like RAM, CPU, and Disk) for OS. Containers use the host\u2019s kernel features (like namespaces, Cgroups, etc.) to run the container.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Provides_good_security\"><\/span>Provides good security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker provides good security defaults and reduces deployment complexity, which helps in reducing the attack surface of Docker. We will discuss more security aspects as we move forward in this course.<\/p>\n<p>Docker has many other advantages which is why top tech companies are using\/have started using it.<\/p>\n<p><span style=\"font-size: 15px;\">These are some of the companies which use Docker\u2019s container technology:<\/span><\/p>\n<ul>\n<li>Uber<\/li>\n<li>Visa<\/li>\n<li>PayPal<\/li>\n<li>Shopify<\/li>\n<li>Quora<\/li>\n<li>Splunk<\/li>\n<\/ul>\n<p><span style=\"font-size: x-small;\"><em>Source : https:\/\/www.docker.com\/customers<\/em><\/span><\/p>\n<p>There are many startups that are slowly adapting the docker technology because of the above-mentioned benefits.<\/p>\n<p>So if you wish to keep yourself updated with the latest technologies, it is important for you to learn docker.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Container_vs_VMs\"><\/span><strong>Container vs VMs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 15px;\">But Imran, \u201cvirtualization already solves most of these problems, what benefits does docker bring to the table which Virtualization doesn\u2019t? and why should I move to containers ?\u201d<\/span><\/p>\n<p>Let\u2019s compare containers with virtual machines to understand the benefits of Docker.<\/p>\n<p>In virtualization, each VM has its own guest OS\/kernel. This is an advantage in itself, as the VMs are independent and isolated from the host system. However, this approach comes with a significant drawback of allocating additional memory and storage for each VM.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-821 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-vs-vms.png\" alt=\"\" width=\"553\" height=\"509\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-vs-vms.png 945w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-vs-vms-300x276.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-vs-vms-768x706.png 768w\" sizes=\"(max-width: 553px) 100vw, 553px\" \/><\/p>\n<p>For example, you need to run 100 VMs simultaneously, each with 1GB of RAM, 1 CPU core and 20 Gigs of Disk.<\/p>\n<p><strong>1 GB * 100 = 100 GB<\/strong><br \/>\n<strong>1 CPU core * 100 = 100 CPU cores<\/strong><br \/>\n<strong>20 GB disk space * 100 = 2000 GB Disk<\/strong><\/p>\n<p>This increases the cost dramatically and reduces the performance of the overall system (hello, noisy neighbors).<\/p>\n<p>Since container technology uses the host&#8217;s kernel features to run a container, there\u2019s no Guest OS involved, which makes containers lean, fast and efficient than VMs as they have fewer layers compared to VMs.<\/p>\n<p>So the saved resources can be better utilized to run more containers.<\/p>\n<p>A picture is worth a thousand letters, let&#8217;s see an image which illustrates these points.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-829 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/VM-vs-Docker.png\" alt=\"\" width=\"639\" height=\"281\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/VM-vs-Docker.png 696w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/VM-vs-Docker-300x132.png 300w\" sizes=\"(max-width: 639px) 100vw, 639px\" \/><\/p>\n<p>The first half of the image shows that the containers (tenants) share the same kernel (House) as the owner (Host OS).<\/p>\n<p>In the second half of the image, VMs (tenant) do not share the same kernel as the owner (Host OS). Every VM is allocated a dedicated kernel and hardware resources (space), which cannot be used by other tenants (VMs).<\/p>\n<p>Due to reduced overhead in the container stack, containers boot faster and are much performant than VMs.<\/p>\n<p>In short, the container technology has more advantages than the Virtualization.<\/p>\n<p>So does this make virtualization technology extinct?<\/p>\n<p>No, Virtualization is here to stay, there are many scenarios where we prefer virtualization over container technology.<\/p>\n<p>To sum it up, we have created a simple comparison table for you.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong><span style=\"font-family: inherit;\">VMs<\/span><\/strong><\/td>\n<td><strong><span style=\"font-family: inherit;\">Containers<\/span><\/strong><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Heavyweight<\/span><\/td>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Lightweight<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Has its own OS<\/span><\/td>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Uses host OS<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Takes minutes to start<\/span><\/td>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Takes few milliseconds to start<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: normal; font-family: inherit;\">More secure<\/span><\/td>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Less secure*<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Uses more resources<\/span><\/td>\n<td><span style=\"font-weight: normal; font-family: inherit;\">Uses fewer resources<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>* An attacker needs to compromise both the guest and host OS to gain access to other VMs whereas in docker, just the host OS.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"DockerContainer_Disadvantages\"><\/span><strong>Docker\/Container Disadvantages<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>People usually talk about docker advantage but no one talks about its disadvantages.<\/p>\n<p>Like every other technology, Docker also has some disadvantages.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Poor_GUI_Support\"><\/span>Poor GUI Support<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker does not support GUI applications by default. There are some workarounds and hacks to overcome this issue but they are hacks, not features.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Poor_Windows_Support\"><\/span>Poor Windows Support<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker is a first-class citizen of Linux OS. Windows support is improving in recent times but it is far from Linux support.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Lack_of_mature_Security_tools\"><\/span>Lack of mature Security tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Lack of Guest OS in a container is both a boon and a curse at the same time. Boon, as it makes everything faster and efficient, but also a curse as exploiting a docker container might lead to system-wide compromise. Also, security monitoring tools for Docker are not as mature as non-container environments.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Lack_of_bare_metal_support\"><\/span>Lack of bare metal support<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker needs host OS to work. It doesn&#8217;t run on the bare metal server like Type 1 Hypervisor.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Docker_Architecture_and_its_components\"><\/span><strong>Docker Architecture and its components<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let us now understand docker architecture and its components.<\/p>\n<p>Docker\u2019s architecture is pretty simple and it has two main components<\/p>\n<ol>\n<li>Docker Client (CLI)<\/li>\n<li>Docker Server (Daemon)<\/li>\n<\/ol>\n<p><strong>Docker Client (CLI)<\/strong> &#8211; The Docker client talks to the Docker Daemon and asks it to do some job on its behalf. For example, a client (CLI) can request details regarding running containers, the daemon responds with the states of the running containers.<\/p>\n<p><strong>Docker Server (daemon)<\/strong> &#8211; The Docker Daemon, is a background process that manages the docker images, containers, and volumes as shown in the below image.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-817 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-architecture-simple.png\" alt=\"\" width=\"707\" height=\"336\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-architecture-simple.png 850w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-architecture-simple-300x143.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-architecture-simple-768x365.png 768w\" sizes=\"(max-width: 707px) 100vw, 707px\" \/><\/p>\n<p><span style=\"font-size: x-small;\"><em>Source: https:\/\/www.researchgate.net\/profile\/Yahya_Al-Dhuraibi\/publication\/308050257\/figure\/fig1\/AS:433709594746881@1480415833510\/High-level-overview-of-Docker-architecture.png<\/em><\/span><\/p>\n<p>Actually we lied, docker (&gt; 1.11) is not so simple anymore.<\/p>\n<p>Docker engine consists of many components (docker CLI, dockerd, containerd, and runC)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-818 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components-1024x576.png\" alt=\"\" width=\"752\" height=\"423\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components-1024x576.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components-300x169.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components-768x432.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components-1080x608.png 1080w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/Docker-components.png 1130w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/p>\n<p>isn&#8217;t it awesome? besides the technological trivia that will impress your friends at a party.<\/p>\n<p>This division helps you switch, a part of the stack with any other alternative and removes the dependency on one vendor (bye-bye vendor lock-in). For example, runC runtime can be replaced with CRI-O while still using dockerd and containerd from Docker.<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Whats_in_it_for_me\"><\/span><strong>What\u2019s in it for me?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h2><span class=\"ez-toc-section\" id=\"Dockers_Role_in_DevOps\"><\/span>Docker\u2019s Role in DevOps<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Docker is heavily used in Agile, Continuous Integration and Continuous Delivery (CI\/CD), Microservices and DevOps.<\/p>\n<p>After developers finish testing the application, they package it into a container and then the Ops team will simply deploy the container.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Dockers_Role_in_Security_Industry\"><\/span>Docker\u2019s Role in Security Industry<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Most organizations (if not all) are moving to container technology to help them achieve speed, scalability, and agility.<\/p>\n<p>Obviously, the security industry needs to secure these environments, so there is an increasing demand for security professionals who understand Docker and DevOps, etc.,<\/p>\n<p>Docker is heavily used to deploy security tooling in DevSecOps. We at <a href=\"https:\/\/www.devsecops.ltd\">Practical DevSecOps<\/a> rely on docker to deploy various SCA, SAST, DAST, and monitoring tools for our clients.<\/p>\n<p>Docker can also help you get few hundred to few thousand shells as part of post-exploitation \ud83d\ude42<\/p>\n<h1><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"This_weeks_tasks\"><\/span><strong>This week\u2019s tasks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Each week, I\u2019m going to share a lesson about Docker and then give you 1-2 hands-on tasks.<\/p>\n<p>If you commit to doing the work, you will get the results you want.<\/p>\n<p>This week we are going to do two tasks.<\/p>\n<ol>\n<li>I only covered \u201cKnow thy enemy\u201d but knowing yourself is the second most important thing, which I wasn\u2019t doing. The more you set your intention, the more likely you are to get it. Share what inspired you to learn Docker and what you would like to get out of this course by <a href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#respond\">commenting here<\/a> and you can also <a href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#respond\">interact with your fellow professionals here<\/a>.<\/li>\n<li>Set up the lab environment in your machine.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Lab_Setup_for_the_Docker_Security_Course\"><\/span>Lab Setup for the Docker Security Course<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Didn\u2019t we say, this course is going to be hands-on and practical? let\u2019s go ahead and set up a lab for this course.<\/p>\n<blockquote><p><span style=\"color: #e02b20;\"><strong>If you are our paid customer and taking any of our courses like CDE\/CDP\/CCSE\/CCNSE, please use the browser based lab portal to do all the exercises and do not use the below Virtual Machine.<\/strong><span style=\"font-size: 15px;\">\u00a0<\/span><\/span><\/p><\/blockquote>\n<p>Before proceeding, please ensure hardware and software prerequisites are met.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Software_and_Hardware_requirements\"><\/span><strong>Software and Hardware requirements<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><span class=\"ez-toc-section\" id=\"Hardware\"><\/span><strong>Hardware<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Laptop\/System with at least <strong>4GB of RAM, 15 GB free hard disk space<\/strong> and should be able to run a Virtual machine.<\/li>\n<li><strong>Administrator access<\/strong> to install software like Virtualbox, Extensions, etc., and to change BIOS settings.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"Software\"><\/span><strong>Software<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ol>\n<li>Virtualbox, you can <a href=\"https:\/\/www.virtualbox.org\/wiki\/Downloads\">download VirtualBox from here<\/a>.<\/li>\n<li><a href=\"https:\/\/drive.google.com\/drive\/folders\/1psfiYIA_N9wF4IP95rOvfHBryrfA_D4C?usp=sharing\">Docker Security Course OVA file<\/a><\/li>\n<\/ol>\n<p><strong>Extra<\/strong>: If you are new to VirtualBox and want to know more about installation and usage you can refer following links.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.virtualbox.org\/wiki\/Linux_Downloads\">Linux<\/a>.<\/li>\n<li><a href=\"https:\/\/medium.com\/@mannycodes\/installing-ubuntu-18-04-on-mac-os-with-virtualbox-ac3b39678602\">macOS<\/a> and <a href=\"https:\/\/www.makeuseof.com\/tag\/how-to-use-virtualbox\/\">Windows<\/a>.<\/li>\n<\/ul>\n<p><strong>Note<\/strong>: Please restart your machine after the Virtualbox installation.<\/p>\n<p>Now that we have installed Virtualbox and downloaded course OVA file. Let\u2019s configure the course virtual machine by following the below steps.<\/p>\n<p><strong>Step 1<\/strong>: Open Virtual Box<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-826 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox-1024x547.png\" alt=\"\" width=\"723\" height=\"386\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox-1024x547.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox-300x160.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox-768x410.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox-1080x577.png 1080w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-virtualbox.png 1294w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><\/p>\n<p><strong>Step 2<\/strong>: Click on file &gt; Import appliance<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-822 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/import-appliance.png\" alt=\"\" width=\"373\" height=\"283\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/import-appliance.png 373w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/import-appliance-300x228.png 300w\" sizes=\"(max-width: 373px) 100vw, 373px\" \/><\/p>\n<p>This will open a pop-up.<\/p>\n<p><strong>Step 3<\/strong>: Click on the file browser icon on the right side<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-825 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer-1024x576.png\" alt=\"\" width=\"722\" height=\"406\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer-1024x576.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer-300x169.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer-768x432.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer-1080x607.png 1080w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/open-explorer.png 1366w\" sizes=\"(max-width: 722px) 100vw, 722px\" \/><\/p>\n<p><strong>Step 4<\/strong>: Select the downloaded ova file (which you have downloaded from the software requirement section above) and click open<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-828 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file-1024x576.png\" alt=\"\" width=\"731\" height=\"411\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file-1024x576.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file-300x169.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file-768x432.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file-1080x607.png 1080w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-ova-file.png 1366w\" sizes=\"(max-width: 731px) 100vw, 731px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 5<\/strong>: Next click on the import button.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-815 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/appliance-settings.png\" alt=\"\" width=\"723\" height=\"447\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/appliance-settings.png 908w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/appliance-settings-300x185.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/appliance-settings-768x475.png 768w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><\/p>\n<p><strong>Step 6<\/strong>: Once the file is imported select the lab image and click on the start button.<img loading=\"lazy\" decoding=\"async\" class=\"wp-image-827 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start-1024x584.png\" alt=\"\" width=\"726\" height=\"414\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start-1024x584.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start-300x171.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start-768x438.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start-1080x616.png 1080w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/select-and-start.png 1299w\" sizes=\"(max-width: 726px) 100vw, 726px\" \/><\/p>\n<p><strong>Step 7<\/strong>: Once the VM finishes booting, login to the lab using the following credentials.<\/p>\n<p>Username: practical-devsecops<br \/>\nPassword: docker<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-824 alignnone size-large\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/login-practical-devsecops-1024x511.png\" alt=\"\" width=\"727\" height=\"363\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/login-practical-devsecops-1024x511.png 1024w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/login-practical-devsecops-300x150.png 300w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/login-practical-devsecops-768x383.png 768w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/login-practical-devsecops.png 1030w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 8<\/strong>: Verify the installation of the required software and packages by running the following commands one after the other.<\/p>\n<p><span style=\"font-size: 15px;\">Open a Terminal (aka command prompt) by clicking on the Menu \u2192 System Tools \u2192 LXTerminal<\/span><\/p>\n<p>To verify the installation of the docker, we can use the following command.<\/p>\n<blockquote><p>$ docker version<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-820 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-version-output.png\" alt=\"\" width=\"658\" height=\"502\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-version-output.png 658w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-version-output-300x229.png 300w\" sizes=\"(max-width: 658px) 100vw, 658px\" \/><\/p>\n<p>As a software industry tradition, we will start with a customary \u201cHello-world\u201d image.<\/p>\n<p>Open up the Terminal and type the following command.<\/p>\n<blockquote><p>$ docker run hello-world<\/p><\/blockquote>\n<p>Once the command finishes, you will see the output as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-819 alignnone size-full\" src=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-hello-world.png\" alt=\"\" width=\"629\" height=\"381\" srcset=\"https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-hello-world.png 629w, https:\/\/www.devsecops.ltd\/wp-content\/uploads\/2019\/09\/docker-hello-world-300x182.png 300w\" sizes=\"(max-width: 629px) 100vw, 629px\" \/><\/p>\n<p>That\u2019s it for this week\u2019s tasks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Reference_and_Further_Reading\"><\/span><strong>Reference and Further Reading<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>Docker getting started page <a href=\"https:\/\/docs.docker.com\/get-started\/\">https:\/\/docs.docker.com\/get-started\/<\/a><\/li>\n<li>Docker announces modular docker-engine design with dockerd, containerd and runC <a href=\"https:\/\/blog.docker.com\/2016\/04\/docker-engine-1-11-runc\/\">https:\/\/blog.docker.com\/2016\/04\/docker-engine-1-11-runc\/<\/a><\/li>\n<li>History of container technology <a href=\"https:\/\/opensource.com\/article\/18\/1\/history-low-level-container-runtimes\">https:\/\/opensource.com\/article\/18\/1\/history-low-level-container-runtimes<\/a><\/li>\n<\/ul>\n<h1><\/h1>\n<h3><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Today, you saw how powerful containers are and how you can leverage them to go to market faster. Using container technology, businesses can go to market faster, gain more customers, generate more revenue, provide employment to more people and create wealth for their nations.<\/p>\n<p>We have also configured the lab environment for our future docker security lessons.<\/p>\n<p>Next week, we will learn the technical nitty, gritty details of Docker like Docker Layers, Images, Containers, Registry and much more.<\/p>\n<p>Please stay tuned for our next lessons.<\/p>\n<p>Looking forward to seeing you next week, have a great week ahead.<\/p>\n<p>Best,<br \/>\n<strong>Imran and the Team <\/strong><br \/>\nIshaq, Joshua, Mohamed, Irfan.<\/p>\n<p><strong>P.S.<\/strong> Remember, <a href=\"https:\/\/www.devsecops.ltd\/lesson-1-understand-docker-from-a-security-perspective\/#respond\" target=\"_blank\" rel=\"noopener noreferrer\">leave a comment here<\/a>, we are curious to know what you would like to get out of this course.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lesson one of Practical DevSecOps\u2019s Free Docker Security Course.<\/p>\n","protected":false},"author":2,"featured_media":2027,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[16],"tags":[15],"_links":{"self":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/757"}],"collection":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/comments?post=757"}],"version-history":[{"count":2,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/757\/revisions"}],"predecessor-version":[{"id":242812,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/757\/revisions\/242812"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media\/2027"}],"wp:attachment":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media?parent=757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/categories?post=757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/tags?post=757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}