Hacker News new | ask | show | jobs
by Lai0chee 4270 days ago
Docker "isolation" is not as strong as most hipsters think. :-)
2 comments
wastedhours 4270 days ago
Interesting, any links which expand on the issues?
link
Lai0chee 4270 days ago
Docker is based on Linux namespaces. The first thing which comes to mind is that Docker does not use user namespaces. Hence, the root within Docker is the same root as on the host side. Of course Docker papers over the issue by using apparmor and other tricks but this does not cure the issue itself.

Linux containers (LXC, libvirt-lxc, Docker) are shared kernel visualization. Every single kernel vulnerability will hit you hard.

In contrast to LXC and libvirt-lxc Docker lets you configure a lot of insane setups which are not secure. (But easy to setup) Also keep in mind resource issues. If you setup your container in a wrong way it my eat all your available file descriptors, all memory, etc... (Because it is shared kernel)

Let's face it, the whole technology was not designed for sandboxing, more for easy deployment of applications.

That said, I really love container and use them a lot in production with libvirt-lxc. But I don't use them for sandboxing.

link
stevekemp 4270 days ago
This is the first that comes to mind:

http://blog.bofh.it/debian/id_413

link
kalmi10 4270 days ago
That's an article from 2011. This evasion does not work today.
link
stevekemp 4270 days ago
That example is old, but yes it does work, and will continue to work until docker uses user namespaces.

That said the example is not a good one because of the changes applied these days, e.g. the use of the UID on the host-side.

link
kalmi10 4270 days ago
I actually tried it on Docker 1.2.0 with the ubuntu:14.04 image.

/sys is already mounted and it is read-only, and it cannot be mounted manually:

  root@07ba8c752195:/# mkdir sys2
  root@07ba8c752195:/# mount -t sysfs sysfs /sys2
  mount: block device sysfs is write-protected, mounting read-only
  mount: cannot mount block device sysfs read-only
link
Lai0chee 4270 days ago
BTW: Just one example of a typical Linux namespace vulnerability: http://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-na...
link
stevekemp 4270 days ago
I tested this with the busybox image, and received a warning that /sys was already mounted, but the attack then proceded to work as expected.
link
nickstinemates 4270 days ago
A lot developing in this space. Will have more to talk about soon :)
link