InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Attacking and securing Docker containers

Mattia Zignale
Published in InfoSec Write-ups
6 min read · Feb 7, 2023


Docker Architecture

If you are reading this article I assume you already know how Docker works under the hood; still, let’s quickly recap the major concepts:

Docker Client

This is the part most users interact with: the client is the CLI front end to the Docker daemon, and it is used to manage containers, images and registries.

It can also be used to manage the networks and volumes used by containers.

Some of the commands you can run with the Docker client:

#RUN AN NGINX CONTAINER IN THE BACKGROUND, BINDING HOST PORT 80 TO CONTAINER PORT 80
docker run -d -p 80:80 nginx
#PULL THE UBUNTU 22.04 IMAGE
docker pull ubuntu:22.04
#LIST THE IMAGES PRESENT ON YOUR DOCKER HOST
docker images
#MANAGE DOCKER NETWORKS (RUN ALONE, IT PRINTS THE SUBCOMMAND HELP)
docker network
#MANAGE DOCKER VOLUMES (RUN ALONE, IT PRINTS THE SUBCOMMAND HELP)
docker volume

Docker Daemon

The Docker daemon is the core of the Docker environment: it runs containers, pulls images and manages all the networks and volumes.

You normally talk to the Docker daemon through a client, or, if you want to make things hard, you can connect directly to the Docker socket, where the daemon listens for API requests.

Docker Registry

The Docker registry is where the Docker images are stored.

By default Docker looks for images on Docker Hub, but if another registry is configured, images are pulled from that one instead. A registry can be public or private, the latter requiring authentication.

Threats to the Docker environment

Docker socket

The Docker socket /var/run/docker.sock is the UNIX socket that Docker listens on, and it is owned by the root user. This is the primary entry point to the Docker API.

Root cause:

docker run -d -v /var/run/docker.sock:/var/run/docker.sock <image_name>:<image_tag>

An attacker who can reach the socket can issue requests to the Docker daemon (which runs as root on the Docker host) in order to:

  • start a privileged container and break out of it;
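To spot containers started the way the root-cause command above shows (the daemon socket bind-mounted inside them) or with --privileged, here is an added audit script that is not part of the original article: it parses `docker inspect` JSON, whose Mounts, HostConfig.Binds and HostConfig.Privileged fields are standard output, and the sample data below is constructed.

```python
"""Audit `docker inspect` JSON for the two risky settings above: a bind mount of
the Docker socket and --privileged.  Added example, not from the original
article; the Mounts/HostConfig fields are standard docker inspect output."""
import json
import subprocess

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_containers(inspect_json: str) -> list:
    """Return one finding per risky container in the inspect output."""
    findings = []
    for c in json.loads(inspect_json):
        host_cfg = c.get("HostConfig") or {}
        # Bind mounts appear under Mounts[].Source and HostConfig.Binds ("src:dst[:opts]").
        sources = {m.get("Source", "") for m in c.get("Mounts") or []}
        sources |= {b.split(":")[0] for b in host_cfg.get("Binds") or []}
        issues = []
        if any(s.rstrip("/") == DOCKER_SOCKET for s in sources):
            issues.append("docker socket mounted")
        if host_cfg.get("Privileged"):
            issues.append("privileged")
        if issues:
            findings.append({"id": c.get("Id", "")[:12],
                             "name": c.get("Name", "").lstrip("/"),
                             "issues": issues})
    return findings


def audit_running_containers() -> list:
    """Run the audit against the live daemon (needs the docker CLI on PATH)."""
    docker = lambda *a: subprocess.run(["docker", *a], capture_output=True, text=True, check=True).stdout
    ids = docker("ps", "-q").split()
    return audit_containers(docker("inspect", *ids)) if ids else []


# Constructed sample resembling `docker inspect` output: one container started with the
# root-cause command above, one privileged container, one harmless read-only bind mount.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6a7b8", "Name": "/sock-mounter", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]},
    {"Id": "0f1e2d3c4b5a6978", "Name": "/priv-box", "HostConfig": {"Privileged": True}, "Mounts": []},
    {"Id": "feedfacecafebeef", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}, "Mounts": []},
])

if __name__ == "__main__":
    for f in audit_containers(SAMPLE_INSPECT):
        print(f"{f['id']} {f['name']}: {', '.join(f['issues'])}")
```

Running the script prints the two risky containers from the sample; `audit_running_containers()` does the same against the live daemon.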


Written by Mattia Zignale
Cybersecurity lover — Security Engineer
