Recently, I began to use docker for my lab's server. The server is a Linux server with Ubuntu server 18.04 installed. Users' login authentication uses Windows Active Directory (AD). My current solution to run non-root docker is to add users to the docker group (ref).
However, I found a severe security problem. AD user A can run a docker container as any other user B with docker run -u <B's uid>:<B's gid>. In the container, A gets all of B's permissions.
The proper way to run non-root docker may be the newly introduced 'Rootless mode'. The problem is that rootless mode needs newuidmap and newgidmap, but AD users are not listed in /etc/passwd, /etc/subuid, etc., which means neither rootless mode nor userns-remap mode can be used in my situation (i.e. AD auth).
Is there any method to tackle this issue? Thanks so much.
Best.
Related
Motivation
Running DDEV for a diverse team of developers (front-end / back-end) on various operating systems (Windows, MacOS and Linux) can become time-consuming, even frustrating at times.
Hoping to simplify the initial setup, I started working on an automated VS Code Remote Container setup.
I want to run DDEV in a VS Code Remote Container.
To complicate things, the container should reside on a remote host.
This is the current state of the setup: caillou/vs-code-ddev-remote-container#9ea3066
Steps Taken
I took the following steps:
Set up VS Code to talk to a remote Docker installation over ssh. You just need to add the following to VS Code's settings.json: "docker.host": "ssh://username@host".
Install Docker and create a user with UID 1000 on said host.
Add docker-cli, docker-compose, and ddev to the Dockerfile, cf. Dockerfile#L18-L20.
Mount the Docker socket in the container and use the remote user with UID 1000. In the example, this user is called node: devcontainer.json
What Works
Once I launch the VS Code Remote Container extension, an image is built using the Dockerfile, and a container is run using the parameters defined in the devcontainer.json.
I can open a terminal window and run sudo docker ps. This lists the container I am in, and its siblings.
My Problem
DDEV needs to create docker containers.
DDEV can not be run as root.
On the host, the user with UID 1000 has the privilege to run Docker.
Within the container, the user with UID 1000 does not have the privilege to run Docker.
The Question
Is there a way to give an unprivileged user access to Docker within Docker?
I'm opening my Docker server to more users and I'm facing this problem: when I do docker ps with a user that is not the author of the container (e.g. paul), I see all the containers and can interact with them (stop, kill, etc.), and that's not what I would like.
What could be a good way to restrict containers to their original user and then not have access to all of them on the server, so when I do docker ps I see just the containers ran by paul and not jack or jess?
All my containers are started with different users, none with root.
Anyone with access to Docker is equivalent to root.
Consider that I can run something like this:
docker run -v /:/host alpine
Now I can edit any file on your host with root privileges.
Docker is fundamentally not a multi-user tool. Either you trust everybody, or you use virtualization to give everyone their own individual Docker instance, or you front Docker with some sort of API proxy that limits the things people can do.
Because it's not a multi-user tool, Docker doesn't really keep track of the user that started a container, so there's no way to filter on that information.
On my computer (Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64), Docker version 18.03.0-ce, build 0520e24), if user A launches a container (docker run), user B may stop it (docker stop).
How can I configure Docker so that a user may only stop the containers they started?
There is no way to do this in docker. This is because docker containers by nature run as root. This means that someone could deploy a container where they have root access, give themselves access to the host environment through volume maps, and bam, they have root access on the host.
If you want to have multiple users have docker environments, and they should be segregated, you will either have to roll-your-own solution for this (that involves not giving access to the docker machine OR containers via command line), or you will need to have multiple machines (one per user) that they can be segregated to.
Here is a good article on docker root escalation: http://container-solutions.com/docker-security-admin-controls-2/ (mirror).
By exposing the Docker CLI to a user, by adding the user to the docker usergroup or making him an admin user, he can create, remove and kill containers. He can even change the configuration of the Docker daemon.
If CLI access is not required, you can change this by denying access for all users except the admin user.
User management can be managed by using solutions such as portainer or docker ucp.
I have created a docker container from the ubuntu image. Other users can attach to this container by docker exec -it CONTAINER_ID bash. Is there a way to add a username and password for this command? I don't want my container to be accessed by other users. I want that when users execute the docker exec command to attach to my container, it prompts them for a username and password. Users can only attach to it after entering a correct username and password. Just like what ssh does.
Access to the docker socket (which is used by the docker command line), should be treated as sysadmin level access to the host and all containers being run on that host.
You can configure the docker daemon to listen on a port with TLS credentials and validation of client certificates. However, once a user has access to any docker API calls, they would have access to them all, and without any login prompts.
You could try a third party plugin provided by Twistlock that implements the authz plugin for docker. This will let you limit access to the exec call to specific TLS client certificates. However it will not limit which containers they can exec into.
Probably the closest to what you want comes with Docker's EE offering, specifically UCP. It's a commercial tool, but they provide a different API entrypoint that performs its own authentication, including the option for a user/password with web based requests, and RBAC security that lets you limit access to calls like exec to specific users and specific collections of containers.
If you wanted to do this from the container side, I'm afraid that won't work. Exec is run as a Linux exec syscall directly inside the container namespace, so there's nothing inside the container you could do to prevent that sort of access. The best option is to remove any commands from your image that you don't want anyone to be able to run in the container.
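The answers above leave two ways out that are not "trust everybody": front the daemon with an API proxy, or load an authorization plugin that screens calls such as exec. The following is an added Python sketch of the policy half of such an authz plugin. It is not code from any of the posts, from Twistlock, from Docker or from UCP. It assumes Docker's authz plugin protocol (the engine POSTs a JSON object with User, UserAuthNMethod, RequestMethod, RequestURI and a base64-encoded RequestBody to /AuthZPlugin.AuthZReq and expects {"Allow": bool, "Msg": str} back), that User carries the TLS client certificate subject when the daemon enforces client certificates, and that the allow-list EXEC_ALLOWED_USERS and the SENSITIVE_HOST_PATHS list are made up for the illustration. As the Twistlock answer notes, this restricts who may exec, not which container they exec into.

```python
"""Minimal Docker authorization-plugin policy, added here as an illustration.

Not Twistlock's plugin and not Docker's or UCP's code. Assumptions: the engine
POSTs a JSON object to /AuthZPlugin.AuthZReq with User, UserAuthNMethod,
RequestMethod, RequestURI and RequestBody (raw HTTP body, base64-encoded) and
expects {"Allow": bool, "Msg": str} back; User is the TLS client certificate
subject when the daemon enforces TLS client auth, and is empty over the plain
unix socket, which this policy denies rather than trusts. The user allow-list
and the sensitive path list are invented for the example.
"""
import base64
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical policy data (assumption: certificate CNs double as user names).
EXEC_ALLOWED_USERS = {"admin", "jess"}
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")

# API paths, with or without the /v1.xx version prefix the CLI sends.
EXEC_RE = re.compile(r"^(/v[\d.]+)?/containers/[^/]+/exec$")
CREATE_RE = re.compile(r"^(/v[\d.]+)?/containers/create$")


def encode_body(obj):
    """Encode a request body the way the engine ships it to the plugin."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode_body(b64):
    """Inverse of encode_body; anything unparsable is treated as an empty body."""
    if not b64:
        return {}
    try:
        data = json.loads(base64.b64decode(b64))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return {}
    return data if isinstance(data, dict) else {}


def is_sensitive(src):
    """True for the host root or any path at or below a listed sensitive path."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def deny(msg):
    return {"Allow": False, "Msg": msg}


def authorize(req):
    """Decide one AuthZReq; returns the plugin's JSON response as a dict."""
    user = req.get("User") or ""
    method = req.get("RequestMethod", "").upper()
    uri = req.get("RequestURI", "").split("?", 1)[0]

    if not user:
        return deny("request without an authenticated user")

    if method == "POST" and EXEC_RE.match(uri) and user not in EXEC_ALLOWED_USERS:
        return deny(f"user {user} is not allowed to exec into containers")

    if method == "POST" and CREATE_RE.match(uri):
        host_config = decode_body(req.get("RequestBody")).get("HostConfig") or {}
        if host_config.get("Privileged"):
            return deny("privileged containers are not allowed")
        # `-v SRC:DST` lands in HostConfig.Binds; `--mount type=bind` in HostConfig.Mounts.
        sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
        sources += [m.get("Source", "") for m in host_config.get("Mounts") or []
                    if m.get("Type") == "bind"]
        for src in sources:
            if is_sensitive(src):
                return deny(f"bind mount of {src} is not allowed")

    return {"Allow": True}


class AuthZHandler(BaseHTTPRequestHandler):
    """HTTP side of the plugin: activation handshake plus the two authz hooks."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/Plugin.Activate":
            resp = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            resp = authorize(req)
        else:  # /AuthZPlugin.AuthZRes (response hook): nothing to filter here
            resp = {"Allow": True}
        data = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Assumption: the daemon is pointed at this plugin via a spec file such as
    # /etc/docker/plugins/example-authz.spec containing tcp://127.0.0.1:8080
    # and started with --authorization-plugin=example-authz.
    HTTPServer(("127.0.0.1", 8080), AuthZHandler).serve_forever()
```

The policy is deliberately allow-by-default with a few explicit denies, which is enough to show the mechanism; a production plugin would invert that and would also have to cover every other path to the same outcome (for example devices, capabilities and the container's user), since, as the answers stress, any gap is a root-equivalent gap.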
I am using a CentOS 6.9 system on a high performance computation platform and I want to use docker as a non-root user. Is there a method by which I can build docker from source and not need root privilege?
This shouldn't be possible as it would be a major security concern.
When docker is installed on a machine, users with docker access (not necessarily root) can start containers. In particular, they can start containers in privileged mode, giving the container access to all host devices.
More importantly, a user with access to docker can mount directories owned exclusively by machine root. Since by default, a root user inside the container will have access to mounted root-owned directories inside the container, this will allow any Docker container started by a non-root user to access critical machine stuff.
Therefore, the sequence of having a non-root user install Docker and start containers should not be allowed as it can compromise the whole machine.
Check this explicit comment from one of the docker maintainers.
Update to yamenk's answer:
There is now an official rootless mode for Docker: Run the Docker daemon as a non-root user
Here's an explanation of how it works from one of Docker engineers:
Experimenting with Rootless Docker
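Rootless mode, as pointed out above, is the one answer on this page that does not boil down to "trust everybody or give everyone a VM", and the first question shows where it fails: newuidmap and newgidmap need a subordinate-ID range for the user in /etc/subuid and /etc/subgid, which directory-backed (AD) accounts usually do not have. The following is an added Python check for that prerequisite; it is not code from any of the posts or from Docker. It assumes the owner:start:count line format of those files, Docker's documented minimum of 65,536 subordinate IDs per user, and that newer shadow-utils also accept a numeric UID or GID as the owner field (so such entries are counted too); the sample file contents in the comments are constructed.

```python
"""Check whether a login (local or AD) owns the subordinate-ID ranges that
newuidmap/newgidmap, and therefore rootless Docker, require.

Added illustration; not part of any post above and not Docker's code.
Assumptions: /etc/subuid and /etc/subgid hold one owner:start:count entry per
line; rootless Docker needs at least 65,536 subordinate UIDs and GIDs for the
user (Docker's documented figure); newer shadow-utils also accept a numeric
UID/GID as the owner field, so entries keyed that way are counted as well.
"""
import getpass
import pwd
import shutil

SUBID_MIN = 65536  # minimum range rootless Docker asks for


def parse_subid(text):
    """Return {owner: total count} from well-formed owner:start:count lines.

    Constructed sample input:
        jess:100000:65536
        paul:165536:1000
        # comment and malformed lines are skipped
    """
    totals = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue
        owner, start, count = parts
        if not (start.isdigit() and count.isdigit()) or int(count) == 0:
            continue
        totals[owner] = totals.get(owner, 0) + int(count)
    return totals


def subid_total(owner, text, numeric_id=None):
    """Sum the ranges a user owns, keyed by name and (assumption) by numeric ID."""
    totals = parse_subid(text)
    total = totals.get(owner, 0)
    if numeric_id is not None:
        total += totals.get(str(numeric_id), 0)
    return total


def rootless_ready(user, subuid_text, subgid_text, uid=None, gid=None):
    """Return (ok, reasons); ok is True only when both ranges are large enough."""
    reasons = []
    sub_uids = subid_total(user, subuid_text, uid)
    sub_gids = subid_total(user, subgid_text, gid)
    if sub_uids < SUBID_MIN:
        reasons.append(f"{user} owns {sub_uids} sub-UIDs in /etc/subuid, needs {SUBID_MIN}")
    if sub_gids < SUBID_MIN:
        reasons.append(f"{user} owns {sub_gids} sub-GIDs in /etc/subgid, needs {SUBID_MIN}")
    return (not reasons, reasons)


def read_or_empty(path):
    """A missing file means no ranges at all, not a crash."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


def check_current_user():
    """Run the check for the invoking user. The UID/GID come from NSS via pwd,
    which is how an AD user resolves even though it is absent from /etc/passwd;
    the subordinate files, by contrast, are plain files and know nothing of AD."""
    user = getpass.getuser()
    pw = pwd.getpwnam(user)
    ok, reasons = rootless_ready(user, read_or_empty("/etc/subuid"),
                                 read_or_empty("/etc/subgid"), pw.pw_uid, pw.pw_gid)
    for tool in ("newuidmap", "newgidmap"):
        if shutil.which(tool) is None:
            ok, reasons = False, reasons + [f"{tool} not found in PATH"]
    return ok, reasons


if __name__ == "__main__":
    ready, why = check_current_user()
    print("rootless prerequisites present" if ready else "\n".join(why))
```

Running this as the AD user in the first question reproduces the failure it describes (zero sub-UIDs and sub-GIDs), and it tells an administrator exactly which file needs an entry for which account before rootless mode can be attempted.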