
Secure Docker environment

shinsuke-mat edited this page Jul 28, 2020 · 1 revision

2020/07/28 memo

Hardening the Docker environment for the public release of kdemo

Check the distribution

[kdemo]$ cat /etc/*-release
CentOS Linux release 7.7.1908 (Core)

Update the Docker engine version

Currently 1.13:

[kdemo]$ sudo docker -v
Docker version 1.13.1, build cccb291/1.13.1

[kdemo]$ sudo yum upgrade docker
[kdemo]$ sudo docker -v
Docker version 1.13.1, build 64e9980/1.13.1

It seems 1.13 is the latest.

Enable Docker Content Trust (DCT)

A mechanism that guards against tampered images when pulling Docker images.

http://pocketstudio.jp/log3/2015/08/14/content-trust-docker-1-8-ja/

$ export DOCKER_CONTENT_TRUST=1

Block outbound traffic

First, a check: with near-default settings, can the container reach the outside? Naturally it can, which means it could be used as a stepping stone.

$ sudo docker exec -it kdemo /bin/sh
/kdemo # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=114 time=1.718 ms
64 bytes from 8.8.8.8: seq=1 ttl=114 time=1.573 ms
...
/kdemo # wget www.google.com
Connecting to www.google.com (216.58.197.4:80)
saving to 'index.html'

Goal: block all outbound ICMP and TCP.

First, check the interfaces and routing.

[kdemo]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
...
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 50:65:f3:41:7e:6a brd ff:ff:ff:ff:ff:ff
    inet 133.1.236.35/27 brd 133.1.236.63 scope global noprefixroute enp5s0
    ...
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 50:65:f3:41:7e:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.146.250/24 brd 192.168.146.255 scope global noprefixroute eno1
    ...
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:e4:07:cc:7e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:e4ff:fe07:cc7e/64 scope link
       valid_lft forever preferred_lft forever
[kdemo]$
[kdemo]$ ip route
default via 133.1.236.62 dev enp5s0 proto static metric 101
133.1.236.32/27 dev enp5s0 proto kernel scope link src 133.1.236.35 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.146.0/24 dev eno1 proto kernel scope link src 192.168.146.250 metric 100

The interface is docker0; all traffic to 172.17.0.0/16 is routed to docker0. Next, check iptables.

[kdemo]$ sudo iptables -v -L
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7499   31M DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
 4071   27M DOCKER     all  --  any    docker0  anywhere             anywhere
 ...
Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  471 60200 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:hbci

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7492   31M RETURN     all  --  any    any     anywhere             anywhere

The DOCKER chain probably handles the routing. Blocking in the DOCKER-ISOLATION chain looks like the right place.

(omitted: trial and error)

[kdemo]$ sudo iptables -I DOCKER-ISOLATION -p tcp -m tcp --dport 80 -j DROP
[kdemo]$ sudo iptables -I DOCKER-ISOLATION -p icmp -j DROP

[kdemo]$ sudo iptables -v -L DOCKER-ISOLATION
[sudo] password for lab:
Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 DROP       icmp --  any    any     anywhere             anywhere
    5   300 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:http
 7553   31M RETURN     all  --  any    any     anywhere             anywhere

This looks good. Access from the browser works as usual, and WebSockets work fine too (not sure why). Meanwhile, all traffic from inside the container to the outside is blocked. OK.

[kdemo]$ sudo docker exec -it kdemo /bin/sh
/kdemo # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/kdemo #
/kdemo # wget www.google.com
Connecting to www.google.com (216.58.197.4:80)
^C
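The two rules above only match ICMP and TCP port 80 (the dpt:http entry in the listing), so other outbound connections such as TCP 443 or UDP still pass through the RETURN rule. The following script is an added example, not part of the original memo: it drops every new outbound connection leaving the bridge while letting reply traffic for published ports (browser to container) out, assuming the bridge is docker0 and the chain is DOCKER-ISOLATION as on this page, and root/sudo when applying.

```sh
#!/bin/sh
# Added example (not from the original memo): block NEW outbound connections
# from containers on the docker0 bridge while still letting reply packets of
# published-port connections (browser -> container) flow back out.
# Assumptions: bridge "docker0" and chain "DOCKER-ISOLATION" as on the page.

BRIDGE="${BRIDGE:-docker0}"
CHAIN="${CHAIN:-DOCKER-ISOLATION}"

# Print the iptables commands, one per line, without running them.
# Rule order matters: the chain is walked top-down, so the RETURN for
# established/related traffic must sit above the catch-all DROP.
egress_block_rules() {
    bridge="$1"; chain="$2"
    # 1) Replies belonging to connections the outside opened to a published
    #    port may leave the bridge. RETURN hands the packet back to FORWARD,
    #    where Docker's own rules ACCEPT it.
    printf 'iptables -I %s 1 -i %s ! -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN\n' \
        "$chain" "$bridge" "$bridge"
    # 2) Everything else leaving the bridge (new TCP on any port, UDP, ICMP
    #    echo, ...) is dropped; this is broader than the per-port rules above.
    printf 'iptables -I %s 2 -i %s ! -o %s -j DROP\n' \
        "$chain" "$bridge" "$bridge"
}

# Execute the generated rules in order, echoing each one first.
apply_egress_block() {
    egress_block_rules "$BRIDGE" "$CHAIN" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

case "${1:-}" in
    --apply) apply_egress_block ;;            # run as root: ./egress.sh --apply
    *)       egress_block_rules "$BRIDGE" "$CHAIN" ;;   # dry run: just print
esac
```

Docker manages DOCKER-ISOLATION itself and may rebuild it on daemon restart, so the rules may need re-applying; engines from 17.06 on provide the DOCKER-USER chain for exactly this kind of custom rule.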

Close inter-container communication

Not needed for now, so skipping.