{"id":1163,"date":"2016-02-02T06:52:39","date_gmt":"2016-02-02T06:52:39","guid":{"rendered":"https:\/\/trouble.org\/?p=1163"},"modified":"2016-02-02T06:52:39","modified_gmt":"2016-02-02T06:52:39","slug":"stupid-docker-tricks-239192","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1163","title":{"rendered":"stupid docker tricks #239192"},"content":{"rendered":"

\"yo1) Limit max processes on container; unfortunately docker seems intent on me not doing docker stupid tricks, so\u00a0this is actually a bit of a pain on some systems\u2026 but if you figure out\/etc\/security\/limits.conf, or can use prlimit (or write your own<\/a>; use\u00a0RLIMIT_NPROC instead of RLIMIT_NOFILE), you can do\u00a0<\/span>“prlimit –pid 666 –nproc=3:3” to limit the processes on the system to a very small number. Say… only what you’re running inside of it.<\/p>\n

2) Start\u00a0your container with a single threaded server (running as an unpriv’d user of course!)<\/p>\n

3) Compromise #2, say with a buffer overrun, execute shell\u2026 and get “bash: fork: retry: Resource temporarily unavailable\u201d. \u00a0Can’t fork off anymore processes, denied!<\/p>\n

Obviously attackers can do a zillion things other than simply executing another process\u2026 but not being able to execute anything on the (hopefully stripped down and hopefully one without bash anyway :)) container that’s listening to the big bad Internet is pretty nifty.<\/p>\n

Docker can be a stupendous boon to security, you can do things you simply can’t do without it, not in the real world. Who cares about continuous integration? Docker is for security, dawg.<\/p>\n

dan<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

1) Limit max processes on container; unfortunately docker seems intent on me not doing docker stupid tricks, so\u00a0this is actually a bit of a pain on some systems\u2026 but if you figure out\/etc\/security\/limits.conf, or can use prlimit (or write your own; use\u00a0RLIMIT_NPROC instead of RLIMIT_NOFILE), you can do\u00a0“prlimit –pid 666 –nproc=3:3” to limit the processes […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,146,4,55],"tags":[344,334,318,343],"class_list":["post-1163","post","type-post","status-publish","format-standard","hentry","category-cats","category-hack","category-security","category-virtual","tag-docker","tag-hack","tag-security","tag-yo-dawg"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1163"}],"version-history":[{"count":2,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1163\/revisions"}],"predecessor-version":[{"id":1249,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1163\/revisions\/1249"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}