1
00:00:02,590 --> 00:00:04,690
‫All right. We know not to run as root in the container.

2
00:00:05,350 --> 00:00:08,550
‫But, outside the container, the root in the container,

3
00:00:08,560 --> 00:00:11,919
‫by the way, doesn't have a direct access

4
00:00:11,920 --> 00:00:13,301
‫to anything on the host, right. Just because you're root in

5
00:00:13,302 --> 00:00:14,830
‫a container, you're still jailed in there.

6
00:00:15,250 --> 00:00:16,250
‫But, if you want

7
00:00:18,590 --> 00:00:21,949
‫to take that next level, where if the user even has root in

8
00:00:21,950 --> 00:00:23,913
‫the container, wants to break out to the host, because

9
00:00:24,650 --> 00:00:26,399
‫there is a kernel of vulnerability like we talked about,

10
00:00:26,400 --> 00:00:29,082
‫like dirty Cow or another vulnerability in Docker

11
00:00:29,390 --> 00:00:30,390
‫or something.

12
00:00:30,800 --> 00:00:33,413
‫Then, the next step you do here is enabling user

13
00:00:33,910 --> 00:00:35,503
‫namespaces, which is not enabled by default.

14
00:00:36,670 --> 00:00:38,270
‫I have a link here that takes to a blog article that talks

15
00:00:38,271 --> 00:00:39,271
‫all about it.

16
00:00:39,970 --> 00:00:43,180
‫Basically, it's a per host setting that you set in the

17
00:00:43,190 --> 00:00:44,610
‫Docker configuration. The Docker JSON.

18
00:00:45,870 --> 00:00:48,979
‫It tells Docker that any

19
00:00:48,980 --> 00:00:50,510
‫time it creates a new container to

20
00:00:52,160 --> 00:00:54,620
‫run that container as a non root user on the host.

21
00:00:55,540 --> 00:00:57,023
‫So, basically there's a couple of programs there,

22
00:00:57,110 --> 00:00:59,802
‫containerd and runC, which are other programs that Docker

23
00:01:00,710 --> 00:01:02,200
‫uses to start your container.

24
00:01:02,560 --> 00:01:04,730
‫By default, those do run as root.

25
00:01:05,280 --> 00:01:08,080
‫A feature that Docker has is to enable user

26
00:01:08,280 --> 00:01:10,091
‫namespaces, which essentially means as

27
00:01:11,920 --> 00:01:14,919
‫Docker creates these containers, it won't spawn them off as

28
00:01:14,920 --> 00:01:18,129
‫a sub process that's running as root like Docker does.

29
00:01:18,430 --> 00:01:20,537
‫It will spawn them as a high numbered user.

30
00:01:20,634 --> 00:01:23,769
‫A sort of, not necessarily a random user, but a high level

31
00:01:23,770 --> 00:01:24,770
‫user.

32
00:01:25,130 --> 00:01:26,943
‫That means if that container ever has

33
00:01:28,310 --> 00:01:30,289
‫any security vulnerabilities where the user is able to

34
00:01:30,290 --> 00:01:33,181
‫escape the container, there's still only going to be a user

35
00:01:33,560 --> 00:01:36,409
‫on the host. Because that's they're going to be acting as

36
00:01:36,410 --> 00:01:39,379
‫the user that the process that's running that container

37
00:01:39,380 --> 00:01:40,691
‫is using. The runC essentially.

38
00:01:42,350 --> 00:01:45,380
‫The runC program is what launches that container, and

39
00:01:45,800 --> 00:01:48,829
‫it will be running as a high numbered user, not

40
00:01:48,830 --> 00:01:51,589
‫root. That user doesn't really have any privileges outside

41
00:01:51,590 --> 00:01:54,402
‫that container. So, that feature is

42
00:01:55,010 --> 00:01:57,374
‫a per host setting, not a per container setting, and

43
00:01:58,070 --> 00:02:00,192
‫not everything works under user namespaces.

44
00:02:01,400 --> 00:02:03,169
‫You're just going to have to try and practice.

45
00:02:03,200 --> 00:02:06,049
‫You're going to have to enable it on some servers,

46
00:02:06,320 --> 00:02:08,689
‫try your applications on that server, see if they work.

47
00:02:09,169 --> 00:02:11,668
‫If they don't, you're going to have to segment your

48
00:02:11,780 --> 00:02:14,496
‫architecture. Whenever I implement user namespaces

49
00:02:14,900 --> 00:02:18,289
‫in a cluster, we typically have specific worker nodes

50
00:02:18,620 --> 00:02:20,629
‫that have user namespaces enabled.

51
00:02:21,020 --> 00:02:23,510
‫That's where those programs run that can support it, that

52
00:02:23,720 --> 00:02:24,720
‫work with it.

53
00:02:25,430 --> 00:02:28,879
‫Everything else has to run on regular Docker servers

54
00:02:28,940 --> 00:02:31,759
‫somewhere else. That's kind of how we segment it out.

55
00:02:31,780 --> 00:02:34,699
‫We segment into two classes of servers.

56
00:02:35,270 --> 00:02:37,999
‫That, you know, like if you're running a DMZ, that's what I

57
00:02:38,000 --> 00:02:40,548
‫would do is I'd run, I'd enable, in the DMZ, all the

58
00:02:41,030 --> 00:02:43,129
‫user namespaces, on all the servers, and then the

59
00:02:43,130 --> 00:02:45,919
‫containers that run there would have to be, would have to

60
00:02:45,920 --> 00:02:47,048
‫support user namespaces.

61
00:02:47,600 --> 00:02:50,239
‫You can't go look at applications and find out if they

62
00:02:50,240 --> 00:02:51,240
‫support user namespaces.

63
00:02:51,770 --> 00:02:55,069
‫It's a...user namespaces is not necessarily a Docker

64
00:02:55,070 --> 00:02:57,842
‫specific feature. It essentially means your container is

65
00:02:57,881 --> 00:03:00,499
‫running in a namespace and now

66
00:03:00,860 --> 00:03:04,039
‫the application running that container is also locked

67
00:03:04,040 --> 00:03:05,040
‫down a little bit.

68
00:03:06,000 --> 00:03:07,979
‫Not everything can support that. You're going to just have

69
00:03:07,980 --> 00:03:10,559
‫to practice or maybe do some research to see if other

70
00:03:10,560 --> 00:03:12,765
‫people have been able to get it to work under

71
00:03:13,530 --> 00:03:16,225
‫there. You know, for common things like MySQL and stuff

72
00:03:16,620 --> 00:03:18,719
‫like that. But obviously, for your own programs that you're

73
00:03:18,720 --> 00:03:21,269
‫developing, you're just going to have to test them to see

74
00:03:21,270 --> 00:03:23,671
‫if they'll work. I'd say most programs and common

75
00:03:24,330 --> 00:03:26,589
‫languages that I run, they work just fine in user

76
00:03:26,760 --> 00:03:29,651
‫namespaces. The real issue with user namespaces is when you

77
00:03:29,760 --> 00:03:32,553
‫have an application that needs to write to volumes, or to

78
00:03:32,850 --> 00:03:35,006
‫bind mounts, that maybe you've got user file

79
00:03:35,970 --> 00:03:38,159
‫uploads and you're sharing those across many different

80
00:03:38,160 --> 00:03:41,660
‫containers. That's where user namespaces isn't impossible.

81
00:03:41,670 --> 00:03:44,639
‫It just gets a little tricky because the

82
00:03:44,640 --> 00:03:47,759
‫files that are now written to disk on the host

83
00:03:47,790 --> 00:03:49,503
‫are now being written as a different user.

84
00:03:49,596 --> 00:03:52,649
‫Because that process on the host that's managing

85
00:03:52,686 --> 00:03:54,509
‫the container is a different user.

86
00:03:54,750 --> 00:03:57,839
‫So, you'll see different user IDs on those files,

87
00:03:58,140 --> 00:03:59,409
‫and you're just going to have to deal with that.

88
00:03:59,430 --> 00:04:02,027
‫There's standard Linux permissions at that point, and

89
00:04:02,460 --> 00:04:04,919
‫you just have to automate and solve those problems in

90
00:04:04,920 --> 00:04:06,449
‫various Linux standard ways.

91
00:04:06,610 --> 00:04:08,909
‫It's not even really a Docker problem at that point.

92
00:04:08,910 --> 00:04:10,560
‫It's just a permissions problem on the host.