Docker for Devs and Security Professionals

Vasant Chinnipilli
Published in Dev Genius
9 min read, Aug 5, 2020


Docker, and the containers it makes possible, has revolutionized the software industry: in a few years its popularity as a tool and platform has skyrocketed, and Docker containers have become a massively popular technology. In this blog post, I will walk you through the basic components, architecture, and basic commands of Docker.

1. WHAT IS DOCKER?

Docker is an open-source project based on containers for automating the deployment of applications as portable, self-sufficient containers that can run virtually anywhere on any type of server.

The Docker technology uses the Linux kernel and features of the kernel, like Cgroups and namespaces, to segregate processes so they can run independently.

This independence is the intention of containers: the ability to run multiple processes and apps separately from one another to make better use of your infrastructure while retaining the security you would have with separate systems.

2. WHAT IS A DOCKER CONTAINER?

A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries, and settings.

Container images become containers at runtime and in the case of Docker containers — images become containers when they run on Docker Engine.

Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.

3. WHY USE CONTAINERS?

Containers offer a logical packaging mechanism in which applications can be abstracted from the environment in which they run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop. This gives developers the ability to create predictable environments that are isolated from the rest of the applications and can be run anywhere.

From an operations standpoint, apart from portability, containers also give more granular control over resources, which improves the efficiency of your infrastructure and can result in better utilization of your computing resources.

4. HISTORY OF DOCKER

The intriguing wrinkle in this new containerized approach is that it’s not new. The idea of containers has been around since the early days of Unix with the chroot command.

Containers are far from new; Google has been using their own container technology for years. Other Linux container technologies include Solaris Zones, BSD Jails, and LXC, which have been around for many years.

• 1979: Unix V7 — the chroot system call was introduced, changing the root directory of a process and its children to a new location in the filesystem. This advance was the beginning of process isolation.

• 2000: FreeBSD Jails — FreeBSD Jails allow administrators to partition a FreeBSD computer system into several independent, smaller systems called “jails”.

• 2001: Linux VServer — introduced a jail mechanism that can partition resources (file systems, network addresses, memory) on a computer system.

• 2004: Solaris Containers — system resource controls and boundary separation provided by zones.

• 2005: OpenVZ (Open Virtuozzo) — operating-system-level virtualization technology.

• 2006: Process Containers — Process Containers (launched by Google in 2006) were designed for limiting, accounting, and isolating the resource usage of a collection of processes.

• 2008: LXC (Linux Containers) was the first and most complete implementation of a Linux container manager, using cgroups and Linux namespaces.

• 2011: Warden — Warden can isolate environments on any operating system, running as a daemon and providing an API for container management.

• 2013: LMCTFY — Let Me Contain That For You (LMCTFY) kicked off in 2013 as an open-source version of Google’s container stack, providing Linux application containers.

• 2013: Docker — When Docker emerged in 2013, containers exploded in popularity.

5. CONTAINERS VS VMs

Virtual machines and containers differ in several ways, but the primary difference is that containers provide a way to virtualize an OS so that multiple workloads can run on a single OS instance. With VMs, the hardware is being virtualized to run multiple OS instances. Containers’ speed, agility, and portability make them yet another tool to help streamline software development.

6. DOCKER ARCHITECTURE

Docker uses a client-server architecture. Docker Engine is a client-server application with these major components:

• A server which is a type of long-running program called a daemon process (the dockerd command).

• A REST API that specifies interfaces that programs can use to talk to the daemon and instruct it what to do.

• A command-line interface (CLI) client (the docker command).

The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate using a REST API, over UNIX sockets, or a network interface.

7. DOCKER TERMINOLOGY

Some terms and definitions with which you should become familiar before delving deeper into Docker:

• Container image: a package with all of the dependencies and information needed to create a container.
• Container: an instance of a Docker image. A container represents a runtime for a single application, process, or service.
• Dockerfile: a text file that contains instructions for how to build a Docker image.
• Repository: a collection of related Docker images, labeled with a tag that indicates the image version.
• Registry: a service that provides access to repositories.
• Docker Hub: a public registry to upload images and work with them.
• Docker Trusted Registry (DTR): a Docker registry service (from Docker) that you can install on-premises so that it resides within the organization’s data center and network.
• Compose: a command-line tool and YAML file format with metadata for defining and running multi-container applications.

8. DOCKER COMMANDS

Every Docker command has the same basic structure.

8.1 docker search

Used to search Docker Hub for images. The below example displays images with a name containing ‘hello-world’, then uses search filters to tune the output of the search command.

docker search hello-world
docker search --filter stars=10 hello-world
docker search --filter stars=10 --filter is-official=true hello-world

8.2 docker pull

Used to pull images from Docker Hub. The below example pulls the ‘hello-world’, ubuntu and alpine images from Docker Hub.

docker pull hello-world
docker pull ubuntu
docker pull alpine:3.6

8.3 docker images

Used to list the Docker images on the host; the two forms below are equivalent.

docker images
docker image ls

8.4 docker run

Used to spin up a Docker container based on an image. The below example spins up a new container named ‘firstcontainer’ based on the ‘ubuntu:latest’ image. The -it flags instruct Docker to allocate a pseudo-TTY connected to the container’s stdin, creating an interactive bash shell in the container.

8.5 docker exec

Used to run a command in a running container. The below example starts a container, detaches from its TTY without exiting the shell using the escape sequence, and then executes commands inside the detached container.

docker run -it --name exectest ubuntu:latest /bin/bash
docker exec -e VAR=1 exectest bash
docker exec -w /root exectest pwd
docker exec exectest cat /etc/passwd

8.6 docker volume

Used to create, list, remove, and inspect volumes. The below examples show how to create a new volume and mount it to a location in a new container.

docker volume create hello
docker run -it --rm --name volumetest -v hello:/world alpine ash
docker run -it --rm --name volumetest -v $PWD:/tmp alpine /bin/ash

8.7 docker network

Used to create, connect, disconnect, list and manage networks. The below example shows how to create a new network and attach a container to it.

docker network create \
--driver=bridge \
--subnet=172.28.0.0/16 \
--ip-range=172.28.5.0/24 \
--gateway=172.28.5.254 \
Mynetwork
docker run --rm -it --name NetworkTest --network Mynetwork alpine /bin/ash

8.8 docker registry

A registry is a storage and content delivery system, holding named Docker images, available in different tagged versions. The below example shows how to start a registry container, then push an image to and pull it from our local registry.

docker run -d -p 5000:5000 --name registry registry:latest
docker image tag alpine:3.6 localhost:5000/myfirstimage
docker push localhost:5000/myfirstimage
docker pull localhost:5000/myfirstimage

8.9 docker build

Used to build an image from a Dockerfile.

What is a Dockerfile? A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image; it is essentially the template of build instructions for the image.

The below example shows how to spin up a container from the image that we just built, with host port 8080 mapped to port 80 in the container.
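The Dockerfile, the build and the run with 8080 mapped to 80 that this section refers to are not in the post, so the following is an added example (mine, not the author's) that supplies them; the directory hello-build, the image tag hello-web:1.0, the container name hello-web and the base image nginx:1.19-alpine are my assumptions.

```shell
# Added example, not from the original post. Assumed names: build directory
# ./hello-build, image hello-web:1.0, container hello-web, base image
# nginx:1.19-alpine (any nginx tag that serves /usr/share/nginx/html works).

# Write the build context: a Dockerfile and the one file it copies in.
write_context() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/Dockerfile" <<'EOF'
# Pin the base image tag: "latest" makes rebuilds irreproducible.
FROM nginx:1.19-alpine
# Copy only what the image needs; a small context means fewer surprises.
COPY index.html /usr/share/nginx/html/index.html
# EXPOSE documents the listening port; publishing it is a run-time choice.
EXPOSE 80
EOF
  printf '<h1>built with docker build</h1>\n' > "$dir/index.html"
}

# Build the image from the context directory and tag it.
build_image() {
  docker build -t hello-web:1.0 "$1"
}

# Run detached, publish host port 8080 to container port 80 (bound to
# loopback so the test page is not reachable from the network), confirm
# the page is served, then stop the container (--rm removes it).
run_and_check() {
  docker run -d --rm --name hello-web -p 127.0.0.1:8080:80 hello-web:1.0
  sleep 2
  curl -fsS http://127.0.0.1:8080/ | grep -q 'docker build'
  docker stop hello-web
}

# Only talk to the daemon when one is reachable; otherwise just report.
if docker info >/dev/null 2>&1; then
  write_context ./hello-build
  build_image ./hello-build
  run_and_check
else
  echo "no reachable Docker daemon: build and run steps skipped" >&2
fi
```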

8.10 docker-compose

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration.

The below example shows how to start the services (images, networks, and volumes) defined in the docker-compose.yml file, verify that they are up and running, and then stop them.

docker-compose up -d
docker ps -a
docker-compose down

9. DRY

Dry is a terminal application to manage Docker containers and images. It aims to be an alternative to the official Docker CLI when it is needed to repeatedly execute commands on existing containers and images, and as a tool to monitor Docker containers from a terminal.

Installation (the one-liner pipes a downloaded script straight into sudo sh; download and read it first if that is not acceptable to you):

curl -sSf https://moncho.github.io/dry/dryup.sh | sudo sh
sudo chmod 755 /usr/local/bin/dry
dry

10. PORTAINER

Portainer is an open-source lightweight simple management solution for Docker. It allows you to easily manage your Docker hosts and Docker Swarm clusters via Portainer web user interface.

The below example shows how to pull and spin up the Portainer container, with a named volume for its data and the Docker socket mounted so that it can manage the host’s daemon.

docker volume create portainer_data
docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
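The Portainer command above hands the container the Docker daemon socket, which amounts to root on the host, so options like that are worth catching before a command runs. The script below is an added example (mine, not the post's): a pre-flight audit of a docker run command line for the socket mount, host root mounts, --privileged, --cap-add ALL and host namespaces; finding() and audit_docker_run() are my names, and the sample commands at the end are adapted from this post as constructed input.

```shell
# Added example, not from the original post; finding() and audit_docker_run() are my names.
# Handles "--opt value" and "--opt=value" forms; the checks are a starting list, not a policy.

# Record one finding: print it and bump the counter audit_docker_run reads.
finding() {
  echo "FINDING: $1"
  findings=$((findings + 1))
}

# Audit one docker run command line. Prints a FINDING line per risky option
# and returns 0 when clean, 1 when anything was flagged.
audit_docker_run() {
  findings=0
  prev=""
  set -f                      # no glob expansion while we split the line
  for tok in $1; do
    # Pair each token with its option: "--opt=val" carries both; otherwise
    # the previous token is the option and this one is its value.
    case "$tok" in
      --*=*) opt="${tok%%=*}"; val="${tok#*=}" ;;
      *)     opt="$prev";       val="$tok" ;;
    esac
    case "$opt" in
      -v|--volume|--mount)
        case "$val" in
          *docker.sock*) finding "$val mounts the daemon socket: root-equivalent control of the host" ;;
          /:*)           finding "$val mounts the host root filesystem into the container" ;;
        esac ;;
      --network|--net|--pid|--ipc|--uts|--userns)
        if [ "$val" = host ]; then finding "$opt host: container shares that host namespace"; fi ;;
      --cap-add)
        if [ "$val" = ALL ]; then finding "--cap-add ALL grants every Linux capability"; fi ;;
    esac
    # Flags that take no value are checked on the token itself.
    if [ "$tok" = --privileged ]; then finding "--privileged disables nearly all isolation"; fi
    prev="$tok"
  done
  set +f
  [ "$findings" -eq 0 ]
}

# Constructed input: two run commands adapted from this post. The network one
# is clean; the Portainer one is flagged, so restrict who can reach port 9000.
for cmd in \
  'docker run --rm -it --name NetworkTest --network Mynetwork alpine /bin/ash' \
  'docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer'; do
  echo "== $cmd"
  audit_docker_run "$cmd" || echo "   -> review before running"
done
```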

As a continuation of this blog post, in part 2 of the series I will discuss how to scan and secure your containers against vulnerabilities using open-source tools that can also be integrated into the CI/CD pipeline.


Security Architect | Penetration Tester | DevSecOps Practitioner | Bridging the Gap between Security and DevOps!! https://cloudsecyguy.dev