

slide-48
SLIDE 48

# Create an unprivileged system account and switch to it, so every later
# build step and the container's process run as "user" rather than root.
RUN groupadd --system user \
    && useradd --system --gid user user
USER user

slide-49
SLIDE 49

$ docker run --read-only debian touch x
touch: cannot touch 'x': Read-only file system

slide-50
SLIDE 50

$ docker run -v $(pwd)/secrets:/secrets:ro \
    debian touch /secrets/x
touch: cannot touch '/secrets/x': Read-only file system

slide-51
SLIDE 51

$ docker run --cap-drop SETUID --cap-drop SETGID myimage
$ docker run --cap-drop ALL --cap-add ...

slide-52
SLIDE 52

$ docker run -d myimage
$ docker run -d -c 512 myimage
$ docker run -d -c 512 myimage

slide-53
SLIDE 53

$ docker run -m 512m myimage

slide-55
SLIDE 55

$ docker run debian \
    find / -perm +6000 -type f -exec ls -ld {} \; 2> /dev/null

-rwsr-xr-x 1 root root 10248 Apr 15 00:02 /usr/lib/pt_chown
-rwxr-sr-x 1 root shadow 62272 Nov 20 2014 /usr/bin/chage
-rwsr-xr-x 1 root root 75376 Nov 20 2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53616 Nov 20 2014 /usr/bin/chfn

...

slide-56
SLIDE 56

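# "Defanged" base image: strip the setuid/setgid bit from every file so that no
# binary in the image runs with a different user's privileges when executed.
# NOTE(review): debian:wheezy (Debian 7) is end-of-life; kept here as in the
# original slide, but a supported tag or a digest pin is preferable.
FROM debian:wheezy
# -perm /6000 matches files with the setuid or the setgid bit set; it is the
# non-deprecated spelling of the older "+6000" form.  "-exec ... +" hands
# many paths to one chmod process instead of forking once per file.
# "|| true" keeps the build going when find reports a non-zero status because
# it could not read some entries (e.g. under /proc) while walking "/".
RUN find / -perm /6000 -type f -exec chmod a-s {} + || true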

slide-57
SLIDE 57

$ docker build -t defanged-debian .
...
Successfully built 526744cf1bc1
$ docker run --rm defanged-debian \
    find / -perm +6000 -type f -exec ls -ld {} \; \
    2> /dev/null | wc -l
$

slide-58
SLIDE 58

$ docker daemon --icc=false

slide-62
SLIDE 62

$ docker daemon --icc=false --iptables

slide-66
SLIDE 66

$ docker run -e API_TOKEN=MY_SECRET myimage

slide-67
SLIDE 67

$ docker run -e API_TOKEN=MY_SECRET myimage

slide-68
SLIDE 68

$ docker run -e API_TOKEN=MY_SECRET myimage

slide-69
SLIDE 69

$ docker run -e API_TOKEN=MY_SECRET myimage

slide-70
SLIDE 70

$ docker run -e API_TOKEN=MY_SECRET myimage

slide-71
SLIDE 71

$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage

slide-72
SLIDE 72

$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage
