Execute benchmark on rootless docker #556
Comments
Note that rootless mode currently isn't officially supported, and some config tests will return that the file is missing. I use https://github.com/konstruktoid/ansible-role-docker-rootless to install rootless Docker services.
Took a look at your shell command. If I run the following
The benchmark works again. For some reason it is displaying some errors that should not be there, for example: place /var/lib/docker on a separate partition.
Rootless appears to ignore /etc/docker/daemon.json based on the output.
But that is totally independent of the benchmark. Or is it a feature of the benchmark?
Moved daemon.json to ~/.config/docker/daemon.json
The .DockerRootDir is not /var/lib/docker since I'm using rootless docker
The tool is looking for /var/lib/docker based on output and that is the partition /dev/sdb4
The daemon.json is in the right path, but it gives an error that it should not.
Verified docker .service status
So the two issues are:
Could be tested as.
PRs will be written.
Locally made changes to test
It still ignores the configuration file
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
Could you run
Two outputs, first without DOCKER_HOST
Output with DOCKER_HOST
Are you running both a Docker as root and a rootless?
When you install docker, first create a user that is not root, in my case node. Then I created a group docker and added node to the group.
I just logged into root, eliminated the ~/.docker folder inside of root.
Does the fact that node is a member of the sudo group generate this?
What does
I wonder where the
I'm just wondering where this came from.
++++ awk '{ print $1 }'
+++ grep -m1 '^node
node
node
node
root
root
root
root
root
root
root
root' /etc/passwd
++ DOCKER_USER_HOME=/root
When the result is the above, does the script work?
If you run it by providing the host after sudo it does.
The problem I see is that it only considers the default context; the possibility of other contexts is not considered.
Take into consideration that the tool suggests you use the daemon as a non-root user.
That's good at least.
A couple of scripting errors.
[INFO] 2 - Docker daemon configuration
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
docker-bench-security.sh: 37: [[: not found
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)
docker-bench-security.sh: 96: [[: not found
[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
docker-bench-security.sh: 118: [[: not found
[PASS] 2.5 - Ensure insecure registries are not used (Scored)
[PASS] 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO] * Docker daemon not listening on TCP
docker-bench-security.sh: 185: [[: not found
[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO] * Default ulimit doesn't appear to be set
docker-bench-security.sh: 208: [[: not found
Even if you set the options manually, the script does not detect it. Example
I know the override is working; testing securing the daemon with TLS.
The interesting part is that if you use docker without rootless and set icc in the override.conf and the daemon.json, it would complain since the line is on both sides. As you can see, docker does not complain.
Yeah, it definitely needs some more testing.
I'm under the impression the function helper_lib.sh was improved?
It looks for required programs, docker. It claims it's not found.
What does your
$ docker context ls | grep "*" | awk '{print $5}'
based
$ docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default * Current DOCKER_HOST based configuration unix:///var/run/docker.sock
node@docker-host:~/test$ docker context ls | grep "*" | awk '{print $5}'
Found problem on my side.
Normally I install normal docker, then I follow the steps on https://docs.docker.com/engine/security/rootless/ to set it as rootless. I found an alternative way to install rootless without installing docker first.
With this second method, it does not find docker.
Modified docker-bench-security.sh
modified helper_lib.sh
modified
The tool expects the user and group to be root; if you set it as the tool expects, Docker stops working.
The tests are looking at the wrong path for rootless.
Yeah, since the tool hasn't been designed for rootless docker (which didn't exist back then) it will miss a lot of things. How would we test a host that is running multiple rootless Docker services?
Don't assume, let's look at the context. Example:
If the context is "default *" unix:///var/run/docker.sock it would be the standard docker configuration, and that is what is hard coded in the tool.
If the context is "rootless *" unix:///run/user/1001/docker.sock the tool should check based on that option.
It works until you set DOCKER_HOST
$ docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default * Current DOCKER_HOST based configuration unix:///run/user/1001/docker.sock
Warning: DOCKER_HOST environment variable overrides the active context. To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.
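An added example of the context-aware lookup proposed in the two comments above (this is not code from the issue or from docker-bench-security): it resolves the endpoint the way the CLI does, with DOCKER_HOST overriding the active context, and maps a rootless socket to the ~/.config/docker/daemon.json and ~/.local/share/docker defaults instead of the hard-coded /etc/docker and /var/lib/docker. The `docker context ls` table and the home directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not docker-bench-security's own code: pick the daemon the
# benchmark should inspect the way the Docker CLI does (DOCKER_HOST wins over
# the active context), then derive the config and data-root paths to check.
# The `docker context ls` table is constructed so this runs offline.

SAMPLE_CTX_LS='NAME        DESCRIPTION                               DOCKER ENDPOINT                       ERROR
default     Current DOCKER_HOST based configuration   unix:///var/run/docker.sock
rootless *  Rootless mode                             unix:///run/user/1001/docker.sock'

# docker_endpoint DOCKER_HOST_VALUE CONTEXT_LS_OUTPUT
# The endpoint is located by its URL scheme, not by field number: in the row
# "default * Current DOCKER_HOST based configuration unix:///..." field 5 is
# the word "based", which is what awk '{print $5}' returned in the thread.
docker_endpoint() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  printf '%s\n' "$2" | awk '$2 == "*" {
    for (i = 3; i <= NF; i++) if ($i ~ /^(unix|tcp|ssh|npipe):/) { print $i; exit }
  }'
}

# docker_paths ENDPOINT HOME_DIR -> "<mode> <daemon.json> <data root>"
# Rootless daemons (socket under /run/user/<uid>) use ~/.config/docker and
# ~/.local/share/docker; rootful ones use /etc/docker and /var/lib/docker,
# which is what the benchmark currently hard-codes.
docker_paths() {
  case "$1" in
    unix:///run/user/*/docker.sock)
      printf 'rootless %s/.config/docker/daemon.json %s/.local/share/docker\n' "$2" "$2" ;;
    unix:///var/run/docker.sock|unix:///run/docker.sock)
      printf 'rootful /etc/docker/daemon.json /var/lib/docker\n' ;;
    *)
      printf 'unknown - -\n' ;;
  esac
}

# bench_target DOCKER_HOST_VALUE CONTEXT_LS_OUTPUT HOME_DIR
bench_target() {
  docker_paths "$(docker_endpoint "$1" "$2")" "$3"
}

# Demo: rootless context active, then DOCKER_HOST overriding it.
bench_target '' "$SAMPLE_CTX_LS" /home/node
bench_target unix:///var/run/docker.sock "$SAMPLE_CTX_LS" /home/node
```

On a live host the table parsing can be replaced by `docker context ls --format '{{.Name}} {{.Current}} {{.DockerEndpoint}}'`, which avoids the column-shift problem entirely.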
In ~/.bashrc add
Run
After installing rootless
At reboot, to prevent problems, create a script file.
Add a cron job at @reboot
Yeah, I do all such things using
Describe the bug
A clear and concise description of what the bug is.
If you set up docker in rootless mode, you cannot run the test.
Set up docker rootless based on
https://docs.docker.com/engine/security/rootless/
Version
Distribution [Ubuntu 24.04]
Expected behavior
A clear and concise description of what you expected to happen.
The test should run with or without rootless enabled
Output
If applicable, add output that you get from the tool or the related section of lynis.log