DOCKER IS HACKED

Holy SHIT Jow Forums I can't believe there is no thread about this

github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d

kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

We're all fucked, every container related service everywhere is totally compromised as of RIGHT NOW



Maybe those Freenasfags and their "muhh jails" bullshit were right after all.

There is no thread on this topic because Jow Forums is a consumer technology board.

Okay so this looks like it could get exploited in practice here and there instead of just remaining a theoretical threat.

>container escape
Oh wow, it's fucking nothing.
C'mon, at least reserve the "docker is hacked" clickbait title for an RCE or something worthwhile.

>This then allows them unlimited access to the server as well as any other containers on that server
yeah, trivial shit

Dude, if the container is compromised you should already assume game over, idiot. How about you write shit that isn't vulnerable in the first place? I'll say it again: WOW IT'S FUCKING NOTHING

I’m really glad you’re not on my team, since you’re very bad at IT security threat recognition

>Dude if the container is compromised you should already assume game over idiot
That's where the "container" comes in you fucking dumb faggot. The fact that the threat is not contained is fucking catastrophic, just like a VM escape is, particularly in a production environment

>dunning-kruger effect in action
Tell us more user


HURR DURR

>Service running in container gets compromised
>Compromised container is able to access docker host
Compared to
>Service is compromised
>Host running service is compromised
Oh no, Docker is vulnerable to becoming only as insecure as people not running Docker in the first place. It's literally fucking nothing. Getting root in the container would already mean getting root on an actual host for a non-Docker deployment.

Maybe if you're AWS you should be concerned about it, but in my infrastructure this isn't a big deal. Keep your container images up to date and scan them for vulnerabilities, and put a WAF in front of your ingress and your containers won't get compromised in the first place, plus we literally have to turn off half of our security stack for pen testers to complete their pen tests without getting blown off the network and they still don't accomplish anything.

BSD fails usually are.

In addition to that, if someone were to compromise a container, I'd be more concerned about them just using that container's connection to database resources to try to access sensitive information than I would be about them trying to access the Docker host itself. If your container gets compromised in the first place you've already fucked up. You should not be treating containers as your security blanket.

Who will turn out to be right? The guy who said it's not a big deal or the guy who made it to be the end of the world when likely no major breaches will be caused by this issue?

Sure, no big deal.

>allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host

zdnet.com/article/doomsday-docker-security-hole-uncovered/

>malicious container
Why is the container malicious in the first place? Oh right, you have to let it get compromised.

Lol, I don't use docker


This really falls into PITA territory, not disaster territory. It requires a certain amount of trust to exploit, but when it's in, it's a real problem.

Real question is, why the fuck would you be installing any images that might contain dickhead code that could exploit this?

Basically requires physical access. WOW.

The thing is that internet-facing services running on the host generally run under a separate user, so compromising one doesn't compromise the entire host. On the other hand, people don't bother so much to set up a non-root user for their service in a container, although it is often advised to do so.

This literally only affects dumb fucking faggots who are stupid enough to run untrusted images on a host they're not treating as untrusted in the first place. Relying on Docker as your security mechanism rather than just as a fast way to orchestrate servers is retarded and anybody who suffers from this as a result deserves it.

>using docker

>On the other hand, people don't bother so much to set up a non-root user for their service in a container, although it is often advised to do so.
That's their fucking fault for treating Docker as a magic fucking security blanket. If you're not treating Docker images the same way you treat a real server host, you deserve to get hacked.

>get a hacker container
>install it
>get hacked
How could this happen to me.

who knows


Burnout 3 - Takedown, now that's a powerful piece of software. It burns the shit out of your PS2 and is THE most CPU and GPU intensive game in PCSX2's library; you need a minimum of a 4th generation i5 to play this game at full speed, and that's at native resolution. If you want to play at 1080p, you're gonna need a Radeon HD 7970 or a GTX 1050 Ti, assuming you want to play with all the effects enabled. Whatever shitty program you think is well written will NEVER be as good as Criterion Games' PS2/Xbox masterpiece. I'd even go as far as to say Burnout 3 - Takedown is a more impressive piece of software than the Linux kernel.


Serves them right for falling for the container meme.

> every container related service everywhere is totally compromised as of RIGHT NOW
I'd think SELinux and AppArmor and so on might mitigate this one...?

Of course they were right.

A hahahaha this is probably what would pass as an informed comment from an IT zoomer.

This is a huge deal. Docker has been widely adopted by lazy incompetent zoomers who don’t understand computers. It’s super easy, they love it. But something like this was bound to happen.

You must work for Equifax.

Docker is as insecure as just installing libraries and binaries and shit to the places where they should go on the bare host.

Essentially this means docker has no purpose.

Wew lad I never played it but I don’t do consoles newer than PS2 so I’ll check it out.

Multiple Linux distros sandbox/jail/impose other MAC on runc and docker by default.

BSD also has one option, but there are far more options on Linux overall.

Not really, no. Unless runc is compromised and any possible access control controlling what runc can do as well.

Even then, Docker would still have the purpose of allowing you to run n instances / n configurations of software easily and with a fairly uniform format. If one container solution doesn't work, you compose a variant or take another container solution.

This would only be partly equivalent if every OS was NixOs or something, and they are not that either.

hacking other people's stuff is illegal and rude.
very disappointing.

>already patched
just update your systems, no need to panic.

This container fad will pass soon.

Nobody gives a fuck about docker

Joke's on them and on all you fucking zoomers who can't into basic systems administration. Anyone who dares call himself a decent systems manager will install the packages himself and never rely on shitty "container" software written by nu-males(she) in Javascript with tranny codes of conduct, distributed via Github and with Discord live support. Docker is shit and so are all other "dependency container" software.


How the fuck would you have physical access to a virtual machine, user?

What kind of fucking moron would run containers in production and give them root privileges and/or not run SELinux? Yes it might be a pain in the ass to get the permissions and policy correct depending on the service it's running, but it doesn't take a genius to understand how running containers using root users could more easily lead to security issues. "With great power comes great responsibility."

Can't you access other containers too if you can access the host?

>not using nix/nixops

>not just using jails and chroot

This. Most users won't have as autistic setups as the one described in

>not running a 100% FOSS software stack on your server
>relying on containers for security
>not running audited programs
>relying on meme software

>The absolute state of sysadmins in 2019

This is just sad

/thread

I’m convinced these trends are started by intelligence agencies who just want easier spying.

Duh, and idiot onions-guzzlers have no issue with it:"I've got nothing to hide".

Kubernetes is Google's bastard child.

Every time I tell people that Docker and its ilk are not sandbox technologies and should not be used in that way, I just get shrugs.

Serves 'em right. In reality things will just go on like usual, but man, I'd really like to see this shitshow burn to the ground.

Doesn't matter if it's FOSS if no one can understand the sources, and no one does if it's a big program.

>using unaudited programs
>using clusterfucky code

Install OpenBSD.

The purpose of Docker has literally nothing to do with security and everything to do with rapid orchestration. If you don't understand that, you're retarded. I use docker because I want to deploy/rollback changes to our services in seconds, not because I'm some kind of fucking tard who thinks Docker is a sandbox.

almost everyone does

Ssshhhhhhhh learn to code.

Almost everyone is an idiot, so, what's the point? That's just idiotically following the herd.

People like things that are easy to use. Some obscure terminal program that needs so many arguments that it fills the whole screen isn't that, when you can do the same thing with one click in a GUI.

> See this at work yesterday
> Mitigated by SELinux

And it's fucking nothing.

You should have been working under the assumption container escape was inevitable anyway.


I like this pasta.

Good. Maybe those fucking containerlets stop spamming their half-assed meme "VM" everywhere.

This desu senpai

This attack is only possible with privileged containers since it requires root privilege on the host to overwrite the runC binary. Unprivileged containers with a non-identity ID mapping do not have the permission to write to the host binary and therefore are unaffected by this attack.
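The quoted advisory names two preconditions for this bug, and the earlier post about running the service as a non-root user inside the container points at the first one: the process must be root inside the container, and container uid 0 must be the real host uid 0 (an identity user-namespace mapping). As an added example, not code from the thread or from the runc/LXC projects, here is a POSIX shell check that reads the same two facts a process can see about itself, `id -u` and `/proc/self/uid_map`. The function names and verdict strings are this example's own; the parsing assumes the standard `inside_start outside_start count` format of `uid_map`.

```shell
#!/bin/sh
# Added example (not from the thread or from runc/LXC): check the two
# preconditions the quoted advisory gives for CVE-2019-5736, root inside the
# container AND an identity uid mapping (container uid 0 == host uid 0).
# Function names and verdict strings are this example's own invention.

# Return 0 (true) if the given uid_map contents map in-container uid 0 onto
# host uid 0. Each line is "inside_start outside_start count"; in-container
# uid 0 is covered only by a line whose inside_start is 0, and it maps to that
# line's outside_start. A remapped container (e.g. "0 100000 65536") fails.
uid_map_root_is_host_root() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $2 == 0 && $3 >= 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combine both preconditions. $1 is the uid the service runs as inside the
# container, $2 is the uid_map contents. Prints a verdict; returns 0 only when
# both preconditions hold (exposed), 1 otherwise.
escape_precondition_check() {
    uid="$1"
    map="$2"
    if [ "$uid" -ne 0 ]; then
        echo "not root in container: cannot overwrite the host runc binary"
        return 1
    fi
    if uid_map_root_is_host_root "$map"; then
        echo "EXPOSED: root in container with identity uid mapping (container root == host root)"
        return 0
    fi
    echo "container root is remapped to an unprivileged host uid: not affected per the advisory"
    return 1
}

# When run directly on Linux, report on the current process. Inside a
# container this reads the container's own view; on a bare host it just
# says whether you are root with the host's identity mapping.
if [ -r /proc/self/uid_map ]; then
    escape_precondition_check "$(id -u)" "$(cat /proc/self/uid_map)" || :
fi
```

Run it with `docker exec <container> sh runc_precheck.sh` (or copy it into the image) to see what the service's own process would report; a remapped daemon (`"userns-remap"` in the Docker daemon configuration) shows up as a non-zero `outside_start`, which is exactly the "non-identity ID mapping" the advisory says is unaffected.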

That is why

underrated

>This attack is only possible with privileged containers since it requires root privilege on the host to overwrite the runC binary

Here's an idea, don't run your fucking services with root privileges.


>Docker hacked
>supreme bloat gets hacked


Of course they were. If you use docker or lxd for security isolation, you deserve what's coming to you. Docker is guaranteed to be full of holes. This will not be the only vuln.

1. Defense in depth (thank god for SELinux)
2. Many, many "cloud" providers run untrusted code in docker containers right along side your shit. This is why I rent a dedicated server. Fucking cloudshit. Who knows what aids their servers are running. Maybe they're properly isolating, maybe not!

Google is the NSA's cocksleeve.

>Dependencies are hard, let's go shopping!
Docker is okay for that. It's no panacea, but it's okay.

>mitigated by SELinux
more like
>exploit not fixed, but transferred to NSA instead

>>relying on containers for security
I don't give a shit I just need to run a lot of selenium agents for different deployment environments.

Wait how did this green dinosaur get a knife?

>selenium agents for different deployment environments.
?
the fuck are you talking about

>thank god for SELinux
>something so confusing even the NSA has a hard time using it

Sure...

>Many, many "cloud" providers run untrusted code in docker containers right along side your shit. This is why I rent a dedicated server. Fucking cloudshit. Who knows what aids their servers are running. Maybe they're properly isolating, maybe not!

You obviously know nothing about Cloud. AWS runs most of their servers in dedicated EC2 instances on top of a spin of KVM hypervisor. ECS is optional.

theregister.co.uk/2017/11/07/aws_writes_new_kvm_based_hypervisor_to_make_its_cloud_go_faster/


These wannabe sysadmins here are funny. They all pretend that everything is so secure and well configured, but the reality is that you can easily bypass most of the restrictions that the systems on many company computers have. They block things like the command line but let anyone execute bats and similar dumb things. Probably the most retarded is blocking access to C:\ and disabling useful menus and keyboard shortcuts.

>these wannabe sysadmins here are funny
>hurr durr look at me pretending to know what I'm talking about

quiet, kid

no u. you would know if you ever used one of those systems but you are just a larping neet that shitposts on Jow Forums

>you are just a larping neet that shitposts on Jow Forums
nice assumptions faglord

kys

>quiet, kid
>kys


Though you could also be working in some meaningless startup. You don't just go and make a sane setup in a real company.

Anyone who used cucker and didn't see this leading to a security nightmare is a moron.

Docker is a meme anyway.
It's static linking for numales.

use rkt

>He doesn't know how to use SELinux
Not going to make it

>You obviously know nothing about Cloud
I know plenty. EC2 is safe-ish (KVM increases attack surface, even though it's old and durable), but expensive. With cheap hosts, who the fuck knows. This goes for general VPSs too. Dedicated is still the safest with the best bang/buck when utilization is reasonably high and huge unpredictable spikes aren't likely, which is the case 99% of the time.

Docker is stupid anyway. Why not just use a virtual machine if you need separation? Or just create multiple service instances?

Containers are a lot more lightweight and faster than VMs.

>implying you know how to use SELinux

>I know plenty. EC2 is safe-ish (KVM increases attack surface, even though it's old and durable), but expensive. With cheap hosts, who the fuck knows. This goes for general VPSs too. Dedicated is still the safest with the best bang/buck when utilization is reasonably high and huge unpredictable spikes aren't likely, which is the case 99% of the time.

>scale up philosophy with zero load distribution plans or scale-out for handling spikes
>implying you can't run dedicated in the Cloud

Sure, I guess all of these compliance certifications and use by DoD means absolutely nothing.

aws.amazon.com/compliance/programs/

For compliance reasons they also allow you to rent dedicated hosts.

aws.amazon.com/ec2/dedicated-hosts/pricing/

>Dedicated Hosts can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses.

You'll be automated in a few years.


>complying with putting back doors into a system is a good thing


because every upstream is super special and they need their own everything

but it worked on windows!

Valid retort.

Dependency separation


kek for effort

This generation is too narrowly focused. No one gives a shit about anything but their little bubble. The irony is they claim everyone else is antisocial and needs reeducation training.

fuck docker, fuck tranny's and fuck niggers.

and fuck you all cause you are faggots

I guess it is time to Make Enforce 1 Again

hell yes brother


>go is saf-

rip my nigga terry davis

Erm, if I have access to a container (say on AWS) and only that container, an escape vulnerability is a pretty big deal as it now means I have access to every other container running on that server

This is a big deal, but will likely get patched very quickly.