Rootless Docker Engine
Around one to two years ago the container world had a run of privilege-escalation issues, and hundreds of vulnerable hosts were exploited. CVEs such as CVE-2016-9962 and CVE-2019-5736 were both privilege-escalation issues, and they were so damaging because the Docker Engine (the Docker daemon) normally runs as the root user.
One trick to reduce or avoid this class of vulnerability is to use Rootless mode, especially on staging or production hosts (which are potentially exposed). Rootless means the daemon itself does not require root privileges. It is similar in spirit to the --userns-remap option, but --userns-remap is only rootless at the container level, not in the daemon / Docker Engine.
Prerequisites
These notes were written and tested on Ubuntu 20.04, and require newuidmap and newgidmap from the uidmap package to be installed.
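A preflight check for those prerequisites, added here as an example and not part of the original post. Besides the two binaries, rootless mode needs a subordinate uid/gid range for the installing user; the script assumes the usual /etc/subuid and /etc/subgid "user:start:count" layout and the 65536-id range the Docker documentation asks for.

```shell
#!/bin/sh
# Added preflight check for rootless Docker prerequisites (not from the original post).
# Assumptions: Ubuntu 20.04 layout, /etc/subuid and /etc/subgid in the usual
# "user:start:count" format, and a range of at least 65536 ids per user.

# Return 0 if newuidmap and newgidmap (from the uidmap package) are on PATH.
have_idmap_tools() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# subid_range_ok FILE USER : return 0 if FILE grants USER at least 65536 ids.
subid_range_ok() {
    file=$1
    user=$2
    awk -F: -v u="$user" '
        $1 == u && $3 + 0 >= 65536 { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$file"
}

# preflight [USER] : print one line per requirement, return 1 if any is missing.
preflight() {
    user=${1:-$(id -un)}
    status=0
    if have_idmap_tools; then
        echo "ok: newuidmap/newgidmap found"
    else
        echo "missing: install the uidmap package (sudo apt-get install -y uidmap)"
        status=1
    fi
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$f" "$user"; then
            echo "ok: $user has a subordinate id range in $f"
        else
            echo "missing: add a range for $user to $f (e.g. $user:100000:65536)"
            status=1
        fi
    done
    return $status
}

# Run the checks only when invoked as: sh preflight.sh check [user]
if [ "${1:-}" = "check" ]; then
    preflight "${2:-}"
fi
```

Run it as the non-root user you intend to install rootless Docker with; a missing subordinate id range is the most common reason the installer later fails to start the daemon.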
Sailing Rootless Engine
The first step is to fetch and run the installation script:
$ curl -fsSL https://get.docker.com/rootless | sh
Make sure you are not running the installation script as the root user. For this I used a user with sudo (which means a level above root).
# Docker binaries are installed in /home/rootless/bin
# WARN: dockerd is not in your current PATH or pointing to /home/rootless/bin/dockerd
# Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/home/rootless/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
#
# To control docker service run:
# systemctl --user (start|stop|restart) docker
#
As the output above says, to keep the rootless daemon running on your host, add those environment variables to the configuration of whatever shell you use (bash, zsh, ...) and enable the service with systemctl --user as shown.
Once it is running, check it with a few basic docker commands.
$ docker version
Client: Docker Engine - Community
Version: 19.03.12
API version: 1.40
Go version: go1.13.10
...
Server: Docker Engine - Community
Engine:
Version: 19.03.12
API version: 1.40 (minimum version 1.12)
Go version: go1.13.10
...
$ docker run --rm -ti alpine echo hello world!
hello world!
Some Testing
When I tested a PoC for CVE-2019-5736 it seems to be already fixed. But you can try the Docker - Container Escape to see the difference.
# Host
$ docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
# Container
$ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
mount: /tmp/cgrp: permission denied
On rootless Docker you get a permission denied. But on a root Docker daemon, installed the way most people do, the same steps go through and it will execute ps aux
to list all processes owned by a user on your host, as shown below.
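The permission denied above is only a useful signal if the client really is talking to the rootless daemon and not to a root daemon left over at /var/run/docker.sock. The following check, added here as an example and not part of the original post, reads the engine's security options and refuses to report success unless the daemon advertises rootless mode. It assumes that docker info --format '{{.SecurityOptions}}' prints the list in the form "[name=seccomp,profile=default name=rootless ...]"; the two SAMPLE_ strings are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the engine the
# client talks to is the rootless daemon before relying on its isolation.
# Assumption: `docker info --format '{{.SecurityOptions}}'` prints the option
# list as "[name=seccomp,profile=default name=rootless name=cgroupns]".

# rootless_in_options OPTS : return 0 if the option string lists name=rootless.
rootless_in_options() {
    opts=$(printf '%s' "$1" | tr -d '[]')
    for opt in $opts; do
        [ "$opt" = "name=rootless" ] && return 0
    done
    return 1
}

# The rootless socket lives under /run/user/<uid>/, the root daemon's under /var/run/.
expected_rootless_socket() {
    printf 'unix:///run/user/%s/docker.sock\n' "$(id -u)"
}

# check_engine : 0 if rootless, 1 if the reachable daemon runs as root, 2 if unreachable.
check_engine() {
    opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null) || {
        echo "cannot reach a docker daemon at ${DOCKER_HOST:-/var/run/docker.sock}"
        return 2
    }
    if rootless_in_options "$opts"; then
        echo "rootless engine: $opts"
        return 0
    fi
    echo "WARNING: engine is running as root: $opts"
    echo "expected DOCKER_HOST=$(expected_rootless_socket), got DOCKER_HOST=${DOCKER_HOST:-unset}"
    return 1
}

# Constructed sample outputs, used only for offline testing of the parser.
SAMPLE_ROOTLESS='[name=seccomp,profile=default name=rootless name=cgroupns]'
SAMPLE_ROOT='[name=apparmor name=seccomp,profile=default]'

# Query the live daemon only when invoked as: sh check-engine.sh check
if [ "${1:-}" = "check" ]; then
    check_engine
fi
```

A shell that still has DOCKER_HOST unset, or a PATH where the distribution's docker comes before /home/rootless/bin, will silently run every test against the root daemon; this check catches that before you read too much into a passed or failed escape attempt.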
Notes
- By default the rootless daemon cannot publish privileged ports (<1024). To enable it, check it here
- To enable ping from inside containers, check it here
- You can also try another rootless daemon, such as Podman
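Both of those limitations come down to kernel sysctls that the unprivileged daemon cannot change for itself. The script below, added here as an example and not part of the original post, reports the two settings and prints the remedy for each. It assumes the fixes from the Docker rootless documentation: net.ipv4.ip_unprivileged_port_start=0 lets the daemon bind ports below 1024, and net.ipv4.ping_group_range="0 2147483647" lets processes in any group send ICMP echo.

```shell
#!/bin/sh
# Added example (not from the original post): check the two kernel settings
# behind the "privileged ports" and "ping" notes. Assumes the remedies from
# the Docker rootless documentation (see the lead-in); applying them needs root.

# unprivileged_ports_ok VALUE : 0 if ports below 1024 are bindable without root.
unprivileged_ports_ok() {
    [ "${1:-1024}" -eq 0 ]
}

# ping_range_ok "LOW HIGH" : 0 if the range covers every gid (0 .. 2^31-1).
# The kernel default "1 0" is an empty range, i.e. no group may ping.
ping_range_ok() {
    set -- $1
    [ "${1:-1}" -eq 0 ] && [ "${2:-0}" -ge 2147483647 ]
}

# report : print the state of both sysctls and the fix for each that is off.
report() {
    port_start=$(sysctl -n net.ipv4.ip_unprivileged_port_start)
    ping_range=$(sysctl -n net.ipv4.ping_group_range)
    status=0
    if unprivileged_ports_ok "$port_start"; then
        echo "ok: rootless daemon may publish ports below 1024"
    else
        echo "ports <1024 blocked (ip_unprivileged_port_start=$port_start); fix with:"
        echo "  sudo sysctl -w net.ipv4.ip_unprivileged_port_start=0"
        status=1
    fi
    if ping_range_ok "$ping_range"; then
        echo "ok: containers may send ICMP echo"
    else
        echo "ping blocked (ping_group_range=$ping_range); fix with:"
        echo "  sudo sysctl -w net.ipv4.ping_group_range='0 2147483647'"
        status=1
    fi
    echo "persist either setting in /etc/sysctl.d/99-docker-rootless.conf"
    return $status
}

# Query the live kernel only when invoked as: sh rootless-sysctl.sh check
if [ "${1:-}" = "check" ]; then
    report
fi
```

Lowering ip_unprivileged_port_start to 0 applies to every unprivileged process on the host, not just the daemon, so on a shared machine prefer to keep the default and publish services on a high port behind a reverse proxy.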
…
Thanks!