
Analysis of Docker containers and their security implications

Abstract

Docker has become the new standard for application deployment and the developer's new companion tool. This document studies how Docker works, how it is composed, which mechanisms it uses to work efficiently, and the concepts related to it: containers, images, virtual interfaces, volumes and storage drivers. On the other hand, this strong growth brings security responsibilities that cannot always be covered. We will see how Docker makes use of Linux kernel security mechanisms to isolate processes with namespaces, create virtual network interfaces with iptables and restrict access to resources with control groups.
Contents

1. Introduction 1
   Real-life usages
   Docker rules
2. Docker 13
3. Security in Docker 49
   Firewall
References 57

1. Introduction
1.1. What is Docker?

Containers

— Distribution
— Orchestration
— Volumes
— Containerd
— Docker Build (BuildKit)
— Networking stack (bridge, NAT, host)
1.2. Real-life usages

Sandboxing

Portability

Composition architecture

Scaling and orchestration
1.3. Docker rules
2. Docker
2.1. Estructura de un Docker
           
            
               
  
         
              daemon

2 Docker     
           build  run  
distribute   
               
                
         sockets     
                
La arquitectura Docker
             
      
            docker host
   registry             
            
        
         Docker daemon   
              
            
          
         logs    
             
                 
             
             
      
            

2 Docker     
               
             
plugins   
Imágenes
            
               
 
              
            
                
            
   
            
              
              
               
              
             
          

2 Docker     
Contenedores
             
            
               
    
             
              
        
            
                 
               
              
         
Almacenamiento
            
               
              
          
             
              
       
            
              
 
             
              
              
            
           
               
   bind mounts           
  

            

— Volumes
        
             
               
             
    bind mounts        
          
           
            
              
       
            
volume drivers      
          
             
            
      
           

             

            bind
mounts
          

              
 
          
Bind mounts
            
            
             
                
         
               
                 
    
             
             
              

            
            
       logs 
 bind mounts          

       bind mounts   
— When to use volumes or bind mounts?
              
     

                Share data    Manage    FS         Backups   Data in    High         Source code
                between       settings  structure            the cloud  performance  versions
                containers
Volumes         ✓             ✗         ✓          ✓         ✓          ✓            ✗
Bind mounts     ✗             ✓         ✗          ✗         ✓          ✓            ✓
                  

Network interfaces
            
            
                   
                
             
 
               
           
  
              
firewall
               
overhead           
firewall
               
       hardware     
     
       
               
             
             
   
             
firewall

          
           
 
             
            
            
    
Network plugins            
   
Low-level interface
             
      

              
           
               
             
       Linux kernel namespaces  
              
        control groups    
      
             
2.2. Creating a container
              
            
           
              
                  

           
               
    
          
            
       
           
            
             
               
        

           
             
           
             

              
          
        
              
    
              
  
             
           
           
         
             
                
            
                 
             
               
       
            
 
   
     
        
    
   
       
           
    
  
    
    

        
             
   
     

        

  
    
  
  
         
            
               
    
              
              
                
          
           
             
     
           
          
             
             
    
             
           
           
             
              
        
2.3. Communication between containers
       
           socket
          
            
     
           
               
           
              
                

            
 polling             
           
           
            
              
       
            
  bridge             
              
              
    
          
               
    
Connection
             
             
    overlay         
 
              
     hostname      
  
      bridge        
             
                 
              
   
        
                
        

              
            
, 
              
          
     
             
            
       
            
 
             
user-defined bridge network
               
                 
       

              
  
                
         

         
             
               
,           

                
             
          
,       

            
               
             
               
       
                 
              
                 
                
,      
               
            
Overlay networks
         overlay   
       Swarm      
               
              
  
              
    
     Swarm           
   
    
                 
    
              
        
      overlay          
        

     
              
                
               
      
,
               
     
        
, 
              overlay
            
             
2.4. Deploying multi-container applications
               
           
 stack           
             backend   
               
             

            
        
              
         
             
What is Docker Compose?
             
              
               
 
           
             
          
            
         
    


 



 
 
 
  
 
  
 
  
          
              
 
            
            
              
            
        

              
               
               
  
             
          
            
    
               
                
  bind mounts       
              
  
            
         
           
      
            
 
    
       
        stream view
      
              
         
             
              
                host  
           
    
           
             
              
              
  
              
               
     

            
               
           
             
               
Docker Compose commands
             
      
         
        online    
           

       
        
           
            
        
            
Real-world case
         stack     
             
  
            
              
              



              
           



 
 
 

 

  
 
  
 
 
  
       stack 
               
  3                
                
                 
             
           
           
         


 
 
 
 
 

 
  
  
  
 
  
 
  
    
               
                
              alpine 
             
              
             
                 

                 
  


 
 

 
 



  
  
 
  
    
              
              
   bind mounts       
              
               
 






         
    



 
 
 
 

  
 
  
 
 
  

 
 
  
  
  
  
  
 
  
  

  
  
 
  
 
  

 
 
  
  
  
  
 
 
 
  
  
 
  

 
 
 

 
 
 
           
             
2.5. Container “orchestration”
              
           
            
    
             
             
             
            
              
            
              
             
             
                
           
              
               

              

Why is container orchestration important?
           
             
              
          hosts  
         
              
            
                
                
               
           
              
     
  
  
  
  
         
      
     
            
     
          
               
                 
          
            
         
           
           
   
       

2.5.1. Orchestration tools
Kubernetes
     
           
             
      Cloud Native Computing Foundation    
             
               
  downtime             
                 
          
   framework        
             
          
            
                
          
               
       
            
rollouts rollbacks            
           
             
            
        
              
            
         
             
               
             


           
          
             

             
               
 Platform as a Service            
            
   
               
         
            
                

             
middlewares frameworks           
            
       
             
            
   
How does Kubernetes work?
               
           
       
        pods       
           control plane      
*           control plane   
              
              
 

     
The Kubernetes control plane
  control plane         
           
         
           
          
      
             
     
   pods          
               
           
sowarehardware         
       
       
           
       pods  
   endpoints    endpoints    
 
            
       
             cloud  
 

Node components
               
                
       pod     
            
            
     
               
              
              

Container runtime            
    
Example application on Kubernetes
              
           
               
                 
Note: it is assumed that the Kubernetes management tool  and a local
Kubernetes service, such as , are installed.
             
           
 


 



 
 
 
 
 
  
 
 
  
  
 
  
  
         

                
              
         
                 
           
                   
         
           
   
             
       
   
   
       
          
     
   

         
              
              
            
           
      
          
Docker Swarm
      
            
             
   

             
             
             
              
              
                
             
          
           
soware        
              
           
             
   
             
  stack           
              
      backend
            
          
     
            
            
        host        
             
  
   host    overlay     
               
           
             
            
     
            
     
           
  
          
               

How does Docker Swarm work?
             
              
                 
   
   swarm    hosts        
              
              host 
        
              
            
               
         
             
            
         
             
              
              
               
              
            
       

      
                
             
           control plane   
               
              
            
Nodes in Swarm
               
             
              
               
              
             
     

              
              
              
               
 
Services and tasks
               
             
      
              
            
                
    
Load balancing
              
                
             

           
             
             
              
Example application on Docker Swarm
               
            
               
            



 





  
  
  
 

  
 
  
  
 
  
 
  
 
  
  
 
 
  
 
 
  
          runners
                 
          
       
              
         
          
           
 
            
               
        
             
     
         

2.6. Future lines of development and innovation
              
             
 
                 
               
             
               
    
              
                 
               
  
       deprecation      
            
      Container Runtime Interface      
                 
         
              
             
              
       

3 Docker security
3. Docker security
                
               
             
 
              
              
            
    
                  
               
           firewall    
          
3.1. Analysis of the Docker stack
              
             cgroups
   namespaces   
            
             
            
             
               
              
             
       
               
   
          namespaces cgroups
          
             
  
          
Linux kernel namespaces
             
             

         namespaces cgroups  

               
   namespace            
        
                 
         sockets    
            
           
               
     pings      
              
               
       switch
    namespaces          
                 
              
 
              
             
             
             
               
        ad-hoc     
        
        security namespaces  
             
      0,7     
             user
namespaces            
              
capabilities
              
           namespace     
             
   
             
               
              
  
     user namespaces        namespace
                  
                

       namespace    namespace   
       
            
               
             
   
       namespace         0
            namespace
           
         namespace   
           
      
            
           
  <1024          
 
           
               

           
          
            
          
   logs       
   hardware          
   
               
       
           
               
            
           
          
               
                
             
              
Linux control groups
            
              
               
           
            
              
 cgroups          
             
           
Attack on the Docker service
                
              
           
              
               
               
         bind mounts   

                
        
                
              
               
              
             
firewalls
           endpoints
            
   
             
                 
                 
             
            
Docker Content Trust
             
            
                  
      
            
   tag key      
   timestamp key        
              root key
 

             
Greater protection for Docker
               
        
           
           
               
               
           
             
              
              
           
              
  
            
              

             

3.2. Fundamental differences with
             
              
              
               
             
              sandboxes
           
             
                
      
               
            
            
              
               
              
        namespaces  
               
hostname            

              
               
              
    
3.3. Security in network communications – firewall
firewall
firewall
              
      hardware   
              
                
        
            
             
             
        

              
       
        
,   
             
               
    
     
,  
firewall
              
            
3.4. Conclusions
             
              
      
               
firewall
            

              
                
              
   spoong   ooding         
                 
firewall

            
              
                
              
  
             
              
                
               
   

References
         
  
           
  
           
  
               
                  

  
 Dependency hell  Wikipedia       
  
           
  
            
  
      
          
  
             
        
  
             
  
          
        
  
              
  
           
   
  
            
       
  
             
  
             
  

 UnionFS  Wikipedia, la enciclopedia libre          
      

           
  
            
  
           
  
 Docker (soware)  Wikipedia       
                 

           
  
           
  
            
 
  
          
                 
  
            
 

            
  
            
  
         
      
  
          

  
         
  
      
  
          
  
         
  

             
  
              

  
      
 Docker/Classicswarm          
  
 Docker/Swarmkit        
  
            
  
          
  
            
  
             
      
 
 Cgroups  Wikipedia       
  
 Linux namespaces  Wikipedia       
  
           
  
 OpenVZ  Wikipedia       
  
               
        27th USENIX Security
Symposium (USENIX Security 18)       
              

        
  
             
       
  
          

  
            
  

      
 PaX  Wikipedia, la enciclopedia libre        
  
            
  
              
   


S. Yegulalp, "What is Docker? The spark for the container revolution," InfoWorld. URL: https://www.infoworld.com/article/3204171/what-is-docker-the-spark-for-the-container-revolution.html (accessed 3 Jun. 2021).
S. Kulshrestha, "Docker Networking - Explore How Containers Communicate With Each Other," Medium, 10 Sep. 2020. URL: https://medium.com/edureka/docker-networking-1a7d65e89013 (accessed 3 Jun. 2021).
T. Donohue, "How To Communicate Between Docker Containers," Tutorial Works, 6 Nov. 2020. URL: https://www.tutorialworks.com/container-networking/ (accessed 10 Jun. 2021).
T. Bui, "Analysis of Docker Security," arXiv:1501.02967 [cs], 13 Jan. 2015. URL: http://arxiv.org/abs/1501.02967 (accessed 14 Jun. 2021).