Hi,
First, I apologize but didn’t see a help-specific sub-section in this forum, so I post this question in the general discussion forum. Let me know if I should have posted somewhere else.
This being said, I have limited experience with *nix systems, and even more limited experience with Docker. I’ve basically tried to install 6 different docker images on my Synology NAS and only managed to get 2 working (learning A LOT along the way).
Here is my very basic question regarding security: My understanding is that a docker image is similar to a VM in that it is a fresh OS install (often ubuntu, but can be any OS) on top of which we install various applications, often to accomplish one “simple” task.
That image is created from a docker file, which is a “recipe” on how to build the image. For example, the recipe could look something like:
- Download and install Ubuntu version X with options x, y, z
- Download and install uTorrent version X
I then create a container (a running version of the image) from that image.
My concern is as follow: Most noob like myself (and probably many intermediate users) will first start by looking for existing images from the docker registry instead of writing a docker file from scratch. Chances are, many other people wanted the same thing. However, what would prevent someone from taking a fresh Ubuntu image, adding a few keyloggers and backdoors, and then publish a docker file such as`
- Download my custom Ubuntu with backdoor
- Download uTorrent
Since I only get to access uTorrent from the webUI, I don’t even have the ability so SEE what is installed on the Ubuntu (and even if I did, it could easily be hidden).
My understanding is that the key to the security lies within the docker file itself, and I need to carefully review each line to make sure that the SOURCE of each downloaded application is indeed from a “reputable”/official sources.
Taking my uTorrent example, I see that amongst the 29 uTorrent repositories, one has been pulled 15600 times, so I assume it is “better” (what would stop an attacker from using a bot to “pull” his custom image thousands of times?).
From there, the docker file states:
1- FROM ubuntu
-> I must go see what is inside the Ubuntu package (this is simple, but if it said “FROM ubuntu-super-secure” one could assume it was a legitimate base-image but it wouldn’t.
2- ADD http://download-new.utorrent.com/endpoint/utserver/os/linux-x64-debian-6-0/track/beta/
–> Similar to phishing scams where a URL is mangled to look like a legitimate bank URL (for example), I must inspect the URL to make sure it is indeed from a legit domain (utorrent.com in this case) and avoid the typical traps such as “download.utorrent.com.myowndomainwithUTORRENTinthename.ru”, for example.
3- ADD http://launchpadlibrarian.net/103002189/libssl0.9.8_0.9.8o-7ubuntu3.1_amd64.deb /tmp/
–> Here, I am suspicious because I have no idea what launchpadlibrarian is. The “libssl” in the filename puts me at ease - I suppose uTorrent needs some kind of encryption library added… but is launchpadlibrarian just a github-like repository where someone could store a custom backdoored app?? I’m really wondering.
How are people making sure that the container they install are 100% secure and legit?
Thanks for your input.