Skip to content

Latest commit

 

History

History
95 lines (86 loc) · 2.65 KB

readme.adoc

File metadata and controls

95 lines (86 loc) · 2.65 KB

This repo is for building a Docker image for troubleshooting in container environments. The contanier run as non-root by default. Some commands like tcpdump requires the container to run as root (Kubernetes).

Below are some use cases for docker-compose and Kubernetes. Kubernetes would be similar but not totally the same.

Please be reminded about the security implications of the capabilities being granted. The testing is performed testing with Podman and K3S.

  1. For using this image without any extra capabilities (as user "debug")

    1. traceroute -U / --udp

      • -I (ICMP) is not possible because it needs NET_RAW capability

    2. mtr: -U (UDP), -T (TCP)

    3. telnet, dig, curl, wget, openssl and etc.

  2. Run this image with net_raw capability

    docker-compose:
        cap_drop:
          - all
        cap_add:
          - net_raw
    
    Kubernetes (Option 1)
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - all
          add:
            - net_raw
            - net_admin
    
    Kubernetes (Option 2, not recommended)
      securityContext:
        # unspecified or set to true
        # allowPrivilegeEscalation: true
        # Not recommended because it allows privilege escalation
        # Implies that the container may execute binaries with setcap configured
        # Then the privileges may exceed or unbounded by below setting
        capabilities:
          drop:
            - all
          add:
            - net_raw
    • Then the user "debug" can additionally runs (including the previous step):

      • ping (ICMP)

      • traceroute -I (ICMP)

  3. Run this image with these capabilities

    docker-compose:
        cap_drop:
          - all
        cap_add:
          - net_raw
          - net_admin
    
    Kubernetes (my preferred setting)
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - all
          add:
            - net_raw
            - net_admin
            - setuid
            - setgid
        # Need to run the container as root
        runAsUser: 0
    • Then the user "debug" can additionally run (including the previous steps):

      • tcpdump

      • If the conatiner is inside Kubernetes, then the user may need to run as root. Else the user cannot access the network interface (eth0). I am not sure what it is difference from podman.

  4. Note there are other alternatives for running tcpdump:

    • In the host server, use nsenter to run tcpdump inside the conatiner.

    • Check if the CNI expose an NIC on the host server, then run tcpdump on the host.

    • Using a sidecar container (Kubernetes) to run tcpdump.

  5. Other tools included in the container image