Tuesday, September 20, 2016

Update Getting started with Docker Version 1.12.1

A few things changed after the previous post: certainly the way you deploy Docker swarm mode, as well as a few things on the networking side.


I therefore share this example script to quickly get started with a new setup and play around.

#!/bin/bash
set -e
docker-machine ls

# create the 1st manager node and record the join tokens
docker-machine create -d virtualbox manager1
eval $(docker-machine env manager1)
docker swarm init --advertise-addr $(docker-machine ip manager1)
docker swarm join-token -q manager > manager-token.txt
docker swarm join-token -q worker > worker-token.txt

# create the 2nd and 3rd manager nodes
for N in 2 3; do
  docker-machine create -d virtualbox manager$N
  eval $(docker-machine env manager$N)
  docker swarm join --token $(cat manager-token.txt) $(docker-machine ip manager1)
done

# create 4 worker nodes (worker1 to worker4, nodes 4 to 7 of the swarm)
for N in $(seq 1 4); do
  docker-machine create -d virtualbox worker$N
  eval $(docker-machine env worker$N)
  docker swarm join --token $(cat worker-token.txt) $(docker-machine ip manager1)
done

# deploy two services from the first manager
eval $(docker-machine env manager1)
docker service create --name nginx -p 80:80 --replicas 20 nginx
docker service create --name nginx2 --constraint node.role==worker \
  -p 8080:80 \
  --replicas 5 nginx


Please note that it is no longer possible to connect "non"-service containers to the overlay networks, as indicated in the previous post.

A trick to test the overlay network is to spin up a service in which you install your debugging tools, or to attach a container to the network namespace of a service container, for example:


docker run -it --net=container:id_of_a_service_container xxradar/hackon


Tuesday, June 21, 2016

Getting started with Docker RC 1.12

Docker RC 1.12 is available and introduces some new features that will make things easier ... but sometimes need some explanation :-)

This set of commands will create a Swarm setup that is (according to the documentation) fully secured, using VirtualBox.
 
To create the VMs
docker-machine create -d virtualbox test112
docker-machine create -d virtualbox test112n1
docker-machine create -d virtualbox test112n2

Starting the VMs
docker-machine start test112
docker-machine start test112n1
docker-machine start test112n2

Setting up Swarm on the master node
eval $(docker-machine env test112)
docker swarm init --listen-addr $(docker-machine ip test112):2377

Setting up Swarm on worker node1 (a worker joins the existing swarm; running init here would start a second, separate swarm)
eval $(docker-machine env test112n1)
docker swarm join $(docker-machine ip test112):2377

Setting up Swarm on worker node2
eval $(docker-machine env test112n2)
docker swarm join $(docker-machine ip test112):2377

You can verify your setup
eval $(docker-machine env test112)
docker node ls


mymachine$ docker node ls
ID                           NAME       MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS
5bvk0htdkyv9ksddzsy3wgnn6    test112n2  Accepted    Ready   Active       
6dq3g4jtiak27pd56mpk06stx    test112n1  Accepted    Ready   Active       
e234397csi7wlt5dbj2ksu9qp *  test112    Accepted    Ready   Active        Leader
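The three-manager layout built by the 1.12.1 script above and the node listing shown here can both be checked for Raft quorum before services are deployed. The shell functions below are an added example, not code from the original posts: they read docker node ls output, count managers (any row whose last column is Leader, Reachable or Unreachable) and report how many manager failures the cluster tolerates. The first sample is constructed in the 1.12.1 column layout with placeholder node IDs; the second is the RC listing above. One caveat worth adding for the script: manager-token.txt and worker-token.txt are join credentials (the manager token lets a node join as a manager), so remove them once the nodes have joined, or rotate them with docker swarm join-token --rotate manager.

```shell
#!/bin/bash
# Added example (not part of the original posts): quorum check from 'docker node ls' output.
set -eu

# Managers are the rows whose last column carries a Raft status.
count_managers() {
  awk 'NR > 1 && ($NF == "Leader" || $NF == "Reachable" || $NF == "Unreachable") { n++ }
       END { print n + 0 }'
}

# Every non-empty row after the header is a node.
count_nodes() {
  awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# A Raft cluster of N managers keeps quorum while at most (N-1)/2 of them are down.
tolerated_failures() {
  echo $(( ($1 - 1) / 2 ))
}

# One-line summary for a 'docker node ls' listing passed as the first argument.
swarm_summary() {
  local managers nodes
  managers=$(printf '%s\n' "$1" | count_managers)
  nodes=$(printf '%s\n' "$1" | count_nodes)
  echo "nodes=$nodes managers=$managers tolerated_manager_failures=$(tolerated_failures "$managers")"
}

# Constructed sample in the 1.12.1 column layout (node IDs are placeholders, not from a real cluster).
SAMPLE_1121='ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
0aaaaaaaaaaaaaaaaaaaaaaaa *  manager1  Ready   Active        Leader
0bbbbbbbbbbbbbbbbbbbbbbbb    manager2  Ready   Active        Reachable
0ccccccccccccccccccccccccc    manager3  Ready   Active        Reachable
0ddddddddddddddddddddddddd    worker1   Ready   Active
0eeeeeeeeeeeeeeeeeeeeeeeee    worker2   Ready   Active'

# The RC 1.12 listing from the post above: a single manager, so no manager failure is tolerated.
SAMPLE_RC='ID                           NAME       MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS
5bvk0htdkyv9ksddzsy3wgnn6    test112n2  Accepted    Ready   Active
6dq3g4jtiak27pd56mpk06stx    test112n1  Accepted    Ready   Active
e234397csi7wlt5dbj2ksu9qp *  test112    Accepted    Ready   Active        Leader'

# Against a live cluster: swarm_summary "$(docker node ls)"
main() {
  swarm_summary "$SAMPLE_1121"
  swarm_summary "$SAMPLE_RC"
}
main
```

With three managers the summary reports one tolerated failure; with the single RC manager it reports zero, which is why the 1.12.1 script creates managers two and three before any workers.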





You can now create an overlay network
docker network create --driver=overlay my-net

And now you start the service ...
docker service create --replicas 1 --network my-net --name nginx nginx

... and now you can scale !
docker service scale nginx=5

If you plan to try out the new load-balancing feature, use the -p flag
docker service create --replicas 5 --network my-net --name nginx2 -p 8888:80 nginx


Note that in this case your services will be automatically distributed over all 3 nodes. On every node, port 8888 will be mapped to all the tasks of the service (to use the lingo :-)). By default on Mac the node addresses are 192.168.99.100, 192.168.99.101, etc.
 
Because we use an overlay network, requests that are sent to node1 on 192.168.99.100:8888, for example, can also be distributed via the container overlay to all other nodes. You can check this with docker logs containerid.

Another thing I noticed is that you cannot connect a container to a swarm scoped overlay directly.

So this will NOT work: docker run -it --net=my-net xxradar/hackon

However, you can run docker run -it xxradar/hackon and then link the container to the network with docker network connect my-net containerid.


Have fun exploring !!

 
 

Monday, June 13, 2016

Analyzing container network traffic ... using other containers !


Containers can use the network stack in a few different ways:

- none
- docker bridge (or user defined networks and overlays)
- host (shares the network stack of the docker host)
- container networks (ex. docker run --net container:id ...)

Building a container that runs good old tools like tcpdump or ngrep, or for the old-school hackers dsniff, urlsnarf, etc., would not yield much interesting information, because the container is then only attached to the default bridge network and sees little beyond its own traffic.

On the other hand, you can link your container to the host network with --net=host, or even to another container with --net=container:id. In that case you can basically sniff the traffic of the entire host, or of a specific container!


To build a container that runs dsniff is pretty simple. Take this Dockerfile:


FROM debian
RUN apt-get update && apt-get install -y dsniff
CMD dsniff -i eth0 -m


and build it like
docker build -t xxradar/dsniffcon .

You can now link the container to --net=host
docker run -it --net=host xxradar/dsniffcon 

root@host:~/dsniffcon# docker run -it --net=host xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 19:58:40 tcp 12.97.16.194.9143 -> www.foo.com.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]


or to a specific container (e.g. an nginx container)

root@host::~/dsniffcon# docker run -it --net=container:a51ba... xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 20:00:56 tcp 12.97.16.194.5288 -> a51414ba0ff9.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]
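dsniff prints the decoded Basic credentials inline, which is the point of the post: any HTTP Basic authentication that crosses the host or bridge network in cleartext is readable by whoever can attach a container with --net=host. The shell functions below are an added example, not code from the original post. They take dsniff-style HTTP output on stdin (a constructed sample modelled on the captures above, with made-up hosts and credentials), report each request that carries Basic credentials together with the user name, and redact the password so the finding can be logged or alerted on without copying the secret around. They assume GNU base64 is available.

```shell
#!/bin/bash
# Added example (not from the original post): flag HTTP Basic credentials in
# dsniff-style output without copying the password into the report.
set -eu

# Report one finding. $1 Host header value (may be empty), $2 base64 token from the Authorization header.
report_basic() {
  local cred
  cred=$(printf '%s' "$2" | base64 -d 2>/dev/null) || cred="?"
  echo "${1:-unknown-host} user=${cred%%:*} password=<redacted>"
}

# Read dsniff output on stdin. Headers are buffered per record (records are
# separated by a dashed line), so it does not matter whether Host: or
# Authorization: comes first inside a request.
find_basic_auth() {
  local line host="" b64=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      -----*)
        [ -n "$b64" ] && report_basic "$host" "$b64"
        host=""; b64="" ;;
      Host:\ *) host=${line#"Host: "} ;;
      Authorization:\ Basic\ *)
        b64=${line#"Authorization: Basic "}
        b64=${b64%% *} ;;   # dsniff appends the decoded "[user:pass]"; keep only the token
    esac
  done
  [ -n "$b64" ] && report_basic "$host" "$b64"
  return 0
}

# Constructed sample modelled on the captures in the post (hosts and credentials are made up).
SAMPLE_CAPTURE='dsniff: listening on eth0
-----------------
06/13/16 19:58:40 tcp 12.97.16.194.9143 -> www.foo.com.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]
-----------------
06/13/16 19:59:02 tcp 12.97.16.194.9150 -> www.foo.com.80 (http)
GET /status HTTP/1.1
Host: www.foo.com
-----------------
06/13/16 20:00:56 tcp 12.97.16.194.5288 -> intranet.example.80 (http)
GET /admin HTTP/1.1
Authorization: Basic YWRtaW46aHVudGVyMg==
Host: intranet.example'

# Live use: docker run --net=host xxradar/dsniffcon | find_basic_auth
printf '%s\n' "$SAMPLE_CAPTURE" | find_basic_auth
```

The sample yields two findings (www.foo.com for user test and intranet.example for user admin) and nothing for the request without an Authorization header; the third record has the headers in the opposite order to show that the per-record buffering handles it.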


 
 



 

Monday, June 6, 2016

Decoding TLS DOCKER API with WireShark @Dockersec

Open Wireshark
  --> preferences
   --> protocols
     --> ssl


Edit RSA keys list
  --> IP address: the IP address of your Docker API or Docker Swarm API
  --> Port: typically 2376, or 3376 for Swarm
  --> Protocol: http
  --> Key File: /Users/username/.docker/machine/machines/docker-host/server-key.pem
      (you might need to copy the key to an accessible location)


Start Wireshark
Capture on vboxnet5 if you are using Virtualbox

Run a docker command !!
ex. docker ps
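The RSA keys list entry that the dialog above builds has the form ip,port,protocol,keyfile, and the same entry can be handed to tshark on the command line. The function below is an added example, not from the original post: it checks that the key file is readable, is a PEM private key and is not readable by other users before printing the entry. The tshark invocation in the comment assumes the Wireshark 2.x preference name ssl.keys_list (Wireshark 3 renamed it to tls.keys_list) and the vboxnet5 interface from the post. One caveat: the server private key only decrypts sessions negotiated with RSA key exchange; with forward-secret ECDHE suites this method shows nothing and a key-log file from the client side is needed instead.

```shell
#!/bin/bash
# Added example (not from the original post): build and sanity-check a Wireshark
# RSA keys list entry for the Docker TLS API.
set -eu

# Print "ip,port,http,keyfile" for the RSA keys list, after checking the key file.
#   $1 IP address of the Docker (or Swarm) API, $2 port (2376 / 3376), $3 path to server-key.pem
tls_keys_entry() {
  local ip=$1 port=$2 keyfile=$3 mode
  [ -r "$keyfile" ] || { echo "key file not readable: $keyfile" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$keyfile" \
    || { echo "not a PEM private key: $keyfile" >&2; return 1; }
  # A copied private key must stay private: warn when it is readable by others.
  mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile" 2>/dev/null || echo unknown)
  case "$mode" in
    600|400) ;;
    *) echo "warning: $keyfile has mode $mode, expected 0600" >&2 ;;
  esac
  printf '%s,%s,http,%s\n' "$ip" "$port" "$keyfile"
}

# Usage (paths and interface are assumptions, adjust to your setup):
#   entry=$(tls_keys_entry 192.168.99.100 2376 ~/.docker/machine/machines/docker-host/server-key.pem)
#   tshark -i vboxnet5 -o "ssl.keys_list:$entry" -Y http   # Wireshark 2.x; use tls.keys_list on 3.x
```

Decrypted Docker API calls show up as plain HTTP requests (GET /containers/json for docker ps, for example), so the http display filter is enough to follow them once the key is in place.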