Tuesday, June 21, 2016

Getting started with Docker RC 1.12

Docker 1.12 RC is available and introduces some new features that make things easier ... but sometimes need some explanation :-)

This set of commands will create a Swarm setup that is (according to the documentation) fully secured, using VirtualBox.
 
To create the VMs
docker-machine create -d virtualbox test112
docker-machine create -d virtualbox test112n1
docker-machine create -d virtualbox test112n2

Starting the VMs
docker-machine start test112
docker-machine start test112n1
docker-machine start test112n2


Setting up Swarm on the master node
eval $(docker-machine env test112)
docker swarm init --listen-addr $(docker-machine ip test112):2377


Setting up Swarm on worker node1 (a worker joins the manager; it does not run init again)
eval $(docker-machine env test112n1)
docker swarm join --listen-addr $(docker-machine ip test112n1):2377 $(docker-machine ip test112):2377


Setting up Swarm on worker node2
eval $(docker-machine env test112n2)
docker swarm join --listen-addr $(docker-machine ip test112n2):2377 $(docker-machine ip test112):2377

You can verify your setup from the manager:
eval $(docker-machine env test112)
docker node ls


mymachine$ docker node ls
ID                           NAME       MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS
5bvk0htdkyv9ksddzsy3wgnn6    test112n2  Accepted    Ready   Active       
6dq3g4jtiak27pd56mpk06stx    test112n1  Accepted    Ready   Active       
e234397csi7wlt5dbj2ksu9qp *  test112    Accepted    Ready   Active        Leader
You can now create an overlay network
docker network create --driver=overlay my-net


And now you start the service ...
docker service create --replicas 1 --network  my-net --name nginx nginx
 
... and now you can scale !
docker service scale nginx=5

If you want to try out the new load-balancing feature, use the -p flag (the service name belongs directly after --name):
docker service create --replicas 5 --network my-net --name nginx2 -p 8888:80 nginx


Note that in this case the tasks of your service will be automatically distributed over all 3 nodes. On every node, port 8888 is mapped to all the tasks of the service (to use the lingo :-)). (By default on Mac the node IPs are 192.168.99.100, 192.168.99.101, etc.)
 
Because we use an overlay network, requests that are sent to node1 on 192.168.99.100:8888, for example, can also be distributed via the container overlay to all other nodes. You can check this with docker logs containerid.

Another thing I noticed is that you cannot connect a container to a swarm-scoped overlay network directly.

So this will NOT work: docker run -it --net=my-net xxradar/hackon

You can, however, run docker run -it xxradar/hackon and then attach the container to the network with docker network connect my-net containerid


Have fun exploring !!

Monday, June 13, 2016

Analyzing container network traffic ... using other containers !


Containers can use the network stack in a few different ways:

- none
- docker bridge (or user defined networks and overlays)
- host (shares the network stack of the docker host)
- container networks (ex. docker run --net container:id ...)

Building a container that runs good old tools like tcpdump or ngrep, or, for the old-school hackers, dsniff, urlsnarf, etc., would not yield much interesting information as long as you attach the container to the default bridge network: there it only sees its own traffic.

On the other hand, you can attach your container to the host network with --net=host, or to another container's network namespace with --net=container:id. In that case you can sniff the traffic of the entire host, or of a specific container !


Building a container that runs dsniff is pretty simple. Take this Dockerfile:


FROM debian
# dsniff is packaged in Debian
RUN apt-get update && apt-get install -y dsniff
# -i eth0: listen on eth0 of whatever network namespace the container is attached to
# -m: enable automatic protocol detection
CMD dsniff -i eth0 -m


and build it like
docker build -t xxradar/dsniffcon .

You can now attach the container to the host network with --net=host
docker run -it --net=host xxradar/dsniffcon 

root@host:~/dsniffcon# docker run -it --net=host xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 19:58:40 tcp 12.97.16.194.9143 -> www.foo.com.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw] 


or to a specific container (ex. an nginx container)

root@host:~/dsniffcon# docker run -it --net=container:a51ba... xxradar/dsniffcon
dsniff: listening on eth0
-----------------
06/13/16 20:00:56 tcp 12.97.16.194.5288 -> a51414ba0ff9.80 (http)
GET / HTTP/1.1
Host: www.foo.com
Authorization: Basic dGVzdDp0ZXN0cHc= [test:testpw]
Monday, June 6, 2016

Decoding the TLS Docker API with Wireshark @Dockersec

Open Wireshark
  --> Preferences
   --> Protocols
     --> SSL


Edit the RSA keys list
  --> IP address: the IP address of your Docker API or Docker Swarm API host
  --> Port: typically 2376, or 3376 for Swarm
  --> Protocol: http
  --> Key File: /Users/username/.docker/machine/machines/docker-host/server-key.pem
      (you might need to copy the key to an accessible location)


Start Wireshark
Capture on vboxnet5 if you are using VirtualBox

Run a docker command !!
ex. docker ps
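One check worth doing before blaming the key file: Wireshark's RSA keys list can only decrypt sessions whose cipher suite uses RSA key exchange; with (EC)DHE suites the session keys come from an ephemeral exchange and the static server-key.pem does not help. The script below is an added example, not part of the original post; it parses a TLS ServerHello record from a capture and reports whether static-key decryption can work (the record it builds for demonstration is constructed, not a real Docker API capture).

```python
import struct

# Subset of IANA cipher suite IDs; names are the registry names (constructed lookup table).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version, suite id and name."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:       # 0x02 = ServerHello message type
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]                                  # after 2 version + 32 random bytes
    pos = 35 + sid_len                                # cipher suite follows the session id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "suite": suite,
            "suite_name": CIPHER_SUITES.get(suite, "unknown(0x%04x)" % suite)}

def rsa_key_can_decrypt(record: bytes) -> bool:
    """True only for RSA key exchange suites (TLS_RSA_*): the static server key suffices."""
    return parse_server_hello(record)["suite_name"].startswith("TLS_RSA_")

def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record (test input, not a real capture)."""
    hs = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):
        rec = build_server_hello(suite)
        print(CIPHER_SUITES[suite], "decryptable with server-key.pem:", rsa_key_can_decrypt(rec))
```

To run it against a real capture, export the ServerHello record bytes from Wireshark and pass them to parse_server_hello; if the suite is not TLS_RSA_*, a pre-master secret log is the way to decrypt instead of the RSA keys list.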