
Docker for Security: Why & How

Let's say you want to run an application on your machine - say, an Apache Web Server. You install it locally, configure it as you like and run it - you now have a running web server where you can host your website(s). But there are two major risks with this approach:

  1. If you want to ship your application to another machine - like a cloud instance, you'd have to worry about the dependencies and getting the application to behave the same way as it did on your computer.

  2. If your web server somehow gets compromised by an attacker, they would be able to get access to your host machine as well, because a local installation of your web server has no isolation.

Docker fixes these two major risks!


Docker is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers.

With Docker, you can bundle and ship apps that will run in isolated containers that share your Operating System's kernel.

  • Since you are bundling the app with all the necessary configuration already made, when the app is shipped and run on a different machine with Docker, it will work the same way that it did.

  • Since all the containers spawned with Docker are isolated, one container (or app) cannot affect the other containers or the host operating system. So, even if one of the apps is compromised, the attacker would not be able to escape the container and exploit the host machine, provided the container is not started with options that weaken that isolation (privileged mode, for example). The isolation is achieved through Linux namespaces.



Creating a Docker image

Creating a Docker image is easy. You can find thousands of pre-built images on Docker Hub. These include both the official Docker images and the ones posted by users. You can pull any of these images to your Docker engine by using the pull command like this:

docker pull python # pulls the python image from Docker Hub

Or, you could create your own custom Docker image from the available base images.

For example, let me create an image of the Apache HTTP Server version 2.4.49 with my custom configuration.


First, I will create a "Dockerfile" that defines how to build my image.

FROM httpd:2.4.49
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf

The first line defines the base image for my custom image, which is httpd (The Apache HTTP Server Project). I also specify the version that I want to use after the colon (:), so this exact version will be pulled from Docker Hub and used as the base for my image.

In the next line, I copy my custom configuration to my image.


Now, I simply build my image using the docker build command.

docker build -t apache_server .

This will create a new Docker image named "apache_server".


The last step is to actually run a container of this image. A container is the running instance of an image. We can do this by using the docker run command.

docker run -dit -p 8080:80 apache_server

I am also mapping port 8080 on my host machine to port 80 inside the container so that I can access the web server that is running in the container by going to http://localhost:8080

Awesome! We have now deployed a containerized application with Docker.

Unfortunately, the version of the Apache web server (2.4.49) running in the container is vulnerable to Path Traversal and RCE. But there is nothing to worry about! Since the app is running in a container, it is isolated from the host machine, so the attacker will not be able to escape the container and exploit the host machine itself. That's the beauty of containerization!
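How well that isolation holds depends on how the container was started, so it is worth checking rather than assuming. The following Python check is an added example, not part of the original post: it reads `docker inspect` output (the two entries embedded here are constructed samples and the container names are hypothetical) and separates settings that weaken the isolation from hardening options left unset.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/apache_default", "Config": {"User": ""}, "Mounts": [],
  "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge",
   "CapAdd": null, "CapDrop": null, "SecurityOpt": null, "ReadonlyRootfs": false,
   "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
 {"Name": "/apache_risky", "Config": {"User": ""},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}],
  "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "host",
   "CapAdd": ["SYS_ADMIN"], "CapDrop": null, "SecurityOpt": null,
   "ReadonlyRootfs": false, "PortBindings": {}}}
]""")

def audit(container):
    """Return (weakens, gaps) for one entry of `docker inspect` output."""
    hc = container.get("HostConfig") or {}
    weakens, gaps = [], []
    # Settings that hand host resources back to the container.
    if hc.get("Privileged"):
        weakens.append("privileged mode")
    if hc.get("PidMode") == "host":
        weakens.append("shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        weakens.append("shares host network namespace")
    if hc.get("CapAdd"):
        weakens.append("extra capabilities: " + ",".join(hc["CapAdd"]))
    for mount in container.get("Mounts") or []:
        if mount.get("Source", "").endswith("docker.sock"):
            weakens.append("Docker socket mounted")
    # Hardening options that the default `docker run` leaves unset.
    if "ALL" not in (hc.get("CapDrop") or []):
        gaps.append("default capabilities kept")
    if not any(o.startswith("no-new-privileges") for o in (hc.get("SecurityOpt") or [])):
        gaps.append("no-new-privileges not set")
    if not hc.get("ReadonlyRootfs"):
        gaps.append("root filesystem writable")
    for binds in (hc.get("PortBindings") or {}).values():
        if any(b.get("HostIp") in ("", "0.0.0.0", "::") for b in (binds or [])):
            gaps.append("port published on all host interfaces")
    return weakens, gaps

if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        weakens, gaps = audit(c)
        print(c["Name"], "| weakens isolation:", weakens, "| hardening gaps:", gaps)
```

The first sample mirrors the `docker run -dit -p 8080:80 apache_server` command used above: nothing weakens the isolation, but the port is published on every host interface and no hardening options are set.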



Stream Docker Apps from a Browser!

What if you could deploy your apps as containers at the click of a button and stream them directly from your web browser? This is where Kasm Workspaces comes in.


Kasm is a workspace streaming platform that allows you to deploy containerized applications and stream them directly from your web browser!

The community version of Kasm Workspaces is free to use, so you can set it up on your Linux machine in four simple commands and make your life a lot easier while dealing with containers. You can install Kasm either locally or in the cloud. By installing it in the cloud, you can access your apps from anywhere and from any device by just using a web browser.


You can install Kasm by executing the following four commands:

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh

Once installed, the randomly generated credentials will be displayed on the terminal. Copy and save them somewhere safe. Now, you can go to https://<YOUR_IP_ADDRESS> and log in with your credentials.


Inside your dashboard, you can go to "Workspaces" and click "Add from registry", which will display a list of apps that are ready to be deployed to Kasm. You can install any of them by clicking on install. Alternatively, you can create your own custom image and import it to Kasm.



Once installed, you can launch new sessions of this app.


And now, you will be able to use that app from your browser!


It is that easy to deploy Docker apps with Kasm Workspaces and stream them from your web browser!
