Docker (software)

from Wikipedia, the free encyclopedia

Basic data

Developer: Docker, Inc.
Current version: 19.03.12 (June 25, 2020)
Operating system: Linux, Microsoft Windows, macOS
Programming language: Go
Category: Virtualization
License: Apache License, version 2.0; proprietary license
Website: www.docker.com

Docker is free software for isolating applications by means of container virtualization.

Docker simplifies the deployment of applications because containers that contain all the necessary packages can easily be transported and installed as files. Containers ensure the separation and management of the resources used on a computer. According to the developers, this includes code, runtime, system tools and system libraries: everything that can be installed on a computer.

Basics

Docker can use various interfaces to access the virtualization functions of the Linux kernel.

Docker is based on Linux kernel techniques such as cgroups and namespaces to create containers. While the LXC interface of the Linux kernel was used initially, the Docker developers have since developed their own programming interface, libcontainer, which is also available to other projects. Docker uses the AuFS overlay file system as its storage backend, but from version 0.8 the software also supports btrfs.

In principle, Docker is geared towards virtualization with Linux. Docker can also be used on Windows via Hyper-V (the default) or VirtualBox, and on macOS via HyperKit or VirtualBox. Since the separation of resources with Docker-based techniques such as namespaces and cgroups alone is not completely secure, Red Hat has implemented support for the security-relevant kernel extension SELinux, which additionally secures the containers at the level of the host system.

Terms

Image
A snapshot of a container. The image itself consists of several layers that are write-protected and therefore cannot be changed. An image is portable, can be stored in repositories and shared with other users. Several containers can always be started from a single image.
Container
The running instance of an image is called a container; the container is therefore currently executing and doing work. As soon as the container is no longer running a program or has finished its job, it is automatically terminated.
Layer
A layer is part of an image and contains a command or a file that was added to the image. The entire history of an image can be traced through its layers.
Dockerfile
A text file that describes an image using various commands. These are processed during the build, and a single layer is created for each command.
Repository
A repository is a set of images with the same name but different tags, usually versions.
Registry
A registry, such as Docker Hub or Artifactory, is used to manage repositories.
libcontainer
An interface to the basic functions of Docker.
libswarm
An interface for controlling Docker containers.
libchan
Enables lightweight communication between parts of a process and between processes.

History

Docker was released by dotCloud in March 2013. The initial commit in the Git repository, however, dates from January 19, 2013 and comprised 1146 lines of code.

On October 29, 2013, dotCloud announced that it would rename itself Docker Inc. At the beginning of August 2014, Docker then sold its platform-as-a-service business dotCloud to the Berlin company cloudControl.

In the course of 2014, Docker gained so much attention and popularity that it became part of Red Hat Enterprise Linux 7.0. It was also added to openSUSE's software offering. In July 2014, Microsoft, Red Hat, IBM, Docker, Mesosphere, CoreOS and SaltStack joined the Kubernetes project initiated by Google. The aim of the cooperation was to be able to provide Docker containers in all private, public and hybrid cloud environments with Kubernetes. Starting with version 1.0, Docker uses the two official port numbers assigned by the IANA: 2375 for HTTP and 2376 for HTTPS communication.

In January 2014 the company behind Docker received a total of 15 million US dollars in investment from several investors. In April 2015, investments totaling 95 million US dollars followed. In total, the investments in the company, originally founded under the name dotCloud, amount to a good 120 million US dollars.

Red Hat Enterprise Linux 8, released in 2019, no longer includes Docker, because Red Hat and other distributors such as SUSE decided to replace Docker with Podman due to problems with Docker Inc.

Docker Enterprise was sold to Mirantis in 2019 for around 35 million US dollars. Mirantis subsequently announced that support for Docker Swarm would be discontinued after two years.

Features

In addition to the basic functionality of creating containers with virtual operating systems, Docker offers further tools that simplify working with containers.

Docker Hub

Docker Hub is an online service that contains a registry for Docker images and repositories. The registry is divided into a public and a private part. In the public part, every user can upload their own images and thus make them available to other users. In addition, there are now official images, e.g. from Linux distributors. In the private part of Docker Hub, users can upload their Docker images and thus easily distribute them, e.g. in-house, without their being publicly discoverable.

The registry software was published by Docker Inc. as open source software, so that its advantages can now be used without having to upload one's own images to Docker's servers.

Using APIs provided by Docker, images can also be built automatically from a GitHub or Bitbucket repository.

Abuse of Docker images

In the summer of 2018 it became known that unknown actors had succeeded in placing a back door in Docker images that allowed them to mine the cryptocurrency Monero. The 17 infected packages had all been uploaded by the user docker123321 and were downloaded a total of 5 million times. In total, Monero worth 58,000 euros was mined on users' systems.

The first reports of infected images date from July 2017, but there was no reaction from Docker Hub, and the images were only removed when the security company Kromtech published a report.

In the summer of 2020, another case became known in which unknown actors uploaded infected packages. These were downloaded 2 million times, and Monero worth about 36,000 US dollars was mined.

Data leak

As announced on April 27, 2019, unknown actors are said to have had access to an internal Docker Hub database containing confidential information. Around 190,000 accounts were affected. In addition to usernames and hashed passwords, the affected data also included GitHub and Bitbucket tokens for autobuilds, which were revoked for the affected users.

Version management

Docker offers built-in version management. This allows the current state of a container to be saved as an image, uploaded to Docker Hub, the differences between the current state of the container and the original image to be displayed, and the very rough history of an image to be shown. An image itself is broken down into layers. Each layer describes a difference to the previous layer and shows which programs or data were added to or removed from the image. The individual layers are write-protected and cannot be manipulated. The container itself writes to a writable layer, which allows several containers to be based on one image and to differ only in their writable layer.

Even though the syntax of this version management is modeled on Git and is often compared with it, it differs greatly from its model.

Security aspects

Docker containers are created by a daemon, which in the past had to run with root privileges but which, from version 19.03, can also run unprivileged under certain circumstances. If the daemon runs with root rights, a dedicated user group is often used to allow unprivileged users to create new Docker containers. A possible pitfall is that all unprivileged users who are members of such a group indirectly have full root rights on the host system.

In contrast to a virtual machine, the container and the host share a common operating system kernel. On the one hand this significantly improves performance, but on the other hand it also increases the risk that a successful attack against the kernel will also compromise the host.

If configured correctly, even root rights inside a Docker container are not sufficient to attack the host. In particular, a new user namespace should be created and the root user of the container mapped to an unprivileged user on the host.
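As an added illustration of the three pitfalls described in this section (membership in the daemon's user group, the plaintext API port 2375, and missing user-namespace remapping), the following Python script audits a constructed daemon.json and /etc/group excerpt. It is not part of the original article or of Docker's own tooling; the daemon.json keys userns-remap, hosts and tlsverify are Docker's documented settings, while the group name docker and all sample values are assumptions.

```python
import json
from urllib.parse import urlsplit

DOCKER_GROUP = "docker"          # group name assumed; the article does not name it
PLAINTEXT_API_PORT = 2375        # IANA-assigned port for the unencrypted HTTP API

# Constructed sample inputs (hypothetical, not taken from any real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "userns-remap": "default",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"
}"""
SAMPLE_ETC_GROUP = "root:x:0:\ndocker:x:999:alice,bob\nusers:x:100:\n"


def docker_group_members(etc_group: str) -> list[str]:
    """Users listed as supplementary members of the docker group in /etc/group
    (primary-group membership via /etc/passwd is not covered here)."""
    for line in etc_group.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == DOCKER_GROUP:
            return [u for u in fields[3].split(",") if u]
    return []


def audit_daemon(daemon_json: str, etc_group: str) -> list[str]:
    """Return a list of findings; an empty list means none of the pitfalls was found."""
    cfg = json.loads(daemon_json)
    findings = []
    # 1. Without user-namespace remapping, root inside a container is root on the host.
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: container root maps to host root")
    # 2. A TCP API listener on 2375, or any TCP listener without tlsverify,
    #    lets whoever reaches the socket drive the (root) daemon.
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://"):
            port = urlsplit(host).port
            if port == PLAINTEXT_API_PORT or not cfg.get("tlsverify"):
                findings.append(f"API listener {host} without TLS client verification")
    # 3. Every member of the docker group can start containers through the
    #    root daemon and therefore has indirect root on the host.
    for user in docker_group_members(etc_group):
        findings.append(f"user {user} in group '{DOCKER_GROUP}': indirect root on the host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon(cfg, SAMPLE_ETC_GROUP) or ["no findings"])
```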
