What To Inspect When You Are Inspecting!

Docker containers have become so ubiquitous sometimes respected security professionals tweet ridiculous  things like:

…but it is 2016 and you should never run code on your machine if you don’t know what it does.  These are mini-virtual machines and not magically secure little shipping containers*.  At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.

Pull the container first:
docker pull jgamblin/tiny-tor 

Screen Shot 2016-06-08 at 5.23.35 PM

Use  Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor 

Screen Shot 2016-06-08 at 5.24.15 PMYou will want to carefully read through that output and take time to look at these fields:

  • Image The image this container is running.
  • NetworkSettings The network settings for the container,
  • LogPath The system path to this container’s log file.
  • Name The user defined name for the container.
  • Volumes Defines the volume mapping between the host system and the container.
  • HostConfig Key configurations for how the container will interact with the host system. These could take CPU and memory limits, networking values, or device driver paths.
  • Config The runtime configuration options set when the docker run command was executed.

 

Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor

Screen Shot 2016-06-08 at 7.45.48 PM
Protip:  CenturylinkLabs released a tool to create a Dockerfile from a container.

Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh

Screen Shot 2016-06-09 at 6.07.31 AM

After you have done the following steps and feel comfortable you can then:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor

Screen Shot 2016-06-08 at 7.55.42 PM
If you do these basic things you can feel a little better about what you are running on your system.
* What a magically secure little shipping container might look like:
10-foot-side-view

Site Footer