
Issues running the benchmark #416

Closed
klo147 opened this issue Feb 25, 2020 · 4 comments

Comments


klo147 commented Feb 25, 2020

Hi,

I am quite new to docker and would like to use this to test for security.

Noob question. How to use this docker image?

I built a docker container and ran it, then SSH into the running image and executed the commands here to run it. Git pull => build => run and I got this error.

docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused "rootfs_linux.go:58: mounting \"/var/lib/docker/containers/3eb4fa3b173ade01acf5c9aa63f36335788710adf8339ec29227ab5d70f6f66a/hostname\" to rootfs \"/var/lib/docker/overlay2/7e45a960bbcd7c7bf4ba72d8256c3da92cb6c411ae4411645b55a2552d5937e4/merged\" at \"/var/lib/docker/overlay2/7e45a960bbcd7c7bf4ba72d8256c3da92cb6c411ae4411645b55a2552d5937e4/merged/etc/hostname\" caused \"open /var/lib/docker/overlay2/7e45a960bbcd7c7bf4ba72d8256c3da92cb6c411ae4411645b55a2552d5937e4/merged/etc/hostname: read-only file system\""": unknown.

Dockerfile:
FROM alpine:3.8

RUN apk add --no-cache R R-dev R-doc curl libressl-dev curl-dev libxml2-dev gcc g++ git coreutils bash docker openrc

RUN rc-update add docker boot

ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . ./

RUN R -q -e "install.packages(c('plumber'), repos = 'https://cran.r-project.org/')" && \
    rm -rf /tmp/*

ENTRYPOINT ["R", "-e", "pr <- plumber::plumb(commandArgs()[4]); pr$run(host='0.0.0.0', port=8080);"]
CMD ["./app.R"]

Any help is appreciated.

@konstruktoid
Collaborator

Hi @klo147, you don't have to ssh into the container, you just need to run it on the host you're testing.
Or git clone the project and run the shell file.

I suggest the latter since the docker image, unless you build it yourself, is outdated (#405).

Shell code example:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Docker run example:

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security
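
As an added example (not the project's own code), a small POSIX sh wrapper around the docker run command above: it bind-mounts only those listed host paths that actually exist on the machine and summarises the bench output by result status. The `[PASS]`/`[WARN]`/`[INFO]`/`[NOTE]` output line format and the sample output are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the docker-bench-security project: wraps the
# "docker run" invocation from the answer so that read-only bind mounts are only
# added for host paths that exist (with -v, Docker creates a missing source as an
# empty directory on the host), then summarises the bench output by status.
# The "[PASS]/[WARN]/[INFO]/[NOTE]" line format is an assumption made here.

# Host paths the answer mounts read-only into the bench container.
BENCH_RO_PATHS="/etc /usr/bin/docker-containerd /usr/bin/docker-runc /usr/lib/systemd /var/lib /var/run/docker.sock"

# Print one "-v path:path:ro" flag per argument that exists on this host.
bench_mount_flags() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf -- '-v %s:%s:ro\n' "$p" "$p"
        fi
    done
}

# Run the bench with the same host namespaces and capability as the answer
# (--rm added so the finished container is removed afterwards).
run_bench() {
    # shellcheck disable=SC2046,SC2086  # splitting the generated flags is intended
    docker run --rm -it --net host --pid host --userns host --cap-add audit_control \
        -e DOCKER_CONTENT_TRUST="$DOCKER_CONTENT_TRUST" \
        $(bench_mount_flags $BENCH_RO_PATHS) \
        --label docker_bench_security \
        docker/docker-bench-security
}

# Read bench output on stdin and print sorted "STATUS=count" lines.
bench_summary() {
    awk '/^\[(PASS|WARN|INFO|NOTE)\] / { s = substr($1, 2, length($1) - 2); n[s]++ }
         END { for (s in n) printf "%s=%d\n", s, n[s] }' | sort
}

# Number of [WARN] results on stdin; useful for gating a CI job.
warn_count() {
    grep -c '^\[WARN\] ' || true
}

# Constructed sample output (not real bench results) for trying the helpers.
SAMPLE_OUTPUT='[INFO] 1 - Host Configuration
[WARN] 1.1 - constructed failing check
[PASS] 1.2 - constructed passing check
[WARN] 2.1 - constructed failing check
[NOTE] 2.2 - constructed informational check'

# Summarise the constructed sample: prints INFO=1 NOTE=1 PASS=1 WARN=2.
printf '%s\n' "$SAMPLE_OUTPUT" | bench_summary
```

Replace the final line with `run_bench | tee bench.log` and `warn_count < bench.log` to summarise a real run.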

@kennylo921

Thanks for the help.

I got it to run locally.

Another question. Anyone know how to run it against a container running in Google App Engine?

I believe the bench will also test the daemon and host configs so will I be able to test GAE's daemon and host config?

@konstruktoid
Collaborator

You're welcome.
If you're able to upload and run the container in GAE I believe it will (try) to scan and test the daemon and host as well, depending on the privileges.

@konstruktoid
Collaborator

Closing due to inactivity.
