
Running docker bench with Docker daemon listen on a specific IP and port #447

Closed
ppratheesh opened this issue Oct 21, 2020 · 4 comments

Comments

@ppratheesh

I have changed the default socket "unix:///var/run/docker.sock", which makes Docker listen on a TCP port and IP address. Here is my daemon.json

{
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/tmp/cer/ca.pem",
  "tlscert": "/tmp/cer/server-cert.pem",
  "tlskey": "/tmp/cer/server-key.pem",
  "hosts": ["tcp://127.0.0.1:2376"]
}

But after this I am not able to run docker bench. I am using the following method

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /lib/systemd/system:/lib/systemd/system:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security

I am guessing docker bench requires /var/run/docker.sock to be mounted into the container. Since my Docker daemon listens on a TCP port and IP address, how can I run docker bench in this setup?

@konstruktoid
Collaborator

Hi @ppratheesh, currently you can't. docker-bench-security requires access to the Docker socket in order to get all the required information.
You can however use both TCP and the socket to get your situation to work.

@ppratheesh
Author

ppratheesh commented Oct 21, 2020

Hi @konstruktoid, but adding the socket would override tlsverify, which points Docker's tlscacert flag to a trusted CA certificate. After running docker bench I am getting the warning [WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
My current daemon.json

{
  "no-new-privileges": true,
  "userland-proxy": false,
  "live-restore": true,
  "log-level" : "info",
  "icc" : false,
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/tmp/cer/ca.pem",
  "tlscert": "/tmp/cer/server-cert.pem",
  "tlskey": "/tmp/cer/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock","tcp://127.0.0.1:2376"],
  "userns-remap": "appz"
}

So the only way to fix warning 2.11 is to use a Docker authorization plugin.

@konstruktoid
Collaborator

What do you mean it overrides the tlsverify flag? It should just allow connections on both port :2376 and the socket (which should only be available locally). After running docker-bench, you can remove the socket setting.

Yes, 2.11 requires authorization plugins.

Also note that if you're running the official Docker image, it is out-of-date (#405) and you should try running the script or build your own image.
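The two replies above say the same thing: the tls/tlsverify options in daemon.json only govern the tcp:// listener, and listing the unix socket next to it neither removes nor weakens the client-certificate requirement on port 2376. The script below is an added example written for this page, not docker-bench-security's own check; it parses a daemon.json, classifies each listener the way dockerd treats it, and raises the findings a reviewer would raise (plaintext or server-only TLS on TCP, a non-loopback bind, tlsverify without all three certificate paths). The three configuration strings are constructed samples, one of them copied from the thread.

```python
import json
from urllib.parse import urlsplit

# Hypothetical helper for this page, not part of docker-bench-security.
# dockerd applies tls/tlsverify only to tcp:// listeners; the unix socket is
# protected by its owner and mode on the filesystem, so adding it alongside
# a tlsverify TCP listener leaves the TCP side's client-cert check intact.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TLS_FILES = ("tlscacert", "tlscert", "tlskey")

# Constructed sample configs (the first is the thread's final daemon.json).
THREAD_CONFIG = """{
  "no-new-privileges": true, "userland-proxy": false, "live-restore": true,
  "log-level": "info", "icc": false,
  "tls": true, "tlsverify": true,
  "tlscacert": "/tmp/cer/ca.pem", "tlscert": "/tmp/cer/server-cert.pem",
  "tlskey": "/tmp/cer/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "userns-remap": "appz"
}"""
OPEN_CONFIG = '{"hosts": ["tcp://0.0.0.0:2375"]}'
MISSING_KEY_CONFIG = """{
  "tls": true, "tlsverify": true,
  "tlscacert": "/tmp/cer/ca.pem", "tlscert": "/tmp/cer/server-cert.pem",
  "hosts": ["tcp://127.0.0.1:2376"]
}"""


def classify_listeners(config_text):
    """Return {listener: kind} for every entry in "hosts"."""
    cfg = json.loads(config_text)
    # dockerd listens on the unix socket when "hosts" is not set at all
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))
    kinds = {}
    for host in hosts:
        scheme = urlsplit(host).scheme
        if scheme == "unix":
            kinds[host] = "unix-socket"         # no TLS; file permissions gate access
        elif scheme == "fd":
            kinds[host] = "socket-activated"    # systemd passes an already-open fd
        elif scheme == "tcp":
            if tlsverify:
                kinds[host] = "tcp-mutual-tls"  # server cert and client cert required
            elif tls:
                kinds[host] = "tcp-server-tls"  # encrypted, but any client is accepted
            else:
                kinds[host] = "tcp-plaintext"   # unauthenticated, root-equivalent API
        else:
            kinds[host] = "unknown"
    return kinds


def audit(config_text):
    """Return the list of findings a reviewer would raise for this daemon.json."""
    cfg = json.loads(config_text)
    findings = []
    for host, kind in classify_listeners(config_text).items():
        if kind in ("tcp-plaintext", "tcp-server-tls"):
            findings.append(f"{host}: {kind}; clients are not authenticated, "
                            "set tlsverify and point tlscacert at your CA")
        if kind.startswith("tcp") and urlsplit(host).hostname not in LOOPBACK:
            findings.append(f"{host}: bound to a non-loopback address, "
                            "reachable from the network")
        if kind == "unknown":
            findings.append(f"{host}: unrecognised listener scheme")
    if cfg.get("tlsverify"):
        missing = [key for key in TLS_FILES if not cfg.get(key)]
        if missing:
            findings.append("tlsverify is set but " + ", ".join(missing) +
                            " not given; dockerd falls back to its default "
                            "~/.docker/*.pem paths")
    return findings


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("open", OPEN_CONFIG),
                       ("missing-key", MISSING_KEY_CONFIG)):
        print(name, classify_listeners(text), audit(text))
```

On the thread's config the audit is clean and the two listeners classify as `unix-socket` and `tcp-mutual-tls`, which is the point konstruktoid makes. One caveat outside this script: if the systemd unit already passes `-H` to dockerd, also setting `hosts` in daemon.json makes the daemon refuse to start with a "hosts" conflict, so put the listeners in one place only.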

@konstruktoid
Collaborator

Closing due to inactivity.
