Skip to content

Latest commit

 

History

History
76 lines (62 loc) · 5.93 KB

mitigations.md

File metadata and controls

76 lines (62 loc) · 5.93 KB

Mitigation Strategies Analysis for marcelbirkner/docker-ci-tool-stack

Mitigation Strategy: Utilize sysbox Runtime

Description:

  1. Install sysbox: Follow the official sysbox installation instructions (https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install.md) for your specific host operating system. This typically involves installing a package and configuring the Docker daemon to use sysbox as a runtime.
  2. Configure Docker Daemon: Modify the Docker daemon configuration (usually /etc/docker/daemon.json) to include sysbox as a runtime. An example configuration snippet: 
    {
  "runtimes": {
    "sysbox-runc": {
      "path": "/usr/local/sbin/sysbox-runc"
    }
  }
}
  3. Update CI Configuration: In your CI configuration (e.g., docker-compose.yml if using Docker Compose, or your CI platform's configuration), specify the sysbox-runc runtime for the containers that need to run Docker inside. This is the crucial step that directly addresses the docker-ci-tool-stack's core functionality. Example (Docker Compose): 
    services:
  my-ci-service:  # This is the service that uses docker-ci-tool-stack
    image: my-ci-image
    runtime: sysbox-runc
    # ... other configurations ...
  4. Test: Thoroughly test your CI pipeline with sysbox to ensure compatibility and that all required functionality (specifically, the ability to build and run Docker images within the CI container) works as expected.

Threats Mitigated:

  • Privileged Container Escape (Critical): Directly addresses the primary risk of docker-ci-tool-stack – the potential for a compromised container to escape and gain root access to the host system via the Docker daemon. DinD without sysbox makes this a very high-risk scenario.
  • Host Resource Abuse (High): Reduces the risk of a compromised container directly manipulating host resources due to the enhanced isolation provided by sysbox. This is a direct consequence of the privileged access inherent in standard DinD.
  • Docker Daemon Compromise (Critical): Eliminates the direct exposure of the host's Docker daemon to the CI containers, preventing attackers from controlling other containers or the host itself. This is the core vulnerability of using docker-ci-tool-stack without sysbox.

Impact:

  • Privileged Container Escape: Risk reduced from Critical to Low.
  • Host Resource Abuse: Risk reduced from High to Medium.
  • Docker Daemon Compromise: Risk reduced from Critical to Low.

Currently Implemented: [PLACEHOLDER: Specify where this is implemented. Examples:]

  • "Implemented in the development branch, docker-compose.yml file, for all CI services that use docker-ci-tool-stack."
  • "Partially implemented; sysbox is installed, but not yet configured in the CI pipeline for the services using docker-ci-tool-stack."
  • "Not implemented."

Missing Implementation: [PLACEHOLDER: Specify where this is missing. Examples:]

  • "Missing implementation in the production environment. Needs to be rolled out after testing in staging."
  • "Missing configuration in the Jenkinsfile for some specific jobs that utilize docker-ci-tool-stack."
  • "Fully implemented."

Mitigation Strategy: Restrict Docker Daemon Access (if DinD is unavoidable)

Description:

  1. TLS Authentication: Configure the Docker daemon to require TLS authentication. This involves generating server and client certificates.
  2. Client Certificates: Create client certificates specifically for the CI container that needs to access the Docker daemon.
  3. Docker Daemon Configuration: Modify the Docker daemon configuration (/etc/docker/daemon.json) to enable TLS and specify the paths to the server certificate, key, and CA certificate.
  4. CI Container Configuration: Configure the CI container to use the client certificate and key when connecting to the Docker daemon. This typically involves setting environment variables like DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH.
  5. Dedicated Docker Daemon (Optional): Consider running a separate, isolated Docker daemon specifically for CI, distinct from any production Docker daemons. This further limits the impact of a compromise. This daemon should still use TLS.
  6. Network Isolation: Ensure this dedicated Docker daemon (or the main daemon if a dedicated one isn't used) is only accessible from the CI network.

This mitigation is only relevant if sysbox is not used. If sysbox is used, this mitigation is unnecessary and redundant.

Threats Mitigated:

  • Docker Daemon Compromise (High): Reduces (but does not eliminate) the risk of unauthorized access to the Docker daemon. Without TLS, any container with access to the Docker socket could control the host.
  • Privileged Container Escape (High): Indirectly reduces the risk by making it harder to compromise the Docker daemon, which is the pathway to container escape in traditional DinD.

Impact:

  • Docker Daemon Compromise: Risk reduced from High to Medium (still a significant risk).
  • Privileged Container Escape: Risk reduced from High to Medium (still a significant risk).

Currently Implemented: [PLACEHOLDER: Specify where this is implemented.]

  • "Implemented with TLS authentication and a dedicated Docker daemon for CI."
  • "Partially implemented; TLS is enabled, but client certificates are not consistently used."
  • "Not implemented (relying on sysbox instead)."

Missing Implementation: [PLACEHOLDER: Specify where this is missing.]

  • "Missing a dedicated Docker daemon for CI; using the host's main daemon."
  • "Missing consistent use of client certificates across all CI jobs."
  • "Fully implemented." (Or "Not applicable; using sysbox.")