-
Notifications
You must be signed in to change notification settings - Fork 1
/
docker-operations.cheat
61 lines (39 loc) · 1.77 KB
/
docker-operations.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
% trivy, pushou
# Trivy scan local image
sudo trivy image <IMAGES>
# install Trivy (u22)
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
$ image_id: docker images --- --headers 1 --column 3
$ IMAGES: docker images --format '{{.Repository}}:{{.Tag}}'|egrep -v "<none"
% docker, repo, docker-browse, pushou
# docker-browse repo
docker-browse -r registry.iutbeziers.fr images
# docker-browse save default registry
docker-browse -r registry.iutbeziers.fr save
% containers, insecure
# docker most insecure container
docker run -it --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host
% docker,security, pushou
# Network is enable between containers icc:true?
docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' |grep enable_icc:true
# Activate audit for Docker
cat <<EOF | sudo tee -a /etc/audit/rules.d/audit.rules
-w /usr/bin/dockerd -k docker
-w /etc/docker -p rwxa -k docker
-w /etc/default/docker -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
-w /usr/lib/systemd/system/docker.socket -p rwxa -k docker
-w /usr/bin/docker-runc -p rwxa -k docker
-w /usr/bin/docker-containerd -p rwxa -k docker
-w /usr/bin/containerd -p rwxa -k docker
EOF
sudo systemctl restart auditd
# get ip address for a container
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <ID_C_DOCKER>
$ID_C_DOCKER: docker ps -q