Skip to content
/ pod-recon Public

This is a Git mirror. This repo is for building a Docker image for troubleshooting in container environments

gitlab.com/patrickdung/pod-recon/

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

patrickdung/pod-recon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

101 Commits
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
docker-compose.yaml
docker-compose.yaml
 
 
readme.adoc
readme.adoc
 
 

Repository files navigation

This repo is for building a Docker image for troubleshooting in container environments. The contanier run as non-root by default. Some commands like tcpdump requires the container to run as root (Kubernetes).

Below are some use cases for docker-compose and Kubernetes. Kubernetes would be similar but not totally the same.

Please be reminded about the security implications of the capabilities being granted. The testing is performed testing with Podman and K3S.

  1. For using this image without any extra capabilities (as user "debug")

    1. traceroute -U / --udp

      • -I (ICMP) is not possible because it needs NET_RAW capability

    2. mtr: -U (UDP), -T (TCP)

    3. telnet, dig, curl, wget, openssl and etc.

  2. Run this image with net_raw capability

    docker-compose:
    cap_drop:
      - all
    cap_add:
      - net_raw

Kubernetes (Option 1)
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - all
      add:
        - net_raw
        - net_admin

Kubernetes (Option 2, not recommended)
  securityContext:
    # unspecified or set to true
    # allowPrivilegeEscalation: true
    # Not recommended because it allows privilege escalation
    # Implies that the container may execute binaries with setcap configured
    # Then the privileges may exceed or unbounded by below setting
    capabilities:
      drop:
        - all
      add:
        - net_raw

    • Then the user "debug" can additionally runs (including the previous step):

      • ping (ICMP)

      • traceroute -I (ICMP)

  3. Run this image with these capabilities

    docker-compose:
    cap_drop:
      - all
    cap_add:
      - net_raw
      - net_admin

Kubernetes (my preferred setting)
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - all
      add:
        - net_raw
        - net_admin
        - setuid
        - setgid
    # Need to run the container as root
    runAsUser: 0

    • Then the user "debug" can additionally run (including the previous steps):

      • tcpdump

      • If the conatiner is inside Kubernetes, then the user may need to run as root. Else the user cannot access the network interface (eth0). I am not sure what it is difference from podman.

  4. Note there are other alternatives for running tcpdump:

    • In the host server, use nsenter to run tcpdump inside the conatiner.

    • Check if the CNI expose an NIC on the host server, then run tcpdump on the host.

    • Using a sidecar container (Kubernetes) to run tcpdump.

  5. Other tools included in the container image

About

This is a Git mirror. This repo is for building a Docker image for troubleshooting in container environments

gitlab.com/patrickdung/pod-recon/

Topics

docker toolkit container troubleshooting podman

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages