[WARN] 4.1 - Ensure a user for the container has been created #437

Closed · yaminisridaran opened this issue May 12, 2020 · 26 comments

yaminisridaran commented May 12, 2020

[WARN] 4.1 - Ensure a user for the container has been created
I am deploying my container in Kubernetes using a Deployment and have configured the security context with runAsUser: 1000.

When I execute the docker bench tool, that pod is displayed with the warning "Running as root".

$ docker inspect --format 'User={{.Config.User}}' 81ab3f4a5a87
User=1000

Can anyone please help me with this issue?

yaminisridaran changed the title from "Kubernetes security context in Pod changes are not affecting CIS Docker security benchmarks" to "[WARN] 4.1 - Ensure a user for the container has been created" on May 12, 2020

konstruktoid (Collaborator) commented

Hi @yaminisridaran, I haven't tested the script in a K8s environment and it wasn't really written with that in mind, but could you share the commands used when creating the container?

$ docker run -ti -d --user nobody alpine sleep 1000
60ddbfc694604914705e920d53371af368fc729b38a833dd02d4ac73e85a148a
$ docker inspect --format 'User={{.Config.User}}' 60dd
User=nobody
$ docker run -ti -d --user=root alpine sleep 1000
9412c8c4582a6b035feb50f84921f39636fc8817a12bc88f1bdb5f5a41aa9c01
$ docker inspect --format 'User={{.Config.User}}' 9412
User=root
$ docker run -ti -d --user=1000 alpine sleep 1000
af8ff8e2d53459d504a22ef2356c1df31fbfc8c3a0c9fa92980816de358cf1bd
$ docker inspect --format 'User={{.Config.User}}' af8
User=1000

konstruktoid (Collaborator) commented

$ docker inspect --format 'User={{.Config.User}}' $(docker ps -q)
User=1000
User=root
User=nobody
User=nobody
User=nobody
$ for user in $(docker inspect --format 'User={{.Config.User}}' $(docker ps -q)); do if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then echo "FAIL"; else echo "OK"; fi; done
OK
FAIL
OK
OK
OK

yaminisridaran (Author) commented

@konstruktoid I tried both of the above-mentioned commands.
for user in $(docker inspect --format 'User={{.Config.User}}' $(docker ps -q)); do if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then echo "FAIL"; else echo "OK"; fi; done
FAIL
FAIL
OK
OK
OK
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL
FAIL

konstruktoid (Collaborator) commented

And what does docker inspect --format 'User={{.Config.User}}' $(docker ps -q) output?

yaminisridaran (Author) commented

@konstruktoid
$ docker inspect --format 'User={{.Config.User}}' $(docker ps -q)
User=0
User=
User=1000
User=1000
User=1000
User=
User=0
User=
User=0
User=0
User=0
User=0
User=
User=
User=
User=0
User=
User=0
User=0
User=
User=

konstruktoid (Collaborator) commented

So the test works when doing it manually; you only got three containers with a non-root user defined.

yaminisridaran (Author) commented

@konstruktoid Yes. But these 3 containers are in a single pod, and the docker bench tool shows this pod running as ROOT.

konstruktoid (Collaborator) commented

@yaminisridaran, the script isn't in any way K8s aware, so pods et al. aren't taken into consideration; only Docker commands and settings are.

yaminisridaran (Author) commented

@konstruktoid But as per the Docker commands and settings, these containers should not be displayed in the output.

yaminisridaran (Author) commented May 13, 2020

I see the same issue with the memory restriction Docker benchmark. I have configured a memory restriction and I am able to see it using the command docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}", but the container is still displayed in the docker benchmark output.

konstruktoid (Collaborator) commented

Could you do sudo bash -x docker-bench-security.sh -c container_images &> ./dbs.log and then upload the dbs.log (after you cleaned it, if necessary) to gist.github.com and paste the link?

yaminisridaran (Author) commented

@konstruktoid The log output has my container image names. I think I will not be able to upload it with the names.

yaminisridaran (Author) commented

Any other way to debug this issue?

konstruktoid (Collaborator) commented

Well, you can redact the names.

yaminisridaran (Author) commented May 13, 2020

@konstruktoid dbs.log has so many containers from my cluster; changing all those names takes time. Do we have a simpler way to verify this?

konstruktoid (Collaborator) commented May 13, 2020

Can't you just script the redaction? sed 's/<insert logic here>/REDACTED/g'
It's hard to find any bugs without logs, especially since the basic stuff works as seen above.

yaminisridaran (Author) commented May 15, 2020

@konstruktoid I executed /usr/local/bin # docker-bench-security.sh -c container_images &> ./dbs.log

Below I have mentioned the output, but I did not notice any separate logs.

(Screenshot of the dbs.log output, 2020-05-15, not reproduced here.)

yaminisridaran (Author) commented

@konstruktoid Found out the issue. The pause container in the pod is being considered as a root user.

konstruktoid (Collaborator) commented

@yaminisridaran Thanks for looking into this, and that's a kind of funny result.

Basic Docker:

$ docker run -ti -d --user nobody alpine sleep 1000
0ce6c5f69bc374786b6c0d845b5ce3a92d57acc6afdb3bf7e026c46e8bd70bda
$ docker inspect --format 'User={{.Config.User}}' 0ce
User=nobody
$ docker pause 0ce
0ce
$ docker inspect --format 'User={{.Config.User}}' 0ce
User=nobody
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                   PORTS               NAMES
0ce6c5f69bc3        alpine              "sleep 1000"        33 seconds ago      Up 32 seconds (Paused)                       sad_saha
$ docker inspect --format 'User={{.Config.User}}' 0ce
User=nobody
$ docker stop 0ce
0ce
$ docker inspect --format 'User={{.Config.User}}' 0ce
User=nobody

yaminisridaran (Author) commented May 18, 2020

@konstruktoid User=0 needs to be considered as a root user.
I think if [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ] needs to verify for user=0.
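
A standalone shell example added here (not docker-bench-security's own code) that re-runs the "User=" test from the commands above over a constructed container inventory and reports pod pause (sandbox) containers separately, since those are the ones that surfaced as User=0 / User= in the pod. It assumes the Docker runtime (dockershim) labels sandbox containers with io.kubernetes.docker.type=podsandbox; the ids and inventory lines are constructed.

```sh
#!/bin/sh
# Added example, not docker-bench-security's own code: re-runs the 4.1
# "User=" test from the thread over a constructed container inventory and
# reports Kubernetes pause (sandbox) containers separately, since those are
# the ones that showed up as User=0 / User= in the pod.
# Assumption: the Docker runtime (dockershim) labels sandbox containers with
# io.kubernetes.docker.type=podsandbox; other runtimes need a different key.

# Constructed sample, one container per line: <id>|<Config.User>|<label value>
# On a live host the same lines would come from:
#   docker inspect --format '{{.Id}}|{{.Config.User}}|{{index .Config.Labels "io.kubernetes.docker.type"}}' $(docker ps -q)
SAMPLE='81ab3f4a5a87|1000|container
f00000000001|0|podsandbox
f00000000002|<no value>|-
f00000000003|nobody|-
f00000000004|root|-
f00000000005||podsandbox
f00000000006|[]|-'

# Same five "means root" values the script tests for: 0, root, empty, [], <no value>.
is_root_user() {
  case "$1" in
    0|root|''|'[]'|'<no value>') return 0 ;;
    *) return 1 ;;
  esac
}

# classify <user> <label>: WARN for a root container, WARN_PAUSE when the
# root container is a pod sandbox, PASS otherwise.
classify() {
  if is_root_user "$1"; then
    if [ "$2" = "podsandbox" ]; then echo WARN_PAUSE; else echo WARN; fi
  else
    echo PASS
  fi
}

# Print "<id> <verdict>" for every container in the inventory. Reading with
# IFS='|' keeps empty fields and values containing spaces ("<no value>") intact.
run_check() {
  printf '%s\n' "$SAMPLE" | while IFS='|' read -r id user label; do
    printf '%s %s\n' "$id" "$(classify "$user" "$label")"
  done
}

# count_status <verdict>: number of containers with that verdict (0 if none).
count_status() {
  run_check | grep -c " $1\$" || true
}

run_check
```

Splitting WARN_PAUSE from WARN lets the benchmark result be read per pod: a sandbox container running as root is expected, while any other WARN still needs a runAsUser or USER setting.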

yaminisridaran (Author) commented May 19, 2020

@konstruktoid I am using the below-mentioned command to launch, and I noticed that 4_container_images.sh is not the latest. It looks like the latest changes in 4_container_images.sh are not reflected in the docker-bench Docker image. Am I missing anything here?

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security

(Screenshot of the docker-bench output, 2020-05-19, not reproduced here.)

konstruktoid (Collaborator) commented

Ah yes, see #405... It's a classic.

yaminisridaran (Author) commented

@konstruktoid I would like to do the signing and publish the Docker image. Can you please guide me on how to do it?

konstruktoid (Collaborator) commented

See #405 (comment)

konstruktoid (Collaborator) commented

Closing since we're all waiting for the Docker organization.
