Docker containers have become so ubiquitous that respected security professionals sometimes tweet ridiculous things like:
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
http://localhost:8080/?anonym=true&app=ZAP
— Jerry Gamblin (@JGamblin) June 7, 2016
…but it is 2016 and you should never run code on your machine if you don’t know what it does. These are mini-virtual machines and not magically secure little shipping containers*. At a minimum you should do these basic things to get some idea of what you are putting on your machine before you run it.
Pull the container first:
docker pull jgamblin/tiny-tor
Use Docker Inspect to look at the container’s metadata:
docker inspect jgamblin/tiny-tor
You will want to carefully read through that output and take time to look at these fields:
- Image: The image this container is running.
- NetworkSettings: The network settings for the container.
- LogPath: The system path to this container's log file.
- Name: The user-defined name for the container.
- Volumes: Defines the volume mapping between the host system and the container.
- HostConfig: Key configurations for how the container will interact with the host system. These can include CPU and memory limits, networking values, or device driver paths.
- Config: The runtime configuration options set when the docker run command was executed.
Use Docker History to see how the image was built:
docker history jgamblin/tiny-tor
Protip: CenturylinkLabs released a tool to create a Dockerfile from a container.
Run the container without network access and look around a bit:
docker run -t -i --net=none jgamblin/tiny-tor /bin/sh
After you have done the steps above and feel comfortable, you can then run the container with its port published:
docker run -t -i -p 9050:9050 jgamblin/tiny-tor
If you do these basic things you can feel a little better about what you are running on your system.
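To make the docker inspect review step repeatable, the script below is an added example (not part of the original post or of any project it mentions) that reads the Config section of `docker inspect` JSON for a pulled image and lists the settings worth a second look. The embedded sample is constructed, and the `review_image` name and the list of secret-looking variable names are assumptions of this sketch.

```python
import json
import sys

# Constructed sample shaped like `docker inspect <image>` output (not real
# output from jgamblin/tiny-tor); only the fields this script reads are present.
SAMPLE = '''[{"RepoTags": ["example/tiny-tor:latest"],
 "Config": {"User": "", "ExposedPorts": {"9050/tcp": {}},
            "Env": ["PATH=/usr/bin", "API_TOKEN=constructed-value"],
            "Volumes": {"/var/lib/tor": {}},
            "Entrypoint": null,
            "Cmd": ["/bin/sh", "-c", "tor -f /etc/tor/torrc"]}}]'''

# Assumption: substrings that suggest an environment variable holds a credential.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

def review_image(inspect_json):
    """Return a list of (field, note) findings for each inspected image."""
    findings = []
    for image in json.loads(inspect_json):
        cfg = image.get("Config") or {}
        user = cfg.get("User") or ""
        # An empty User means Docker starts the process as root by default.
        if user in ("", "0", "root") or user.startswith(("0:", "root:")):
            findings.append(("Config.User", "process runs as root inside the container"))
        for port in sorted(cfg.get("ExposedPorts") or {}):
            findings.append(("Config.ExposedPorts", f"image declares port {port}"))
        for path in sorted(cfg.get("Volumes") or {}):
            findings.append(("Config.Volumes", f"image declares volume {path}"))
        for entry in cfg.get("Env") or []:
            name = entry.split("=", 1)[0]
            if any(hint in name.upper() for hint in SECRET_HINTS):
                findings.append(("Config.Env", f"variable {name} may hold a credential"))
        # Entrypoint and Cmd are lists or null; together they are what runs at start.
        start = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
        findings.append(("Config.Entrypoint+Cmd", "starts: " + " ".join(start)))
    return findings

if __name__ == "__main__":
    # Pipe real output in (docker inspect IMAGE | python3 this_file.py),
    # or run with no pipe to see the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for field, note in review_image(data):
        print(f"{field:24} {note}")
```

The findings are prompts for manual review, not a verdict on the image.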
* What a magically secure little shipping container might look like: