diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..35e87e6
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.git
+.github
+.devcontainer
+*.md
+LICENSE
+.gitignore
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index e7eef24..55c13fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker.io/docker/dockerfile-upstream:1.9.0
 # check=error=true
-FROM quay.io/centos/centos:stream9
+FROM ubuntu:22.04
 LABEL org.opencontainers.image.title="Debug Container" \
 org.opencontainers.image.authors="Phil Huang " \
 org.opencontainers.image.source="https://github.com/pichuang/debug-container" \
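Review bot: `FROM ubuntu:22.04` pins the base by tag only, so the image contents can change between two builds of the same commit whenever the `22.04` tag is re-pushed; for a repository that advertises an OpenSSF scorecard, pin by digest as well, e.g. `FROM ubuntu:22.04@sha256:<DIGEST_OF_CHOSEN_JAMMY_IMAGE>` (placeholder — take the value from the registry), and bump it deliberately. The `LABEL` instruction that starts at the end of this hunk continues past it.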
@@ -10,52 +10,59 @@ LABEL org.opencontainers.image.title="Debug Container" \
 org.opencontainers.image.url="ghcr.io/pichuang/debug-container:master" \
 org.opencontainers.image.documentation="https://github.com/pichuang/debug-container"
-# Install packages and clean up in one layer
-# hadolint ignore=DL3033
-RUN yum -y install epel-release && \
- rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9 && \
- yum -y update && \
- yum -y --allowerasing install \
- python3.11 \
- python3.11-pip \
- iputils \
- mtr \
+# Install core networking and debugging tools in one layer to minimize image size
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ bash \
+ python3 \
+ python3-pip \
+ iputils-ping \
+ mtr-tiny \
 net-tools \
 htop \
 vim \
 git \
- bind-utils \
- iproute \
- nmap-ncat \
+ dnsutils \
+ iproute2 \
+ netcat \
 wget \
 curl \
 tcpdump \
 sysstat \
 numactl \
- hping3 \
- dnsperf \
 jq \
- speedtest-cli \
 iperf3 \
- procps-ng \
+ procps \
 nmap \
- ethtool && \
- yum -y clean all && \
- rm -rf /var/cache/yum && \
- rm /root/anaconda-ks.cfg /root/anaconda-post.log /root/original-ks.cfg /root/anaconda-post-nochroot.log
-
-# Clone repository
-RUN git clone https://github.com/upa/deadman.git /root/deadman
+ ethtool \
+ sudo \
+ tini \
+ ca-certificates && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
 # Set motd
 COPY motd /etc/motd
-RUN echo "cat /etc/motd" >> ~/.bashrc
+
+# Create non-root user
+RUN useradd -ms /bin/bash debuguser && \
+ echo "debuguser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/debuguser && \
+ chmod 0440 /etc/sudoers.d/debuguser && \
+ echo "cat /etc/motd" >> /home/debuguser/.bashrc
 EXPOSE 5566
-# hadolint ignore=DL3002
-USER root
-WORKDIR /root
+# Use tini as init to properly handle signals
+ENTRYPOINT ["/usr/bin/tini", "--"]
+
+# Switch to non-root user
+USER debuguser
+WORKDIR /home/debuguser
 ENV HOSTNAME=debug-container
+# Add health check
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+ CMD curl -f http://localhost:5566/ || exit 1
+
 CMD ["/bin/bash", "-l"]
diff --git a/README.md b/README.md
index f1ef901..75ace8e 100644
--- a/README.md
+++ b/README.md
@@ -4,20 +4,25 @@
 [![OpenSSF - Scorecard supply-chain security](https://github.com/pichuang/debug-container/actions/workflows/scorecard.yml/badge.svg)](https://github.com/pichuang/debug-container/actions/workflows/scorecard.yml)
-This container can be thought of as the administrator’s shell. Many of the debugging tools (such as ping, traceroute, and mtr) and man pages that an administrator might use to diagnose problems on the host are in this container.
+This container can be thought of as the administrator's shell. Many of the debugging tools (such as ping, traceroute, and mtr) and man pages that an administrator might use to diagnose problems on the host are in this container.
 - Networking-related commands:
- - [x] iproute
+ - [x] iproute2
 - [x] net-tools
- - [x] mtr
- - [x] dig
- - [x] ping
+ - [x] mtr-tiny
+ - [x] dnsutils (dig)
+ - [x] iputils-ping
 - [x] ethtool
- - [x] nmap-ncat
+ - [x] netcat
+ - [x] nmap
+ - [x] tcpdump
+ - [x] curl
 - Generic commands:
 - [x] vim
 - [x] git
 - [x] htop
+ - [x] sudo
+ - [x] tini (proper init process)
 ## Download
 ```
@@ -81,7 +86,6 @@ If you don't see a command prompt, try pressing enter.
 root [ / ]# cat /etc/os-release | head -n 2
 ```
-
 ## How to use `debug-container` on Red Hat OpenShift?
 1. Namespace Level Debugging: Running one Pod in project and `any node`
@@ -137,7 +141,6 @@ spec:
 args: [ "while true; do sleep 30; done;" ]
 ```
-
 ## How to build the container images?
 - If you choose buildah...
 ```
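Review bot: The `HEALTHCHECK` added just before the final `CMD` probes `http://localhost:5566/`, but nothing in this Dockerfile starts a listener on 5566 — `CMD` is an interactive `/bin/bash -l` and `EXPOSE` is metadata only — so every container built from it will be reported unhealthy after the third failed probe and may be restarted or evicted by an orchestrator that acts on health status. For an interactive shell image the check should be removed, or, if a service on 5566 is expected to be started by hand, that expectation should be documented next to the instruction and the probe changed to something the image actually provides. The `useradd` step also writes `debuguser ALL=(ALL) NOPASSWD: ALL` to `/etc/sudoers.d/debuguser`, so the new non-root user is root-equivalent without any authentication; if `USER debuguser` is meant to be a privilege boundary, drop the sudoers entry or scope it to the specific tools that need it, and otherwise say so in the comment, e.g. `# debuguser has unrestricted passwordless sudo: USER is a convenience, not a privilege boundary`. Minor: `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment where `ARG DEBIAN_FRONTEND=noninteractive` would not, and the `apt-get install` list carries no version pins (hadolint DL3008), so two builds of the same commit can differ even with `# check=error=true` in force.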
@@ -149,6 +152,34 @@ make build-buildah
 make build-docker
 ```
+## Security Best Practices
+
+When using debug containers, especially with elevated privileges, consider the following security best practices:
+
+1. **Avoid running privileged containers in production**: The `--privileged` flag gives containers full access to the host, which can be a security risk.
+
+2. **Use non-root users**: The debug container now runs with a non-root user by default. This provides an extra layer of security.
+
+3. **Limit container capabilities**: When possible, specify only the capabilities your container needs rather than running with full privileges.
+
+4. **Time-limit debug sessions**: Always use the `--rm` flag to ensure containers are removed when the session ends.
+
+5. **Restrict volume mounts**: Only mount the volumes necessary for debugging.
+
+6. **Use network isolation**: When possible, use the default bridge network rather than host networking.
+
+7. **Apply resource limits**: Consider setting memory and CPU limits on debug containers.
+
+8. **Monitor container activity**: Keep track of who is using debug containers and monitor their activities.
+
+Example of a more secure debug container run with limited privileges:
+
+```bash
+docker run -it --rm --name debug-container \
+ --cap-add=NET_ADMIN --cap-add=SYS_PTRACE \
+ --security-opt=no-new-privileges \
+ ghcr.io/pichuang/debug-container:master
+```
 ## Author
 * **Phil Huang**