# 30-04-2024 Aarixa training event @BrewdogBrussels

{% file src="<https://3206435539-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9cpSbcxtdxRVTcR6t4Ou%2Fuploads%2FfR3zuVR7yznHmBIela0p%2Fdissecting_containers_pods_aarixa.pdf?alt=media&token=b9877a03-223c-4103-8dd0-24a6977685e2>" %}

{% file src="<https://3206435539-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9cpSbcxtdxRVTcR6t4Ou%2Fuploads%2FkBvOisxKESsSdtPrV9i0%2FAI_LLM_apps_introduction_aarixa.pdf?alt=media&token=00f0d1ed-32a5-4ce2-8d35-ccc3a670b123>" %}

## Dissecting containers and pods

### Running containers is easy <a href="#toc_1" id="toc_1"></a>

#### Docker host <a href="#toc_2" id="toc_2"></a>

* Ubuntu machine
* public IP address
* security group allowing inbound ports 80, 443, 8080 and 8081

#### Install docker <a href="#toc_3" id="toc_3"></a>

```
# Install Docker with the convenience script from get.docker.com.
# Read get-docker.sh before handing it to sudo sh.
curl -fsSL -o get-docker.sh https://get.docker.com
sudo sh get-docker.sh
```

```
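# Let the current user talk to the Docker daemon without sudo.
# NOTE(review): membership of the docker group is root-equivalent on the host
# (the daemon runs as root), so grant it deliberately.
sudo groupadd docker
# $USER is quoted so an unset value is not silently dropped from the command.
sudo usermod -aG docker "$USER"
# Start a shell with the new group active instead of logging out and in.
newgrp docker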
```

#### Running our first container <a href="#toc_4" id="toc_4"></a>

```
# Placeholder for the Docker host's public IP address; used by the curl
# commands below.
IP='x.x.x.x'
export IP
```

```
# First container: nginx 1.24, port 80 published on host port 8080.
docker run --detach --publish 8080:80 --name www nginx:1.24
```

```
# Second container: nginx 1.25, port 80 published on host port 8081.
docker run --detach --publish 8081:80 --name www2 nginx:1.25
```

```
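# Fetch the page served by the first container.  $IP is quoted so an unset or
# unusual value is not word-split.  The original -k (skip TLS certificate
# verification) has no effect on a plain-HTTP request and is dropped so the
# habit is not carried into HTTPS use.
curl -v "$IP:8080"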
```

```
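# Fetch the page served by the second container.  $IP is quoted so an unset
# or unusual value is not word-split; -k is dropped because it only disables
# TLS verification and this is a plain-HTTP request.
curl -v "$IP:8081"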
```

#### Creating our first image <a href="#toc_5" id="toc_5"></a>

```
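# Create the lab directory and move into it.  -p makes the step re-runnable,
# and && keeps us out of a directory that was never created.
mkdir -p ./lab1 && cd ./lab1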
```

```
# Sample secret; the Dockerfile in the next step ADDs this file to the image.
printf '%s\n' 'My Annacon secret' > ./secret.txt
```

```
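# Write a Dockerfile that adds the secret and deletes it in a later layer.
# NOTE(review): deleting a file in a later RUN layer does not remove it from
# the image; the ADD layer still holds secret.txt, and anyone who can pull the
# image can read that layer.  The quoted 'EOF' keeps the shell from expanding
# anything inside the Dockerfile text.
cat >Dockerfile <<'EOF'
FROM ubuntu:20.04
# The secret is written into this layer and remains in the image history.
ADD ./secret.txt /secret.txt
RUN apt-get update && apt-get install -y curl netcat
# This only hides the file from the running container, not from the image.
RUN rm -f /secret.txt
CMD bash
EOF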
```

```
# Build the image from the Dockerfile in the current directory.
docker build --tag myimage .
```

```
# Start an interactive shell in the freshly built image.
docker run --interactive --tty myimage
```

```
# Give the local image a registry-qualified name before pushing it.
docker image tag myimage xxradar/myimage:01
```

```
# Authenticate to the registry before pushing.
# NOTE(review): docker login keeps the credential on the local machine; check
# that a credential helper is configured rather than plain-text storage.
docker login
```

```
# Publish the image.  Every layer is uploaded, including the one that
# received secret.txt via ADD.
docker image push xxradar/myimage:01
```

```
# Run the pushed image from the registry.
docker run --interactive --tty xxradar/myimage:01
```

#### Privileged <a href="#toc_12" id="toc_12"></a>

```
# Third nginx instance, started with --privileged and no published port.
# --privileged lifts the default device and capability restrictions; it is
# used here only to show what such a container can reach on the host.
docker run --detach --privileged --name www3 nginx:1.25
```

```
# Open an interactive shell inside the privileged container.
docker exec --interactive --tty www3 bash
```

```
# Run inside the privileged container.  Because --privileged exposes the
# host's block devices, a host filesystem is reachable from here; that is
# why --privileged is unsuitable for ordinary workloads and why runtime
# detection (Tracee, Falco, Tetragon below) watches for mounts from
# containers.  The device name is host-specific.
mkdir /tmp/host-fs
mount /dev/vda1
```

### eBPF <a href="#toc_14" id="toc_14"></a>

#### Tracee <a href="#toc_15" id="toc_15"></a>

```
# Run Tracee interactively.  It shares the host PID and cgroup namespaces and
# runs privileged; the host os-release file is mounted read-only.
docker run --rm -it --name tracee \
   --privileged \
   --pid=host \
   --cgroupns=host \
   --volume /etc/os-release:/etc/os-release-host:ro \
   aquasec/tracee:latest
```

#### Falco <a href="#toc_16" id="toc_16"></a>

```
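# Import the Falco package signing key.  -f makes curl fail on an HTTP error
# instead of piping an error page into apt-key; -S still reports that error.
# NOTE(review): apt-key is deprecated on current Debian/Ubuntu releases; a
# keyring file referenced with signed-by in the sources entry is the
# replacement.
curl -fsS https://falco.org/repo/falcosecurity-packages.asc | sudo apt-key add -

# Add the stable repository.  sudo is needed only on tee (the part that
# writes under /etc); the original "sudo echo" did nothing extra.
echo "deb https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list

sudo apt-get update -y

sudo apt-get install -y falco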

```

```
# Falco rule: emit a WARNING whenever a process is exec'd (evt.type = execve)
# inside the container named "falco-test".
# NOTE(review): no container named "falco-test" is started elsewhere on this
# page (the containers above are www, www2 and www3); adjust container.name or
# start a matching container before testing the rule.
- rule: spawned_process_in_test_container
  desc: A process was spawned in the test container.
  condition: container.name = "falco-test" and evt.type = execve
  output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline"
  priority: WARNING
```

```
# Run Falco with the rule file above (assumes it was saved as ./falco.rule);
# the dotted line stands for the alert output that follows.
falco -r ./falco.rule
....
```

#### Tetragon <a href="#toc_17" id="toc_17"></a>

```
# Run Tetragon in the background.  It shares the host PID and cgroup
# namespaces, runs privileged, and is given the host's BTF file.
docker run --detach --rm --pull always --name tetragon-container \
    --privileged \
    --pid=host \
    --cgroupns=host \
    --volume /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
    quay.io/cilium/tetragon-ci:latest
```

```
# Stream Tetragon events in the compact text format.
docker exec tetragon-container tetra getevents --output compact
```

```
root@ip-172-31-31-30:~# cat ./tracing_policy.yaml
# This tracing policy 'connect-only-local-addrs' will report attempts
# to make outbound TCP connections to any IP address other than those
# within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In
# addition it will also kill the offending curl process.
#
# Description:
#  Report and block outbound TCP connections outside loopback from
#  /usr/bin/curl.
#
# In production, this could be used to force processes to only connect
# to their side cars on their local loopback, and to treat transgressions
# as evidence of malicious activity, resulting in the process being
# killed.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  # Hook the kernel function tcp_connect (syscall: false), not a syscall.
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    # Match when the destination address is outside loopback...
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
      # ...and the calling binary is exactly this path.
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      # Sigkill terminates the matching process in addition to reporting.
      matchActions:
      - action: Sigkill
```

```
# Restart Tetragon with the tracing policy from the current directory
# mounted into the container and passed via --tracing-policy.
docker run --detach --rm --pull always --name tetragon-container \
    --privileged --pid=host --cgroupns=host \
    --volume "$PWD/tracing_policy.yaml:/tracing_policy.yaml" \
    --volume /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
    quay.io/cilium/tetragon-ci:latest \
    --tracing-policy /tracing_policy.yaml
```
