30-04-2024 Aarixa training event @BrewdogBrussels
Notes on containers, Kubernetes and LLM apps
Dissecting containers and pods
Running containers is easy
Docker host
Ubuntu machine
public IP address
security group: inbound 80, 443, 8080, 8081
Install docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

Running our first container
export IP="x.x.x.x"
docker run -d -p 8080:80 --name www nginx:1.24
docker run -d -p 8081:80 --name www2 nginx:1.25
curl -kv $IP:8080
curl -kv $IP:8081

Creating our first image
mkdir ./lab1
cd lab1
echo "My Annacon secret" >./secret.txt
cat >Dockerfile <<EOF
FROM ubuntu:20.04
ADD ./secret.txt /secret.txt
RUN apt-get update && apt-get install -y curl netcat
RUN rm -f /secret.txt
CMD bash
EOF
docker build -t myimage .
docker run -it myimage
docker tag myimage xxradar/myimage:01
docker login
docker push xxradar/myimage:01
docker run -it xxradar/myimage:01

The RUN rm -f /secret.txt does not remove the secret from the image: every instruction is its own layer, the ADD layer still holds secret.txt and the rm only records a whiteout on top of it. Anyone who can pull xxradar/myimage:01 can docker save it and read the file straight out of that layer.
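To show the point, here is an added example (not part of the training notes): a small POSIX shell script that takes a `docker save` archive, lists which layer tarballs still carry a given path and which carry its overlayfs whiteout marker, and prints the file back out of the first layer that has it. The functions `find_in_layers` and `recover_file` and the `make_fixture` helper are this example's own names; the fixture it runs against is constructed inline to stand in for `docker save xxradar/myimage:01 -o myimage.tar`, so it runs without Docker.

```shell
#!/bin/sh
# Added example for the notes above, not part of the training material:
# show that `RUN rm -f /secret.txt` leaves the ADDed secret readable in an
# earlier layer of the pushed image. With a real image:
#   docker save xxradar/myimage:01 -o myimage.tar
#   find_in_layers myimage.tar secret.txt
#   recover_file   myimage.tar secret.txt
set -eu

# Print every file under the extracted image dir $1 that tar can read as an
# archive, i.e. the layer tarballs. Works for the legacy <id>/layer.tar
# layout and the OCI blobs/sha256/<digest> layout. Sorted by path, which is
# not layer order; the Layers array in manifest.json gives the real order.
_layer_tars() {
  find "$1" -type f | sort | while read -r f; do
    if tar -tf "$f" >/dev/null 2>&1; then
      echo "$f"
    fi
  done
}

# True when layer tar $1 has a member named $2 (with or without leading ./).
_layer_has() {
  tar -tf "$1" | grep -qxF -e "$2" -e "./$2"
}

# For PATH $2 inside image tar $1 print "CONTENT <layer>" for every layer
# that still carries the file and "WHITEOUT <layer>" for every layer that
# carries the overlayfs deletion marker (.wh.<name>) the rm produced.
find_in_layers() {
  case "$2" in
    */*) wh="${2%/*}/.wh.${2##*/}" ;;
    *)   wh=".wh.$2" ;;
  esac
  tmp=$(mktemp -d)
  tar -xf "$1" -C "$tmp"
  for layer in $(_layer_tars "$tmp"); do
    if _layer_has "$layer" "$2"; then echo "CONTENT ${layer#"$tmp/"}"; fi
    if _layer_has "$layer" "$wh"; then echo "WHITEOUT ${layer#"$tmp/"}"; fi
  done
  rm -rf "$tmp"
}

# Print the content of PATH $2 from the first layer of image tar $1 that has it.
recover_file() {
  tmp=$(mktemp -d)
  tar -xf "$1" -C "$tmp"
  for layer in $(_layer_tars "$tmp"); do
    if _layer_has "$layer" "$2"; then
      tar -xOf "$layer" "$2" 2>/dev/null || tar -xOf "$layer" "./$2"
      break
    fi
  done
  rm -rf "$tmp"
}

# Constructed fixture standing in for `docker save` output (legacy layout):
# layer aaa is the ADD layer holding the secret, layer bbb is the RUN rm
# layer holding only the whiteout. The secret text is the one from lab1.
make_fixture() {
  work=$(mktemp -d)
  mkdir -p "$work/l1" "$work/l2" "$work/img/aaa" "$work/img/bbb"
  echo "My Annacon secret" >"$work/l1/secret.txt"
  : >"$work/l2/.wh.secret.txt"
  tar -cf "$work/img/aaa/layer.tar" -C "$work/l1" secret.txt
  tar -cf "$work/img/bbb/layer.tar" -C "$work/l2" .wh.secret.txt
  printf '[{"Layers":["aaa/layer.tar","bbb/layer.tar"]}]\n' >"$work/img/manifest.json"
  tar -cf "$1" -C "$work/img" .
  rm -rf "$work"
}

img=$(mktemp)
make_fixture "$img"
find_in_layers "$img" secret.txt   # CONTENT aaa/layer.tar, then WHITEOUT bbb/layer.tar
recover_file "$img" secret.txt     # My Annacon secret
rm -f "$img"
```

The layer that deletes the file only contains a `.wh.secret.txt` marker, which is why the earlier layer keeps the bytes. The fix is to never ADD/COPY a secret into a layer in the first place (use `--mount=type=secret` with BuildKit, or a multi-stage build that copies only the artefacts you need); squashing layers after the fact does not help an image that has already been pushed.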
Privileged
docker run -d --privileged --name www3 nginx:1.25
docker exec -it www3 bash
mkdir /tmp/host-fs
mount /dev/vda1 /tmp/host-fs

With --privileged the container gets every capability and the host's device nodes, so the host's root disk (/dev/vda1 on this VM; check /proc/partitions inside the container, the device name differs between VM types) can simply be mounted and the whole host filesystem is readable and writable under /tmp/host-fs.

eBPF
Tracee
docker run --name tracee --rm -it \
--pid=host \
--cgroupns=host \
--privileged \
-v /etc/os-release:/etc/os-release-host:ro \
aquasec/tracee:latest

Falco
sudo curl -s https://falco.org/repo/falcosecurity-packages.asc |sudo apt-key add -
sudo echo "deb https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list
sudo apt-get update -y
sudo apt-get install -y falco
- rule: spawned_process_in_test_container
  desc: A process was spawned in the test container.
  condition: container.name = "falco-test" and evt.type = execve
  output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline"
  priority: WARNING

falco -r ./falco.rule
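The rule above fires on every execve in one named container. As an added example (not from the training notes), the script below writes a Falco rule that instead catches what the Privileged section does: the mount binary executing inside any container started with --privileged. The file name privileged-mount.rule and the rule name are this example's own choices. Because `falco -r FILE` loads only the given file, macros from the default rules such as spawned_process are not available, so the condition uses raw fields exactly like the rule above.

```shell
#!/bin/sh
# Added example, not from the training notes. Writes a Falco rule that
# catches the host-disk mount from the Privileged section and documents the
# commands that trigger it. RULE_FILE is an assumption of this example.
set -eu

RULE_FILE=${RULE_FILE:-./privileged-mount.rule}

# Write the rule to the path in $1. Raw fields only: with `falco -r` the
# default rule files (and their macros) are not loaded.
write_rule() {
  cat >"$1" <<'EOF'
- rule: mount_in_privileged_container
  desc: The mount binary executed inside a container started with --privileged.
  condition: >
    evt.type = execve and evt.dir = < and
    container.id != host and container.privileged = true and
    proc.name = mount
  output: >
    Mount inside privileged container
    (%evt.time user=%user.uid container=%container.name image=%container.image.repository
    command=%proc.cmdline parent=%proc.pname)
  priority: CRITICAL
  tags: [container, privilege_escalation]
EOF
}

# Sanity check used before shipping the file: 0 when the rule is scoped to
# privileged containers, 1 otherwise.
rule_checks_privileged() {
  grep -q 'container.privileged = true' "$1"
}

write_rule "$RULE_FILE"
rule_checks_privileged "$RULE_FILE"

# Run Falco on the rule in one terminal and replay the Privileged demo in
# another (left as comments so the script runs without Docker):
#   sudo falco -r "$RULE_FILE"
#   docker run -d --privileged --name www3 nginx:1.25
#   docker exec -it www3 bash -c 'mkdir -p /tmp/host-fs && mount /dev/vda1 /tmp/host-fs'
```

The rule matches on the execve exit (evt.dir = <) so proc.name already refers to the new program rather than the parent shell; a process that performs the mount syscall directly without spawning /bin/mount would need an evt.type = mount rule instead.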
Tetragon
docker run -d --name tetragon-container --rm --pull always \
--pid=host \
--cgroupns=host \
--privileged \
-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
quay.io/cilium/tetragon-ci:latest
docker exec tetragon-container tetra getevents -o compact

root@ip-172-31-31-30:~# cat ./tracing_policy.yaml
# This tracing policy 'connect-only-local-addrs' will report attempts
# to make outbound TCP connections to any IP address other than those
# within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In
# addition it will also kill the offending curl process.
#
# Description:
# Report and block outbound TCP connections outside loopback from
# /usr/bin/curl.
#
# In production, this could be used to force processes to only connect
# to their side cars on their local loopback, and to treat transgressions
# as evidence of malicious activity, resulting in the process being
# killed.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      matchActions:
      - action: Sigkill

Stop the tetragon-container started earlier first (the name is reused and --rm deletes it on stop), then start Tetragon again with the policy mounted:

docker run -d --name tetragon-container --rm --pull always \
--pid=host --cgroupns=host --privileged \
-v $PWD/tracing_policy.yaml:/tracing_policy.yaml \
-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
quay.io/cilium/tetragon-ci:latest \
--tracing-policy /tracing_policy.yaml