30-04-2024 Aarixa training event @BrewdogBrussels
Notes on containers, kubernetes and LLM apps
Dissecting containers and pods
Running containers is easy
Docker host
ubuntu machine
public ip address
security group opening ports 80, 443, 8080, 8081
Install docker
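# Docker install via the vendor convenience script. Downloading to a file
# first (instead of piping straight into sh) leaves something to inspect
# before it runs as root -- read get-docker.sh before the next line.
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
# Membership of the docker group is equivalent to root on this host: any
# member can start a --privileged container (the Privileged section later
# in these notes shows what that allows). Add only accounts meant to have it.
sudo groupadd docker
sudo usermod -aG docker "$USER"
# Pick up the new group in a fresh shell (or log out and back in).
newgrp docker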
Running our first container
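# Public address of the Docker host; replace the placeholder.
export IP="x.x.x.x"
# Two nginx versions, each bound to a distinct host port (the security group
# above opens 8080 and 8081).
docker run -d -p 8080:80 --name www nginx:1.24
docker run -d -p 8081:80 --name www2 nginx:1.25
# Plain HTTP, so curl's -k (skip TLS certificate verification) did nothing
# here and is dropped; do not carry it over to https URLs. $IP is quoted
# so an empty or odd value does not get word-split into extra arguments.
curl -v "http://$IP:8080"
curl -v "http://$IP:8081"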
Creating our first image
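# Lab 1: build an image that ADDs a secret and deletes it in a later layer.
# Every Dockerfile instruction is its own layer, so the rm only hides the file
# from the final filesystem view -- the ADD layer still carries the secret and
# anyone who can pull the image can read it back. That is the lesson of the
# lab, not an oversight in the notes: real secrets belong in BuildKit build
# secrets (--mount=type=secret) or a multi-stage build, never in ADD/COPY.
mkdir ./lab1
cd ./lab1 || exit 1
echo "My Annacon secret" >./secret.txt
# Quoted delimiter: the Dockerfile is written literally, no shell expansion.
cat >Dockerfile <<'EOF'
FROM ubuntu:20.04
ADD ./secret.txt /secret.txt
RUN apt-get update && apt-get install -y curl netcat
RUN rm -f /secret.txt
CMD bash
EOF
docker build -t myimage .
docker run -it myimage
# Pushing publishes every layer, secret included, to whoever can pull the tag.
docker tag myimage xxradar/myimage:01
docker login
docker push xxradar/myimage:01
docker run -it xxradar/myimage:01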
Privileged
# Demonstration of why --privileged is dangerous: Docker grants the container
# every capability and access to the host's devices, so the host's block
# devices are visible and mountable from inside. Mitigation: never run
# workloads with --privileged; grant individual --cap-add entries, keep the
# default seccomp/AppArmor profiles, and treat privileged container creation
# as an event worth alerting on (the eBPF tracers in the following sections
# are the kind of tooling used to observe it).
docker run -d --privileged --name www3 nginx:1.25
docker exec -it www3 bash
# The next two lines are typed inside the container shell, not on the host.
mkdir /tmp/host-fs
# NOTE(review): as written, mount is missing its target argument.
mount /dev/vda1
eBPF
Tracee
# Tracee (Aqua) runtime security tracer. It runs with the host PID and cgroup
# namespaces and --privileged so it can attach its eBPF probes to the host
# kernel; that makes this container effectively root on the host, so treat it
# as part of the trusted base, not as an ordinary workload. The host's
# os-release is exposed read-only so Tracee can identify the distribution.
# Prefer an explicit version tag over :latest for reproducible deployments.
docker run --rm -it --name tracee \
  --privileged --pid=host --cgroupns=host \
  -v /etc/os-release:/etc/os-release-host:ro \
  aquasec/tracee:latest
Falco
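# Falco repository setup. curl gets -f so an HTTP error aborts the pipeline
# instead of feeding an error page to the key import. apt-key is deprecated
# on current Debian/Ubuntu: the key is stored in its own keyring and bound to
# this one repository with [signed-by=...], so it cannot vouch for any other
# apt source on the machine.
sudo install -d -m 0755 /usr/share/keyrings
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc \
  | sudo gpg --dearmor --yes -o /usr/share/keyrings/falco-archive-keyring.gpg
# tee without -a: the list file belongs to this repo alone, so re-running the
# notes does not accumulate duplicate entries. The former `sudo echo` was a
# no-op (the redirect, not echo, needed privilege; tee already has it).
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" \
  | sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt-get update -y
sudo apt-get install -y falco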
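# Falco rule (falco.rule): fire on every execve inside the container named
# "falco-test". The original notes had lost the YAML indentation; a rule's
# keys must be nested under the list item. The output line is CSV-like for
# easy ingestion; %proc.cmdline is text chosen by whoever ran the process,
# so treat it as untrusted when parsing downstream.
- rule: spawned_process_in_test_container
  desc: A process was spawned in the test container.
  condition: container.name = "falco-test" and evt.type = execve
  output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline"
  priority: WARNING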
# Run Falco with the rule file above (-r: load rules from the given file).
# The notes do not show the step that writes the rule to ./falco.rule.
falco -r ./falco.rule
....
Tetragon
# Tetragon (Cilium) eBPF observability agent, run from the CI image. The
# kernel's BTF type information (/sys/kernel/btf/vmlinux) is bind-mounted
# where the agent expects it; host PID/cgroup namespaces and --privileged
# give it host-wide visibility, so it carries host-root level trust.
docker run -d --rm --name tetragon-container --pull always \
  --privileged --pid=host --cgroupns=host \
  -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
  quay.io/cilium/tetragon-ci:latest
# Stream the collected events, one compact line each.
docker exec tetragon-container tetra getevents -o compact
root@ip-172-31-31-30:~# cat ./tracing_policy.yaml
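# This tracing policy 'connect-only-local-addrs' will report attempts
# to make outbound TCP connections to any IP address other than those
# within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In
# addition it will also kill the offending curl process.
#
# Description:
# Report and block outbound TCP connections outside loopback from
# /usr/bin/curl.
#
# In production, this could be used to force processes to only connect
# to their side cars on their local loopback, and to treat transgressions
# as evidence of malicious activity, resulting in the process being
# killed.
#
# The notes had lost the YAML indentation; the structure below is the
# nesting Tetragon expects (kprobes > selectors > matchArgs/matchBinaries/
# matchActions). The three match* lists under one selector are ANDed:
# the action fires only when all of them hold.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      # Enforcement, not just observation: the calling process is killed.
      matchActions:
      - action: Sigkill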
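# Same agent, now loading the tracing policy from the current directory.
# The container name is reused, so stop the earlier tetragon-container
# first. "$PWD" is quoted so the bind mount survives a working directory
# containing spaces, and the policy is mounted read-only since the agent
# only needs to read it.
docker run -d --name tetragon-container --rm --pull always \
  --pid=host --cgroupns=host --privileged \
  -v "$PWD/tracing_policy.yaml:/tracing_policy.yaml:ro" \
  -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
  quay.io/cilium/tetragon-ci:latest \
  --tracing-policy /tracing_policy.yaml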