30-04-2024 Aarixa training event @BrewdogBrussels

Notes on containers, kubernetes and LLM apps

Dissecting container and pods

Running containers is easy

Docker host

ubuntu machine
public ip address
security group 80, 443, 8080, 8081

Install docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh

sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

Running our first container

export IP="x.x.x.x"

docker run -d -p 8080:80 --name www nginx:1.24

docker run -d -p 8081:80 --name www2 nginx:1.25

curl -kv $IP:8080

curl -kv $IP:8081

Creating our first image

mkdir ./lab1
cd lab1

echo "My Annacon secret" >./secret.txt

cat >Dockerfile <<EOF
FROM ubuntu:20.04
ADD ./secret.txt /secret.txt
RUN apt-get update && apt-get install -y curl netcat
RUN  rm -f /secret.txt
CMD bash
EOF

docker build -t myimage ./.

docker run -it myimage

docker tag myimage xxradar/myimage:01

docker login

docker push xxradar/myimage:01

docker run -it xxradar/myimage:01

Privileged

docker run -d  --privileged  --name www3 nginx:1.25

docker exec -it www3 bash

mkdir /tmp/host-fs
mount /dev/vda1

eBPF

Tracee

docker run   --name tracee --rm -it   \
   --pid=host \
   --cgroupns=host \
   --privileged \
   -v /etc/os-release:/etc/os-release-host:ro \
   aquasec/tracee:latest

Falco

sudo curl -s https://falco.org/repo/falcosecurity-packages.asc |sudo  apt-key add -

sudo echo "deb https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list

sudo  apt-get update -y

sudo apt-get install -y falco

- rule: spawned_process_in_test_container
  desc: A process was spawned in the test container.
  condition: container.name = "falco-test" and evt.type = execve
  output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline"
  priority: WARNING

falco -r ./falco.rule
....

Tetragon

docker run -d --name tetragon-container --rm --pull always \
    --pid=host \
    --cgroupns=host \
    --privileged             \
    -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf    \
    quay.io/cilium/tetragon-ci:latest

docker exec tetragon-container tetra getevents -o compact

root@ip-172-31-31-30:~# cat ./tracing_policy.yaml
# This tracing policy 'connect-only-local-addrs' will report attempts
# to make outbound TCP connections to any IP address other than those
# within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In
# addition it will also kill the offending curl process.
#
# Description:
#  Report and block outbound TCP connections outside loopback from
#  /usr/bin/curl.
#
# In production, this could be used to force processes to only connect
# to their side cars on their local loopback, and to treat transgressions
# as evidence of malicious activity, resulting in the process being
# killed.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      matchActions:
      - action: Sigkill

docker run -d --name tetragon-container --rm --pull always \
    --pid=host --cgroupns=host --privileged             \
    -v $PWD/tracing_policy.yaml:/tracing_policy.yaml    \
    -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf    \
    quay.io/cilium/tetragon-ci:latest                   \
    --tracing-policy /tracing_policy.yaml

Previous02-05-2024 23rd Belgium NLP Meetup @InThePocket Next01-02-2024 Belgium Kubernetes and Cloud Native Meetup @Google Brussels

Last updated 9 months ago