Docker container escape refers to the process, and the result, in which an attacker who has already obtained command execution at some privilege level inside a container (by hijacking the containerized business logic, or by controlling the container directly) goes on to reach resources outside the container or even to gain privileges on the host. Docker isolates containers with kernel namespaces rather than a separate kernel: a process inside the container cannot see processes outside it, while a process on the host can see those inside. If a container can access resources outside itself, or even obtain privileges on the host, that is called a "Docker escape".
The environment used for this tutorial: linux7.3 system, Docker 19.03, Dell G3 computer.
What is docker container escape
"Container escape" refers to the following process and result. First, the attacker, by hijacking the containerized business logic, or by controlling the container directly (for example in CaaS and similar scenarios, where control of a container is obtained legitimately), gains command execution under certain privileges inside the container.
Then the attacker uses that command execution to obtain, by some method, command execution under certain privileges on the container's direct host. (We often see the setup "a physical machine runs a virtual machine, and the virtual machine runs containers"; the direct host in that setup is the virtual machine outside the container.)
Because Docker isolates containers with kernel namespaces and not with a separate kernel, processes inside the container cannot see processes outside it, while processes on the host can see those inside. If a container can access resources outside itself, or even obtain privileges on the host, this is called a "Docker escape".
There are currently three causes of Docker escape:
Caused by kernel vulnerabilities.
Caused by Docker software design flaws.
Caused by privileged mode and improper configuration.
The following is a brief explanation of each of these three escape methods.
1. Escape caused by kernel vulnerabilities
Because a Docker container shares the host's kernel directly, a security vulnerability in the host kernel also affects the security of Docker and may lead to a Docker escape. The typical process is as follows:
Use the kernel vulnerability to enter the kernel context (run attacker-controlled code in kernel mode).
Obtain the task_struct of the current process.
Walk the task list back to the task_struct with pid = 1 (the host's init process) and copy its relevant data (credentials, filesystem root and namespace pointers) over the current process's.
Switch the current process into those host namespaces.
Spawn a root shell and complete the escape.
2. Escape caused by Docker software design
A typical example is runc, Docker's standardized container execution engine (the component that actually creates and starts containers). In February 2019 a Docker escape vulnerability in runc, CVE-2019-5736, was disclosed; Docker, containerd and any other program built on runc are affected. The root cause is that runc on the host re-executes itself through /proc/self/exe when it enters a container. A process inside the container, reached through a specially crafted container image or through an exec into an already running container, can obtain a file handle to the host's runc binary while runc is running, wait for runc to exit, and then overwrite the runc binary through that handle. The next time runc is invoked on the host, the attacker's code runs with root privileges on the host, which is a Docker escape.
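The file-descriptor primitive described above, reproduced against a throwaway copy of /bin/sleep instead of runc. This is an added example and is not code from the original article or from the runc project; it assumes a Linux host with /proc and a runnable /bin/sleep (it returns None anywhere else), and it never touches the real binary. It shows the two facts the exploit rests on: while the binary is executing, opening it for writing is refused with ETXTBSY, but a read-only descriptor obtained through /proc/<pid>/exe survives the process's exit and can then be re-opened for writing through /proc/self/fd/N.

```python
"""Added example (not from the original article or from runc): the file-descriptor
primitive behind CVE-2019-5736, reproduced against a throwaway copy of /bin/sleep."""
import errno
import os
import shutil
import signal
import subprocess
import tempfile


def exe_overwrite_primitive(victim_src="/bin/sleep"):
    """Run the primitive and report what happened at each step.

    Returns None when the environment cannot run the demo (no /proc, no
    runnable victim binary); otherwise a dict with the errno name seen when
    opening the running binary for writing, whether the re-open through the
    retained descriptor succeeded after the victim exited, and the first bytes
    of the victim file afterwards.
    """
    if not os.path.exists("/proc/self/exe") or not os.access(victim_src, os.X_OK):
        return None
    workdir = tempfile.mkdtemp(prefix="exe-demo-")
    # Named "sleep" so a busybox-based /bin/sleep still dispatches correctly.
    victim = os.path.join(workdir, "sleep")
    shutil.copy2(victim_src, victim)        # our own copy: the real binary is never touched
    os.chmod(victim, 0o755)
    try:
        proc = subprocess.Popen([victim, "30"])
    except OSError:                          # e.g. a noexec temp directory
        shutil.rmtree(workdir, ignore_errors=True)
        return None
    result = {}
    ro_fd = None
    try:
        if proc.poll() is not None:          # victim died at once; nothing to demonstrate
            return None
        # Step 1 (what the malicious container does to runc): keep a read-only
        # descriptor on the running binary, obtained through /proc/<pid>/exe.
        ro_fd = os.open(f"/proc/{proc.pid}/exe", os.O_RDONLY)
        # Step 2: a write-open while the binary is executing is refused (ETXTBSY).
        try:
            os.close(os.open(f"/proc/{proc.pid}/exe", os.O_WRONLY))
            result["while_running"] = "writable"
        except OSError as e:
            result["while_running"] = errno.errorcode.get(e.errno, str(e.errno))
        # Step 3: let the victim exit (runc exits once the container process is up).
        proc.send_signal(signal.SIGTERM)
        proc.wait()
        # Step 4: /proc/<pid>/exe is gone, but ro_fd still names the inode, and
        # re-opening it through /proc/self/fd/N for writing now succeeds.
        try:
            wr_fd = os.open(f"/proc/self/fd/{ro_fd}", os.O_WRONLY | os.O_TRUNC)
            os.write(wr_fd, b"#!/bin/sh\necho overwritten\n")
            os.close(wr_fd)
            result["after_exit"] = "writable"
        except OSError as e:
            result["after_exit"] = errno.errorcode.get(e.errno, str(e.errno))
        with open(victim, "rb") as f:
            result["victim_now_starts_with"] = f.read(9)
        return result
    finally:
        if ro_fd is not None:
            os.close(ro_fd)
        if proc.poll() is None:
            proc.kill()
            proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(exe_overwrite_primitive())
```

Against the real runc the attacker must be root inside the container and must catch a runc invocation (the container's entrypoint at start, or a docker exec); the fix shipped for CVE-2019-5736 makes runc re-execute from a sealed in-memory copy of itself, so a descriptor obtained this way no longer points at the on-disk binary.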
3. Escape caused by directory mounting in privileged mode
This escape method is used far more often than the other two. Privileged mode was introduced in Docker 0.6. Its core effect is to give root inside the container the powers of root on the host; without it, root in the container runs with a reduced capability set and, from the host's point of view, is closer to an ordinary user.
When a container is started in privileged mode (docker run --privileged), it is allowed to access all devices on the host, gains access to a large number of device files, and can run the mount command.
Whoever controls a container started in privileged mode can mount the host's disk device into the container with the mount command and obtain read and write access to the host's entire filesystem. From there, commands can be executed on the host by, for example, writing a scheduled task (cron job) into the mounted host filesystem, or by similar methods.
Privileged mode is not the only configuration that leads to a Docker escape; the capabilities mechanism can have the same effect. The Linux kernel has had capabilities since version 2.2. They break the UNIX/Linux split between the superuser and ordinary users by letting a process hold individual superuser privileges rather than all or none. For example, when a container is started with --cap-add=SYS_ADMIN, its processes are allowed to run system administration operations such as mount and umount. If an attacker in such a container mounts a host device or directory, a Docker escape follows.
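A small audit for the conditions this section describes (privileged mode, added capabilities, host paths and devices mounted into the container), added here as an example and not part of the original article. It reads the HostConfig fields of a `docker inspect` document, using the field names docker inspect really emits, and the CapEff mask from a container's /proc/self/status; both inputs below are constructed samples, the second one being Docker's default capability set with and without CAP_SYS_ADMIN. The capability bit numbers are the ones from linux/capability.h.

```python
"""Added example (not from the original article): flag the escape-prone container
settings described in this section, from docker inspect output and from the
capability mask in /proc/self/status."""
import json
import os

# Capability bit numbers from linux/capability.h, limited to those that commonly
# turn command execution in a container into host access.
ESCAPE_CAPS = {
    "CAP_DAC_READ_SEARCH": 2,   # open_by_handle_at(2): read arbitrary host files
    "CAP_SYS_MODULE": 16,       # load kernel modules into the shared kernel
    "CAP_SYS_RAWIO": 17,        # raw access to block devices and I/O ports
    "CAP_SYS_PTRACE": 19,       # inject into host processes when combined with --pid=host
    "CAP_SYS_ADMIN": 21,        # mount(2); the capability this section's escape relies on
}

# Host paths whose bind mount hands the container the host's files or its Docker daemon.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/home", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker"}


def capeff_from_status(status_text):
    """Extract the CapEff hex mask from /proc/<pid>/status text, or None."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    return None


def dangerous_caps(capeff_hex):
    """Names from ESCAPE_CAPS whose bit is set in a CapEff mask, sorted."""
    mask = int(capeff_hex, 16)
    return sorted(name for name, bit in ESCAPE_CAPS.items() if mask >> bit & 1)


def audit_host_config(inspect_doc):
    """Return one finding string per escape-prone setting in a docker inspect document."""
    hc = inspect_doc.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged=true: all capabilities, all host devices, no seccomp/AppArmor")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name if name.startswith("CAP_") else "CAP_" + name
        if name == "CAP_ALL" or name in ESCAPE_CAPS:
            findings.append(f"CapAdd {cap}: enough to mount host devices or reach host processes")
    for bind in hc.get("Binds") or []:            # "-v host:container[:opts]" entries
        src = os.path.normpath(bind.split(":")[0])
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"Binds {bind}: host path {src} exposed to the container")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host: host processes visible (ptrace-able with CAP_SYS_PTRACE)")
    for dev in hc.get("Devices") or []:
        findings.append(f"Devices {dev.get('PathOnHost')}: host device file passed through")
    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):
            findings.append(f"SecurityOpt {opt}: kernel attack surface no longer filtered")
    return findings


# Constructed sample: the HostConfig part of `docker inspect` for a container started
# with --privileged, --cap-add, --pid=host, a host device and bind mounts of / and the
# Docker socket (trimmed to the fields the audit reads).
PRIVILEGED_INSPECT = json.loads("""{
  "Id": "constructed",
  "HostConfig": {
    "Privileged": true,
    "CapAdd": ["SYS_ADMIN"],
    "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
    "PidMode": "host",
    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda", "CgroupPermissions": "rwm"}],
    "SecurityOpt": ["seccomp=unconfined"]
  }
}""")
# Constructed sample: the same fields for a container started with plain `docker run`.
DEFAULT_INSPECT = json.loads("""{"Id": "constructed", "HostConfig": {"Privileged": false,
  "CapAdd": null, "Binds": null, "PidMode": "", "Devices": [], "SecurityOpt": null}}""")
# Constructed /proc/self/status excerpts: Docker's default capability set (0xa80425fb),
# and the same set with bit 21 (CAP_SYS_ADMIN) added, as --cap-add=SYS_ADMIN produces.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
SYSADMIN_STATUS = "Name:\tsh\nCapEff:\t00000000a82425fb\n"


if __name__ == "__main__":
    for doc in (DEFAULT_INSPECT, PRIVILEGED_INSPECT):
        print(doc["Id"], audit_host_config(doc))
    for status in (DEFAULT_STATUS, SYSADMIN_STATUS):
        print(capeff_from_status(status), dangerous_caps(capeff_from_status(status)))
```

On a host, feed audit_host_config the output of `docker inspect <container>`; from inside a container you have a shell in, feed dangerous_caps the CapEff line of `cat /proc/self/status`, which is the quickest way to learn whether the mount-based escape in this section is even possible before looking for disks under /dev.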
The above is the full content of "What is docker container escape". For more information, follow the related articles on the PHP Chinese website.