Let's continue with more tools for sandboxing in Linux.
Firejail is a SUID sandbox program used to isolate programs for testing or security purposes. It is written in C and can be configured to use most of the namespaces. To start a program in Firejail, prefix its command with firejail:
$firejail firefox
This will start Firefox in a sandbox with the root filesystem mounted read-only. To start Firefox with only ~/Downloads and ~/.mozilla mounted for writing:
$firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox
Firejail by default uses a user namespace and, in private mode, mounts an empty temporary filesystem (tmpfs) on top of the user's home directory. To start a program in private mode:
$firejail --private firefox
To start the sandbox in a new network stack:
$firejail --net=eth0 --whitelist=~/.mozilla --whitelist=~/Downloads firefox
To assign an IP address to the sandbox
$firejail --net=eth0 --ip=192.168.1.155 firefox
To sandbox all programs run by a single user, change that user's default shell to /usr/bin/firejail:
$chsh --shell /usr/bin/firejail
When learning about virtualization technologies, the technology that attracted me most was containers, because of their easy deployment. Containers (also known as lightweight virtualization) are isolation tools that use namespaces to achieve that isolation. They are a better sandboxing utility because they generally use more than one namespace, and they focus on creating a whole virtual system instance rather than isolating a single process. Containers are not a new technology, since they have existed in Unix and Linux for decades, but due to the increase in SaaS and PaaS use they have become a hot topic, since they provide the most secure environment to deliver and use these services. They are called lightweight virtualization because they provide process-level isolation only, which means they depend on the Linux kernel, so only instances that use the same base kernel can be created. There are lots of containers available for Linux that have gained popularity in the last few years.
systemd-nspawn is a utility available by default with systemd which creates a separate container for isolation. It uses mount and PID namespaces by default, but other namespaces can also be configured.
To create a container or isolated shell you need to download a basic distribution, which we have done already using debootstrap. To get inside this container:
$systemd-nspawn -D my_deb
This container is stronger than chroot because it not only has a different mount point but also a separate process tree (check it with ps aux). But the hostname and IP interfaces are still the same as on the host system. To give it its own network stack you need to connect it to an existing network bridge:
$systemd-nspawn -D my_deb --network-bridge=br0
This will start the container in a network namespace with a pair of veth devices. You can even boot the instance with the -b option:
$systemd-nspawn -bD my_deb
While booting the container you will be required to enter the root user's password, so first run $passwd inside it to set a root password. The whole nspawn project is relatively young, hence there is still a lot to develop.
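The claims above (a read-only root and a tmpfs home under Firejail, a separate process tree under systemd-nspawn) can be verified from inside the sandbox rather than taken on trust. The script below is an added example, not code from the original article or from the Firejail or systemd projects. It reads the mount table and the namespace links that the kernel exposes under /proc; the function names, the --live switch and the sample mount tables mentioned in the comments are the editor's own, and the inputs are parameters so the checks run against a constructed sample as well as a live sandboxed shell.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Firejail
# or systemd projects.  It checks, from the kernel's own view of a process,
# three isolation claims made above: root filesystem read-only and home on
# a tmpfs (Firejail), and a separate PID tree (systemd-nspawn).  The mount
# table and namespace links are parameters so the checks can run on a
# constructed sample as well as on the live /proc of a sandboxed shell.

# Is the last mount on "/" flagged read-only?  $1 is a file in
# /proc/mounts format (device, mountpoint, fstype, options, ...).
root_is_readonly() {
    awk '$2 == "/" { opts = $4 }
         END { exit !(opts ~ /(^|,)ro(,|$)/) }' "$1"
}

# Is the home directory ($2) a tmpfs, as Firejail's --private promises?
home_is_tmpfs() {
    awk -v home="$2" '$2 == home { fstype = $3 }
         END { exit !(fstype == "tmpfs") }' "$1"
}

# Do two namespace links (e.g. /proc/self/ns/pid and /proc/1/ns/pid)
# point at different namespace inodes?  Fails if either is unreadable.
ns_differs() {
    a=$(readlink "$1") && b=$(readlink "$2") && [ -n "$a" ] && [ "$a" != "$b" ]
}

# Run the three checks against the calling process.  Meant to be run from
# inside the sandbox, e.g. `firejail --private sh isolation_check.sh --live`
# (file name is the editor's assumption).
audit_live() {
    mounts=/proc/self/mounts
    home=${HOME:-/root}
    root_is_readonly "$mounts" && echo "root filesystem: read-only" \
        || echo "root filesystem: WRITABLE"
    home_is_tmpfs "$mounts" "$home" && echo "$home: tmpfs" \
        || echo "$home: real home directory is visible"
    ns_differs /proc/self/ns/pid /proc/1/ns/pid 2>/dev/null \
        && echo "pid namespace: separate from the host's PID 1" \
        || echo "pid namespace: shared with PID 1 (or not readable)"
}

case ${1:-} in --live) audit_live ;; esac
```

Run it once on the host and once inside the sandbox and compare the three lines; a "WRITABLE" root or a visible real home under --private means the profile is not doing what you assumed. Reading /proc/1/ns/pid needs permission over PID 1, so from an unprivileged shell the last check can only report "not readable".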
Docker is the smartest and most prominent container in Linux for running application environments, and it has grabbed the most attention in the last few years. Docker containers use most of the available namespaces and cgroups to provide a strongly isolated environment. Docker runs on the docker daemon, which starts an isolated instance, like systemd-nspawn does, in which any service can be deployed with some tweaks. It can be used as a sandboxing tool to run applications securely or to deploy a software service inside it.
To get your first Docker container running you need to first start the docker daemon and then download a base image from Docker's online repository:
$service docker start
$docker pull kalilinux/kali-linux-docker
You can also download other Docker images from Docker Hub: https://hub.docker.com/.
This will download the base Kali Linux image. You can see all the images available on your system with:
$docker images
REPOSITORY                    TAG       IMAGE ID       CREATED         VIRTUAL SIZE
kalilinux/kali-linux-docker   latest    63ae5ac8df0f   1 minute ago    325 MB
centos                        centos6   b9aeeaeb5e17   9 months ago    202.6 MB
hello-world                   latest    91c95931e552   9 months ago    910 B
To run a program inside your container:
$docker run -i -t kalilinux/kali-linux-docker ls
bin   dev  home  lib64  mnt  proc  run   selinux  sys  usr
boot  etc  lib   media  opt  root  sbin  srv      tmp  var
This will start (run) your container, execute the command and then close the container. To get an interactive shell inside the container:
$docker run -t -i kalilinux/kali-linux-docker /bin/bash
root@24a70cb3095a:/#
This will get you inside the container, where you can do your work isolated from your host machine. 24a70cb3095a is your container's ID; you can check all the running containers with:
$docker ps
CONTAINER ID   IMAGE                         COMMAND       CREATED              STATUS              PORTS   NAMES
24a70cb3095a   kalilinux/kali-linux-docker   "/bin/bash"   About a minute ago   Up About a minute           angry_cori
When a container is started, docker automatically creates a veth pair which connects the container to the host system. You can check this with $ifconfig and then try to ping your host system.
At any instant you can save the state of your Docker container as a new image with:
$docker commit 24a70cb3095a new_image
$docker images
REPOSITORY                    TAG       IMAGE ID       CREATED          VIRTUAL SIZE
new_image                     latest    a87c73abca9d   6 seconds ago    325 MB
kalilinux/kali-linux-docker   latest    63ae5ac8df0f   1 hours ago      325 MB
centos                        centos6   b9aeeaeb5e17   9 months ago     202.6 MB
hello-world                   latest    91c95931e552   9 months ago     910 B
You can remove that image with $docker rmi new_image. To stop a container use docker stop, and after that remove the files created on the host by that container:
$docker stop 24a70cb3095a
$docker rm 24a70cb3095a
For running applications in a Docker instance you may need to attach it to the host system in some way. To mount external storage into the Docker container you can use the -v flag:
$docker run -it -v /temp/:/home/ kalilinux/kali-linux-docker /bin/bash
This will mount /temp/ from the host system onto /home/ inside the container. To attach a container port to an external host port use -p:
$docker run -it -v /temp/:/home/ -p 4567:80 kalilinux/kali-linux-docker /bin/bash
This will attach the external port 4567 to the container's port 80. This can be very useful for SaaS and PaaS if the deployed application needs to be reachable from the external network.
Running GUI applications in Docker is another common requirement. Docker doesn't have an X server defined, so to do that you need to mount the X server socket into the Docker instance:
$docker run -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix kalilinux/kali-linux-docker /bin/bash
This will forward the X11 socket into the container.
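Each of the flags above (-v, -p, the X11 socket mount) deliberately opens a hole in the isolation Docker gives you, so it is worth reviewing a docker run command line before it is executed. The script below is an added example, not code from the original article or from the Docker project: it walks the arguments exactly as they would be handed to docker run and counts the settings that widen the container's reach into the host. The rule set, the function names and the "finding:" output format are the editor's own; the sample command lines in the usage note are constructed from the ones shown above.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Docker
# project.  It reviews the arguments of a planned `docker run` before the
# command is executed and counts the settings that widen the container's
# reach into the host: -v bind mounts and -p port publishing as used in the
# article, plus --privileged and the *=host namespace flags.  Findings go
# to stderr and the count to stdout, so a deployment script can gate on it.

note() { printf 'finding: %s\n' "$*" >&2; }

# One -v spec of the form host_path:container_path[:options].
# Named volumes (no leading slash) are not bind mounts and are skipped.
check_volume() {
    spec=$1
    src=${spec%%:*}                 # text before the first colon
    rest=${spec#*:}                 # container_path[:options]
    case $rest in *:*) opts=${rest#*:} ;; *) opts="" ;; esac
    n=0
    case $src in
        /|/proc|/proc/*|/sys|/sys/*|/var/run/docker.sock|/run/docker.sock|/tmp/.X11-unix)
            note "bind mount of host-sensitive path $src"
            n=$((n + 1)) ;;
    esac
    case $src in
        /*) case ",$opts," in
                *,ro,*) ;;
                *) note "bind mount $spec is writable from the container (add :ro if it need not be)"
                   n=$((n + 1)) ;;
            esac ;;
    esac
    return $n
}

# One -p spec; without a host IP the port listens on every host interface.
check_port() {
    spec=$1
    case $spec in
        *:*:*)
            case ${spec%%:*} in
                0.0.0.0|"[::]") note "port $spec is bound to all interfaces explicitly"; return 1 ;;
            esac
            return 0 ;;
        *)  note "port $spec is published on every host interface (prefix 127.0.0.1: to keep it local)"
            return 1 ;;
    esac
}

# Walk the argument list exactly as it would be handed to `docker run`.
audit_docker_run() {
    total=0
    while [ $# -gt 0 ]; do
        flag=$1; val=""
        case $flag in
            -v|--volume|-p|--publish|--net|--network|--pid|--ipc|--userns)
                shift; val=${1:-} ;;                        # value is the next word
            --*=*) val=${flag#*=}; flag=${flag%%=*} ;;       # --flag=value form
        esac
        case $flag in
            -v|--volume)  check_volume "$val" || total=$((total + $?)) ;;
            -p|--publish) check_port "$val"   || total=$((total + $?)) ;;
            --privileged) note "--privileged grants all capabilities and host device access"
                          total=$((total + 1)) ;;
            --net|--network|--pid|--ipc|--userns)
                if [ "$val" = host ]; then
                    note "$flag=host shares that host namespace with the container"
                    total=$((total + 1))
                fi ;;
        esac
        shift
    done
    echo "$total"
}

# Stand-alone use: audit the docker run arguments given to this script.
if [ $# -gt 0 ]; then audit_docker_run "$@"; fi
```

Against the article's own `-it -v /temp/:/home/ -p 4567:80 kalilinux/kali-linux-docker /bin/bash` it reports two findings (a writable bind mount and a port open on every interface); the X11 command reports two as well, because /tmp/.X11-unix is both host-sensitive and writable. Rewriting the first as `-v /temp/:/home/:ro -p 127.0.0.1:4567:80` brings the count to zero, which is the shape a wrapper script can insist on before it calls docker run.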
To ship a Docker image to another system you need to push it to Docker's online repository:
$docker push new_image
You can also save the image as a tar archive (docker save works on images; docker export does the same for a running container's filesystem):
$docker save new_image > new_image.tar
There is a lot more to learn about Docker, but this article is not intended as a deep dive into it. The positive point about Docker is the huge number of tutorials and hacks available online, from which you can easily get a strong understanding of using Docker to get your work done. Docker has improved strongly since its first release in 2013 and can easily be used for production or testing environments because of its easy-to-use nature. Other solutions built around Docker to cover every scenario are also huge: Kubernetes (a Google project for orchestration of Docker), Swarm and many more services for Docker migration, graphical dashboards etc. are developing really fast. Automation tools for system admins like Puppet and Chef have also started providing support for Docker containers.
Do containers mean Docker?
The interest of industry in containers developed because of Docker. But there are more containers in the industry that are comparable with Docker.
Rocket is an open-source CoreOS project. CoreOS is an operating system that works on containerizing every application present inside the system. For that they have replaced the traditional package manager with appc (App Container), which ships application software in containers. Their reasoning is that it will increase security inside the system and solve the dependency-conflict problems found in package installation. They have also created their own Go-based container which uses the strong namespace features available for isolation in Linux; they named it Rocket. Rocket containers are said to be a competitor of Docker, but they are working on providing a much better solution than Docker. Rocket differs from Docker because it doesn't have any daemon to run: it directly starts rocket run under the spawning process. This means the container already has an init like systemd which can continuously monitor it, and all applications run underneath this initial process. Rocket also supports a standard image format that can be used by various tools, hence even images from other containers like Docker can be used inside it. Rocket containers are still in their beginning phase, so not much documentation or tutorials are available online, and there are still lots of things to be developed in it. It will be really interesting to see where Rocket will be after a few years.
LXC (Linux Containers), written in C, is the oldest container in Linux. It is more focused on providing a complete virtualization solution like QEMU/KVM, which it accomplishes through kernel-level isolation by namespaces.
Linux containers run a whole Linux machine (or simply multiple services) inside the isolated environment provided by the Linux kernel, whereas Docker replaces the traditional way of running applications and runs them in isolated environments, i.e., Docker containers are made to run a single application inside each container.
Images for LXC are not easy to create, nor to import from the internet. But the latest releases make it a little easier to use:
$sudo apt-get install lxc
$sudo lxc-create -t my_deb -n my-container
$sudo lxc-start -n my-container
To log in to that container:
$sudo lxc-console -n my-container -t 1
LXC containers are even capable of nested containerisation, which means you can run Docker or any other container inside an LXC container without any issues.
systemd has started to provide management utilities for nspawn and LXC-like containers, with a number of tools such as machinectl and journalctl.
machinectl comes pre-installed with the systemd init manager and is used to manage and control the state of systemd-based virtual machines and containers running underneath the systemd service. To see all containers running on your system:
$machinectl list
This will show all the currently running containers; the host shown is your main system. To get the status of any running container:
$machinectl status my_deb
machinectl doesn't show Docker containers, since Docker containers run behind the docker daemon.
To login to a container
$machinectl login my_deb
To switch off a container:-
$machinectl poweroff my_deb
To kill a container forcefully:-
$machinectl kill --signal=SIGKILL my_deb
To see logs of a container you can use journalctl:-
$journalctl -M my_deb
Do containers matter in industry:-
Lots of professionals argue that industry is not ready for container solutions, since they don't provide a prominent solution for its problems, for a few reasons:-
- Containers don't provide full virtualization. They depend on the main kernel and can be broken with a little effort.
- Deploying applications and managing them inside containers is not an easy job.
- Running heavy applications inside Docker is not a good solution.
But in spite of these facts, large companies like Google and Netflix have been using containers to isolate their services for many years. And since containers like Docker are developing at a really fast pace, other large companies are also starting to migrate to containers for their virtualization solutions. That's why it is not wrong to say that containers are the next level of virtualization. Besides those corporations that have shifted to using containers (Docker especially), others are working on creating their own containers according to their own environment.
What to take from this article:-
Sandboxing is important for every IT professional, but different professionals may require different solutions. So you may need to figure out what type of isolation is best for your work.
If you are a developer or application tester, chroot (discussed initially) is never a good solution because of how easily it can be escaped. Weak containers like systemd-nspawn or firejail can be a good solution because they are easy to deploy. Using Docker-like containers for application testing can be a bit of a headache, as making your container ready for your process to run fluently can be a little painful.
If you are a SaaS or PaaS provider, containers will always be the best solution for you because of their strong isolation, easy shipping, live migration and clustering features. You may go with a traditional virtualization solution (virtual machines), but features like resource management and quick booting can only be obtained with containers.