Restrict Network
Useful when running a third-party image that we do not trust.
Run with no network
docker run --network none <image>
Run with a private, isolated network
Containers attached to this network can still talk to each other, but an --internal network has no route to the outside world
docker network create --internal my_isolated_network
docker run --network my_isolated_network <image>
Block using a firewall
e.g. using iptables on Linux: Docker creates the DOCKER-USER chain, evaluates it before its own forwarding rules and does not rewrite it, so this is the place for custom rules. Two caveats: the chain only sees forwarded traffic (container to outside), not connections to services on the Docker host itself, and the container's IP may change when the container is recreated, so re-check it after a restart. Rules added this way are also gone after a reboot unless persisted.
# Get container's IP
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_name>
# Block all outbound connections from that IP
sudo iptables -I DOCKER-USER -s <container_ip> -j DROP
or allow the local network only (everything from that IP not destined for 192.168.0.0/16 is dropped)
sudo iptables -I DOCKER-USER -s <container_ip> ! -d 192.168.0.0/16 -j DROP
Inspect Docker Image with dive
Install dive
brew install dive
Now we can run dive against any Docker image we wish to inspect…
Run dive
dive confluentinc/cp-kafka:5.4.3
Figure 1. Screenshot of dive analyzing the Kafka Docker image
Introspect Private Docker Registry
List images (the catalog is paginated: pass ?n=<count> and follow the Link: <…>; rel="next" response header for the next page; a registry that requires login answers 401 with a WWW-Authenticate header that points to the token endpoint, or accepts curl -u user:pass for basic auth):
curl -s https://the-registry-url/v2/_catalog
Get tags for an image
curl -s https://the-registry-url/v2/the-image-name/tags/list
An example:
curl -s https://registry.local/v2/alpine/rabbitmq/tags/list
{"name":"alpine/rabbitmq","tags":["3.9.17"]}
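The two curl calls above are enough for a small registry, but a real inventory has to follow catalog pagination and answer Bearer-token challenges. The script below is an added example (not from the original page) that does both over the Registry HTTP API v2 and returns {repository: [tags]} for the whole registry. It assumes the standard /v2/_catalog and /v2/<name>/tags/list endpoints, pagination via a Link: <…>; rel="next" header and token auth advertised by a 401 with WWW-Authenticate: Bearer realm=…,service=…,scope=…; the registry.local and auth.local URLs, the fetch callable and fake_fetch() are constructed placeholders so the logic runs offline.

```python
"""Inventory a private registry over the Registry HTTP API v2 (added example)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

LINK_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="next"')
CHALLENGE_PARAM = re.compile(r'(\w+)="([^"]*)"')


def http_fetch(url, headers=None):
    """Real transport: GET url, return (status, headers, body) even on 4xx."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def header(hdrs, name):
    """Case-insensitive header lookup (Go-based registries send Www-Authenticate)."""
    return next((v for k, v in hdrs.items() if k.lower() == name.lower()), None)


def parse_bearer_challenge(value):
    """'Bearer realm="..",service="..",scope=".."' -> dict, or None if not Bearer."""
    if not value or not value.lower().startswith("bearer "):
        return None
    return dict(CHALLENGE_PARAM.findall(value[len("Bearer "):]))


def next_page(link, current_url):
    """Absolute URL of the rel="next" page, or None when the catalog ends."""
    match = LINK_NEXT.search(link or "")
    return urllib.parse.urljoin(current_url, match.group(1)) if match else None


def get_json(fetch, url):
    """GET url; on a 401 Bearer challenge obtain a token for the advertised scope and retry once."""
    status, hdrs, body = fetch(url, {})
    if status == 401:
        challenge = parse_bearer_challenge(header(hdrs, "WWW-Authenticate"))
        if not challenge or "realm" not in challenge:
            raise PermissionError(f"401 without a usable Bearer challenge: {url}")
        query = urllib.parse.urlencode(
            {k: challenge[k] for k in ("service", "scope") if k in challenge})
        t_status, _, t_body = fetch(f"{challenge['realm']}?{query}", {})
        if t_status != 200:
            raise PermissionError(f"token endpoint answered {t_status}")
        token = json.loads(t_body)
        bearer = token.get("token") or token.get("access_token")
        status, hdrs, body = fetch(url, {"Authorization": f"Bearer {bearer}"})
    if status != 200:
        raise RuntimeError(f"HTTP {status} from {url}")
    return json.loads(body), hdrs


def walk_catalog(registry, fetch=http_fetch, page_size=100):
    """Yield every repository name, following Link headers page by page."""
    url = f"{registry}/v2/_catalog?n={page_size}"
    while url:
        data, hdrs = get_json(fetch, url)
        yield from data.get("repositories") or []
        url = next_page(header(hdrs, "Link"), url)


def list_tags(registry, name, fetch=http_fetch):
    """Tags of one repository; registries answer "tags": null for an empty repo."""
    data, _ = get_json(fetch, f"{registry}/v2/{name}/tags/list")
    return data.get("tags") or []


def inventory(registry, fetch=http_fetch, page_size=100):
    """{repository: [tags...]} for the whole registry."""
    return {name: list_tags(registry, name, fetch)
            for name in walk_catalog(registry, fetch, page_size)}


# Constructed offline stand-in: two catalog pages, one repository behind token auth.
_TOKEN = "t0k3n"
_CHALLENGE = ('Bearer realm="https://auth.local/token",service="registry.local",'
              'scope="repository:app/backend:pull"')
_RESPONSES = {
    "https://registry.local/v2/_catalog?n=2": (
        200, {"Link": '</v2/_catalog?n=2&last=app%2Fbackend>; rel="next"'},
        '{"repositories":["alpine/rabbitmq","app/backend"]}'),
    "https://registry.local/v2/_catalog?n=2&last=app%2Fbackend": (
        200, {}, '{"repositories":["app/frontend"]}'),
    "https://registry.local/v2/alpine/rabbitmq/tags/list": (
        200, {}, '{"name":"alpine/rabbitmq","tags":["3.9.17"]}'),
    "https://registry.local/v2/app/backend/tags/list": (
        200, {}, '{"name":"app/backend","tags":["1.0.0","1.0.1"]}'),
    "https://registry.local/v2/app/frontend/tags/list": (
        200, {}, '{"name":"app/frontend","tags":null}'),
}


def fake_fetch(url, headers):
    """Constructed transport replacing http_fetch for offline runs."""
    if url.startswith("https://auth.local/token?"):
        return 200, {}, json.dumps({"token": _TOKEN})
    if url.endswith("/app/backend/tags/list") and headers.get("Authorization") != f"Bearer {_TOKEN}":
        return 401, {"Www-Authenticate": _CHALLENGE}, '{"errors":[{"code":"UNAUTHORIZED"}]}'
    return _RESPONSES[url]


def demo_offline():
    return inventory("https://registry.local", fetch=fake_fetch, page_size=2)


if __name__ == "__main__":
    print(json.dumps(demo_offline(), indent=2))  # swap in http_fetch and a real URL for a live registry
```

Against a real registry call inventory("https://registry.local") with the default http_fetch; a 401 whose challenge cannot be satisfied is raised as PermissionError rather than silently returning an empty catalog, which is the failure mode that makes a registry look empty when it is merely private.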
Search for image
docker search mysql
Run bash in container
docker exec -it NAME /bin/bash
Find dangling / untagged images
Get container IP
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_name>
Change Auto-Restart Policy
e.g. disable auto-restart for a container (docker update takes a container name or ID, not an image name)
docker update --restart no <CONTAINER_NAME>
Output Images as CSV List
Used in GitLab builds to feed the locally built images to Trivy (tr leaves a trailing comma at the end of the list)
docker image ls --format="{{.Repository}}:{{.Tag}}" | grep -v '<none>' | tr '\n' ','
Package OpenSSL as Docker Image
Dockerfile
FROM alpine:3.18
RUN apk add --no-cache openssl
ENTRYPOINT ["openssl"]
Building the image
docker build . -t openssltool
Running openssl (the ENTRYPOINT needs a subcommand; without one openssl waits on its interactive prompt and exits as soon as stdin is closed)
docker run --rm openssltool version
Prune Volumes
Removes every local volume that no container references any more.
docker volume prune
or prune even more: this also removes all stopped containers, unused networks and dangling images together with the unused volumes, so check what is still needed first
docker system prune --volumes
Running stuff with Docker
Run local Postgres Database (-p 5432:5432 publishes the port on every host interface; prefix the host side with 127.0.0.1: to keep a database with a throwaway password reachable from the host only)
docker run --name some-pg-db -p5432:5432 -e POSTGRES_PASSWORD=fancypassword -e POSTGRES_USER=theuser postgres:latest
Run Postgres Client from Docker Image
docker run --rm -it postgres:14.0 psql -h <host> -U <username> -d <database>
or connect to running postgres instance:
docker exec -it my-postgres psql -U postgres
Run local MySQL Database (same note on -p as above; mysql:5.7 has been end of life since October 2023 and receives no security fixes any more, so use it only for legacy testing)
docker run --name local-mysql -e MYSQL_ROOT_PASSWORD=password -p 3306:3306 -d mysql:5.7
Run Trivy Scan for Docker Image
Trivy in a container can only scan an image it can reach: a remote image it pulls itself, or a local one if the Docker socket is mounted with -v /var/run/docker.sock:/var/run/docker.sock (which gives that container root-equivalent control of the host's Docker daemon, so only do this on a build host). For CI gating add --exit-code 1 --severity HIGH,CRITICAL so the job fails on findings.
docker run aquasec/trivy image IMAGE:TAG
Run MailPit for Testing SMTP/IMAP/POP3
docker run -d \
--restart unless-stopped \
--name=mailpit \
-p 8025:8025 \
-p 1025:1025 \
axllent/mailpit
Send Test-Email via Telnet
Note that piping into telnet sends every line without waiting for the server's reply, which works with Mailpit but can trip up a slower server; MAIL FROM:<…> and RCPT TO:<…> are written without a space after the colon, as RFC 5321 specifies.
{
echo "EHLO localhost"
echo "MAIL FROM:<webmaster@hascode.com>"
echo "RCPT TO:<micha@hascode.com>"
echo "DATA"
echo "From: <webmaster@hascode.com>"
echo "To: <micha@hascode.com>"
echo "Subject: Hey there at hascode.com"
echo ""
echo "How R u doing mate?"
echo "."
echo "QUIT"
} | telnet localhost 1025
Now we can read the e-mail we just sent in the web UI at http://localhost:8025/:
Figure 2. MailPit Browser-UI
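The telnet dialogue above fires all commands blindly. As an added example (not part of the original page), the script below sends the same test mail with Python's smtplib, which waits for and checks each SMTP reply and produces a well-formed MIME message. It assumes Mailpit listening on localhost:1025 as published by the docker run above; MAIL_HOST and MAIL_PORT are assumed names, and StandInSMTP is a constructed minimal receiver so the client side can be exercised offline without Mailpit.

```python
"""Send a test e-mail to Mailpit with smtplib (added example)."""
import smtplib
import socket
import threading
from email.message import EmailMessage

MAIL_HOST, MAIL_PORT = "localhost", 1025  # assumed: Mailpit's published SMTP port


def build_message(sender, recipient, subject, body):
    """A proper RFC 5322 message with MIME headers and encoding handled for us."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_test_mail(host=MAIL_HOST, port=MAIL_PORT,
                   sender="webmaster@hascode.com", recipient="micha@hascode.com"):
    """Deliver one message; returns smtplib's dict of refused recipients ({} = all accepted)."""
    msg = build_message(sender, recipient, "Hey there at hascode.com",
                        "How R u doing mate?\n")
    with smtplib.SMTP(host, port, timeout=10) as smtp:  # raises on anything but 220
        smtp.ehlo("localhost")
        return smtp.send_message(msg)  # MAIL FROM, RCPT TO, DATA, each reply checked


class StandInSMTP(threading.Thread):
    """Constructed minimal receiver: just enough of RFC 5321 to accept one
    message on 127.0.0.1 and record (mail_from, rcpt_to, data)."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)  # listening before start(), so the client can connect at once
        self.port = self.sock.getsockname()[1]
        self.received = []

    def run(self):
        conn, _ = self.sock.accept()
        rfile = conn.makefile("rb")

        def reply(line):
            conn.sendall((line + "\r\n").encode())

        reply("220 standin ESMTP")
        mail_from, rcpts = None, []
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.decode(errors="replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply("250 standin")
            elif verb == "MAIL":
                mail_from = line.split(":", 1)[1].strip()
                reply("250 OK")
            elif verb == "RCPT":
                rcpts.append(line.split(":", 1)[1].strip())
                reply("250 OK")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                lines = []
                while (chunk := rfile.readline()) not in (b".\r\n", b""):
                    text = chunk.decode(errors="replace")
                    lines.append(text[1:] if text.startswith(".") else text)  # dot-unstuffing
                self.received.append((mail_from, list(rcpts), "".join(lines)))
                reply("250 queued")
            elif verb == "QUIT":
                reply("221 bye")
                break
            else:
                reply("500 unrecognised command")
        conn.close()
        self.sock.close()


def demo_offline():
    """Run the client against the stand-in; returns (refused, received)."""
    server = StandInSMTP()
    server.start()
    refused = send_test_mail("127.0.0.1", server.port)
    server.join(5)
    return refused, server.received


if __name__ == "__main__":
    print("refused recipients:", send_test_mail())  # against Mailpit on localhost:1025
```

With Mailpit running, send_test_mail() returns {} and the message shows up in the web UI; a closed port raises ConnectionRefusedError and a rejected recipient is returned in the dict instead of being silently lost, which is what the telnet pipe cannot tell you.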