Sandboxing and program isolation in Linux using many approaches (Part 2)

Let's continue with more tools for sandboxing in Linux.

Firejail

Firejail is a SUID sandbox program used to isolate programs for testing or security purposes. It is written in C and can be configured to use most of the Linux namespaces, together with seccomp-bpf system call filters and capability restrictions. To start a program inside Firejail:

$firejail firefox

This starts Firefox in a sandbox in which the system directories (/bin, /sbin, /usr, /etc, /lib and friends) are mounted read-only. To expose only ~/Downloads and ~/.mozilla from the home directory (everything else in the home directory is hidden behind an empty tmpfs):

$firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox

In private mode Firejail mounts an empty temporary filesystem (tmpfs) on top of the user's home directory, so the program starts with a clean home and everything it writes there disappears when the sandbox exits.
To start a program in private mode:

$firejail --private firefox

To run the program in its own network namespace, attached to a host interface through a macvlan device:

$firejail --net=eth0 --whitelist=~/.mozilla --whitelist=~/Downloads firefox

To assign a fixed IP address to the sandbox's interface (otherwise Firejail picks a free one by ARP-probing the network):

$firejail --net=eth0 --ip=192.168.1.155 firefox

Note:
To sandbox every program a user runs, you can make /usr/bin/firejail that user's login shell. Because Firejail runs with the setuid bit, a bug in Firejail itself is a local privilege escalation, so keep it updated.

$chsh --shell /usr/bin/firejail
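The read-only and whitelist behaviour described above is easy to verify from inside the sandbox instead of taking it on trust. The script below is an added example, not part of the original article or of Firejail: it parses the mountinfo table the kernel exposes in /proc/self/mountinfo and reports which paths are covered by a read-only mount. The sample mountinfo it ships with is constructed to resemble a --whitelist=~/.mozilla session; run the functions without the second argument inside "firejail bash" to check the real thing.

```shell
#!/bin/sh
# Added example (not from the original article): verify, from inside a
# sandbox, which paths are really mounted read-only by parsing the
# mountinfo table that the kernel exposes in /proc/self/mountinfo.
#
# mountinfo fields (see proc(5)):
#   1 id  2 parent  3 major:minor  4 root  5 mount point  6 per-mount options ...
# The read-only flag of an individual mount is the "ro" token in field 6.

# ro_mount_points FILE
#   Print each mount point in FILE (mountinfo format) whose per-mount
#   options contain "ro", one per line.
ro_mount_points() {
    awk '{
        n = split($6, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "ro") { print $5; break }
    }' "$1"
}

# is_readonly PATH [FILE]
#   Return 0 if PATH lives under a read-only mount in FILE (default: the
#   caller's own /proc/self/mountinfo), 1 if it is writable. The longest
#   matching mount point wins, because a writable bind mount such as a
#   whitelisted ~/.mozilla can sit below a read-only parent.
is_readonly() {
    path=$1
    file=${2:-/proc/self/mountinfo}
    best=""
    best_ro=1
    while IFS= read -r line; do
        set -- $line
        mp=$5
        opts=$6
        case "$path" in
            "$mp"|"${mp%/}"/*) ;;
            *) continue ;;
        esac
        if [ ${#mp} -ge ${#best} ]; then
            best=$mp
            case ",$opts," in
                *,ro,*) best_ro=0 ;;
                *)      best_ro=1 ;;
            esac
        fi
    done < "$file"
    return $best_ro
}

# Constructed sample resembling a Firejail session started with
# --whitelist=~/.mozilla: system directories read-only, home replaced by a
# tmpfs with the whitelisted directory bind-mounted writable on top.
sample_mountinfo() {
    cat <<'EOF'
21 1 0:20 / / rw,relatime - ext4 /dev/sda1 rw
35 21 0:20 /usr /usr ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw
36 21 0:20 /etc /etc ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw
40 21 0:35 / /home/user rw,nosuid,nodev,relatime - tmpfs tmpfs rw
41 40 0:20 /home/user/.mozilla /home/user/.mozilla rw,relatime - ext4 /dev/sda1 rw
EOF
}

# Demo on the constructed sample. On a real system drop the second argument:
#   is_readonly /usr && echo "/usr is read-only in this sandbox"
sample=$(mktemp)
sample_mountinfo > "$sample"
echo "read-only mount points:"
ro_mount_points "$sample"
for p in /usr/bin/firefox /home/user/.mozilla/prefs.js /home/user/secret; do
    if is_readonly "$p" "$sample"; then echo "$p: read-only"; else echo "$p: writable"; fi
done
rm -f "$sample"
```

Running the same two functions once in a plain shell and once inside the sandbox, and diffing the output, tells you exactly what the profile changed; the longest-match rule matters because a whitelisted directory is a writable bind mount placed below the read-only or tmpfs home.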

Containers

When learning about virtualization technologies, the one that attracted me most was containers, because of their easy deployment. Containers (also known as lightweight virtualization) are isolation tools built on namespaces. They are a better sandboxing utility than the single-purpose tools above because they generally use several namespaces at once and focus on creating a whole virtual system instance rather than isolating a single process. Containers are not a new technology (OS-level virtualization has existed in Unix and Linux for well over a decade), but with the growth of SaaS and PaaS they became a hot topic, since they provide a convenient isolated environment in which to deliver and use such services. They are called lightweight virtualization because they provide process-level isolation only: every container runs on the host's kernel, so only instances that use the same base kernel can be created, and a kernel bug is shared by all of them. A number of container implementations are available for Linux and have gained popularity in the last few years.

systemd-nspawn

systemd-nspawn is a utility shipped with systemd that creates a separate container for isolation. By default it puts the container in its own mount, PID, UTS and IPC namespaces; other namespaces can be configured. To create a container or isolated shell you need a basic distribution tree, which we already built with debootstrap in Part 1. To get a shell inside it:

$systemd-nspawn -D my_deb

This is stronger than a chroot: the container not only has its own mount tree but also a separate process tree (check it with ps aux inside, which shows only the container's own processes). By default, however, it still shares the host's network stack, so it sees the host's interfaces and addresses. To give the container its own network namespace, use --private-network (loopback only) or --network-veth (a veth pair to the host), or connect it to an existing network bridge:

$systemd-nspawn -D  my_deb --network-bridge=br0

This starts the container in its own network namespace, connected to br0 through a pair of veth devices. You can even boot the whole system in the directory, with systemd as PID 1, using the -b option:

$systemd-nspawn -bD my_deb 

Note:
When booting the container you will be asked for the root password at the login prompt, so first run $passwd inside a non-booted nspawn shell to set one.

The nspawn project is relatively young, so there is still a lot to develop.
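A boot that stalls at a login prompt because root is still locked is the most common first-run problem with -b. The script below is an added example (not from the original article and not part of systemd) that checks a rootfs directory before you boot it: it looks for an init binary in the conventional locations (an assumption of the script, not something nspawn mandates) and reads root's entry in etc/shadow to see whether a password is set. The fake rootfs it builds for the demo is constructed; on a real debootstrap tree the script needs root, just as nspawn does.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for a
# rootfs directory before booting it with "systemd-nspawn -bD DIR".
# It confirms an init binary is present and that the root account has a
# password, so the boot does not stall at a login prompt you cannot pass.
# The paths checked are conventional locations (an assumption of this
# script). Reading DIR/etc/shadow needs root, like nspawn itself.

# nspawn_preflight DIR
#   Exit status: 0 = init found and root has a password hash
#                1 = DIR does not look like a root filesystem / no init
#                2 = root account is locked or has no password
nspawn_preflight() {
    dir=$1
    if [ ! -d "$dir/etc" ] || [ ! -d "$dir/usr" ]; then
        echo "$dir: not a root filesystem" >&2
        return 1
    fi
    init=""
    for candidate in usr/lib/systemd/systemd lib/systemd/systemd sbin/init; do
        if [ -e "$dir/$candidate" ]; then
            init=$candidate
            break
        fi
    done
    if [ -z "$init" ]; then
        echo "$dir: no init binary found, install systemd inside first" >&2
        return 1
    fi
    # Field 2 of root's shadow entry: "" = no password, "!" or "*" prefix = locked.
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$dir/etc/shadow" 2>/dev/null)
    case "$hash" in
        ""|"!"*|"*"*)
            echo "$dir: root password unset or locked, run passwd inside 'systemd-nspawn -D $dir' first" >&2
            return 2 ;;
    esac
    echo "$dir: bootable via /$init, root password is set"
    return 0
}

# make_sample_rootfs DIR locked|set
#   Build a constructed, minimal fake rootfs for the demo: an empty file
#   standing in for systemd and a one-line shadow file.
make_sample_rootfs() {
    mkdir -p "$1/etc" "$1/usr/lib/systemd"
    : > "$1/usr/lib/systemd/systemd"
    if [ "$2" = locked ]; then
        echo 'root:!:19000:0:99999:7:::' > "$1/etc/shadow"
    else
        echo 'root:$6$constructed$notARealHashJustASample:19000:0:99999:7:::' > "$1/etc/shadow"
    fi
}

# Demo: a freshly debootstrapped tree has a locked root, so the check
# fails with status 2 until a password is set.
tmp=$(mktemp -d)
make_sample_rootfs "$tmp/fresh" locked
nspawn_preflight "$tmp/fresh" || echo "exit status $?"
make_sample_rootfs "$tmp/ready" set
nspawn_preflight "$tmp/ready"
rm -rf "$tmp"
```

Usage on the real tree is simply `sudo sh preflight.sh` with `nspawn_preflight my_deb` at the bottom; a status of 2 means run `systemd-nspawn -D my_deb` and `passwd` first, exactly as the Note says.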

Docker

Docker is the most prominent container tool on Linux for running application environments, and it has attracted the most attention over the last few years. Docker containers use most of the kernel's namespaces and cgroups to provide a strongly isolated environment. Docker runs as a daemon that starts isolated instances, much like systemd-nspawn, in which any service can be deployed with some tweaks. It can be used as a sandboxing tool to run an application in isolation, or to deploy a software service inside it.
To get your first Docker container running, first start the Docker daemon, then download a base image from Docker Hub, Docker's online registry.

$service docker start
$docker pull kalilinux/kali-linux-docker

Note:
You can download other docker images also from docker hub https://hub.docker.com/.

This downloads the Kali Linux base image. You can list all images on your system with:

$docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
kalilinux/kali-linux-docker   latest              63ae5ac8df0f        1 minute ago        325 MB
centos                        centos6             b9aeeaeb5e17        9 months ago        202.6 MB
hello-world                   latest              91c95931e552        9 months ago        910 B

To run a single program inside a container:

$docker run -i -t kalilinux/kali-linux-docker ls
bin   dev  home  lib64	mnt  proc  run	 selinux  sys  usr
boot  etc  lib	 media	opt  root  sbin  srv	  tmp  var

This starts (runs) a container, executes the command and then exits the container. To get an interactive shell inside a container:

$docker run -t -i kalilinux/kali-linux-docker /bin/bash
root@24a70cb3095a:/# 

This drops you into a shell inside the container, where you can work isolated from your host machine. 24a70cb3095a is the container's id; you can list all running containers with:

$docker ps
CONTAINER ID        IMAGE                         COMMAND             CREATED              STATUS              PORTS               NAMES
24a70cb3095a        kalilinux/kali-linux-docker   "/bin/bash"         About a minute ago   Up About a minute                       angry_cori

When a container starts, Docker creates a veth pair for it and attaches the host end to the docker0 bridge, so the container is connected to the host system by default. You can check this with $ip addr (or $ifconfig) inside the container and then try to ping your host system.
At any point you can save the container's current state as a new image with:

$docker commit 24a70cb3095a new_image
$docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
new_image                     latest              a87c73abca9d        6 seconds ago       325 MB
kalilinux/kali-linux-docker   latest              63ae5ac8df0f        1 hours  ago        325 MB
centos                        centos6             b9aeeaeb5e17        9 months ago        202.6 MB
hello-world                   latest              91c95931e552        9 months ago        910 B

You can remove that image with $docker rmi new_image. To stop a container use docker stop, and afterwards remove the container's writable layer from the host with docker rm:

$docker stop 24a70cb3095a
$docker rm 24a70cb3095a

For running applications inside a Docker container you may need to attach it to the host system in some way. To mount host storage into the container, use the -v flag:

$docker run -it -v /temp/:/home/ kalilinux/kali-linux-docker /bin/bash

This mounts /temp/ from the host at /home/ inside the container. A bind-mounted host directory is writable by the container unless you append :ro, so every such mount is a hole in the sandbox through which the container can modify host files. To map a container port to a host port, use -p:

$docker run -it -v /temp/:/home/ -p 4567:80 kalilinux/kali-linux-docker /bin/bash

This publishes the container's port 80 on host port 4567, which is what a SaaS or PaaS deployment needs when the application must be reachable from the external network.
Running GUI applications inside Docker is another common requirement. The container has no X server of its own, so you pass the host's DISPLAY variable and bind-mount the host's X11 socket directory into the container:

$docker run -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix kalilinux/kali-linux-docker /bin/bash

This forwards the X11 socket into the container. Be aware that any client with access to the X11 socket can read keystrokes and window contents of every other client on that display, so this largely removes the isolation between the containerised GUI program and the host desktop.
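The -v, -p and X11 examples above show that most of what weakens a Docker sandbox is decided on the docker run command line. The linter below is an added example (not from the original article and not part of Docker): it scans an argument list before you run it and reports every setting that hands the container a way back into the host, including bind mounts of sensitive host paths, the Docker socket, the X11 socket, host namespaces and --privileged. The set of "sensitive" host paths is this script's own choice, and the argument lists in the demo are constructed from the commands in the text.

```shell
#!/bin/sh
# Added example (not from the original article): a linter for the argument
# list you are about to hand to "docker run". Every flag it reports
# (privileged mode, host namespaces, sensitive bind mounts, the X11 socket,
# the Docker socket) punches a hole from the container back into the host.
# The list of sensitive host paths is this script's own choice, not
# something Docker defines.

report() { printf '%s\n' "$*"; }

# _check_opt_value OPTION VALUE
#   Print a finding and return 0 if OPTION=VALUE is dangerous, else 1.
_check_opt_value() {
    case "$1" in
        --net|--network)
            [ "$2" = host ] && { report "$1=host: container shares the host network namespace"; return 0; } ;;
        --pid)
            [ "$2" = host ] && { report "--pid=host: container can see and signal host processes"; return 0; } ;;
        --ipc)
            [ "$2" = host ] && { report "--ipc=host: container shares host shared memory"; return 0; } ;;
        --userns)
            [ "$2" = host ] && { report "--userns=host: user namespace remapping disabled"; return 0; } ;;
        --cap-add)
            case "$2" in
                ALL|SYS_ADMIN|SYS_PTRACE|SYS_MODULE|DAC_READ_SEARCH|CAP_SYS_ADMIN|CAP_SYS_PTRACE|CAP_SYS_MODULE|CAP_DAC_READ_SEARCH)
                    report "--cap-add=$2: capability that is enough to escape the container"; return 0 ;;
            esac ;;
        --security-opt)
            case "$2" in
                *unconfined*) report "--security-opt=$2: seccomp/AppArmor confinement switched off"; return 0 ;;
            esac ;;
        --device)
            report "--device=$2: host device passed through"; return 0 ;;
        -v|--volume|--mount)
            if [ "$1" = --mount ]; then      # type=bind,source=/x,target=/y form
                src=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n -e 's/^source=//p' -e 's/^src=//p')
            else                             # src:dst[:opts] form
                src=${2%%:*}
            fi
            src=${src%/}
            [ -n "$src" ] && [ "${src#/}" = "$src" ] && return 1   # named volume, not a host path
            [ -z "$src" ] && src=/
            case "$src" in
                /|/proc|/sys|/dev|/etc|/root|/boot|/var/run/docker.sock|/run/docker.sock)
                    report "$1 $2: host path $src gives the container control over the host"; return 0 ;;
                /tmp/.X11-unix|/tmp/.X11-unix/*)
                    report "$1 $2: X11 socket lets the container read keystrokes and windows of the host display"; return 0 ;;
            esac ;;
    esac
    return 1
}

# check_docker_run_args ARG...
#   Scan the arguments of a "docker run" command line. Prints one line per
#   finding; returns 0 if the command line is clean, 1 otherwise.
check_docker_run_args() {
    findings=0
    pending=""
    for a in "$@"; do
        if [ -n "$pending" ]; then          # value of the option seen just before
            _check_opt_value "$pending" "$a" && findings=$((findings + 1))
            pending=""
            continue
        fi
        case "$a" in
            --privileged)
                report "--privileged: all capabilities, every host device, seccomp and AppArmor off"
                findings=$((findings + 1)) ;;
            -v|--volume|--mount|--net|--network|--pid|--ipc|--userns|--cap-add|--security-opt|--device)
                pending=$a ;;
            --volume=*|--mount=*|--net=*|--network=*|--pid=*|--ipc=*|--userns=*|--cap-add=*|--security-opt=*|--device=*)
                _check_opt_value "${a%%=*}" "${a#*=}" && findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demo on the two command lines from the text above (constructed argument lists).
echo "== bind mount and port mapping =="
check_docker_run_args -it -v /temp/:/home/ -p 4567:80 kalilinux/kali-linux-docker /bin/bash && echo "clean"
echo "== X11 forwarding =="
check_docker_run_args -it -e DISPLAY=:0 -v /tmp/.X11-unix:/tmp/.X11-unix kalilinux/kali-linux-docker /bin/bash || echo "not clean"
```

A clean result only means nothing obviously dangerous was passed; for a real sandbox also add the restrictions Docker supports on the same command line, such as --read-only, --cap-drop=ALL and --security-opt=no-new-privileges, so the container starts with fewer privileges than the default profile.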
To ship an image to another system you can push it to a registry. Docker Hub requires the image to be tagged under your account name first ($docker tag new_image yourname/new_image, where yourname is a placeholder for your Docker Hub user):

$docker push yourname/new_image

You can also save an image to a tar archive with docker save, or dump a container's filesystem with docker export (which takes a container id, not an image name):

$docker save -o new_image.tar new_image
$docker export -o container.tar 24a70cb3095a

There is a lot more to learn about Docker, but this article is not meant as a deep dive. The positive point about Docker is the huge number of tutorials and hacks available online, from which you can easily gain a strong understanding of how to get your work done with it. Since its first release in 2013 Docker has improved a great deal and, because of its ease of use, can be used for production as well as testing environments. The ecosystem around it is also large: Kubernetes (a Google project for orchestrating Docker containers), Swarm, and many other services for migration, graphical dashboards and so on are developing quickly. Configuration management tools for system administrators such as Puppet and Chef have also started to support Docker containers.

Do containers mean Docker?

Industry interest in containers developed because of Docker, but there are other container implementations in the industry that are comparable with it.

Rocket / rkt (CoreOS)

Rocket, later renamed rkt, is an open source CoreOS project. CoreOS is an operating system built around running every application on the system inside a container; instead of a traditional package manager it uses the App Container (appc) specification to ship application software as container images. The stated reasons are better isolation between applications and an end to the dependency conflicts that come with package installation. CoreOS also wrote its own Go-based container runtime that uses the Linux namespace features for isolation, and named it Rocket. Rocket is positioned as a competitor to Docker, and its main architectural difference is that it has no daemon: rkt run is executed directly as a child of the invoking process, so the container can be supervised by an init system such as systemd and all applications run underneath that initial process. Rocket also supports a standard image format usable by other tools, and images from other containers such as Docker can be used inside it as well. The project is still young, so little documentation or tutorial material is available online and a lot remains to be developed. It will be interesting to see where Rocket is in a few years.

LXC

LXC (Linux Containers), written in C, is one of the oldest container implementations on Linux. It is focused on providing a complete system inside the container, much as a virtual machine under QEMU/KVM would, but the isolation is done by the kernel through namespaces and cgroups rather than by hardware virtualization.
Linux containers run a whole Linux system (or simply multiple services) inside the isolated environment provided by the Linux kernel, whereas Docker replaces the traditional way of running applications
and runs them in isolated environments, i.e. Docker containers are designed to run a single application each.
Images for LXC are not as easy to create or import from the internet as Docker's, but recent releases have made it easier. lxc-create builds the root filesystem from a template (-t names a template such as debian or download, not an existing directory like the my_deb tree used with nspawn):

$sudo apt-get install lxc
$sudo lxc-create -t debian -n my-container
$sudo lxc-start -n my-container -d

To log in to that container (lxc-attach -n my-container gives you a root shell directly without a login):

$sudo lxc-console -n my-container -t 1

LXC containers are even capable of nested containerisation, which means you can run Docker or another container inside an LXC container, provided nesting is enabled in the container's configuration (the default AppArmor profile blocks the mounts nesting needs).

systemd provides management utilities for containers registered with systemd-machined (nspawn does this by default, and LXC can be set up to do so), including machinectl and journalctl.

machinectl

machinectl comes pre-installed with the systemd init manager and is used to manage and control the state of the virtual machines and containers registered with systemd-machined. To see all containers running on your system:

$machinectl list

This lists the currently running containers; the special machine name .host refers to your main system. To get the status of a running container:

$machinectl status my_deb

Note:
machinectl does not show Docker containers, since they run behind the Docker daemon and are not registered with systemd-machined.

To log in to a container (this needs a booted container, i.e. one started with -b, so that a getty is running inside):

$machinectl login my_deb

To switch off a container:-

$machinectl poweroff my_deb

To kill a container forcefully (machinectl terminate my_deb also works):-

$machinectl kill -s SIGKILL my_deb

To see logs of a container you can use journalctl:-

$journalctl -M my_deb

Do containers matter in industry?:-

Many professionals argue that industry is not ready for container solutions, since they do not yet give a complete answer to its problems, for a few reasons:-
1) Containers do not provide full virtualization. They depend on the host kernel, so a single kernel vulnerability reachable from inside a container can compromise the host and every other container on it.
2) Deploying applications and managing them inside containers is not an easy job.
3) Running heavy applications inside Docker is not a good solution.
In spite of this, large companies such as Google and Netflix have been using containers to isolate their services for many years, and since containers like Docker are developing at a fast pace, other large companies are also starting to migrate to containers as their virtualization solution. So it is not wrong to say that containers are the next level of virtualization. Besides the corporations that have shifted to containers (Docker especially), others are working on their own container implementations tailored to their own environments.

What to take away from this article:-

Sandboxing is important for every IT professional, but different professionals need different solutions, so you have to figure out what type of isolation is best for your work.
If you are a developer or application tester, chroot (discussed in Part 1) is never a good solution because it is easy to escape. Lighter sandboxes such as systemd-nspawn or Firejail can be a good solution because they are easy to deploy. Using Docker-style containers for application testing can be a bit of a headache, since getting the container ready for your process to run smoothly can be painful.
If you are a SaaS or PaaS provider, containers will usually be the best solution because of their isolation, easy shipping, clustering and related features. You may go with traditional virtualization (virtual machines), but the resource efficiency and near-instant start-up come only with containers. Either way, remember that every host path, socket or host namespace you share with a container is a hole in that isolation.