$ docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE redis latest 5f515359c7f8 5 days ago 183 MB nginx latest 05a60462f8ba 5 days ago 181 MB mongo 3.2 fe9198c04d62 5 days ago 342 MB <none><none> 00285df0df87 5 days ago 342 MB ubuntu 18.04 329ed837d508 3 days ago 63.3MB ubuntu bionic 329ed837d508 3 days ago 63.3MB
列表包含了 仓库名、标签、镜像 ID、创建时间 以及 所占用的空间。
其中仓库名、标签在之前的基础概念章节已经介绍过了。镜像 ID 则是镜像的唯一标识,一个镜像可以对应多个 标签。因此,在上面的例子中,我们可以看到 ubuntu:18.04 和 ubuntu:bionic 拥有相同的 ID,因为它们对应的是同一个镜像。
docker image ls -f dangling=true REPOSITORY TAG IMAGE ID CREATED SIZE <none><none> 00285df0df87 5 days ago 342 MB
一般来说,虚悬镜像已经失去了存在的价值,是可以随意删除的,可以用下面的命令删除
1
docker image prune
中间层镜像
为了加速镜像构建、重复利用资源,Docker 会利用 中间层镜像。所以在使用一段时间后,可能会看到一些依赖的中间层镜像。默认的 docker image ls 列表中只会显示顶层镜像,如果希望显示包括中间层镜像在内的所有镜像的话,需要加 -a 参数。这样会看到很多无标签的镜像,与之前的虚悬镜像不同,这些无标签的镜像很多都是中间层镜像,是其它镜像所依赖的镜像。这些无标签镜像不应该删除,否则会导致上层镜像因为依赖丢失而出错。
# Supported detection methods: # # 1. Privileged Mode # 2. Mount Docker Socket # 3. Mount Procfs # 4. Mount Root Directory # 5. Open Docker Remote API # 6. CVE-2016-5195 DirtyCow # 7. CVE-2020-14386 # 8. CVE-2022-0847 DirtyPipe # 9. CVE-2017-1000112 # 10. CVE-2021-22555 # 11. Mount Host Var Log # 12. CAP_DAC_READ_SEARCH # 13. CAP_SYS_ADMIN # 14. CAP_SYS_PTRACE # 15. CVE-2022-0492
CheckCommandExists(){ $1 >/dev/null 2>&1 ret=$? if [ "$ret" -eq 0 ]; then return 1 fi return 0 }
# Install command InstallCommand(){ # install command if not present CheckCommandExists $1 if [ $? -eq 0 ]; then # Check network timeout 3 bash -c "echo -e >/dev/tcp/baidu.com/80" > /dev/null 2>&1 && IsNetWork=1 || IsNetWork=0 if [ $IsNetWork -eq 1 ];then echo -e "\033[93m[!] It is detected that the $1 command does not exist in the current system, and the command is being installed.\033[0m"
CheckCommandExists sudo if [ $? -eq 0 ]; then CheckCommandExists apt-get if [ $? -eq 0 ];then if [ "$1" = "capsh" ];then apt-get -y update >/dev/null 2>&1 && apt-get install -y libcap2-bin >/dev/null 2>&1 else apt-get -y update >/dev/null 2>&1 && apt-get install -y $1 >/dev/null 2>&1 fi fi CheckCommandExists yum if [ $? -eq 0 ];then if [ "$1" = "capsh" ];then yum -y update >/dev/null 2>&1 && yum install -y libcap >/dev/null 2>&1 else yum -y update >/dev/null 2>&1 && yum install -y $1 >/dev/null 2>&1 fi fi else CheckCommandExists apt-get if [ $? -eq 0 ];then if [ "$1" = "capsh" ];then sudo apt-get -y update >/dev/null 2>&1 && apt-get install -y libcap2-bin >/dev/null 2>&1 else sudo apt-get -y update >/dev/null 2>&1 && apt-get install -y $1 >/dev/null 2>&1 fi fi CheckCommandExists yum if [ $? -eq 0 ];then if [ "$1" = "capsh" ];then sudo yum -y update >/dev/null 2>&1 && yum install -y libcap >/dev/null 2>&1 else sudo yum -y update >/dev/null 2>&1 && yum install -y $1 >/dev/null 2>&1 fi fi fi CheckCommandExists $1 if [ $? -eq 0 ]; then echo -e "\033[93m[!] $1 command installation failed.\033[0m" else echo -e "\033[93m[!] $1 command installation completed.\033[0m" fi fi fi }
# 0. Check The Current Environment CheckTheCurrentEnvironment(){ if [ ! -f "/proc/1/cgroup" ];then IsContainer=0 else cat /proc/1/cgroup | grep -qi docker && IsContainer=1 || IsContainer=0 fi
if [ $IsContainer -eq 0 ];then echo -e "\033[31m[-] Not currently a container environment.\033[0m" exit 1 else echo -e "\033[33m[!] Currently in a container, checking ......\033[0m" VulnerabilityExists=0 fi }
if [ $IsPrivilegedMode -eq 1 ];then echo -e "\033[92m[+] The current container is in privileged mode.\033[0m" VulnerabilityExists=1 fi }
# 2. Check Docker Socket Mount CheckDockerSocketMount(){ if [ ! -f "/var/run/docker.sock" ];then IsDockerSocketMount=0 else ls /var/run/ | grep -qi docker.sock && IsDockerSocketMount=1 || IsDockerSocketMount=0 fi if [ $IsDockerSocketMount -eq 1 ];then echo -e "\033[92m[+] The current container has docker socket mounted.\033[0m" VulnerabilityExists=1 fi }
# 6. Check CVE-2016-5195 DirtyCow # 2.6.22 <= ver <= 4.8.3 CheckCVE_2016_5195DirtyCow(){ # 2.6.22 <= ver <= 2.6.xx if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 22 ]];then echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" VulnerabilityExists=1 fi
# 2.7 <= ver <= 2.x if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ]];then echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" VulnerabilityExists=1 fi
# ver = 3 if [[ "$KernelVersion" -eq 3 ]];then echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" VulnerabilityExists=1 fi
# 4.x <= ver <= 4.8 if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -lt 8 ]];then echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" VulnerabilityExists=1 fi
# 4.8.x <= ver <= 4.8.3 if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -eq 8 && "$MinorRevision" -le 3 ]];then echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" VulnerabilityExists=1 fi }
# 7. CVE-2020-14386 # 4.6 <= ver < 5.9 CheckCVE_2020_14386(){ # 4.6 <= ver < 4.x if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -ge 6 ]];then echo -e "\033[92m[+] The current container has the CVE-2020-14386 vulnerability.\033[0m" VulnerabilityExists=1 fi
# 5.x <= ver < 5.9 if [[ $KernelVersion -eq 5 && $MajorRevision -lt 9 ]];then echo -e "\033[92m[+] The current container has the CVE-2020-14386 vulnerability.\033[0m" VulnerabilityExists=1 fi }
# 8. CVE-2022-0847 DirtyPipe # 5.8 <= ver < 5.10.102 < ver < 5.15.25 < ver < 5.16.11 CheckCVE_2022_0847(){ if [ $KernelVersion -eq 5 ];then # 5.8 <= ver < 5.10.x if [[ "$MajorRevision" -ge 8 && "$MajorRevision" -lt 10 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi # 5.10.x <= ver < 5.10.102 if [[ "$MajorRevision" -eq 10 && "$MinorRevision" -lt 102 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi # 5.10.102 < ver <= 5.10.x if [[ "$MajorRevision" -eq 10 && "$MinorRevision" -gt 102 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi
# 5.10.x < ver < 5.15.x if [[ "$MajorRevision" -gt 10 && "$MajorRevision" -lt 15 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi
# 5.15.x <= ver < 5.15.25 if [[ "$MajorRevision" -eq 15 && "$MinorRevision" -lt 25 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi # 5.15.25 < ver <= 5.15.x if [[ "$MajorRevision" -eq 15 && "$MinorRevision" -gt 25 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi
# 5.16.x <= ver < 5.16.11 if [[ "$MajorRevision" -eq 16 && "$MinorRevision" -lt 11 ]];then echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" VulnerabilityExists=1 fi fi }
# 9. CVE-2017-1000112 # 4.4 <= ver<=4.13 CheckCVE_2017_1000112(){ # 4.4 <= ver <= 4.13 if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -ge 4 && "$MajorRevision" -le 13 ]];then echo -e "\033[92m[+] The current container has the CVE-2017-1000112 vulnerability.\033[0m" VulnerabilityExists=1 fi }
# 10. CVE-2021-22555 # 2.6.19 <= ver <= 5.12 CheckCVE_2021_22555(){ # 2.6.19 <= ver <= 2.6.xx if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 19 ]];then echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" VulnerabilityExists=1 fi # 2.7 <= ver <= 2.x if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ]];then echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" VulnerabilityExists=1 fi
# ver = 3 or ver = 4 if [[ "$KernelVersion" -eq 3 || "$KernelVersion" -eq 4 ]];then echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" VulnerabilityExists=1 fi
# 5.x <= ver <= 5.12 if [[ $KernelVersion -eq 5 && $MajorRevision -le 12 ]];then echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" VulnerabilityExists=1 fi }
# 11. Mount Host Var Log CheckVarLogMount(){ if [ ! -f "/var/run/secrets/kubernetes.io/serviceaccount/token" ];then IsPodEnv=0 else IsPodEnv=1 fi if [ $IsPodEnv -eq 1 ];then find / -name lastlog 2>/dev/null | wc -l | grep -q 3 && IsVarLogMount=1 || IsVarLogMount=0 if [ $IsVarLogMount -eq 1 ];then echo -e "\033[92m[+] The current container has /var/log mounted.\033[0m" VulnerabilityExists=1 fi fi }
# 12. Check CAP_DAC_READ_SEARCH ChekckCAP_DAC_READ_SEARCH(){ if command -v capsh >/dev/null 2>&1; then cap_dac_read_searchNum=`capsh --print | grep cap_dac_read_search | wc -l` if [ $cap_dac_read_searchNum -gt 0 ];then echo -e "\033[92m[+] The current container has the CAP_DAC_READ_SEARCH permission.\033[0m" VulnerabilityExists=1 fi fi }
# 13. Check CAP_SYS_ADMIN CheckCAP_SYS_ADMIN(){ if command -v capsh >/dev/null 2>&1; then cap_sys_adminNum=`capsh --print | grep cap_sys_admin | wc -l` if [ $cap_sys_adminNum -gt 0 ];then echo -e "\033[92m[+] The current container has the CAP_SYS_ADMIN permission.\033[0m" VulnerabilityExists=1 fi fi }
# 14. Check CAP_SYS_PTRACE CheckCAP_SYS_PTRACE(){ if command -v capsh >/dev/null 2>&1; then cap_sys_ptraceNum=`capsh --print | grep cap_sys_ptrace | wc -l` if [ $cap_sys_ptraceNum -gt 0 ];then echo -e "\033[92m[+] The current container has the CAP_SYS_PTRACE permission.\033[0m" VulnerabilityExists=1 fi fi }
# 15. Check CVE-2022-0492, Code By https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492/blob/main/can-ctr-escape-cve-2022-0492.sh CheckCVE_2022_0492(){ # Setup test dir test_dir=/tmp/.cve-2022-0492-test if mkdir -p $test_dir ; then # Test whether escape via user namespaces is possible while read -r subsys do if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup $test_dir 2>&1 >/dev/null && test -w $test_dir/release_agent" >/dev/null 2>&1 ; then echo -e "\033[92m[+] The current container has the CVE-2022-0492 vulnerability.\033[0m" fi done <<< $(cat /proc/$$/cgroup | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$') umount $test_dir >/dev/null 2>&1 && rm -rf $test_dir >/dev/null 2>&1 fi }
main() { # 0. Check the current environment CheckTheCurrentEnvironment
# 1. Check Privileged Mode CheckPrivilegedMode
# 2. Check Docker Socket Mount CheckDockerSocketMount
# 3. Check Procfs Mount CheckProcfsMount
# 4. Check Root Directory Mount CheckRootDirectoryMount