
Ask HN: What is your company's policy for Docker Hub? - cgrater
What is your company's policy regarding downloading images from Docker Hub and other related container registries (e.g. Google Container Registry)? Does your corporate proxy allow you to download anything? Do you need to get approval from a group/committee for each download?

At the company I work for, we have not opened up Docker Hub and are looking at the best way to manage and also provide security.
======
k4ch0w
I would manage a private registry.

It's no different than trusting code in a 3pp library. I'd vet the code before
running it. In some cases, you are giving the running container root access to
your computer. Take a look at the Dirty Cow exploit that allows you to
break out of the container and control the host.

[https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-do...](https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/)

You never know what people will put into their images. I built a tool to help
reverse engineer images to find files people put in their images here.

[https://github.com/P3GLEG/Whaler](https://github.com/P3GLEG/Whaler)

I have found so much weird stuff that people build into the containers. I
wouldn't trust them implicitly because it's a packaged black box.

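An added example of the kind of image vetting described above; it is not part of the thread and is not Whaler's code. It reads a `docker save` archive, recovers the build steps from the config history, and flags whiteout entries and paths that commonly hold secrets in each layer. The suspicious-path list and the in-memory sample image are constructed assumptions for the demonstration.

```python
import io
import json
import tarfile

SUSPICIOUS = ("/.ssh/", "/.aws/", "/.env", "/id_rsa", ".pem", "/.netrc")  # hypothetical vetting list

def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image():
    """Constructed test data: a minimal `docker save`-style archive built in memory."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as lt:
        _add_file(lt, "app/run.sh", b"#!/bin/sh\necho hi\n")
        _add_file(lt, "root/.ssh/id_rsa", b"FAKE PRIVATE KEY")
        _add_file(lt, "etc/.wh.old.conf", b"")  # whiteout: this layer deletes /etc/old.conf
    config = {"history": [
        {"created_by": "/bin/sh -c #(nop) COPY . /app"},
        {"created_by": '/bin/sh -c #(nop) CMD ["/app/run.sh"]', "empty_layer": True}]}
    manifest = [{"Config": "cfg.json", "RepoTags": ["demo:latest"],
                 "Layers": ["layer1/layer.tar"]}]
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as it:
        _add_file(it, "manifest.json", json.dumps(manifest).encode())
        _add_file(it, "cfg.json", json.dumps(config).encode())
        _add_file(it, "layer1/layer.tar", layer.getvalue())
    return image.getvalue()

def to_dockerfile_line(created_by):
    """Map a history `created_by` string back to a Dockerfile-style instruction."""
    cmd = created_by.replace("/bin/sh -c ", "", 1)
    return cmd[len("#(nop) "):].strip() if cmd.startswith("#(nop) ") else "RUN " + cmd

def inspect_image(image_bytes):
    """Return (dockerfile_lines, findings); each finding is (layer, kind, path)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as img:
        manifest = json.load(img.extractfile("manifest.json"))[0]
        config = json.load(img.extractfile(manifest["Config"]))
        for name in manifest["Layers"]:  # one tar per non-empty history step, in order
            with tarfile.open(fileobj=img.extractfile(name), mode="r") as layer:
                for m in layer.getmembers():
                    path = "/" + m.name
                    if "/.wh." in path:  # whiteout marker: this layer removes the file
                        findings.append((name, "deleted", path.replace("/.wh.", "/", 1)))
                    elif any(s in path for s in SUSPICIOUS):
                        findings.append((name, "suspicious", path))
    return [to_dockerfile_line(h["created_by"]) for h in config["history"]], findings
```

Against a real archive, pass the bytes of a `docker save` tarball to `inspect_image` and review both the recovered steps and the flagged paths before admitting the image to a private registry.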
~~~
amirathi
Whaler looks great. As I understand it, it gives us a Dockerfile for a given
image.

Do you know if it's possible to reverse engineer the entire source code of my
app from the Docker image?

~~~
k4ch0w
It depends on the language it was compiled in. It'll help you retrieve the
binary, but you need to use the right tool to get the source code from it.
It's no different than downloading an app on your host machine. It just makes
it easier for you to see what people put in an image. Android/Java is a language
you can get the entire source from, unless they obfuscate it.

------
graystevens
It certainly depends how your company views its risks and how docker fits into
their “threat model” - you’re running someone else’s code on your secure
internal networks, so it should be treated like external/unauthorised
software.

It’s not unheard of for Docker images to be backdoored or tampered with, just
look at last month - [https://arstechnica.com/information-technology/2018/06/backd...](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/)

If they’re trivial images, maybe mirror them internally and walk through their
internals if that doesn’t consume too much time.

------
Raed667
We run a private registry. Everything on it has to be home-made on top of
CentOS.

~~~
marcc
Everything on your private registry requires a CentOS base image? What about
public images? If you wanted to run elasticsearch or nginx, would your company
policy be to build a custom nginx or elasticsearch container image?

~~~
Raed667
Exactly, we don't use public images; we build everything on top of CentOS in
house.

~~~
cgrater
Are you essentially reverse-engineering popular images like mysql/mysql? Are
you not running vendor products that might reference public images?

