Tyblog

Technology, open source, unsolicited opinions & digital sovereignty
blog.tjll.net

« Docker DVWA Container How-To »

  • 2 March, 2014
  • 1,904 words
  • 10 minutes read time
Docker
Docker

Docker is an interesting cgroups-based virtualization alternative that uses containers to deploy applications.

Docker and solutions like it are useful because:

Lately I’ve been looking at vulnerable webapp sandboxes such as DVWA to test vulnerability scanners like Arachni against. Therefore, why not try using docker as an easy way to compartmentalize this and make deployment easier?

Not only will this tutorial be helpful in understanding how Docker works, but security enthusiasts will get a ridiculously easy way to deploy DVWA on (most) OSes. Let’s get started!

Introduction

In this howto I’m going to explain:

The end result of this exercise will be a Dockerfile and Docker image that can run DVWA for you with the ease of a docker run dvwa.

Docker

Docker is still under heavy development but works perfectly well for experimental and development purposes like ours. To learn all about the technology and philosophy behind docker, take a look at their excellent getting started page.

Look to that same page to get Docker installed. Note that Docker uses very Linux-specific technologies like cgroups and Aufs to work, so if you’re not on a relatively up-to-date Linux distro, you’ll likely have to run on top of a thin VirtualBox VM for this exercise.

Why am I using Docker in a virtual machine? Doesn’t that defeat the purpose?

For this exercise? A little. But by following the getting started guide, you’re preparing to run other docker images essentially instantaneously, and have the capability to deploy them on any Docker instance, whether on your desktop, EC2, a VPS, etc.

Tutorial

Docker Installation

Use Docker’s excellent getting started page to set up docker (most unices and Windows are supported, with the aforementioned caveats.) Once you can invoke docker version and see both client and server versions, you’re good to get going.

Note: OS X users: be sure to read the additional comments regarding opening ports for your VirtualBox image obtained from boot2docker.

First Image

We’re going to be setting up DVWA within a Docker container to be a webapp security testing sandbox. DVWA requires a basic LAMP stack, so let’s begin there.

With your working docker command, just issue the following command to find Docker images that contain the string ‘lamp’:

$ docker search lamp
NAME                      DESCRIPTION            STARS OFFICIAL TRUSTED
ricardoamaro/drupal-lamp  https://github.co...   2
tutum/lamp                LAMP image - Apac...   2              [OK]
mbkan/lamp                centos with ssh, ...   1
dockerfiles/centos-lamp                          1              [OK]
jbfink/lampstack          A stock Linux-Apa...   1
zorrme/lamp                                      0

What’s happening here is that the Docker index is being searched for matching images. Many of these images are based off of even more primitive images and customized with Dockerfiles, which is what we’ll be doing to an image that provides the LAMP stack we need.

We’re going to use dockerfiles/centos-lamp for our base image, as CentOS is pretty solid and we can explore its existing dockerfile pretty easily.

Issue the command:

$ docker pull dockerfiles/centos-lamp

While that’s running, take a look at the image’s source. That Dockerfile you’re looking at, along with the accompanying files from the corresponding github repo, are what created the image you’re pulling from the index right now – pretty simple.

I’d encourage you to read the short Dockerfile and look at some Dockerfile resources to understand what’s going on there. We’ll be doing the same ourselves with it as a base image.

With the image pulled from the index, check that it’s available with:

$ docker images

(if the image isn’t listed, try to pull again)

Now we can try running the container. There are a myriad of switches that you can pass to the docker run command, but we’re going to use just a couple here to achieve what we need:

$ docker run -d -p 49001:80 dockerfiles/centos-lamp

Wait for the command to successfully return (Docker will return the numeric ID of the new container it’s running.) then:

$ docker ps

If you see a running image, you’re good to go! Try browsing to http://localhost:49001. You should see the boilerplate CentOS landing page. Try browsing to http://localhost:49001/phpinfo.php as well to confirm php is working.

So what happened here? In short:

A successful phpinfo page indicates our container is up and accessible. Time to customize it.

Custom dockerfile

Dockerfiles are easy-to-understand instructions that tell Docker how to build an image. Each RUN directive in a Dockerfile executes commands, then “commits” those changes to the filesystem to the image you’re building like git or mercurial would do.

The best way to visualize this is to write one. Following where we left off, we’ve got a Docker image that can run a lamp stack for us - the same architecture that DVWA needs to run. DVWA is easy to set up – the steps to install are:

First, if your old container is still running, stop it:

$ docker stop `docker ps -q`

Now create a working directory for your Docker image source:

$ mkdir ~/docker && cd ~/docker && vim Dockerfile

Now we’re in our Dockerfile. Here are the directives we’ll use to start off with:

Which, put together, gives us our master Dockerfile:

FROM dockerfiles/centos-lamp
MAINTAINER You <you@yourdomain.com>
WORKDIR /var/www/html
RUN wget https://github.com/RandomStorm/DVWA/archive/v1.0.8.tar.gz -O- | tar xvz --strip-components=1
RUN service mysqld start && mysqladmin -uroot password p@ssw0rd && service mysqld stop
EXPOSE 80
CMD ["supervisord", "-n"]

Now, from within the directory that contains the Dockerfile, issue the command:

$ docker build -t dvwa .

You’ll see lots of stuff fly past the screen – mostly fetching the source code and extracting it. We also passed the -t flag to the build command to tag our image with the name ‘dvwa’ so that we can run it easily without using the new image’s hash. Once it’s finished, look for your newly minted image.

$ docker images

The ‘dvwa’ image is your newly build docker image. Issue the following command to run the container in daemonized mode and tell it to auto-assign a port for you:

$ docker run -d -p 80 dvwa
$ docker ps

The ps command will show you the external listener that Docker has mapped to port 80 on the container. Browse to http://localhost:[port] and DVWA will ask you to initialize the database. Just follow the instructions for DVWA from here on out.

While running, there are some useful commands you can use to control the running container. The ps command will offer you some information about all containers, most usefully exposed ports. docker logs <container id> will show you what the container has been logging (try it out to see supervisord’s output.) When you’re finished, use docker stop <contiainer id> to stop the container.

Note: Docker currently keeps around stopped images until removed. Although this preserves some state about your completed processes, if you want to start fresh images without cluttering up your disk, you can use docker ps -a to find all containers (running or not) and docker rm to forcibly remove running or terminated containers.

Where From Here?

At this point you have a ready-made DVWA container for pentesting or similar exercises. You can take your Dockerfile and build images anywhere, wipe DVWA afresh if you bork your testing environment and start a new container, and run the image wherever Docker can run.

As you can see, building images is fairly easy and lightweight. If anybody cares to create additional useful Docker images, feel free to email me or collaborate on github and I’ll add additional notes about other Docker images.

The slightly-enhanced version of this Dockerfile can be found on my github repo.