|
2 | 2 | title = "docker resource"
|
3 | 3 | draft = false
|
4 | 4 |
|
5 |
| -platform = "linux" |
6 |
| - |
7 |
| -[menu.resources] |
8 |
| - title = "docker" |
9 |
| - identifier = "resources/core/docker.md docker resource" |
10 |
| - parent = "resources/core" |
11 | 5 | +++
|
12 | 6 |
|
13 |
| -Use the `docker` Chef InSpec audit resource to test configuration data for the Docker daemon. It's a very comprehensive resource. See also: [docker_container](/resources/core/docker_container/) and [docker_image](/resources/core/docker_image/), too. |
14 |
| - |
15 |
| -## Availability |
16 |
| - |
17 |
| -### Install |
18 |
| - |
19 |
| -{{< readfile file="content/reusable/md/inspec_installation.md" >}} |
20 |
| - |
21 |
| -### Version |
22 |
| - |
23 |
| -This resource first became available in v1.21.0 of InSpec. |
24 |
| - |
25 |
| -## Syntax |
26 |
| - |
27 |
| -A `docker` resource block allows you to write tests for many containers: |
28 |
| - |
29 |
| -```ruby |
30 |
| -describe docker.containers do |
31 |
| - its('images') { should_not include 'u12:latest' } |
32 |
| -end |
33 |
| -``` |
34 |
| - |
35 |
| -or: |
36 |
| - |
37 |
| -```ruby |
38 |
| -describe docker.containers.where { names == 'flamboyant_allen' } do |
39 |
| - it { should be_running } |
40 |
| -end |
41 |
| -``` |
42 |
| - |
43 |
| -where: |
44 |
| - |
45 |
| -- `.where()` may specify a specific item and value, to which the resource parameters are compared |
46 |
| -- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers` |
47 |
| - |
48 |
| -The `docker` resource block also declares allows you to write test for many images: |
49 |
| - |
50 |
| -```ruby |
51 |
| -describe docker.images do |
52 |
| - its('repositories') { should_not include 'insecure_image' } |
53 |
| -end |
54 |
| -``` |
55 |
| - |
56 |
| -or if you want to query specific images: |
57 |
| - |
58 |
| -```ruby |
59 |
| -describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do |
60 |
| - it { should_not exist } |
61 |
| -end |
62 |
| -``` |
63 |
| - |
64 |
| -where: |
65 |
| - |
66 |
| -- `.where()` may specify a specific filter and expected value, against which parameters are compared |
67 |
| - |
68 |
| -## Examples |
69 |
| - |
70 |
| -The following examples show how to use this Chef InSpec audit resource. |
71 |
| - |
72 |
| -### Return all running containers |
73 |
| - |
74 |
| -```ruby |
75 |
| -docker.containers.running?.ids.each do |id| |
76 |
| - describe docker.object(id) do |
77 |
| - its('State.Health.Status') { should eq 'healthy' } |
78 |
| - end |
79 |
| -end |
80 |
| -``` |
81 |
| - |
82 |
| -### Verify a Docker Server and Client version |
83 |
| - |
84 |
| -```ruby |
85 |
| -describe docker.version do |
86 |
| - its('Server.Version') { should cmp >= '1.12'} |
87 |
| - its('Client.Version') { should cmp >= '1.12'} |
88 |
| -end |
89 |
| -``` |
90 |
| - |
91 |
| -### Iterate over all containers to verify host configuration |
92 |
| - |
93 |
| -```ruby |
94 |
| -docker.containers.ids.each do |id| |
95 |
| - # call Docker inspect for a specific container id |
96 |
| - describe docker.object(id) do |
97 |
| - its(%w(HostConfig Privileged)) { should cmp false } |
98 |
| - its(%w(HostConfig Privileged)) { should_not cmp true } |
99 |
| - end |
100 |
| -end |
101 |
| -``` |
102 |
| - |
103 |
| -### Iterate over all images to verify the container was built without ADD instruction |
104 |
| - |
105 |
| -```ruby |
106 |
| -docker.images.ids.each do |id| |
107 |
| - describe command("docker history #{id}| grep 'ADD'") do |
108 |
| - its('stdout') { should eq '' } |
109 |
| - end |
110 |
| -end |
111 |
| -``` |
112 |
| - |
113 |
| -### Verify that health-checks are enabled for a container |
114 |
| - |
115 |
| -```ruby |
116 |
| -describe docker.object('71b5df59442b') do |
117 |
| - its(%w(Config Healthcheck)) { should_not eq nil } |
118 |
| -end |
119 |
| -``` |
120 |
| - |
121 |
| -## How to run the DevSec Docker baseline profile |
122 |
| - |
123 |
| -You can run the `docker-baseline` profile to test Docker in two possible ways: |
124 |
| - |
125 |
| -Clone the profile: |
126 |
| - |
127 |
| -```sh |
128 |
| -git clone https://github.com/dev-sec/cis-docker-benchmark.git |
129 |
| -``` |
130 |
| - |
131 |
| -and then run: |
132 |
| - |
133 |
| -```sh |
134 |
| -inspec exec cis-docker-benchmark |
135 |
| -``` |
136 |
| - |
137 |
| -Or execute the profile directly using a URL: |
138 |
| - |
139 |
| -```sh |
140 |
| -inspec exec https://github.com/dev-sec/cis-docker-benchmark |
141 |
| -``` |
142 |
| - |
143 |
| -## Resource parameters |
144 |
| - |
145 |
| -- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers` |
146 |
| - |
147 |
| -## Resource Parameter Examples |
148 |
| - |
149 |
| -### containers |
150 |
| - |
151 |
| -`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). |
152 |
| - |
153 |
| -```ruby |
154 |
| -describe docker.containers do |
155 |
| - its('ids') { should include 'sha:71b5df59...442b' } |
156 |
| - its('commands') { should_not include '/bin/sh' } |
157 |
| - its('images') { should_not include 'u12:latest' } |
158 |
| - its('ports') { should include '0.0.0.0:1234->1234/tcp' } |
159 |
| - its('labels') { should include 'License=GPLv2' } |
160 |
| -end |
161 |
| -``` |
162 |
| - |
163 |
| -### object('id') |
164 |
| - |
165 |
| -`object` returns low-level information about Docker objects. It's calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood. |
166 |
| - |
167 |
| -```ruby |
168 |
| -describe docker.object(id) do |
169 |
| - its('Configuration.Path') { should eq 'value' } |
170 |
| -end |
171 |
| -``` |
172 |
| - |
173 |
| -### images |
174 |
| - |
175 |
| -`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). |
176 |
| - |
177 |
| -```ruby |
178 |
| -describe docker.images do |
179 |
| - its('ids') { should include 'sha:12b5df59...442b' } |
180 |
| - its('repositories') { should_not include 'my_image' } |
181 |
| - its('tags') { should_not include 'unwanted_tag' } |
182 |
| - its('sizes') { should_not include '1.41 GB' } |
183 |
| -end |
184 |
| -``` |
185 |
| - |
186 |
| -### plugins |
187 |
| - |
188 |
| -`plugins` returns information about Docker plugins as returned by [docker plugin ls](https://docs.docker.com/engine/reference/commandline/plugin/). |
189 |
| - |
190 |
| -```ruby |
191 |
| -describe docker.plugins do |
192 |
| - its('names') { should include ['store/weaveworks/net-plugin', 'docker4x/cloudstor'] } |
193 |
| - its('ids') { should cmp ['6ea8176de74b', '771d3ee7c7ea'] } |
194 |
| - its('versions') { should cmp ['2.3.0', '18.03.1-ce-aws1'] } |
195 |
| - its('enabled') { should cmp [true, false] } |
196 |
| -end |
197 |
| -``` |
198 |
| - |
199 |
| -### info |
200 |
| - |
201 |
| -`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/) |
202 |
| - |
203 |
| -```ruby |
204 |
| -describe docker.info do |
205 |
| - its('Configuration.Path') { should eq 'value' } |
206 |
| -end |
207 |
| -``` |
208 |
| - |
209 |
| -### version |
210 |
| - |
211 |
| -`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/) |
212 |
| - |
213 |
| -```ruby |
214 |
| -describe docker.version do |
215 |
| - its('Server.Version') { should cmp >= '1.12'} |
216 |
| - its('Client.Version') { should cmp >= '1.12'} |
217 |
| -end |
218 |
| -``` |
219 |
| - |
220 |
| -## Properties |
221 |
| - |
222 |
| -- `id` |
223 |
| -- `image` |
224 |
| -- `repo` |
225 |
| -- `tag` |
226 |
| -- `ports` |
227 |
| -- `command` |
228 |
| - |
229 |
| -## Property Examples |
230 |
| - |
231 |
| -### id |
232 |
| - |
233 |
| -```ruby |
234 |
| -describe docker_container(name: 'an-echo-server') do |
235 |
| - its('id') { should_not eq '' } |
236 |
| -end |
237 |
| -``` |
238 |
| - |
239 |
| -### image |
240 |
| - |
241 |
| -```ruby |
242 |
| -describe docker_container(name: 'an-echo-server') do |
243 |
| - its('image') { should eq 'busybox:latest' } |
244 |
| -end |
245 |
| -``` |
246 |
| - |
247 |
| -### repo |
248 |
| - |
249 |
| -```ruby |
250 |
| -describe docker_container(name: 'an-echo-server') do |
251 |
| - its('repo') { should eq 'busybox' } |
252 |
| -end |
253 |
| -``` |
254 |
| - |
255 |
| -### tag |
256 |
| - |
257 |
| -```ruby |
258 |
| -describe docker_container(name: 'an-echo-server') do |
259 |
| - its('tag') { should eq 'latest' } |
260 |
| -end |
261 |
| -``` |
262 |
| - |
263 |
| -### ports |
264 |
| - |
265 |
| -```ruby |
266 |
| -describe docker_container(name: 'an-echo-server') do |
267 |
| - its('ports') { should eq '0.0.0.0:1234->1234/tcp' } |
268 |
| -end |
269 |
| -``` |
270 |
| - |
271 |
| -### command |
272 |
| - |
273 |
| -```ruby |
274 |
| -describe docker_container(name: 'an-echo-server') do |
275 |
| - its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' } |
276 |
| -end |
277 |
| -``` |
278 |
| - |
279 |
| -## Matchers |
280 |
| - |
281 |
| -{{< readfile file="content/reusable/md/inspec_matchers_link.md" >}} |
| 7 | +{{< readfile file="content/reusable/md/modularized_resource.md" >}} |