
We are building docker images in CodeBuild. This works fine but we have a "HIGH" Security Hub finding because we had to enable privileged mode:

CodeBuild.5 CodeBuild project environments should not have privileged mode enabled

I'm currently looking for a way to build docker images without using privileged mode. I saw this URL from AWS where they are also using privileged mode.

How can I build docker images without using this mode so we are compliant with the Security Hub rules?

DenCowboy
  • Your link doesn't work. Also I don't think what you are asking for is possible. – Mark B Aug 11 '22 at 12:25
  • @DenCowboy did you get an answer for this.? – shubham Aug 22 '22 at 11:42
  • @shubham No, it could be that it's not possible. – DenCowboy Aug 22 '22 at 15:09
  • 1
    Not possible currently. The user/role that executes the build needs access to `unix:///var/run/docker.sock`. If AWS wants to fix this then underneath the hood they need to modify `/etc/systemd/system/sockets.target.wants/docker.socket` (or similar) to allow access to the docker socket to a specific local group (not root) and then add the local user that is running the build to that group. This would allow access to the unix socket but not require full root escalation to perform the build. That's my best understanding of the problem. Sort of surprised AWS hasn't rolled out a solution for this. – ekeyser Dec 27 '22 at 17:52
  • @ekeyser Funny here is that they have a Security Hub finding complaining about it, while there is no solution. – DenCowboy Dec 29 '22 at 13:05
  • @DenCowboy Totally. So check this out - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.BuildEnvironment.html near the bottom of the page it describes privileged mode. Ignore that this is cdk documentation. The wording of `privileged` makes it sound like AWS has images specifically for building docker containers which don't require this mode to be `true`. Is it just me or is that how it reads to you also? On second thought maybe the wording is fine - docker build AND AWS image needs to have this mode set to `true`. I guess that makes sense. – ekeyser Dec 30 '22 at 14:31

2 Answers

0

If we refer to the AWS guide https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html:

Because you use this build project to build a Docker image, select Privileged

Since you're building a docker image, CodeBuild would require privilegedMode=true.

@ekeyser has shared the CDK doc, which says that privileged mode is required, otherwise it will fail:

Specify true to enable running the Docker daemon inside a Docker container. This value must be set to true only if this build project will be used to build Docker images, and the specified build environment image is not one provided by AWS CodeBuild with Docker support. Otherwise, all associated builds that attempt to interact with the Docker daemon will fail.

I personally think that Security Hub is informing you that there is a CodeBuild project running in privileged mode; you may ignore it if that is intended.
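To make that triage repeatable, here is an added example (not code from the question or either answer) that evaluates the CodeBuild.5 condition over project descriptions in the dict shape that boto3's `batch_get_projects()` returns, separating projects with a documented reason for privileged mode from ones that should be investigated. The sample projects and the `privileged-mode-approved` tag name are constructed for the example; `fetch_projects()` is the live variant and only needs boto3 if you call it.

```python
from typing import Iterable

# Assumed tag name marking documented exceptions (e.g. projects that must
# build Docker images); this is not an AWS convention.
APPROVAL_TAG = "privileged-mode-approved"

# Constructed sample in the shape of batch_get_projects()["projects"].
SAMPLE_PROJECTS = [
    {"name": "build-docker-image",
     "environment": {"type": "LINUX_CONTAINER", "computeType": "BUILD_GENERAL1_SMALL",
                     "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                     "privilegedMode": True},
     "tags": [{"key": APPROVAL_TAG, "value": "true"}]},
    {"name": "run-unit-tests",  # privileged with no documented reason
     "environment": {"type": "LINUX_CONTAINER", "computeType": "BUILD_GENERAL1_SMALL",
                     "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                     "privilegedMode": True}},
    {"name": "lint-only",
     "environment": {"type": "LINUX_CONTAINER", "computeType": "BUILD_GENERAL1_SMALL",
                     "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
                     "privilegedMode": False}},
]


def classify(project: dict) -> str:
    """Return 'ok', 'approved' or 'finding' for one project description."""
    if not project.get("environment", {}).get("privilegedMode", False):
        return "ok"  # CodeBuild.5 is satisfied
    tags = {t["key"]: t.get("value", "") for t in project.get("tags", [])}
    if tags.get(APPROVAL_TAG, "").lower() == "true":
        return "approved"  # intended, e.g. a project that builds images
    return "finding"  # privileged mode enabled without a documented reason


def audit(projects: Iterable[dict]) -> dict:
    """Group project names by classification."""
    report = {"ok": [], "approved": [], "finding": []}
    for p in projects:
        report[classify(p)].append(p["name"])
    return report


def fetch_projects(region: str) -> list:
    """Live variant: pull every project via boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    cb = boto3.client("codebuild", region_name=region)
    names = [n for page in cb.get_paginator("list_projects").paginate()
             for n in page["projects"]]
    return [p for i in range(0, len(names), 100)  # API limit: 100 names per call
            for p in cb.batch_get_projects(names=names[i:i + 100])["projects"]]
```

Running `audit(SAMPLE_PROJECTS)` lists `run-unit-tests` under `finding`, while the tagged `build-docker-image` project is reported as an accepted exception.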

-2

You can do it through the AWS CLI.

```bash
aws codebuild update-project --name "my-project-name" --environment "{\"type\": \"LINUX_CONTAINER\",\"image\": \"aws/codebuild/amazonlinux2-x86_64-standard:2.0\",\"computeType\": \"BUILD_GENERAL1_SMALL\",\"privilegedMode\": false}" --profile my-aws-profile-nonprod
```

Here is the AWS Documentation.

There is no way (for now) to do it through the AWS console. But you can see your configuration here in the console:
AWS Config > Resources > my-project-name > View Configuration Item (JSON)

and you can check the result afterwards.

fLoveARTh
  • Unfortunately, this doesn't solve the posted question because it doesn't address building a docker image successfully w/o requiring `privilegedMode=true`. BTW you can make the change in the console w/o using the cli. – ekeyser Dec 27 '22 at 17:46