This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

securityonion-sostat: block docker 19.03.3 packages #1652

Closed
dougburks opened this issue Oct 15, 2019 · 4 comments

@dougburks (Contributor)

https://blog.securityonion.net/2019/10/docker-package-issues-please-do-not.html

@dougburks dougburks self-assigned this Oct 15, 2019
dougburks added a commit to Security-Onion-Solutions/securityonion-sostat that referenced this issue Oct 15, 2019
dougburks added a commit to Security-Onion-Solutions/securityonion-sostat that referenced this issue Oct 15, 2019
dougburks added a commit to Security-Onion-Solutions/securityonion-sostat that referenced this issue Oct 15, 2019
dougburks (Contributor, Author) commented Oct 15, 2019

Docker 19.03.3 had a regression for the DOCKER-USER iptables chain:
docker/for-linux#810

The following package is now available at ppa:securityonion/test:

```
securityonion-sostat - 20120722-0ubuntu0securityonion133
```

This new securityonion-sostat package creates /etc/apt/preferences.d/securityonion-docker-block with the following:

```
Package: docker-ce
Pin: version 5:19.03.3~3-0~ubuntu-xenial
Pin-Priority: -1

Package: docker-ce-cli
Pin: version 5:19.03.3~3-0~ubuntu-xenial
Pin-Priority: -1
```

It then has a postinst script that does this:

```sh
# Emergency check for docker issue
if dpkg -l | grep docker | grep -q "5:19.03.3~3-0~ubuntu-xenial"; then
        echo
        echo "Docker 19.03.3 detected! This version has issues:"
        echo "https://blog.securityonion.net/2019/10/docker-package-issues-please-do-not.html"
        echo
        echo "We've blocked this version in /etc/apt/preferences.d/securityonion-docker-block."
        echo
        echo "We recommend removing the docker-ce and docker-ce-cli packages and re-installing:"
        echo "sudo apt purge docker-ce docker-ce-cli && sudo apt install docker-ce docker-ce-cli"
fi
```

soup also contains the same exact code snippet.

So when you install the updated securityonion-sostat package, it will immediately notify you if you have Docker 19.03.3 and future runs of soup are prevented from installing that Docker version.

It should be noted that if a user runs soup today to get the new securityonion-sostat, then they're running the old version of soup before the block is placed, so they will get Docker 19.03.3, but postinst should still detect this and output the message above.

Please test/verify as follows:

  • start with a 16.04.6.2 box with NO updates applied
  • snapshot the VM if possible
  • see what iptables is supposed to look like:
    `sudo iptables -nvL`
  • in the output, you should see DOCKER-USER and it should have at least 1 reference:
    `Chain DOCKER-USER (1 references)`
  • install updates to get Docker 19.03.3:
    `sudo soup -y`
  • redo the iptables test above and you should see that DOCKER-USER is no longer referenced
  • add the test PPA:
    `sudo add-apt-repository -y ppa:securityonion/test`
  • install all updates:
    `sudo soup -y`
  • it should detect Docker 19.03.3 and prompt you to re-install Docker to get the previous version
  • follow those instructions and then redo the iptables test to verify that DOCKER-USER exists and is properly referenced
  • reboot and verify that DOCKER-USER exists and is properly referenced
  • verify that Docker containers start properly
  • anything else we missed?

Thanks in advance for your time and effort!
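
The two checks in the post above (the postinst version test and the DOCKER-USER reference test from the verification steps), written as an added example that is not code from securityonion-sostat or soup. Each function reads command output on stdin, so it runs against the constructed samples below or against real `dpkg -l` / `sudo iptables -nvL` output; the sample dpkg lines and the "good" version number in them are constructed, not captured from a box.

```sh
#!/bin/sh
# Added example, not code from securityonion-sostat or soup. Offline versions
# of the two checks discussed in this issue; each reads command output on
# stdin, e.g. `sudo iptables -nvL | docker_user_chain_refs`.

# Print the reference count from the "Chain DOCKER-USER (N references)"
# header of `iptables -nvL` output; prints 0 when the chain is missing.
docker_user_chain_refs() {
    refs=$(sed -n 's/^Chain DOCKER-USER (\([0-9]*\) references).*/\1/p')
    echo "${refs:-0}"
}

# Exit 0 if `dpkg -l` output lists docker-ce or docker-ce-cli installed at
# the pinned bad version, 1 otherwise. Same test as the postinst snippet,
# but matched on the package-name and version columns rather than a grep.
blocked_docker_installed() {
    bad='5:19.03.3~3-0~ubuntu-xenial'
    awk -v v="$bad" '$1 == "ii" && ($2 == "docker-ce" || $2 == "docker-ce-cli") && $3 == v { found = 1 }
                     END { exit found ? 0 : 1 }'
}

# Constructed samples (not captured from a real box).
SAMPLE_IPTABLES_BAD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-USER (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_IPTABLES_GOOD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_DPKG_BAD='ii  docker-ce      5:19.03.3~3-0~ubuntu-xenial  amd64  Docker engine
ii  docker-ce-cli  5:19.03.3~3-0~ubuntu-xenial  amd64  Docker CLI'

# Constructed "previous version" lines; the version string is illustrative.
SAMPLE_DPKG_OK='ii  docker-ce      5:19.03.2~3-0~ubuntu-xenial  amd64  Docker engine
ii  docker-ce-cli  5:19.03.2~3-0~ubuntu-xenial  amd64  Docker CLI'

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_IPTABLES_BAD"  | docker_user_chain_refs   # prints 0
printf '%s\n' "$SAMPLE_IPTABLES_GOOD" | docker_user_chain_refs   # prints 1
```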

@dougburks dougburks changed the title securityonion-sostat: block bad docker packages securityonion-sostat: block docker 19.03.3 packages Oct 15, 2019
@weslambert

Looks good from my testing. 👍

dlee35 commented Oct 16, 2019

Tested on vanilla Ubuntu 16.04.6 Server installation.

Post installation (pre testing):
[screenshot]

After adding test repo and running `sudo soup -y`:
[screenshot]

After running `sudo apt purge -y docker-ce docker-ce-cli && sudo apt install -y docker-ce docker-ce-cli`:
[screenshot]

IPTables output for DOCKER-USER chain post update:
[screenshot]

IPTables output for DOCKER-USER chain after adding Beats endpoint:
[screenshot]

👍

@dougburks (Contributor, Author)

Thanks @weslambert and @dlee35 !

Published:
https://blog.securityonion.net/2019/10/securityonion-sostat-20120722.html
