24 Sep, 2014

An Update on Railsgoat: Vagrant/Docker

by Mike McCabe

The first commit to Railsgoat was on March 19th, 2013; 604 commits later, a lot has changed. New vulnerabilities added, new features written up, new lessons created—all to help hackers learn about Rails security. But the focus for Railsgoat has always been ensuring its realism and usability, and that hasn’t changed. Railsgoat is still just as easy to get started with and use as ever. We’ve even been working on some enhancements utilizing Vagrant and Docker to make setting up Railsgoat easier.

For those who don’t know much about Vagrant, its purpose is to, “Create and configure lightweight, reproducible, and portable development environments.” It does this by creating reusable, pre-configured virtual machines. Docker is a Linux containerization system; Linux containers are lightweight, isolated environments that behave like virtual machines but are intended to run a single process. Docker provides a light and flexible infrastructure that can be modified seamlessly. We’ll talk through some of the details of the Vagrant and Docker configuration for Railsgoat.

Vagrant pulls the configuration from a Vagrantfile. In our example below, we tell Vagrant to use Docker as the provider (as opposed to Virtualbox or VMWare). It uses a custom Docker image that runs Railsgoat in development mode. We also tell Vagrant to use port 3000 locally and to connect to port 3000 on the Docker instance.

The Vagrantfile.proxy is a unique setup to ensure we can run Docker. If we run ‘vagrant up’ on a Linux machine that supports Docker, the process will continue normally and Docker will boot up. If we’re on an OS that doesn’t support Docker natively like OS X or Windows, Vagrant will pull down a Linux image to run Docker.

[Embedded gist: Railsgoat Vagrantfile]

[Embedded gist: Railsgoat Vagrantfile.proxy]

Finally, the Dockerfile creates an image that runs Railsgoat. This file is pretty straightforward; it builds on the rails onbuild image, a pre-built Docker image meant for use with Rails apps. Once we have that image, we set up a start script and start the application. With the Vagrant setup, you won’t need to build the Docker image yourself, as we’ve pre-built an image and pushed it to Docker Hub.

Now, a simple ‘vagrant up’ in the Railsgoat directory installs all dependencies and boots Railsgoat on port 3000 of our local host.
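As an added example (not Railsgoat’s own Vagrantfile or tooling), here is a constructed Vagrantfile for Vagrant’s Docker provider of the kind described above, together with a small checker that loads it against a stub of the Vagrant DSL and reports any published port that is reachable from other hosts. Since Railsgoat is deliberately vulnerable, binding the forwarded port to the host’s loopback address keeps it off the LAN; the checker flags the common “3000:3000” shorthand, which publishes on every interface. The image name “example/railsgoat” and the proxy path are assumptions, not Railsgoat’s published values.

```ruby
# Added example, not Railsgoat's own files. Constructed Vagrantfile: image,
# has_ssh, ports and vagrant_vagrantfile are real Docker-provider settings;
# the image name is a placeholder. The mapping binds to the host loopback
# address so the deliberately vulnerable app is only reachable locally.
SAMPLE_VAGRANTFILE = <<~'VAGRANTFILE'
  Vagrant.configure("2") do |config|
    config.vm.provider "docker" do |d|
      d.image = "example/railsgoat"           # placeholder image name
      d.has_ssh = false
      d.ports = ["127.0.0.1:3000:3000"]       # host loopback only
      d.vagrant_vagrantfile = "./Vagrantfile.proxy"
    end
  end
VAGRANTFILE

# The same file with the "host:container" shorthand, which publishes the
# port on every host interface.
EXPOSED_VAGRANTFILE = SAMPLE_VAGRANTFILE.sub('"127.0.0.1:3000:3000"', '"3000:3000"')

# Records `d.setting = value` calls made inside a provider block.
class ProviderStub
  attr_reader :settings

  def initialize
    @settings = {}
  end

  def method_missing(name, *args)
    return super unless name.to_s.end_with?("=") && args.size == 1
    @settings[name.to_s.chomp("=").to_sym] = args.first
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.end_with?("=") || super
  end
end

# Records provider blocks and forwarded_port networks declared on config.vm.
class VmStub
  attr_reader :providers, :forwarded_ports

  def initialize
    @providers = {}
    @forwarded_ports = []
  end

  def provider(name)
    stub = ProviderStub.new
    yield stub
    @providers[name] = stub.settings
  end

  def network(kind, **opts)
    @forwarded_ports << opts if kind == "forwarded_port"
  end
end

ConfigStub = Struct.new(:vm)

# Stand-in for the Vagrant DSL entry point, used only when this script
# evaluates a Vagrantfile; it is not loaded by a real `vagrant up`.
module Vagrant
  def self.configure(_version)
    cfg = ConfigStub.new(VmStub.new)
    yield cfg
    cfg
  end
end

# Evaluate Vagrantfile text against the stub; returns the recorded config.
def load_vagrantfile(text)
  eval(text)
end

LOOPBACK = %w(127.0.0.1 ::1 [::1] localhost).freeze

# Host address a Docker port mapping binds to. Accepted forms are
# "ip:host:container", "host:container" and "container"; no ip means
# all interfaces.
def host_bind_address(mapping)
  rest, _, _container = mapping.to_s.rpartition(":")
  ip, _, _host = rest.rpartition(":")
  ip.empty? ? "0.0.0.0" : ip
end

# Mappings (Docker provider ports and forwarded_port entries) that are not
# bound to loopback and are therefore reachable from other hosts.
def exposed_ports(text)
  cfg = load_vagrantfile(text)
  docker = cfg.vm.providers.fetch("docker", {})
  exposed = Array(docker[:ports]).reject { |m| LOOPBACK.include?(host_bind_address(m)) }
  cfg.vm.forwarded_ports.each do |fp|
    next if LOOPBACK.include?(fp[:host_ip])
    exposed << "#{fp[:host_ip] || '0.0.0.0'}:#{fp[:host]}:#{fp[:guest]}"
  end
  exposed
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_VAGRANTFILE, EXPOSED_VAGRANTFILE].each do |text|
    bad = exposed_ports(text)
    puts(bad.empty? ? "ok: all ports bound to loopback" : "exposed: #{bad.join(', ')}")
  end
end
```

Run it with plain `ruby`; the first Vagrantfile passes and the second is reported as exposing 3000:3000. The stub only understands the handful of DSL calls shown, so a real project Vagrantfile using other settings would need the stub extended before it could be checked this way.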

Railsgoat development is continuing; we’re looking for new ways to make learning about Rails security easier and more approachable than ever. We’ll have more vulnerabilities, write-ups, unit tests, and more in the near future. Also, if you’re interested in Docker, come out to BSidesDC where Patrick Cooley and I will give a presentation on using Docker as a security tool.

Railsgoat on Github