In recent years, the high acceptance rate of Docker has made container security an important consideration for organizations using containers for production or development.
I have been researching Docker for my dissertation, and I have gathered the following resources. This article aims to provide an overview of Docker container security.
Docker Security Challenges
Let’s start by examining the security issues that containers pose. This is significant because security threats to containers fall into several diverse categories.
The first is the risk of privilege escalation through containers. For example, if an attacker can get root inside a containerized app, that can be a stepping stone to gaining root on the host system.
Another security threat is an attack originating from one container, which compromises data or resources used by another container. This can occur without gaining root access.
Likewise, a single container can mount a simple DoS attack that consumes all available system resources and prevents the other containers from working properly.
Last but not least is the danger of unverified or insecure container images. One of the great things about containers is that they can launch virtually (no pun intended) anything quickly and easily from images hosted in repositories such as Docker Hub. Still, if you are pulling from a public source, there is a risk that you will get an image containing malicious code. There have also been instances of images containing credentials or API keys being published.
Why Containers Present Distinct Security Challenges
Some of these threats are similar to other areas of computing. For example, security verification is always a problem in public code repositories.
However, Docker containers amplify some of these threats. For example, if you are using a traditional hypervisor such as KVM or Hyper-V, privilege escalation is a less serious issue: the virtual environment is firmly separated from the host system (yes, yes, VM escapes happen, but as far as I know they are very rare).
In Docker, by contrast, processes running in containers share the host's user namespace by default, so root in the container is root (UID 0) as far as the host kernel is concerned. This makes it easier for a user who gets root in the container to get root on the host. Traditional virtualization is different: gaining root on the guest does not help much toward becoming root on the host.
Protecting Your Docker Containers
The upshot of all the above is that security is a major concern with containers, and there are some unique challenges in this area. Fortunately, there are also some specific measures that address these concerns. Here are six ways to secure Docker containers.
- Start the container with the -u flag of docker run so that it runs as an unprivileged user instead of root. This is a basic first step to improving security.
- Take the previous point one step further and remove the SUID bit from binaries in the container image. This makes privilege escalation attacks even more difficult.
- Configure Docker control groups (also called cgroups). These let you cap the amount of resources (CPU, memory, process count) each container can use, which greatly helps prevent container-based DoS attacks. (Note, however, that cgroups are not intended to provide any other security separation between containers. For that, use namespaces.)
- Use namespaces in Docker to separate containers from each other. Namespaces help ensure that users or processes running in one container do not affect users or processes in other containers.
- Do not use images from untrusted repositories. Avoid public repositories, especially if they are not from official sources and you do not know the maintainer. This may sound easy, but it’s worth noting. Often that one image you want is actually on a random repo.
- Consider using Clair (CoreOS’s container security scanner) to verify containers from the registry. You can scan images locally using Clair or run them directly from a supported public registry service (currently including CoreOS platforms Quay and Dockyard).
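As an added example, not code from the original article, here is a small audit that checks the output of docker inspect for several of the points above: a root user, missing cgroup limits, added capabilities, and an explicit opt-out of user-namespace remapping. The two inspect documents are constructed samples containing only the fields the audit reads; the SUID check is left out because it has to be run inside the image filesystem rather than on inspect metadata.

```python
import json

# Constructed samples shaped like one element of `docker inspect <container>`
# output; only the fields the audit reads are included.
SAMPLE_WEAK = json.loads("""{"Name": "/web", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": null, "Memory": 0,
                 "NanoCpus": 0, "PidsLimit": null, "UsernsMode": ""}}""")
SAMPLE_HARDENED = json.loads("""{"Name": "/web", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": null, "Memory": 268435456,
                 "NanoCpus": 500000000, "PidsLimit": 100, "UsernsMode": ""}}""")


def audit_container(doc):
    """Return hardening findings for one `docker inspect` document.

    Each check maps to a point in the list above: running as root,
    missing cgroup limits (DoS), and opting out of user namespaces.
    An empty list means the container passes every check here.
    """
    findings = []
    cfg = doc.get("Config") or {}
    host = doc.get("HostConfig") or {}

    # Config.User is "" when neither -u nor a USER instruction was given;
    # it may also be "root", "0", or "uid:gid".
    uid = (cfg.get("User") or "").split(":")[0]
    if uid in ("", "root", "0"):
        findings.append("runs as root: use `docker run -u <uid>` or USER in the image")
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and raw device access")
    if host.get("CapAdd"):
        findings.append("extra capabilities: " + ", ".join(host["CapAdd"]))

    # cgroup limits: 0 / null means unlimited, which is the DoS scenario above.
    if not host.get("Memory"):
        findings.append("no memory limit: set --memory")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit: set --cpus")
    pids = host.get("PidsLimit")
    if pids is None or pids <= 0:
        findings.append("no PID limit: set --pids-limit (fork bombs)")

    # "host" explicitly disables the daemon's userns-remap for this container;
    # an empty value means "daemon default", so check the daemon's setting too.
    if host.get("UsernsMode") == "host":
        findings.append("--userns=host: container root maps to host root")
    return findings


if __name__ == "__main__":
    for doc in (SAMPLE_WEAK, SAMPLE_HARDENED):
        print(doc["Name"], audit_container(doc) or ["ok"])
```

In practice, feed it the real output: docker inspect returns a JSON list, so iterate over it and call audit_container on each element.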
Container security is still an issue. However, in today's computing environment, it is no longer an issue that cannot be solved; it calls for the same basic level of diligence that other kinds of security challenges require. So go out and secure your containers with the help of the tools above!
Docker is a complex beast, and there are no simple tricks you can use to maintain the security of Docker containers. Instead, you need to think comprehensively about how to secure Docker containers and enhance your container environment at multiple levels. Doing so is the only way to ensure that you get all the benefits of a Docker container without risking significant security issues.