Securing Docker and Containers

by Aslan Brooke on Sep 27, 2013

Jérôme Petazzoni, senior engineer at dotCloud, examined the progress of Docker security compared with other virtualization and container-like technologies in his recent blog post "CONTAINERS & DOCKER: HOW SECURE ARE THEY?". Jérôme makes a case for the techniques that secure Docker, even though those techniques require sophisticated configuration, expert knowledge, and the use of supporting technologies already available in Linux (e.g. SELinux).

Docker uses two primary Linux technologies to make containers possible: cgroups and namespaces. Jérôme acknowledged that Docker essentially provides the same capabilities as LXC and has the same security risks. Docker aligns with the principle of least privilege in the way it configures its containers as they start; however, Docker itself must run as root, and so must the root user of its containers. The Linux kernel is the limiting factor currently requiring root. This means that users should take care to protect the Docker daemon along with access to its REST API. Jérôme states things will improve:

"The end goal for Docker is therefore to implement two additional security improvements:
  • map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation;
  • allow the Docker daemon to run without root privileges, and delegate operations requiring those privileges to well-audited sub-processes, each with its own (very limited) scope: virtual network setup, filesystem management, etc."
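
The first goal in the quote, container root mapped to a non-root host user, is something a defender can verify on Linux through user namespaces. The following Python is an added example, not code from the article, the blog post, or Docker: it parses the contents of `/proc/<pid>/uid_map` (assumed to be read from the host's initial user namespace) and reports which host UID a container's UID 0 resolves to. The two sample maps are constructed.

```python
"""Added example: does root inside a container map to root on the host?"""
from typing import List, Optional, Tuple

# Each uid_map line is: <first UID inside ns> <first UID outside ns> <length>
Extent = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map content into (inside_start, outside_start, length) extents."""
    extents: List[Extent] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"line {lineno}: extent length must be positive")
        extents.append((inside, outside, length))
    return extents


def host_uid_for(container_uid: int, extents: List[Extent]) -> Optional[int]:
    """Translate a UID inside the namespace to the host UID, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when UID 0 in the container is UID 0 on the host (no remapping)."""
    return host_uid_for(0, parse_uid_map(uid_map_text)) == 0


# Constructed sample contents of /proc/<pid>/uid_map (not captured from a real host).
NO_USERNS = "         0          0 4294967295\n"  # identity map: root is host root
REMAPPED = "         0     100000      65536\n"   # root is unprivileged host UID 100000

if __name__ == "__main__":
    for name, sample in (("no user namespace", NO_USERNS), ("remapped", REMAPPED)):
        uid = host_uid_for(0, parse_uid_map(sample))
        print(f"{name}: container root is host UID {uid}, "
              f"host root: {root_is_host_root(sample)}")
```
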

Jérôme compares Docker to traditional virtualization technologies and acknowledges that people currently view traditional virtualization as more secure because of the extra layer of isolation that the hypervisor provides. Traditional virtualization has been used in production for a long time; conversely, relatively few containers are used in production. Jérôme notes that as the efficiencies of using containers are realized, they will be used in production more often, thereby getting the scrutiny needed to aid the Linux community in its pursuit of patching security holes.

Other LXC-based containers will have the same security issues. OpenVZ is another container-like technology that is thought to be more stable and secure. However, it requires a custom Linux kernel to operate fully, and since the developers who work on it are the same ones who contribute to LXC, we can expect LXC to supersede it once LXC matures. Other container-like technologies work well (e.g. Solaris Zones); however, they don't have nearly the same install base to aid in their improvement over time.

Good summary, one typo by John Doe

Good summary. In the last sentence, you have a "there" that should be "their". -- Thanks!

Re: Good summary, one typo by Aslan Brooke

Thanks. Typo corrected as well.
