Securing Docker and Containers

Jérôme Petazzoni, senior engineer at dotCloud, examined the state of Docker security compared with other virtualization and container-like technologies in his recent blog post "CONTAINERS & DOCKER: HOW SECURE ARE THEY?". Jérôme makes a case for the techniques that secure Docker, even though they require sophisticated configuration, expert knowledge, and the use of supporting technologies already available in Linux (e.g. SELinux).

Docker uses two primary Linux technologies to make containers possible: cgroups and namespaces. Jérôme acknowledged that Docker essentially provides the same capabilities as LXC and also has the same security risks. Docker aligns with the principle of least privilege in the way it configures its containers as they start; however, Docker itself must run as root, and so must the root user of its containers. The Linux kernel is currently the limiting factor requiring root. This means that users should take care to protect the Docker daemon along with access to its REST API. Jérôme states things will improve:

"The end goal for Docker is therefore to implement two additional security improvements:
  • map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation;
  • allow the Docker daemon to run without root privileges, and delegate operations requiring those privileges to well-audited sub-processes, each with its own (very limited) scope: virtual network setup, filesystem management, etc."

Jérôme compares Docker to traditional virtualization technologies and acknowledges that people currently view traditional virtualization as more secure because of the extra layer of isolation that the hypervisor provides. Traditional virtualization has been used in production for a long time, whereas relatively few containers are used in production. Jérôme notes that as the efficiencies of containers are realized they will be used in production more often, thereby getting the scrutiny needed to aid the Linux community in patching security holes.

Other LXC-based containers will have the same security issues. OpenVZ is another container-like technology that is thought to be more stable and secure. However, it requires a custom Linux kernel for its full functionality, and since the developers who work on it are the same ones who contribute to LXC, we can expect LXC to supersede it once LXC matures. There are other container-like technologies that work well (e.g. Solaris Zones); however, they don't have nearly the same install base to aid in their improvement over time.
