Security was once the bane of Docker containers. As recently as 2014, bloggers were writing things like "using containers for security isolation is not a good idea" and that Docker is not safe "in absolute terms."
Fast forward to 2016, however, and a lot has changed. Thanks to new features from Docker itself, as well as the introduction of crucial security tools elsewhere in the container ecosystem, it has become much easier to secure Docker containers.
Here, I'll take a look at common container security challenges, and the tools and strategies you can use to solve or mitigate them.
Docker Security Challenges
Let's start by going over the security issues that containers pose. This is important because security threats on containers fall into several different categories.
They include, first, the risk of privilege escalation via containers. For example, if an attacker can get root inside a containerized app, that could become a stepping stone to gaining root access to the host system.
Another security threat is an attack originating from one container that compromises data or resources used by a different container. This could potentially happen even without getting root access.
Similarly, you could face simple DoS attacks where one container seizes control of all available system resources in order to stop other containers from operating properly.
Last but certainly not least is the risk of insecure or unvalidated app images. Part of the magic of containers is how quickly and easily they let you spin up apps based on images that you pull from a repository. If you're downloading from a public repository, however, there is a risk that you'll get an image containing malicious code, or that someone has tampered with the repo's authentication mechanism to insert a malicious image in the place of what appears to be a validated, signed image.
Why Containers Present Special Security Challenges
Some of these threats are par for the course in any type of computing environment. Security validation is always an issue with a public code repository, for instance.
But with Docker containers, the threats are amplified in certain respects. For instance, the privilege escalation issue would not be as serious if you were using a traditional hypervisor, like KVM or Hyper-V. There, the virtual environment would be strictly abstracted from the host system.
But with Docker, a process running inside a container has the same namespace as one on the host system by default. That makes it much easier for someone who gains root inside a container to get root on the host system. With traditional virtualization, in contrast, getting root access on a guest won't do much to help you become root on the host.
Repository validation and image signing also arguably represent special threats in the container world. That's because it has become common for admins to pull images from public repositories maintained by people they don't know. This is a cultural issue more than a technical one. But it's also a problem that isn't as serious within the context of public repos used for other purposes, like installing packages on a Linux system. There, admins tend to stick to the "official" repositories and packages delivered by the maintainers of their distribution.
Protecting Your Docker Containers
All of the above is to say that security is a serious concern when it comes to containers, and that there are some unique challenges in this area. Fortunately, however, there are also some unique solutions that make it easy to address these concerns. Here are 6 ways you can secure Docker containers.
- Always make sure to start Docker containers with the -u flag so that they run as an ordinary user instead of root. This is a basic first step toward improving security.
- Taking the previous point a step further, remove SUID flags from your container images. This makes privilege escalation attacks even harder.
- Configure Docker control groups (also known as cgroups), which let you set limits on how many resources each container can use. This will go a long way toward preventing container-based DoS attacks. (Note, however, that cgroups aren't intended to help provide other security isolations between containers—to do that, you use namespaces.)
- Use namespaces in Docker to isolate containers from one another. Namespaces help assure that a user or process running inside one container can't affect those in other containers.
- Don't use images from repos you don't trust. In particular, avoid public repos if they're not from an official source and you don't know the maintainer. This may sound like a no-brainer, but it's worth noting because it's sometimes so tempting to pull an image from a random registry.
- Consider using Clair (CoreOS's container security scanner) to validate containers from your registries. You can use Clair to scan images locally or you can run it directly from public registry services that are supported (which, for now, include CoreOS's own platform, Quay, as well as Dockyard).
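The runtime items in this list (the -u flag, cgroup limits and namespace isolation) can be checked on containers that are already deployed. The following is an added example, not code from the original article: it audits `docker inspect` JSON for those three points, and the sample records and function names are constructed for illustration.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields checked.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web",
   "Config": {"User": ""},
   "HostConfig": {"Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": null,
                  "PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private"}},
  {"Name": "/worker",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Memory": 268435456, "NanoCpus": 500000000, "CpuQuota": 0,
                  "PidsLimit": 100, "PidMode": "", "NetworkMode": "bridge",
                  "IpcMode": "private"}}
]
""")

def runs_as_root(user):
    """Config.User is empty when neither -u nor the image's USER set one."""
    uid = user.split(":")[0]
    return uid in ("", "0", "root")

def audit_container(c):
    """Return a list of findings for one inspect record."""
    findings = []
    host = c.get("HostConfig", {})
    if runs_as_root(c.get("Config", {}).get("User", "")):
        findings.append("runs as root (no -u / USER)")
    # A value of 0 (or null) in these cgroup fields means "unlimited".
    if not host.get("Memory"):
        findings.append("no memory limit (cgroup)")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit (cgroup)")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no pids limit (cgroup)")
    # "host" means the container joins the host's namespace instead of its own.
    for field in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if host.get(field) == "host":
            findings.append(f"{field}=host shares a host namespace")
    return findings

def audit(records):
    """Map container name -> findings for a list of inspect records."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

To run it against a live host, pass the parsed output of `docker inspect $(docker ps -q)` to `audit()` in place of the sample.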
Container security remains a challenge. But it's no longer an issue that can't be solved with the same basic level of vigilance as that demanded by any other type of security challenge in a modern computing environment. So, with the assistance of the tools above, go forth and secure your containers!
Monitoring the events and output from Docker containers can also provide useful information. As Michael Floyd, Sumo Logic's Head of Developer Programs, explains in this blog, "Sumo Logic delivers a comprehensive strategy for monitoring your Docker infrastructure with a native collection source for events, stats, configurations and logs, and provides views into things like container performance for CPU, memory, and the network." With the Sumo Logic App for Docker, there’s no need to parse different log formats, or manage logging dependencies between containers. Analytics like this can be useful in validating container resources. In addition, Sumo Logic’s advanced machine-learning and analytics capabilities can enable you to analyze, troubleshoot, and perform root cause analysis of issues surfacing from distributed container-based applications and Docker containers themselves.
Editor's Note: Docker Security - 6 Ways to Secure Your Docker Containers is published by the Sumo Logic DevOps Community. Also, be sure to check out the Sumo Logic Open Source page for free tools and code that will enable you to monitor and troubleshoot applications from code to production.