Docker is an open platform for distributed applications aimed at developers and system administrators. Docker's goal is to let developers and platform engineering teams quickly assemble applications from components, and to ease the friction among development, quality assurance and production that stems from inconsistent application performance and functionality.
Docker consists of two pieces. The first is the Docker Engine, a lightweight runtime and packaging tool based on the Linux kernel that provides isolation and kernel sharing between Docker "containers"; the second is Docker Hub, a cloud service for sharing applications and automating workflows. While Docker offers many potential benefits for developers and administrators, it also brings a number of potential security issues and risks.
In this tip, we'll look at how Docker works and what security risks it could pose for enterprises using it to develop cloud applications.
How it works
The Docker Engine is tied in many ways to classic virtualization technology -- abstracting application components, binaries and system libraries into an isolated container that shares kernel resources on the installed system with other containers and natively installed applications. Docker Engine relies on Linux Containers (LXC) that isolate assets using cgroups for resource isolation (CPU, memory, etc.) and namespace isolation to limit access to the system process tree, network, users and file system.
The cloud model for Docker -- the Docker Hub -- is a number of things: a hosted environment for Docker-enabled containers, a sharing environment for creating hybrid clouds between organizations and different application and platform builds, and also a marketplace for new components and tools designed to help organizations build and promote applications.
Running the Docker daemon requires root privileges on the Linux host or kernel installation. This can have significant security consequences if poorly managed, since the Docker application can be used to share underlying system resources with any container and can potentially allow containers to modify files and attributes of the host OS. Under certain circumstances, a malicious user could even leverage the APIs to make Docker create entirely new containers. Docker modified its REST API to listen on a traditional UNIX socket, so that standard UNIX file permissions can limit who is able to issue commands to the daemon.
On the other hand, Docker recommends severely limiting privileged use within containers since many of the normal root capabilities are handled outside the containers by the Docker daemon and components. In many ways, Docker containers could help to limit exposure and improve security if permissions and privilege limitation are implemented properly.
The Docker host should also be locked down in traditional ways. Docker recommends running no services on the host beyond the minimal administrative tools needed to access and manage the system. Linux hardening and mandatory access control tools like AppArmor and SELinux work well with Docker and can help prevent excessive privileged use or illicit access from a poorly configured container.
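A host-side check in the spirit of the UNIX socket permissions and host lockdown described above, written as an added example that is not part of the original article: it assumes GNU coreutils `stat`, Docker's conventional `docker` admin group, and the `hosts` and `tlsverify` keys of Docker's later `daemon.json` configuration file, none of which the article itself names.

```sh
#!/bin/sh
# Added example, not from the article: audit how the Docker API is exposed on a host.
# Assumes GNU coreutils `stat` (Linux). The socket path, admin group and config path are
# arguments so the checks run against a real host or against constructed test files.

# Pass only if the socket is reachable by its owner and at most one trusted admin group:
# "other" must have no permission bits, and group access is allowed only for the group
# named as admin (Docker's convention is a "docker" group; membership equals root access).
audit_docker_socket() {
  sock="$1"
  admin_group="${2:-docker}"
  [ -e "$sock" ] || { echo "FAIL: $sock does not exist" >&2; return 1; }
  perms=$(stat -c '%A' "$sock")        # symbolic mode, e.g. srw-rw----
  owner=$(stat -c '%U' "$sock")
  group=$(stat -c '%G' "$sock")
  grp_bits=$(printf '%s' "$perms" | cut -c5-7)
  other_bits=$(printf '%s' "$perms" | cut -c8-10)
  case "$other_bits" in
    ---) ;;
    *) echo "FAIL: $sock is $perms: any local user can drive the daemon" >&2; return 1 ;;
  esac
  if [ "$grp_bits" != "---" ] && [ "$group" != "$admin_group" ]; then
    echo "FAIL: $sock is $perms for group '$group', expected '$admin_group'" >&2
    return 1
  fi
  echo "OK: $sock $perms owner=$owner group=$group"
}

# Pass unless the daemon config also publishes the API over TCP without TLS client
# verification. "hosts" and "tlsverify" are keys of Docker's daemon.json (assumed here;
# the article predates that file). A missing file means the daemon keeps its socket default.
audit_daemon_config() {
  cfg="${1:-/etc/docker/daemon.json}"
  [ -f "$cfg" ] || { echo "OK: no $cfg, API stays on the UNIX socket"; return 0; }
  if grep -q 'tcp://' "$cfg" && ! grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$cfg"; then
    echo "FAIL: $cfg exposes the API over TCP without tlsverify" >&2
    return 1
  fi
  echo "OK: $cfg does not expose an unauthenticated TCP endpoint"
}

# Typical use on a Docker host:
#   audit_docker_socket /var/run/docker.sock docker && audit_daemon_config
```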
In the Docker Hub cloud environment, many of the traditional security concerns for SaaS providers still apply. The security of the underlying host systems will be critical, and repositories must be monitored to ensure that no private container data, account data or authentication credentials are exposed.
In June 2014, a security researcher posted proof-of-concept code that allowed Docker containers to access and manipulate the Docker host file system, acting as a simplified version of a virtual machine escape exploit. While this exploit was only applicable to some versions of Docker, it did raise concerns about how containers and applications are being deployed. The Docker team maintains that Docker containers are not as secure as virtual machines, and recommends against deploying highly sensitive data or privileged applications. Aside from this, the Linux security controls within the Docker host and affiliated with the Docker Engine can be used to control and restrict access.
With the rapid evolution of DevOps and hybrid cloud architecture, the need for a fast, simple and consistent application development and deployment workflow is more pressing than ever. Since Google supports Docker with App Engine integration, it seems Docker is here to stay, and hopefully security controls for Docker will continue to improve as its popularity grows.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures.