Docker Security, Hardened Containers and a Layered Strategy
- April 12, 2016
Docker recently unveiled version 1.10 of its popular container technology. Security was a major focus of the release with several features designed to strengthen the security of Docker containers. According to the Docker blog,
“All the big features you’ve been asking for are now available to use: user namespacing for isolating system users, seccomp profiles for filtering syscalls, and an authorization plugin system for restricting access to Engine features. Another big security enhancement is that image IDs now represent the content that is inside an image, in a similar way to how Git commits represent the content inside commits.”
We are excited about these additions because as adoption of Docker grows, so does the number of questions we get about container security. The new features provide real value in that they build in a number of security controls, allowing organizations to spend more of their time on driving strategic value. Let’s look a little more deeply into why that is the case.
User namespacing is the most anticipated of these new features because it directly addresses the common concern that root inside a container is also root on the host, leaving every container on that host equally exposed to the damage a breach could cause. Docker now supports user namespaces, and with them a container can use privileged OS functions internally without that privilege extending to every other container running on the same server. Said another way, Docker 1.10 separates the processes in the container from the processes of the host, and each container’s processes can now have their own set of user and group IDs, mapped to unprivileged IDs on the host. While all containers on a given server still share the same kernel, additional security controls, such as those recommended by the CIS Docker 1.6 Benchmark, remain helpful and advisable.
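To make the remapping concrete, here is an added example (not code from the original post or from Docker) that reads the kernel’s `uid_map` format, translates an ID seen inside a container to the ID the host actually uses, and emits the `daemon.json` setting that turns the feature on. The sample `uid_map` lines are constructed; the `userns-remap` key and the `dockremap` user are Docker’s real names for this feature.

```python
import json

# Constructed sample: contents of /proc/<pid>/uid_map for a process inside a
# container started by a daemon running with userns-remap enabled.
# Format: <id inside the namespace> <id outside the namespace> <range length>
SAMPLE_UID_MAP = "0 100000 65536\n"

# Constructed sample: the same file without user namespaces (identity mapping:
# the container's root is the host's root).
IDENTITY_UID_MAP = "0 0 4294967295\n"


def parse_id_map(text):
    """Parse uid_map/gid_map lines into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        entries.append(tuple(int(f) for f in fields))
    return entries


def to_host_id(container_id, id_map):
    """Translate an ID seen inside the container to the ID the host kernel uses.
    Returns None when the ID is not mapped at all (the kernel then treats it as
    the overflow ID 'nobody', which cannot own files on the host)."""
    for inside, outside, length in id_map:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return None


def container_root_is_host_root(uid_map_text):
    """The question a hardening review asks: does UID 0 inside map to UID 0 outside?"""
    return to_host_id(0, parse_id_map(uid_map_text)) == 0


def daemon_config_with_userns():
    """Daemon-side setting that enables the feature: the 'userns-remap' key in
    /etc/docker/daemon.json. The value 'default' makes Docker create the
    'dockremap' user and allocate its /etc/subuid and /etc/subgid ranges."""
    return json.dumps({"userns-remap": "default"}, indent=2)


if __name__ == "__main__":
    remapped = parse_id_map(SAMPLE_UID_MAP)
    print("container uid 0     -> host uid", to_host_id(0, remapped))
    print("container uid 1000  -> host uid", to_host_id(1000, remapped))
    print("container uid 70000 -> host uid", to_host_id(70000, remapped))
    print("remapped root is host root:", container_root_is_host_root(SAMPLE_UID_MAP))
    print("identity root is host root:", container_root_is_host_root(IDENTITY_UID_MAP))
    print(daemon_config_with_userns())
```

The useful check is `container_root_is_host_root`: on a host where remapping is active it returns `False`, because the container’s UID 0 lands on an unprivileged host UID (100000 in the constructed sample), while the identity mapping returns `True` and is the situation the feature is meant to retire.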
With version 1.10, Docker also supports secure computing (seccomp) profiles that limit the system calls a container can make. These profiles add another level of security by putting guardrails around container processes, helping ensure they do only what they need to do rather than issuing arbitrary system calls in search of a kernel vulnerability to exploit.
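The following added example (not from the original post or from Docker) shows what such a profile looks like in Docker’s seccomp JSON format and evaluates, for a given syscall and its arguments, the action the filter would take. The profile itself is constructed (a small allowlist with a masked-argument rule on `clone`, the same shape Docker’s default profile uses to keep workloads from creating new namespaces); `SCMP_ACT_*` and `SCMP_CMP_*` are real libseccomp names, `CLONE_NEWUSER` is the real kernel flag value, and `--security-opt seccomp=` is the real engine flag for loading a custom profile.

```python
import json

# Real libseccomp action names used in Docker seccomp profiles.
ALLOW = "SCMP_ACT_ALLOW"
ERRNO = "SCMP_ACT_ERRNO"   # syscall fails with EPERM instead of running

CLONE_NEWUSER = 0x10000000  # real clone(2) flag value from the Linux kernel

# Constructed allowlist profile in Docker's seccomp JSON format. Anything not
# listed hits defaultAction; clone() is allowed only when the caller does not
# request a new user namespace. Load it with:
#   docker run --security-opt seccomp=profile.json ...
PROFILE = {
    "defaultAction": ERRNO,
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex", "mmap", "brk"],
         "action": ALLOW},
        {"names": ["clone"], "action": ALLOW,
         "args": [{"index": 0, "value": CLONE_NEWUSER, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
    ],
}


def _arg_matches(rule, args):
    """Evaluate one argument condition; a missing argument never matches (fail closed)."""
    index = rule["index"]
    if index >= len(args):
        return False
    actual = args[index]
    op = rule["op"]
    if op == "SCMP_CMP_EQ":
        return actual == rule["value"]
    if op == "SCMP_CMP_NE":
        return actual != rule["value"]
    if op == "SCMP_CMP_MASKED_EQ":
        # (arg & value) == valueTwo: the form used to inspect clone() flags
        return (actual & rule["value"]) == rule.get("valueTwo", 0)
    raise ValueError("unsupported comparison " + op)


def decide(profile, syscall, args=()):
    """Return the action the filter would take for one syscall invocation.

    Simplified seccomp semantics sufficient for policy review: the first rule
    whose name and argument conditions all match decides, otherwise
    defaultAction applies. Docker 1.10 profiles used a singular "name" key and
    later profiles use "names"; both are accepted here."""
    for rule in profile["syscalls"]:
        names = rule.get("names") or [rule["name"]]
        if syscall not in names:
            continue
        if all(_arg_matches(cond, args) for cond in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


def audit_profile(profile, workload_syscalls):
    """List the syscalls a workload needs that the profile would block, evaluated
    without argument data. An empty list means the profile will not break the
    service; a non-empty list is the to-do list before rolling it out."""
    return sorted(s for s in workload_syscalls if decide(profile, s) != ALLOW)


if __name__ == "__main__":
    print(json.dumps(PROFILE, indent=2))
    print("read            ->", decide(PROFILE, "read"))
    print("ptrace          ->", decide(PROFILE, "ptrace"))
    print("clone(0)        ->", decide(PROFILE, "clone", (0,)))
    print("clone(NEWUSER)  ->", decide(PROFILE, "clone", (CLONE_NEWUSER,)))
    print("blocked for app ->", audit_profile(PROFILE, ["read", "write", "ptrace", "mount"]))
```

The `audit_profile` helper is the step that usually decides whether a tighter profile ships: run it over the syscall list a workload actually uses (gathered from tracing in a test environment) and every entry it returns is either a syscall to allow or a behaviour to remove from the application.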
My other favorite security addition to Docker is the ability for image IDs to reflect the content inside the image. Working with highly regulated industries like healthcare, where artifacts must be tracked at every step of the way, this makes a huge difference. Now, instead of creating a custom solution to tag and track assets, Docker will do this natively, making it easier for companies with compliance requirements to take advantage of the efficiencies inherent in Dockerization.
Last, but certainly not least, are the new authorization plug-ins, which allow organizations to create very granular policies about who can execute what. Further, you can also create policies to filter the results the daemon returns to users. For example, if you don’t want a certain user to see all the containers that are currently running, you can filter them out, thus tightening security around access and privilege.
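As an added example of the two policy points described above (this is not code from the original post, from Flux7 or from Docker), here is the decision logic such a plug-in would apply: on the request side it refuses to let non-admin users create privileged or host-PID containers, and on the response side it narrows a container listing to the containers a user owns. The request and response field names (`User`, `RequestMethod`, `RequestUri`, `RequestBody`, `ResponseBody`, `Allow`, `Msg`) follow Docker’s authorization plug-in API as documented for the `AuthZReq` and `AuthZRes` calls; the `owner` label scheme, the admin list, the sample container inventory and the `filtered_body` key under which the example returns the narrowed listing are constructed for illustration and are not part of the Docker API.

```python
import json

# Constructed inventory: what the daemon would return for GET /containers/json.
# Each container carries an "owner" label that the policy uses for filtering.
SAMPLE_CONTAINERS = [
    {"Id": "aaa111", "Names": ["/web"],   "Labels": {"owner": "alice"}},
    {"Id": "bbb222", "Names": ["/db"],    "Labels": {"owner": "bob"}},
    {"Id": "ccc333", "Names": ["/batch"], "Labels": {"owner": "alice"}},
]

ADMINS = {"root"}  # constructed: users exempt from the restrictions below


def _path(uri):
    """Strip the query string so policy matches on the API path only."""
    return uri.split("?")[0]


def authz_request(req):
    """Decide an AuthZReq call before the daemon executes the request.
    `req` carries User, RequestMethod, RequestUri and (for POSTs) RequestBody
    as raw JSON bytes. Returns the Allow/Msg structure the daemon expects."""
    user = req.get("User", "")
    method = req["RequestMethod"]
    path = _path(req["RequestUri"])
    if user in ADMINS:
        return {"Allow": True}
    if method == "POST" and path.endswith("/containers/create"):
        body = json.loads(req.get("RequestBody") or b"{}")
        host_config = body.get("HostConfig", {})
        # Privileged mode and the host PID namespace undo the isolation the
        # rest of the stack provides, so only admins may request them.
        if host_config.get("Privileged") or host_config.get("PidMode") == "host":
            return {"Allow": False,
                    "Msg": "privileged or host-PID containers require an admin"}
    if "/plugins" in path:
        # Non-admins must not be able to change the authorization setup itself.
        return {"Allow": False, "Msg": "plugin management is restricted"}
    return {"Allow": True}


def authz_response(req, res):
    """Decide an AuthZRes call after the daemon has produced a response.
    For container listings, non-admins only see containers labelled as theirs;
    the narrowed listing is returned under the example's own 'filtered_body'
    key (constructed name; how a plug-in substitutes a body is not covered here)."""
    user = req.get("User", "")
    body = res["ResponseBody"]
    if user in ADMINS or not _path(req["RequestUri"]).endswith("/containers/json"):
        return {"Allow": True, "filtered_body": body}
    containers = json.loads(body)
    visible = [c for c in containers if c.get("Labels", {}).get("owner") == user]
    return {"Allow": True, "filtered_body": json.dumps(visible).encode()}


if __name__ == "__main__":
    create = {"User": "alice", "RequestMethod": "POST",
              "RequestUri": "/v1.22/containers/create?name=web",
              "RequestBody": json.dumps({"Image": "nginx",
                                         "HostConfig": {"Privileged": True}}).encode()}
    print("alice privileged create ->", authz_request(create))
    listing = {"User": "alice", "RequestMethod": "GET",
               "RequestUri": "/v1.22/containers/json"}
    out = authz_response(listing, {"ResponseBody": json.dumps(SAMPLE_CONTAINERS).encode()})
    print("alice sees ->", [c["Id"] for c in json.loads(out["filtered_body"])])
```

Two design points carry over to any real plug-in: evaluate on the parsed request body rather than on string matching, since the privileged flag lives inside `HostConfig`, and fail closed on the plug-in’s own configuration surface (`/plugins` here), otherwise a user who cannot run a privileged container could simply disable the policy that stops them.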
Focused as we are on Docker best practices, shaped by our extensive experience with clients across industries, we are excited about the new Docker security features and look forward to continuing to watch Docker evolve. The theme of the security features in this release is really about providing an additional layer of isolation to further increase security. This directly matches how we like to think about the topic here at Flux7: through the lens of layered security. When paired with Linux seccomp, CIS Benchmarking and other security tools, it is easy to see how far Docker security has come, all while continuing to deliver the DevOps benefits for which Docker has become exceedingly popular.
We are laser focused on helping our clients introduce and fine-tune DevOps in their organization, creating concrete benefits such as bringing more services to market more quickly through portable applications that run reliably and seamlessly in an agile environment. We’ve found Docker to be a strong enabling technology.