This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed.
Containers do not contain
I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system.
- I have heard people say Docker containers are as secure as running processes in separate VMs/KVM.
- I know people are downloading random Docker images and then launching them on their host.
- I have even seen PaaS servers (not OpenShift, yet) allowing users to upload their own images to run on a multi-tenant system.
- I have a co-worker who said: "Docker is about running random code downloaded from the Internet and running it as root."
"Will you walk into my parlour?" said the Spider to the Fly.
Stop assuming that Docker and the Linux kernel protect you from malware.
Do you care?
If you are not running Docker on a multi-tenant system, and you are using good security practices for the services running within a container, you probably do not need to worry. Just assume that privileged processes running within the container are the same as privileged processes running outside of the container.
Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker, which I will cover later in this article.
If you believe, as I do, that Docker containers should be treated as "container services" (meaning you treat a container running Apache the same way you would treat the Apache service running directly on your system), then you would do the following:
- Drop privileges as quickly as possible
- Run your services as non-root whenever possible
- Treat root within a container as if it is root outside of the container
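One way to apply these three rules when building the image, as an added example that is not from the original article (the base image with dnf, the service account name "web" and port 8080 are assumptions):

```dockerfile
# Added example, not from the original article: an httpd image written the
# usual way (everything as root) and then the "container services" way.
# Base image, service account name and port are assumptions.

# ---- Weak form: the long-running service itself runs as root ----
# FROM fedora
# RUN dnf -y install httpd
# EXPOSE 80
# CMD ["httpd", "-DFOREGROUND"]   # root inside == root outside

# ---- Hardened form ----
FROM fedora

# Package installation genuinely needs root: do it first, then nothing else as root.
RUN dnf -y install httpd && dnf clean all

# Unprivileged service account (assumed name "web"): no home, no login shell,
# write access only to the directories httpd actually needs at runtime.
RUN useradd --system --no-create-home --shell /sbin/nologin web \
    && chown -R web:web /var/log/httpd /run/httpd

# Non-root cannot bind port 80; listen on a high port rather than keep root
# just for the bind. 8080 is an assumption.
RUN sed -i 's/^Listen 80$/Listen 8080/' /etc/httpd/conf/httpd.conf
EXPOSE 8080

# Drop privileges as early as possible: every later instruction and the
# service itself run as "web", not root.
USER web
CMD ["httpd", "-DFOREGROUND"]

# At launch the operator can go further and drop the capabilities root would
# otherwise keep, e.g.:  docker run --cap-drop=ALL -p 8080:8080 <image>
```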
Currently we are telling people in Common Criteria to treat privileged processes within a container with the same criteria as privileged processes running outside the container.
Don't run random Docker images on your system. In a lot of ways I see the Docker container revolution as similar to the Linux revolution around 1999. At that time, when an administrator heard about a new cool Linux service, they would:
- Search the Internet for a package at places like rpmfind.net or just random websites
- Download the program onto their system
- Install it via RPM or make install
- Run it with privilege
What could go wrong?
Read the entire article: Are Docker containers really secure? | Opensource.com.