Docker, which has now been around for four years, is the world's leading software container platform.
Four years may not seem like a long time. At that age, Docker is still relatively young, even for a software company.
And because Docker is still young, you might assume that it is insecure. Indeed, it was fairly insecure in its early days. Fast-forward to today, however, and Docker is much more secure than many people realize. Docker has worked hard to secure its platform over the past couple of years by addressing each new vulnerability as quickly as possible.
In short, Docker has grown up, and has made a lot of changes to address vulnerabilities and show just how secure it can be. Below, I outline the steps Docker has taken to become as secure as any other major enterprise software platform. I also offer some tips on Docker security best practices.
Docker focuses on security by default
Docker believes that security should be strong by default, without additional setup. That's why containers automatically start with a limited set of capabilities, dropping all Linux capabilities except those needed.
To help reduce the risk of container breakout, Docker offers user namespacing. When a container is deployed, user namespacing allows containerized applications to run without root permission on the host. This means that the “root” user within a container has far fewer privileges than the real root user. By creating a set of namespaces for each container, Docker provides a simple form of isolation between containers, which prevents them from interacting with each other.
Namespaces also reduce the host surface area, which in turn restricts access to the host, and protects both the host and the containers.
And if you’re wondering how the Docker daemon (or server) retains control: the daemon itself still runs as root, but the containers are handled separately. (See image below.)
For a really detailed look at how Docker namespaces work, check out this resource: https://asciinema.org/a/5uyrknsjg7u2fad6ii0wgizd4?speed=2
Tools to make Docker even more secure
The great thing about the burgeoning Docker ecosystem is that you don’t need to settle just for the security defaults in Docker. A range of tools and add-ons are available to make Docker even more secure.
Here’s a rundown of just some of them:
- Docker Bench, a script from Docker that runs automated tests against containers and their hosts’ security configuration, checking them against a set of common best practices published by the Center for Internet Security.
- Image scanners that can check images automatically, verifying that they are free from known security vulnerabilities or injections. Some image scanners are Clair by CoreOS and Docker Security Scanning.
- Twistlock is a security suite for containers that hardens container applications, checks for container vulnerabilities or misconfigurations, and has active runtime defense, security analytics and response to threats.
- LinuxKit is a toolkit for building custom, minimal Linux distributions. It is made to work only with containers (and is built with containers), which allows LinuxKit to separate system services and minimize the attack surface.
- SwarmKit is a toolkit for orchestrating distributed systems at any scale. It includes primitives for node discovery, Raft-based consensus, task scheduling, and more. SwarmKit uses TLS for node authentication (this can be done without SwarmKit too), role authorization and transport encryption. This also supports the secure-by-default idea I mentioned earlier. This is different from Swarm Mode.
- Swarm Mode is a way to manage a cluster of Docker engines, or nodes, which is called a swarm. If the Docker engines are in a cluster, then they are running in swarm mode. Each engine in the swarm has TLS authentication and encryption to secure communications between itself and all other nodes, just like in SwarmKit.
- VMs and Docker containers play well together: the virtual machine protects itself and provides defense in depth for the host. This gives the application two layers of isolation, containers and VMs.
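As an added example (not code from the original post, from Docker, or from Docker Bench), the following Python check applies the secure-by-default expectations discussed above, in the style of the checks Docker Bench automates, to a container record in the shape of `docker inspect` output. The field names are the real inspect keys; the two records are constructed, and the set of risky capabilities is my own choice.

```python
"""Audit container records (the shape of `docker inspect` output) for departures
from Docker's secure-by-default posture. Added example; the records are constructed."""
import json

# Capabilities whose addition undoes most of the default restriction (own choice).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def audit_container(record):
    """Return (key, detail) findings for one inspect record; [] means clean."""
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append(("privileged", "all capabilities granted, host devices exposed"))
    # CapAdd lists capabilities granted on top of Docker's default set.
    added = {c.upper().replace("CAP_", "", 1) for c in host.get("CapAdd") or []}
    risky = added & RISKY_CAPS
    if risky:
        findings.append(("cap-add", "added beyond defaults: " + ", ".join(sorted(risky))))
    # An empty Config.User means the image default, which is root unless the
    # Dockerfile set USER; "1000:1000" style values are uid[:gid].
    user = (cfg.get("User") or "root").split(":")[0]
    if user in ("root", "0"):
        findings.append(("root-user", "process runs as uid 0 inside the container"))
    if host.get("UsernsMode") == "host":
        findings.append(("userns-host", "user-namespace remapping disabled"))
    for mode in ("NetworkMode", "PidMode"):
        if host.get(mode) == "host":
            findings.append((mode, "shares the host %s namespace" % mode[:-4].lower()))
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append(("docker-sock", "daemon socket mounted inside the container"))
    return findings


# Constructed records, trimmed to the fields the audit reads.
LAX = json.loads("""{"Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
    "NetworkMode": "host", "PidMode": "", "UsernsMode": "host",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}""")
HARDENED = json.loads("""{"Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": ["ALL"],
    "NetworkMode": "bridge", "PidMode": "", "UsernsMode": "", "Binds": null}}""")

if __name__ == "__main__":
    for name, rec in (("lax", LAX), ("hardened", HARDENED)):
        print(name, audit_container(rec) or "no findings")
```

On a real host, feed it `docker inspect <container>` (a JSON array, one record per container) to get the same findings for running workloads.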
Dan Walsh, a.k.a. Mr. SELinux and current Red Hat Consulting Engineer, said in 2014 that “containers do not contain.” At the time, it was hard to argue with that statement, which was made when Docker was younger and rougher around the edges.
A couple of years later, however, Docker has been hardened considerably through the introduction of numerous new security tools and features. Looking at how Docker has improved over the years, it can safely be said that Docker is significantly more secure today than when it first appeared. And I have a feeling it will only continue to get more secure.
About the Author
Samantha has a background in visual and UX design, and is currently studying software engineering at Holberton School. In her (very little) free time she enjoys photography, writing, yoga, learning new things, and making all things pretty. Follow her on Twitter @SamScislowicz.