Docker’s stand on security is that its container platform is built to be secure by default. However, during attacks, the defaults aren’t enough, and you need a deliberate security strategy.
In this post, we look at six steps you can take to secure your containers, and confidently run them in production.
Containers provide process isolation, not entirely unlike virtual machines do. This is a good thing and a bad thing. It’s great because it lets you package and manage code with more agility. But on the downside, the isolation is weak, and vulnerabilities can easily spread beyond individual containers, affecting the host and neighboring containers.
1. Adopt microservices
If you’re using containers, there is a good chance you are already breaking your app down into microservices. But if you’re not, security concerns are another reason to refactor it into microservices.
When an app is composed of microservices, you can remove and replace just that component of your app in the event that its security is compromised. The rest of your app continues to run normally.
2. Leverage Docker’s security features
At its launch, Docker was criticized for having weak isolation features. Cgroups and namespaces were not enough to contain container vulnerabilities.
Since then, however, Docker has taken steps to better secure its containers. You should make the most of the security tools it offers to help defend your environment. Docker Bench is a list of security best practices that’s approved by the CIS (The Centre for Internet & Society).
Docker Trusted Registry, part of Docker’s enterprise offering, provides tighter security around repositories. Docker Content Trust ensures only container images built by your CI server are deployed. Staying updated on Docker’s evolving security features is essential when working with containers.
3. Use advanced access control and hardening on the host
Apart from its own features, Docker advises using Linux security features like SELinux and AppArmor to help harden the host server. By default, SELinux denies container access to services, programs, or users unless exceptions are given explicitly. Similarly, AppArmor is a mandatory access control (MAC) service. It lets the system define access controls, rather than file owners.
Third-party container registries like Quay also provide robust access controls. They support LDAP and single sign-on authorization, which are industry standards for controlling user access.
AWS ECS and other container services provided by cloud vendors also come with strong access control. ECS, for example, leverages the same IAM service that controls access for other AWS services. This is the most familiar option if you’re already invested in a cloud platform like AWS.
4. Verify third-party container repositories
Docker Hub hosts public container repositories for free. The top downloaded repositories like NGINX, Redis, and Ubuntu are official repositories. However, anyone can post a new repository to Docker Hub, and corrupted files can easily get into your systems by running unverified container repositories. The solution is to use a registry service that can scan each repository and image downloaded to ensure it’s clean.
The Docker Hub paid plan does this. Third-party Docker registries like Quay also scan repositories. If you’d like to setup a private registry instead, you can use Docker Distribution to gain tighter control over how your repositories are shared.
5. Set resource limits for containers
Compromised containers can hog system resources like compute and memory, and affect overall performance. To avoid this, you can set limits for how much memory and compute any container is allowed to use. You can add these limits as flags that are part of your ‘docker run or ‘docker create’ commands. (Read more here.)
You need to make sure you’ve provided enough memory and compute for your app to function smoothly. At the same time, you should ensure that your infrastructure has enough bandwidth to support these limits.
6. Consider third-party security tools
Finally, you could consider a purpose-built container security solution like Twistlock. This is a security tool that scans container images for vulnerabilities. It can also be integrated with CI tools like Jenkins to enhance security across your CI/CD pipeline.
Aqua Security similarly secures Docker images, and even lets you enforce automated restrictions when containers use excessive CPU and memory resources.
Docker is still in a state of infancy, and is evolving quickly. So are its security features. While Docker takes steps to ensure security by default, DevOps teams need to take the security of their apps in their own hands. This requires having a well thought-out security strategy that covers the Docker platform end-to-end.
Every step is important—how apps are architected, which container registry is used, how access is granted to users and apps, and which third-party tools go beyond the default security measures. Container security is not a solved problem, but there are many solutions and tactics available today that can provide the necessary confidence to run containerized apps in production.
About the Author
Twain Taylor began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, and resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications, and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist he helps IT magazines, and startups change the way teams build and ship applications.
We’re hiring! Check out the careers page for open positions in Amsterdam, London and San Francisco.
As usual, if you want to stay in the loop follow us on twitter @wercker or hop on our public slack channel. If it’s your first time using Wercker, be sure to tweet out your #greenbuilds, and we’ll send you some swag!