What Is Docker Container Security?
Docker is a great thing and can save you tons of time and effort.
Learn how to use Docker as securely as possible and catch potential
threats ahead of time to ensure Docker container security.
We have already told you how to secure the popular container orchestration solution Kubernetes. This time we will go deeper and from this article you will find out how to provide security for the well-known containerization platform Docker. If you still looking for differences between these two technologies, we suggest you to read this article Kubernetes vs Docker from Ubuntu.
Want to have an in-depth understanding of all modern aspects of Docker Container Security? Read carefully this article and bookmark it to get back later, we regularly update this page.
Docker quickly burst into the world of containers and in a couple of years has evolved from an add-on to a system for launching, orchestration, clustering, configuring, delivering and creating containers with software, and therefore the issue of Docker container security has become very relevant. Docker also has a simple interface for controlling resource constraints. Docker is based on Linux namespaces, which allow you to isolate and virtualize system resources such as network, processes, mount points, and users.
As a result, we can launch any process completely in isolation, both from the system itself and from other containers, in our unique software environment, with our own network, process tree, file system and network. First, it's worth understanding what containers are. It is a durable object that withstands stress during storage, loading, transport and protects the contents inside.
An image of a port dock may also appear in your head, where thousands of containers are stacked in rows on top of each other. Most of the goods are delivered in such containers, since they are not only durable, but also are standard, easy to store and transport, while the majority of the people involved in the delivery have no idea what is inside, because it does not matter for the delivery.
The idea of software containers is similar, as these are immutable isolated images with software, the functionality of which is most often available through API. It is a modern solution for reliably running software in almost any environment. Docker-based container virtualization is extremely popular because it allows you to quickly roll out software development and testing tools or entire projects from many components.
And everything would be fine if it were not for the whole class of specific threats Docker container security. This is the possibility of escaping from the container to the host system, shutdown of the instance as a result of denial of service, cases with the exploitation of OS kernel vulnerabilities, as well as throwing pre-compromised reference images into the repository and similar attacks.
What is Docker Container?
Docker is software for automating the deployment and management of applications in containerized environments. The software allows you to package any application with all its environment and dependencies into a special container that can be run in any modern Linux.
Thus, each container we create already includes everything necessary for the application to work - libraries, system tools, code and the runtime environment. With Docker, DevOps administrators and developers can quickly deploy, scale, and run their applications in any environment, while ensuring that the code they write will run smoothly.
Docker has many of the features that traditional virtualization systems have, for example, such as independence, when a container can be moved to any OS with a previously raised Docker service and started with one command, as well as self-sufficiency, when the container will perform all the functions assigned to it anywhere, wherever it is started, without additional configuration and service.
However, unlike traditional virtualization, where we usually build the image ourselves, Docker works with images taken from repositories. There are public and private repositories of official and unofficial images. In the documentation, they are called docker registry and the most popular and frequently used repository is Docker Hub today.
Comparison of Docker and VM
Docker image is a sequential set of software layers. Each layer is the result of a command in the Dockerfile. That is, the image is the template based on which we launch the container. But everything that is launched based on this image is the container itself. As a result, Docker has a very useful feature that allows you to run several identical copies of this image from one prepared image, that is, containers.
Docker container security has its own vulnerabilities and flaws, which can be exploited by hackers, like any other software, unfortunately. Misconfigured root accounts exposing containers to compromise, legal images with prepared backdoors, working PoC exploits and a very recent critical bug for which there is no patch yet.
Common Docker Security Issues
1. Security of the host system. One of the simplest and at the same time key security issues for Docker is the security of the host machine, in particular the OS kernel. Indeed, in an already compromised system, isolation and other container security mechanisms that we could use are unlikely to help us. If the host operating system is not properly secured, the container in Docker will also fail to secure. Accordingly, host OS security best practices should be followed.
It would be useful to run several checks for the presence of vulnerabilities. This is because Docker is designed in such a way that all running containers use the host core. Therefore, the host must be a patched, updated Linux distribution with no known vulnerabilities or signs of malware infection.
A classic example of such a case is escaping from a Docker container. In the official documentation, this bug is called container breakout and describes a situation in which a program running inside a container manages to overcome isolation mechanisms and gain root privileges or access to important information stored on the host. To implement protection against such situations, the rule for reducing the number of privileges for the container, given to it by default, is used. So, if the Docker daemon is running under root, then we create a user-level namespace for it with minimal privileges.
2. Exhaustion of resources, or DDoS per container. Comparing containers with virtual machines, the former has lighter weight. Even on old and weak hardware, you can run many containers. However, errors in the configuration of daemons, the network stack, architectural flaws, and hacker attacks can lead to states like Denial of Service.
For example, a certain container or a whole pool of containers can consume all the CPU time of the host and degrade its performance. A similar situation can arise with network interfaces when the number of generated packets exceeds the normal network bandwidth. But the way out here is quite simple, you just need to properly configure the resource limits for the container.
3. An exit outside the Docker container. This situation is widespread in Docker containers that contain a large amount of third-party software. Due to the fact that it is difficult to study their content, and few people are interested in it, it may contain malicious code that is able to get out through all the implemented restrictions and security policies.
This is how data with limited access is compromised. To address this Docker security issue, one can take a serious approach to limiting permissions to each individual container, also at the expense of a custom namespace.
4. The authenticity of Docker images. Be careful using Docker images that are available on the web. They can contain malicious hidden software or lines of code. Always ask yourself the trust level of the source from which you download the image and check it for content.
It should be noted that the encapsulation method is powerless in this case. Even self-built images can be modified by third-party software after building. Therefore, always double-check the final build.
How to Provide Docker Container Security
Transport Layer Security. Restrict connections to the Docker daemon, if remote access is required, for users with access to the client's TLS accounts. Specify which commands are allowed for which user, and create the appropriate authorization plugin for Docker. Now when starting the Docker daemon, point to the created plugin.
Secrets in Docker. Confidential information should be kept as secrets created using the docker service create command. If you add the “icc”: false option to the configuration file located in /etc/docker/daemon.json, communication between containers will be disabled in order to avoid unnecessary information leaks.
Daemon parameters. The Docker daemon starts with a bunch of default options.
- live-restore - containers without daemons to maximize availability after shutdown or reboot. This option makes it easy to install updates and patches by minimizing downtime.
- userland-proxy = false - when hairpin NATs are available or used, custom proxies become redundant and only increase the scope for attacks.
- seccomp-profile/path/to/profile - this option allows you to add a customized seccomp profile.
- no-new-privileges - prohibit containers from obtaining additional privileges via suid or sguid.
Configuration file and container. Make sure that a user has been created for the container and that the container is running as that user, not as root. If remote access is needed, secure this access with certificates, otherwise do not allow remote access to the daemon.
Isolating a custom namespace. It is especially important to make sure that the custom namespace is isolated in Docker, since it is shared with the host namespace by default. In some cases, such a feature can be used to expand privileges or even to leave the container. You can isolate your custom namespace by editing the config file as described in the Docker config file section above. Isolation is reiterated to highlight the importance of this measure.
Network interfaces. By default, Docker listens on every network interface. Since in most cases traffic is expected on only one interface, the scope for an attack is unnecessarily increased. This way, when starting a container, you can bind the ports of the container to specific host interfaces.
Socket. Never run Docker sockets inside a container, as this will allow you to run Docker commands in the container and, as a result, interact and manage the host operating system.
Docker Trust. Using this utility allows you to generate keys to verify the cryptographic integrity of images. These keys can be used to sign images using private keys that are verified using public keys on the Notary Server.
Preventive checks. Healthcheck is a powerful tool used to check the integrity of a container and can be configured in the dockerfile. Alternatively, you can use ImmuniWeb Discovery, a universal tool to check the attack surface of your organization's information system. This kind of checks should be carried out periodically to check that the container is working correctly to ensure Docker container security.
Scanning for vulnerabilities. Docker Enterprise has a built-in vulnerability scanner that has the option to download the CVE database and run it offline to scan images. Scanning images on an ongoing basis raises the level of Docker container security when you react to the emergence of holes in a timely manner.
Policy. Choosing a specific policy based on your requirements or even using several of them is a good opportunity to find as many vulnerabilities as possible. However, not all vulnerabilities are the same and apply to applications, containers or environments, so you need to look not only at their severity, but also at the factors from which this severity is calculated.
This includes attack vector, attack severity, impact on confidentiality, impact on integrity, and so on. These factors then create the final severity score using the CVSS calculator. The metric values are: none, low, medium, high, and critical. More information on these can be found at the NIST website.
Some Docker container security vulnerabilities are easy to fix, but not in all cases. When it comes to problems with base images or packages built into them, this is the responsibility of the developers of this software. However, you must prevent or at least mitigate the exploitation of existing and future vulnerabilities.
Docker is an essential tool for every modern developer as the foundation of hardware application virtualization. This technology has wide functionality and capabilities for process control. Docker allows not only deploying containers, but also quickly scaling their instances, working with multi-container Docker Compose applications, and combining several Docker hosts into a single Docker Swarm cluster.
Docker is characterized by a fairly simple syntax, so it is quite easy to learn for both experienced IT professionals and beginners. The software is compatible with all versions of Linux and Windows operating systems, so the scope of Docker is practically unlimited. However, any component can create a vulnerability: the packages installed in the Docker container, the libraries used, and even the base image.
When it comes to Docker container security issues, it is always preferable to take care of it ahead of time and try to avoid vulnerabilities before they become a real problem. These tools are easy to use, so any developer can make them part of their daily workflow or integrate them into their build and deployment pipeline.