Lead Image © Sergey Nivens, 123RF.com

Improving Docker security now and in the future

Caution!

Article from ADMIN 29/2015
By
The focus for container solutions such as Docker is increasingly shifting to security. Some vulnerabilities have been addressed, with plans to take further steps in the future to secure container virtualization.

Security [1] seems to be lagging behind the pace of other developments in the Docker camp. Although increasing numbers of enterprises are using Docker at the data center, the technologies administrators use to safeguard containers are only slowly establishing themselves. In many cases, it is precisely the features that make Docker popular that also open up vulnerabilities (Figure 1).

Figure 1: The Docker website lauds its containers as an instant solution.

What the Kernel Does Not Isolate

Docker relies on the Linux kernel's ability to create mutually isolated environments in which applications run. These containers are lean because they share the same kernel but run in separate run-time environments, thanks to cgroups [2] and namespaces [3], which define which resources a container can use. At the same time, the container itself only sees certain processes and network functions.

Although an attacker will find it difficult to interact with the host's kernel from a hijacked virtual machine, container isolation does not provide the same defenses. The attacker

...