Dialing up security for Docker containers
Container Security
Conclusions
Docker containers are theoretically less secure than VM systems such as KVM.
Measures such as TLS client certificates for the Docker daemon and mandatory access control (MAC, e.g., SELinux) help to lock down the Docker environment. Seccomp is also recommended if containers belonging to several customers run on the same system.
Admins should also pay attention to permissions: Container documentation sometimes states that privileged mode is required. Similar to the unspeakable `wget URL | sudo bash` constructs found all over the web, this privileged mode requirement is often a sign of bad container design rather than technical necessity.
Last but not least, be sure you are using a reliable container image. It may be tempting to download and launch any old image from the Docker Hub, but you are running a risk if the image is out of date or if you can't verify exactly what is actually inside the image file.
Develop a suitable continuous integration/continuous delivery workflow and use it to build containers for your own requirements. At the very least, admins should only use images that come from trusted sources. In addition to increased security, this operating concept has the side effect of making container operations easier and friendlier.
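The recommendations above (no privileged mode, seccomp and MAC left enabled, images from trusted sources) can be checked mechanically against the JSON that `docker inspect` prints. The following audit script is an added example, not code from the original article: it reads an inspect dump (or a constructed sample embedded below when no file is given) and flags the risky settings. The trusted registry name `registry.example.internal` and the sample containers are assumptions for the illustration; the `docker inspect` keys and the `--security-opt` values it recognises (`seccomp=unconfined`, `label=disable`, `apparmor=unconfined`, `no-new-privileges`) are Docker's own.

```python
"""Audit `docker inspect` output for the container settings discussed above.

Added example (not part of the original article). Usage:
    docker inspect $(docker ps -q) > inspect.json
    python audit_containers.py inspect.json
With no argument a constructed sample is audited instead.
"""
import json
import sys

# Registries the operator trusts. Assumption for this example; adjust to your own.
TRUSTED_REGISTRIES = ("registry.example.internal",)

# Constructed sample resembling `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/good-app",
        "Config": {"Image": "registry.example.internal/team/app@sha256:" + "0" * 64},
        "HostConfig": {
            "Privileged": False,
            "SecurityOpt": ["no-new-privileges"],
            "CapAdd": None,
        },
    },
    {
        "Id": "bbb222",
        "Name": "/bad-app",
        "Config": {"Image": "someuser/app:latest"},
        "HostConfig": {
            "Privileged": True,
            "SecurityOpt": ["seccomp=unconfined", "label=disable"],
            "CapAdd": ["SYS_ADMIN"],
        },
    },
])


def image_is_trusted(ref, trusted=TRUSTED_REGISTRIES):
    """True if ref is pinned by a sha256 digest and comes from a trusted registry."""
    name, sep, digest = ref.partition("@")
    if sep != "@" or not digest.startswith("sha256:") or len(digest) != len("sha256:") + 64:
        return False  # a tag such as :latest can silently change; a digest cannot
    first = name.split("/", 1)[0]
    # A reference without a host component ('.' or ':' in the first path element,
    # or 'localhost') resolves to Docker Hub.
    has_host = "." in first or ":" in first or first == "localhost"
    registry = first if has_host else "docker.io"
    return registry in trusted


def audit_container(entry):
    """Return a list of finding strings for one docker inspect entry."""
    findings = []
    hc = entry.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append("privileged mode")
    # No seccomp/label entry means Docker's default profile and MAC label apply;
    # only explicit opt-outs are flagged here.
    for opt in hc.get("SecurityOpt") or []:
        if opt == "seccomp=unconfined":
            findings.append("seccomp disabled")
        if opt in ("label=disable", "apparmor=unconfined"):
            findings.append("MAC label disabled (%s)" % opt)
    for cap in hc.get("CapAdd") or []:
        findings.append("added capability %s" % cap)
    ref = entry.get("Config", {}).get("Image", "")
    if not image_is_trusted(ref):
        findings.append("image not digest-pinned from a trusted registry: %s" % ref)
    return findings


def audit(inspect_json):
    """Map container name -> findings for every entry in the inspect output."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit(data).items():
        print("%-20s %s" % (name, "OK" if not findings else "; ".join(findings)))
```

The digest check is deliberately strict: a tag such as `:latest` says nothing about which image content actually runs, whereas a `@sha256:` reference names exactly one image, which is the property the CI/CD workflow above should produce and record.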
If you spend some time and energy on addressing the security issues, you'll find that you can operate Docker containers quite securely.
Infos
- Client certificates for Docker: https://docs.docker.com/engine/security/https
- TinyCA: https://tinyca.alioth.debian.org
- Seccomp policy: https://docs.docker.com/engine/security/seccomp
- "Stop disabling SELinux": https://stopdisablingselinux.com/
- GitLab: https://about.gitlab.com/