« Previous 1 2 3
Keeping Docker containers safe
Weak Link
A Whole Host of Changes
Although I've run through a number of ways to harden your Docker daemon and containers, there are still issues presented by the not-so-helpful butler, Jenkins. When you add more security to any solution, there's always an overhead akin to adding PINs to your credit cards or another lock to your front door (so you have to carry another key and replace it when it's been lost). As far I've discovered so far, though, there's really only one type of solution to the problem of root user access being made available to the Docker daemon.
That solution is adding (potentially) lots of granular rules to each user or adding another type of user or process to intercept the commands being run. With this approach, you limit who can run what, mount what, download what, and so on. Initially, the overhead might be a little tiresome, but ultimately this solution offers a finely tuned level of access on each host.
One freely available way to create such rules is AuthZ from a pioneering company called Twistlock [21]. Their GitHub page spells out the basic policy enforcement [22]. The impressive Twistlock also has a commercial product that includes several additional eye-watering features, such as scanning containers for Common Vulnerabilities and Exposures (CVEs) in an efficient manner through a friendly web interface. Importantly, they also manage to remove the need to write lots of rules manually using sophisticated machine learning. Additionally, there's a free-to-try Developer's Edition that's sophisticated and brimming with useful features [23] and a useful whitepaper.
Rocket-Fueled Containers
A direct rival to Docker is the CoreOS product rkt (pronounced rock-it). CoreOS sells rkt [24] out of the box as "a security-minded, standards-based container engine." You might have heard of CoreOS, because they also produce etcd and flannel , which are used by OpenShift and Kubernetes, the container orchestration engines. You can find plenty of interesting security information on the CoreOS site.
I have only used rkt for testing but have been genuinely intrigued with how I might best use it in an enterprise environment. It is slick, performant, and – would you believe – Docker container-compatible. You might be able to tell that I'm a fan. Be warned, however, that its maturity could potentially cause stumbling blocks. There's more information on migrating between Docker and rkt online [25].
I mention rkt because it boosts host security by introducing a local hypervisor into the mix – KVM [26] in this example:
$ rkt run --insecure-options=image --stage1-name=coreos.com/rkt/stage1-kvm:1.21.0 docker://registry-1.docker.io/library/nginx:latest
The turbo-charged rkt uses a KVM plugin of sorts and announces that it's using an "insecure" (unsigned) image to launch a docker://
-built image. The docs for this can be found online [27].
I will leave you to come to grips with how the clever isolation works, but the handy diagram in Figure 3 explains which component is used with the KVM approach and how it compares to the usual systemd method. I have read that similar functionality will be available via pluggables in Docker when it moves to using containerd
[29] as its run time in a future version.
Horses for Courses
Which container solution suits your needs? The quick answer is that you have a whole host of options (pun intended), and you probably will not find a one-size-fits-all solution.
For more in-depth reading, you can spend a few minutes reading a comparison of current container technologies [30] on the CoreOS site, which could be biased, intentionally or not.
You have your work cut out securing containers. I hope the methods I've suggested for mitigating their security issues offers you some solace. Before you relax too much, however, you should read a somewhat scathing but informative blog post about the dangers of the docker
group [31]. Comments such as "broken-by-design feature" are certainly a reminder to stay vigilant.
Infos
- Docker daemon attack surface: https://docs.docker.com/engine/security/security/
- "Are Docker containers really secure?" by Daniel J. Walsh: https://opensource.com/business/14/7/docker-security-selinux
- SELinux: https://selinuxproject.org/page/Main_Page
- Stop disabling SELinux: https://stopdisablingselinux.com
- Everything is a file: https://en.wikipedia.org/wiki/Everything_is_a_file
- Principle of least privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege
- Docker user guide: http://docs.oracle.com/cd/E52668_01/E75728/html/section_rdz_hmw_2q.html
- Jenkins: https://jenkins.io
- Privilege separation: https://en.wikipedia.org/wiki/Privilege_separation
- Knoppix boot disks: http://knopper.net/knoppix/index-en.html
- Amazon S3: https://aws.amazon.com/s3/
- GlusterFS: http://www.gluster.org
- Docker security: https://docs.docker.com/engine/security/security/
- User namespaces have arrived in Docker!: https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
- CIS Docker 1.11.0 benchmark: https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
- AppArmor: http://wiki.apparmor.net/index.php/Main_Page
- Grsecurity: https://grsecurity.net
- PaX: https://pax.grsecurity.net
- Docker capabilities allowed and not allowed by default: https://docs.docker.com/engine/reference/run/
- Docker Bench for Security: https://github.com/docker/docker-bench-security
- Twistlock: https://www.twistlock.com
- AuthZ policy enforcement: https://github.com/twistlock/authz
- Twistlock demo: https://www.twistlock.com/demo
- rkt: https://coreos.com/rkt/
- "Moving from Docker to rkt" by Adriaan de Jonge: https://medium.com/@adriaandejonge/moving-from-docker-to-rkt-310dc9aec938#.ht63ldsn0
- KVM: http://www.linux-kvm.org/page/Main_Page
- rkt documentation: https://coreos.com/rkt/docs/latest/running-kvm-stage1.html
- rkt with containers vs. KVM: https://coreos.com/rkt/docs/latest/running-kvm-stage1.html
- containerd: https://containerd.io
- rkt vs. other projects: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
- Dangers of the docker group: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)