Docker Security

Intrinsic Docker security features

Docker comes with sane defaults. This means we can get a fairly secure Docker with minimal effort. The general consensus among experts is that Linux is a highly secure OS. This security comes as a result of the operating system’s design. Docker, which is native to Linux, implements Linux security features. In addition to leveraging Linux security features, Docker also implements its own security layer. In this section, we look at some Linux security features that make Docker more secure, and we also discuss some security features implemented by Docker.

Capabilities

In Linux, the root user has all the privileges. Non-root users require elevated permissions to access some files or perform some actions. This inherent restriction of non-root users serves as a deterrent to attacks and system compromises.

It’s risky to run a Docker container with the real root privileges, and at the same time, it can be hard to run containers with users without privileges.

Docker improves security by making sure containers run with fine-grained access or, better put, with reduced capabilities.

If a container needs the root capability of mounting a folder or binding to a port, we can start a container with just the capability required while dropping the others. This makes the root user in the container have far fewer privileges than the real root. This offers a variety of advantages in terms of security. Even if an attacker is able to get access to a container and escalate their privileges, causing real harm is far more difficult.

Kernel namespaces

Isolation is an important concept in security because it helps limit the influence and spread of an attack. Docker uses kernel namespaces to create a workspace unique to each container and isolated from the rest.

When we run a container, Docker creates a set of namespaces to ensure that the processes running inside it are separated from those running in other containers or the host system. This workload segregation allowed numerous containers to run simultaneously without interfering with each other. Because Docker establishes a network for each container, we can host two webservers, each exposing port 80.

Control groups

Containers on a host are separated from one another, but this doesn’t rule out the possibility that they share the same host. What if one of the containers uses 90% of the host system’s resources, such as the CPU, RAM, network bandwidth, and disk I/O? Even if they’re isolated, one container hogging resources that could be shared fairly with other containers on the host will impact others. This is where control groups come in. If namespaces are about isolation, control groups (cgroups) are about setting limits.

When we run a container, Docker creates a set of control groups that implements accounting and limiting. Control groups ensure each container gets its fair share of memory, CPU, disk I/O, and more. The security implication of control groups is that it helps fend off denial-of-service attacks.

Docker Content Trust signature verification

One of the important aspects of security when downloading stuff from the internet is verifying that the downloaded content has not been tampered with and that it comes from the right source. Malicious attackers have been known to package malicious code into Docker images using community-distributed images published on Docker Hub. Docker allows us to configure and enable digital signature verifications for the images we pull from the internet to make sure the image hasn’t been tampered with and also to verify the identity of the publisher.

Apart from the ways described above, there are other ways to harden the Docker kernel. While we can use capabilities that are one of the security features provided by the modern Linux kernel, we’re not limited to them. Docker allows us to use leverage other security features like TOMOYO, AppArmor, SELinux, and GRSEC to further strengthen our Docker host.