Docker containers ushered in a revolutionary perspective toward software development and deployment. Containerization of applications with Docker automatically unloads a lot of perks for developers. For one, we now enjoy the cross-compatibility of container images. We now create software that runs just as well in the dev environment as in production. However, Docker security is something a developer must intentionally set up.
This post explores the key Docker security concerns and how you can configure your instances from a security-first standpoint. We'll also impart a few best practices to provide peace of mind when hosting applications in Docker containers.
Before we deliver on all these promises, let's unroll the concept of Docker containers as a primer to the security concerns and features that will follow. Experienced engineers are free to skip the next section and head for the security-specifics thereafter.
What Is a Docker Container?
A container (the Docker definition) is a bundle of tools and dependencies, as well as the operating environment that allows software to execute, regardless of where said bundle lives.
Containers being shipped (Source: Ian Taylor, Unsplash)
If you look at the image above, the containers being shipped will continue to protect and deliver goods inside them regardless of the vehicle on which they travel. The same concept holds with Docker containers. You can move containers around and never have to worry about performance or compatibility issues on applications inside.
That said—and sticking with our analogy—Docker security covers access, vulnerabilities, and configurations, concerning not only the unit containers but the overall orchestration (vehicle) system with which they're spun up. In our case, that's the Docker daemon (dockerd). Let's dive deeper into these security concerns in greater detail next.
3 Typical Docker Security Concerns
It's good to assume that hackers are persistently looking for cracks and loopholes in your infrastructure. It keeps engineers on their toes, ready and prepared for even the sneakiest of unauthorized access attempts. The surface area for attacks when using Docker containers has three obvious entry points.
Badly configured Docker instances
How one container communicates with the rest
User access rights and permissions
While each of these factors/concerns have different threat levels to containers in your Docker instance, none should be taken for granted. Let's examine how and why they're worth securing at all times.
1. Relaxed Configurations
Unless you're using a managed Docker service (distro) from any of the cloud services providers, you're typically responsible for setting how your environment manages containers. This includes setting the Docker daemon to run either with root or rootless, which already changes the access it has to your entire ecosystem. Long story short, configurations are the first layer of protection you can enforce before adding third-party tools. They touch on every other security aspect and should be monitored as your ecosystem scales.
2. The Container Ecosystem
Although every container encases its own services, it's common for containers to communicate with each other and share resources. This means one hacked container will have access to the rest of the outlay. Lateral movement from a single vulnerable entry point is so much easier when all containers have default root access within (and to other) clusters.
3. The End User
Another crucial security frontier is the end user. While we can focus on application or back-end access, the major concern is if any users gain access to the Docker daemon. If they do, they basically can use all client commands to carry out tasks and even change configurations. Still on this point, containers themselves behave as though they're users with permissions to call for resources.
Docker, the platform, has long been implementing patches to seal out attackers. A good example of these proactive security updates is the protocol changes made in version 0.5.2. This update replaced TCP with Unix socket to seal middleman and cross-site forgery attacks, among other vulnerabilities.
Docker Security Best Practices
With the three major security concerns as guidance, every engineer should attempt to stay up to date with the security features in Docker. Knowing these helps with making the best of out-of-the-box configurable defenses and plugins that extend instances to attain a better security stance.
Let's round off the guide with five best practices that standardize good security habits when using Docker containers.
While there are more than five such activities, the following are key to maintaining safety without compromising on the performance of containers.
1. Use the Latest Version of Docker
As previously alluded to, Docker security improves (almost) every time new patches roll out. This is a free security improvement every engineer should afford their organization. Sometimes this means going through application configurations to match new standards. However, in order to have a better security standpoint, it's all worth the effort.
2. Give Containers the Least Privileges Necessary
By default, containers have the capability to escalate their access levels when looking for resources in their peers. This lowers the need for human intervention, maintaining container uptime. However, this is a risky feature that attackers can use to escalate ranks as they move from one resource to another. Making sure containers have a low permission rating means you sign off on any requests to escalate their access levels.
3. Opt Out of the Default Root Setting
Root users behave and access resources as though they're system administrators. Unless absolutely necessary, activate the non-root level of access for all entities. Here we mean users, containers, services, and any others you may have. This removes the chance of unauthorized access to sensitive sections of your infrastructure.
4. Scan Base Images Before Implementation
When creating containers from images, make sure they are safe. Usually, third-party-sourced images contain open-source applications or plugins that can be the chink attackers need to crack into your containers. When you have found those with the bare minimum tools for your containers, make sure they follow your policies by aligning their privileges with the rest of your infrastructure.
5. Use Audits to Learn About Your Instance
This is better done before attacks, but logs and audit trails allow more visibility into your Docker instances. To this extent, some engineers apply analytics tools to augment the power of the Docker CLI for visibility. Sometimes keeping track of every change becomes a laborious task in itself. Leveraging the power of third-party tools makes you proactive, instead of reactive.
As your Docker security requirements change, these five best practices form the basis of a safe organization. Treating every activity with intentional care, documenting changes, and setting rules to govern access and usage will save you from disastrous attacks in the future.
Final Thoughts: Staying Secure When Using Docker
While Docker security concerns are mitigated because containers separate applications across an infrastructure, we can't rely on that alone. Engineers in contact with containers on the daily should use the configurable safety controls within Docker as a line of defense against attacks.
Setting a clear governance outline for resources and user accounts is a good long-term Docker security plan. This makes best practices a runbook equivalent for everyone with an account, and the end users of hosted applications.
Even with all the above in place, the use of analytics and audit tools such as CloudBees is encouraged. This reinforces engineers' efforts in making the most of default Docker security features. Above all else, visibility is a key requirement in keeping Docker secure. After all, you can only guard against what you know.
This post was written by Taurai Mutimutema. Taurai is a systems analyst with a knack for writing, which was probably sparked by the need to document technical processes during code and implementation sessions. He enjoys learning new technology and talks about tech even more than he writes.
Stay up to date
We'll never share your email address and you can opt out at any time, we promise.