This article was originally published on Twistlock by Twain Taylor. With their kind permission, we’re sharing it here for Codeship readers.
Is Docker secure? Docker security is the million-dollar question as more and more organizations migrate production workloads to containers.
But that’s a simplistic question, and there is not a yes or no answer. Instead of thinking in binary terms about Docker security (that is, trying to decide whether it is secure or not), it’s better to delve into the details of how Docker works in order to understand how the Docker security paradigm plays out.
So, let’s take a look at how Docker works and what that means for container security.
Docker Architecture
To answer the question “is Docker secure?”, we’ll first take a look at the key parts of the Docker stack:
There are two key parts to Docker: Docker Engine and Docker Hub. It’s equally important to secure both parts of the system. And to do that, it takes an understanding of what they each consist of, which components need to be secured, and how. Let’s start with Docker Engine.
Docker Engine: the runtime
Docker Engine hosts and runs containers from the container image file. It also manages networks and storage volumes. There are two key aspects to securing Docker Engine: namespaces and cgroups.
Namespaces
Namespaces are a feature Docker inherits from the Linux kernel. Namespaces isolate containers from each other so that a process within one container has no visibility into a process running in a neighboring container.
Initially, Docker containers ran as root by default, which was cause for a lot of concern. However, since v1.10, Docker supports user namespaces, which let you run containers as non-root users by mapping the container's root user to an unprivileged user on the host. This user-namespace remapping is switched off by default in Docker and needs to be activated.
cgroups
cgroups in Docker allow you to set limits for CPU, memory, networking, and block IO. By default, containers can use an unlimited amount of system resources, so it's important to set limits so that the entire system is not affected by a single hungry container.
SELinux, AppArmor, and SecComp
Apart from namespaces and cgroups, Docker Engine can be further hardened by the use of additional tools like SELinux and AppArmor.
SELinux provides access control for the kernel. It can manage access based on the type of process running in the container, or the level of the process. Based on this, it either enables or restricts access to the host.
AppArmor attaches a security profile to every process running on a host. The profile defines what resources a process can utilize. Docker applies a default profile to processes, but you can apply a custom profile as well.
Similar to AppArmor, SecComp uses security profiles to restrict which system calls a process can make. That rounds off the list of Linux kernel security features available in Docker Engine.
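As an added example (not code from the original article or from Twistlock), here is a small Python audit that checks a `docker inspect` record against the hardening points from the namespaces, cgroups and security-profile sections above: non-root user, memory/CPU/pids limits, seccomp not disabled, an AppArmor profile attached, no privileged mode or added capabilities. The two inspect records are constructed, trimmed samples, not real output.

```python
import json

# Constructed sample `docker inspect` records (trimmed; not real output).
WEAK = json.dumps([{
    "Name": "/web-weak", "AppArmorProfile": "", "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "Memory": 0, "NanoCpus": 0,
                   "PidsLimit": None, "SecurityOpt": ["seccomp=unconfined"],
                   "CapAdd": ["SYS_ADMIN"]}}])
HARDENED = json.dumps([{
    "Name": "/web-hardened", "AppArmorProfile": "docker-default",
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "Memory": 268435456, "NanoCpus": 500000000,
                   "PidsLimit": 100, "SecurityOpt": ["no-new-privileges"],
                   "CapAdd": None}}])

def audit_container(inspect_json: str) -> dict:
    """Map each check name to None (pass) or a short finding string (fail)."""
    rec = json.loads(inspect_json)[0]
    hc, cfg = rec.get("HostConfig", {}), rec.get("Config", {})
    secopt = hc.get("SecurityOpt") or []
    user = (cfg.get("User") or "").split(":")[0]
    pids = hc.get("PidsLimit") or 0
    f = {}
    # Namespaces: the container's main process should not be UID 0.
    f["non_root_user"] = None if user and user not in ("root", "0") else "runs as root (Config.User unset)"
    # cgroups: 0/None means the container may consume the whole host.
    f["memory_limit"] = None if hc.get("Memory") else "no memory limit (HostConfig.Memory=0)"
    f["cpu_limit"] = None if hc.get("NanoCpus") else "no CPU limit (HostConfig.NanoCpus=0)"
    f["pids_limit"] = None if pids > 0 else "no pids limit (process count unconstrained)"
    # seccomp: Docker's default profile applies unless it was explicitly switched off.
    f["seccomp"] = "seccomp disabled (seccomp=unconfined)" if "seccomp=unconfined" in secopt else None
    # AppArmor: empty means no profile attached (on SELinux hosts check the label instead).
    f["apparmor"] = None if rec.get("AppArmorProfile") else "no AppArmor profile attached"
    f["privileged"] = "privileged container (isolation largely bypassed)" if hc.get("Privileged") else None
    f["cap_add"] = f"extra capabilities: {hc.get('CapAdd')}" if hc.get("CapAdd") else None
    return f

def failed_checks(inspect_json: str) -> list:
    """Sorted names of failed checks, suitable for a CI or admission gate."""
    return sorted(k for k, v in audit_container(inspect_json).items() if v)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, failed_checks(rec) or "all checks passed")
```

To audit a real container, replace the constants with the output of `docker inspect <container>`.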
Docker Hub: the registry
While Docker Engine manages containers, it needs the other half of the Docker stack to pull container images from. That part is Docker Hub—the container registry where container images are stored and shared.
Container images can be created by anyone, and made publicly available for anyone to download. This is both a good and a bad thing. It’s good because it enables collaboration between developers, and makes it extremely easy to spin up an instance of an operating system or an app with just a few clicks. However, it could turn bad if you download a public container image that has a vulnerability.
The rule of thumb is to always download official repositories, which are available for most common tools, and never download repositories from unknown authors. On top of this, each downloaded container image needs to be scanned for vulnerabilities.
Scan Docker images
Docker Hub scans downloaded container images. It scans a few repositories for free, after which you need to pay for scanning as an add-on.
Docker Hub isn’t the only registry service. Other popular registries include Quay, AWS ECR, and GitLab Container Registry. These tools also have scanning capabilities of their own. Further, Docker Trusted Registry (DTR) can be installed behind your firewall for a fee.
Third-party Docker security tools
While the above security features provide basic protection for Docker Engine and Docker Hub, they lack the power and reach of a dedicated container security tool. A tool like Twistlock can completely secure your Docker stack end-to-end. It goes beyond any one part, and gives you a holistic view of your entire system.
Conclusion
To circle back to our opening thought—Docker is an intricate layer of various moving and static parts. Simply using any one of these tools does not instantly make your stack secure. It takes a combination of these approaches to add Docker security at all levels.
So, next time someone asks you if Docker is secure, you really should ask them which part of Docker they’re referring to, then explain the various Docker security considerations that affect that layer.