How to think about Docker security

Is Docker secure? To answer that question, we need to look at the entire Docker stack

How to think about Docker security
Håkan Dahlström (CC BY 2.0)

Is Docker secure? That’s the million-dollar question as more and more organizations migrate production workloads to containers.

But that’s a simplistic question, and there is not a yes or no answer. Instead of thinking in binary terms about Docker security (that is, trying to decide whether it is secure or not) it’s better to delve into the details of how Docker works in order to understand how the Docker security paradigm plays out.

So, let’s take a look at how Docker works and what that means for container security.

To answer the question whether Docker is secure, we’ll first take a look at the key parts of the Docker stack:

docker architecture Docker

There are two key parts to Docker: Docker Engine, which is the runtime, and Docker Hub, which is the official registry of Docker containers. It’s equally important to secure both parts of the system. And to do that, it takes an understanding of what they each consist of, which components need to be secured, and how. Let’s start with Docker Engine.

Docker Engine

Docker Engine hosts and runs containers from the container image file. It also manages networks and storage volumes. There are two key aspects to securing Docker Engine: namespaces and control groups.

Namespaces is a feature Docker inherits from the Linux kernel. Namespaces isolate containers from each other so that each process within a container has no visibility into a process running in a neighboring container.

Initially, Docker containers were run as root users by default, which was cause for a lot of concern. However, since v1.10, Docker supports namespaces, allowing you to run containers as non-root users. Namespaces are switched off by default in Docker, so need to be activated before you can use them.

Support for control groups, or cgroups, in Docker allows you to set limits for CPU, memory, networking, and block IO. By default containers can use an unlimited amount of system resources, so it’s important to set limits. Otherwise the entire system could be affected by a single hungry container.

Apart from namespaces and control groups, Docker Engine can be further hardened by the use of additional tools like SELinux and AppArmor.

SELinux provides access control for the kernel. It can manage access based on the type of process running in the container, or the level of the process, according to policies you set for the host. Based on this policy, it either enables or restricts access to the host.

AppArmor attaches a security profile to every process running on a host. The profile defines what resources a process can utilize. Docker applies a default profile to processes, but you can apply a custom profile as well.

Similar to AppArmor, Seccomp uses security profiles to restrict the number of calls a process can make. That rounds off the list of Linux-based kernel security features available in Docker Engine.

Docker Hub

While Docker Engine manages containers, it needs the other half of the Docker stack to pull container images from. That part is Docker Hub—the container registry where container images are stored and shared.

Container images can be created by anyone, and made publicly available for anyone to download. This is both a good thing and a bad thing. It’s good because it enables collaboration between developers, and makes it extremely easy to spin up an instance of an operating system or an app with just a few clicks. However, it could turn bad if you download a public container image that has a vulnerability.  

The rule of thumb is to always download official repositories, which are available for most common tools, and never download repositories from unknown authors. On top of this, each downloaded container image should be scanned for vulnerabilities.

For users of private repositories, Docker Hub will scan downloaded container images. It scans a few repositories for free, after which you need to pay for scanning as an add-on.

Docker Hub isn’t the only registry service for Docker containers. Other popular registries include Quay, AWS ECR, and GitLab Container Registry. These tools also have scanning capabilities of their own. Further, Docker Trusted Registry (DTR) can be installed behind your firewall for a fee.

Third-party security tools

While the above security features provide basic protection for Docker Engine and Docker Hub, they lack the power and reach of a dedicated container security tool. A tool like Twistlock can completely secure your Docker stack. It goes beyond any one part, and gives you a holistic view of your entire system.  

Docker is an intricate mesh of various moving and static parts. Clearly, plugging in any one of these security tools does not instantly make the entire stack secure. It will take a combination of these approaches to secure Docker at all levels.

So, next time someone asks you if Docker is secure, you should ask them which part of Docker they’re referring to. Then you can explain the various security considerations that affect that layer.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.