Some thoughts about Docker security concerns
Since 2014, container adoption has grown rapidly in IT, and especially in DevOps.
The benefits are undeniable: flexibility and faster go-live times, small deployment images, task-specific and reproducible containers.
However, when a container platform is used for development or IT operations, security must be considered as well.
Below I try to explain five things that need to be kept in mind when using Docker for your mission-critical applications:
Denial-of-service attacks
All containers on a host share the same kernel and its resources.
So, if one container can monopolize host resources (CPU, memory, process IDs, disk I/O), it can starve the other containers on the host, resulting in a denial of service. Docker can bound each container with cgroup limits (for example the --memory, --cpus and --pids-limit options of docker run), but none of them is applied by default.
Compromising secrets
When a container accesses a database or a service, it will likely require a secret, such as an API key or a username and password. An attacker who can get access to this secret will also have access to the service. Secrets baked into the image (an ENV instruction in the Dockerfile, a file copied into a layer) or passed as environment variables are easy to recover with docker history or docker inspect, so they should be mounted at runtime and kept out of image layers and the process environment.
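The following snippet is an added example, not code from the original post. It reads secrets from files mounted at runtime (the layout used by docker secret and Compose secrets:, one file per secret under /run/secrets, plus the <NAME>_FILE convention many official images follow) and refuses a secret that only exists as an environment variable or that sits in a group/world-readable file. The directory and values in demo() are constructed.

```python
# Added example (not from the original post): runtime secret loading for a
# containerised application. Assumes Docker's /run/secrets layout and the
# <NAME>_FILE convention; demo() builds a constructed secrets directory.
import os
import stat
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # where Docker mounts secrets by default


class SecretError(RuntimeError):
    """A secret is missing, or exposed in a way the caller should not accept."""


def load_secret(name, secrets_dir=SECRETS_DIR, env=None, allow_env=False):
    """Return the value of secret `name` (e.g. "DB_PASSWORD").

    Lookup order: the file named by $<NAME>_FILE, then <secrets_dir>/<name lower-cased>.
    A plain $<NAME> variable is refused unless allow_env=True: environment variables
    show up in `docker inspect`, /proc/<pid>/environ and crash dumps, and are
    inherited by every child process.
    """
    env = os.environ if env is None else env
    candidates = []
    if env.get(f"{name}_FILE"):
        candidates.append(Path(env[f"{name}_FILE"]))
    candidates.append(Path(secrets_dir) / name.lower())
    for path in candidates:
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if os.name == "posix" and mode & 0o077:
            # group/world readable: refuse rather than silently use a leaked secret
            raise SecretError(f"{path} has mode {mode:o}; expected owner-only access")
        return path.read_text(encoding="utf-8").rstrip("\n")
    if name in env:
        if allow_env:
            return env[name]
        raise SecretError(f"{name} is passed in the environment; mount it as a file instead")
    raise SecretError(f"secret {name} not found")


def demo():
    """Constructed scenario: one properly mounted secret, one world-readable file,
    one secret that only exists in the environment."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        (secrets_dir / "db_password").write_text("s3cr3t-from-file\n", encoding="utf-8")
        (secrets_dir / "db_password").chmod(0o600)
        (secrets_dir / "shared").write_text("world-readable\n", encoding="utf-8")
        (secrets_dir / "shared").chmod(0o644)
        fake_env = {"API_KEY": "leaked-via-env"}  # constructed environment, not os.environ
        results = {"from_file": load_secret("DB_PASSWORD", secrets_dir, fake_env)}
        for key in ("API_KEY", "SHARED"):
            try:
                load_secret(key, secrets_dir, fake_env)
                results[key] = "accepted"
            except SecretError as exc:
                results[key] = f"refused: {exc}"
        results["API_KEY_if_allowed"] = load_secret("API_KEY", secrets_dir, fake_env, allow_env=True)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow_env switch exists only for migration: once every secret is delivered as a file, leave it off so a misconfigured deployment fails loudly instead of quietly reading a value that docker inspect would expose.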
Kernel exploits
In a containerized architecture, the kernel is shared among all containers and the host: if a container triggers a kernel panic, it takes down the whole host, and a container that can exploit a kernel vulnerability can escape its isolation entirely. Reducing the part of the kernel a container can reach (dropping capabilities it does not need, keeping the seccomp profile that filters system calls, never running it --privileged) limits this risk.
Container breakouts
By default, an attacker who gains access to a container should not be able to gain access to other containers or the host.
However, unless user namespaces are enabled (the userns-remap option of the Docker daemon), users are not namespaced, so any process that breaks out of the container will have the same privileges on the host as it had in the container: if you were root in the container, you will be root on the host. Running the application as an unprivileged user (USER in the Dockerfile) keeps a breakout from landing as root in the first place.
Compromising images
If an attacker can trick you into running his image, both the host and your data are at risk. Similarly, you need to be sure that the images you are running are up to date and do not contain versions of software with known vulnerabilities. Pulling by tag alone is not enough: a tag can be re-pointed at a different image at any time, so pin base images to their content digest and, where the registry supports it, verify signatures with Docker Content Trust.
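As an added example (not from the original post), the script below checks every FROM line of a Dockerfile for the image problems just described: a base image that is not pinned to a content digest, that uses a floating tag, or that is pulled from a registry outside an allow-list. The Dockerfile text, the allow-list and the placeholder digest are constructed, and the check complements rather than replaces signature verification with Docker Content Trust (DOCKER_CONTENT_TRUST=1).

```python
# Added example (not from the original post): base-image pinning check for a
# Dockerfile. SAMPLE_DOCKERFILE, TRUSTED and PLACEHOLDER_DIGEST are constructed.
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def parse_image_ref(ref):
    """Split registry/repository:tag@digest, filling in the Docker Hub defaults."""
    name, _, digest = ref.partition("@")
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest  # explicit registry host (possibly with port)
    else:
        registry, path = "docker.io", name
    if "/" not in path:
        path = "library/" + path  # official images live under library/
    repo, sep, tag = path.rpartition(":")
    if not sep:
        repo, tag = path, None
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest or None}


def check_image_ref(ref, trusted_registries):
    img = parse_image_ref(ref)
    problems = []
    if img["digest"] is None:
        problems.append("not pinned to a digest: the tag can be re-pointed at a different image")
    elif not DIGEST_RE.match(img["digest"]):
        problems.append(f"malformed digest {img['digest']!r}")
    if img["tag"] in (None, "latest"):
        problems.append("floating tag (none or latest): unclear which version is deployed")
    if img["registry"] not in trusted_registries:
        problems.append(f"registry {img['registry']} is not on the allow-list")
    return problems


def check_dockerfile(text, trusted_registries):
    """Return [(line_number, image_ref, [problems])] for every FROM that pulls an image."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref == "scratch" or ref.lower() in stages:
            continue  # empty base, or a reference to an earlier build stage: nothing is pulled
        findings.append((n, ref, check_image_ref(ref, trusted_registries)))
    return findings


PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed, not a real image digest
SAMPLE_DOCKERFILE = "\n".join([  # constructed multi-stage Dockerfile
    "FROM golang:1.17 AS builder",
    f"FROM registry.example.internal:5000/base/alpine:3.15@{PLACEHOLDER_DIGEST}",
    "FROM ubuntu",
    "FROM node:16@sha256:deadbeef",
    "FROM quay.io/example/app:1.0",
    "FROM builder",
])
TRUSTED = {"docker.io", "registry.example.internal:5000"}


def demo():
    return check_dockerfile(SAMPLE_DOCKERFILE, TRUSTED)


if __name__ == "__main__":
    for line_no, ref, problems in demo():
        print(f"line {line_no}: {ref}", "OK" if not problems else "")
        for p in problems:
            print(f"  - {p}")
```

Run it as a pre-build step; it parses image references the same way for docker-compose.yml image: fields if you feed those through check_image_ref.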
How can I make a security assessment of my dockerized applications?
Clair is an interesting project for static analysis of vulnerabilities in application containers. It ingests vulnerability metadata from a configured set of sources (the distributions' security trackers) and stores it in its database.
During deployment, clients use the Clair API to index their container images: Clair extracts the list of features (installed packages) present in each layer and stores them in the database.
Clients then use the Clair API to query the database for the vulnerabilities of a particular image: correlating vulnerabilities and features is done for each request, avoiding the need to rescan images when the vulnerability data changes.
Finally, when updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.
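A minimal client for that workflow, as an added example that is not code from the Clair project or from the original post. It follows the Clair v1 REST API (POST /v1/layers to index each layer with its parent, then GET /v1/layers/{name}?features&vulnerabilities on the top layer); check it against the Clair version you deploy. The Clair URL, the layer store URL and the sample response are constructed (the CVE-0000-* identifiers are placeholders, not real advisories), and the HTTP helpers are not exercised by the demo.

```python
# Added example (not from the Clair project or the original post): submit an
# image's layers to Clair, read back the vulnerability report, gate a deploy.
# Assumes the Clair v1 API; SAMPLE_REPORT and all URLs are constructed.
import json
import urllib.request

SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def _rank(severity):
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def layer_requests(layer_names, tar_url_for, auth_headers=None):
    """One POST /v1/layers body per layer, base first; ParentName chains them so
    Clair sees each layer on top of the filesystem below it."""
    bodies, parent = [], None
    for name in layer_names:
        layer = {"Name": name, "Path": tar_url_for(name), "Format": "Docker"}
        if parent:
            layer["ParentName"] = parent
        if auth_headers:
            layer["Headers"] = dict(auth_headers)  # e.g. a registry token Clair needs to fetch the tar
        bodies.append({"Layer": layer})
        parent = name
    return bodies


def submit_layers(clair_url, bodies):
    """POST each body in order (network call; not run by the demo)."""
    for body in bodies:
        req = urllib.request.Request(f"{clair_url}/v1/layers", data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            if resp.status not in (200, 201):
                raise RuntimeError(f"layer {body['Layer']['Name']} rejected: HTTP {resp.status}")


def fetch_layer_report(clair_url, layer_name):
    """GET the top layer with its features and vulnerabilities (network call; not run by the demo)."""
    with urllib.request.urlopen(f"{clair_url}/v1/layers/{layer_name}?features&vulnerabilities") as resp:
        return json.load(resp)


def summarize(report, fail_at="High", fixable_only=True):
    """Flatten a layer report into findings and decide whether the image may ship.

    With fixable_only=True an unfixed issue is reported but does not block; otherwise a
    vulnerability with no upstream fix would stop every deployment indefinitely."""
    if "Error" in report:
        raise RuntimeError(report["Error"].get("Message", "Clair returned an error"))
    counts, findings, blocking = {}, [], []
    for feature in report.get("Layer", {}).get("Features") or []:
        for vuln in feature.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "Unknown")
            counts[sev] = counts.get(sev, 0) + 1
            item = {"cve": vuln["Name"], "package": f"{feature['Name']} {feature['Version']}",
                    "severity": sev, "fixed_by": vuln.get("FixedBy") or None}
            findings.append(item)
            if _rank(sev) >= _rank(fail_at) and (item["fixed_by"] or not fixable_only):
                blocking.append(item)
    return {"counts": counts, "findings": findings, "blocking": blocking, "passed": not blocking}


SAMPLE_REPORT = {  # constructed response in the v1 shape; CVE-0000-* are placeholders
    "Layer": {"Name": "top-layer", "NamespaceName": "debian:8", "IndexedByVersion": 1, "Features": [
        {"Name": "libexample", "NamespaceName": "debian:8", "Version": "1.0-1", "Vulnerabilities": [
            {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.0-2",
             "Link": "https://tracker.example/CVE-0000-0001"},
            {"Name": "CVE-0000-0002", "Severity": "Critical", "FixedBy": ""}]},
        {"Name": "libother", "NamespaceName": "debian:8", "Version": "2.3-4", "Vulnerabilities": [
            {"Name": "CVE-0000-0003", "Severity": "Low", "FixedBy": "2.3-5"}]}]}}


def demo():
    """Build the submission bodies for a three-layer image and gate on the sample report."""
    bodies = layer_requests(["base-layer", "mid-layer", "top-layer"],
                            lambda n: f"https://layers.example/{n}.tar")  # constructed store URL
    return bodies, summarize(SAMPLE_REPORT)


if __name__ == "__main__":
    bodies, result = demo()
    print(json.dumps(bodies[-1]))
    print("passed" if result["passed"] else "blocked:", [b["cve"] for b in result["blocking"]])
```

Because Clair correlates on every query, the same GET against the top layer after a vulnerability feed update returns the new findings without re-submitting the layers; a CI job can therefore re-run summarize() on a schedule, or react to Clair's notifications, to catch issues in images that were clean when built.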
Below is a video of the presentation of the project given by Joey Schorr and Quentin Machu at ContainerDays Boston 2016:
https://www.youtube.com/watch?v=Kri67PtPv6s
...and here are the slides: https://docs.google.com/presentation/d/1ExQGZs-pQ56TpW_ifcUl2l_ml87fpCMY6-wdug87OFU/pub?start=false&loop=false&slide=id.g1409a6907c_2_7
For more information about the project, please refer to the official GitHub repository: https://github.com/coreos/clair
References
- https://www.oreilly.com/learning/clair-clarity-with-container-security-scanning
- https://github.com/coreos/clair