Application containers have emerged as a popular option for enterprises looking to accelerate the development and deployment of mobile and Web applications. Docker is currently the most popular option from a field that includes Microsoft's Drawbridge, Canonical's LXD and CoreOS Rocket. However, this virtualization technique for deploying and running applications, while good for saving computing resources, is not without its drawbacks. This tip takes a closer look at application containers from a security perspective, examines the pros and cons, and looks at the options available for enterprises.
The benefits of containerized applications
A container has its own virtual file system, process listing and network stack to provide an independent runtime environment for an application while avoiding the overhead of a full-fledged virtual machine. Containers share the OS kernel with each other and the underlying host, so they can run faster and offer management features that are difficult to accomplish with traditional virtualization. An application distributed in a container incorporates all the dependencies and configuration necessary for it to run, eliminating the need for end users to install additional packages or third-party resources. This makes it easier to harden and lock down an application, and improves portability across machines. It also decreases the number of components that need to be patched with security updates, with no danger of updates adversely affecting other applications.
There are various ways application containers can be hardened. Where appropriate, developers should restrict the ability of an application to modify files by deploying containers with a read-only file system. Using the "--cap-add" and "--cap-drop" flags can restrict the Linux capabilities granted to a particular application container. Docker is now compatible with seccomp (secure computing mode), which can block selected system calls from container processes. Containers also make it easier to isolate or segregate applications running directly on the same host, as an application running in one container only has access to the ports and files explicitly exposed by other containers. Deploying application containers in conjunction with virtual machines allows a group of services to be isolated from each other in containers and then grouped together inside a single virtual machine.
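The following script is an added example, not code from the article or from Docker, showing how the three controls just described come together on one command line: a read-only root file system, capabilities dropped with "--cap-drop"/"--cap-add", and a seccomp profile that denies every system call except an allow-list. It also runs the process as a non-root UID, which goes one step beyond the flags named above. The image name, port, UID and syscall list are constructed for illustration; every flag is a real Docker CLI option.

```shell
#!/bin/sh
# Added example, not code from the original article: assemble a hardened
# `docker run` invocation that applies a read-only rootfs, a reduced
# capability set and a seccomp profile, plus a non-root UID. Image name,
# port, UID and syscall allow-list are constructed for illustration.
set -eu

# Write a minimal seccomp profile in Docker's JSON format: deny every
# syscall by default (SCMP_ACT_ERRNO returns an error to the caller) and
# allow only the listed ones. A real service needs an allow-list derived
# from observing its own workload, not this constructed one.
write_seccomp_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "openat", "close", "fstat", "mmap",
                "munmap", "brk", "exit_group", "rt_sigaction",
                "rt_sigprocmask", "socket", "bind", "listen", "accept4",
                "epoll_create1", "epoll_ctl", "epoll_wait", "futex"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# profile_allows PROFILE SYSCALL: exit 0 if SYSCALL is on the allow-list,
# exit 1 if it falls through to the default deny action.
profile_allows() {
  grep -q "\"$2\"" "$1"
}

# The unhardened baseline: writable rootfs, Docker's default capability
# set, Docker's default seccomp profile, root inside the container.
default_run_cmd() {
  echo "docker run -d -p 8080:80 $1"
}

# hardened_run_cmd IMAGE PROFILE: the same service with the controls
# applied. --tmpfs gives the app a writable /tmp that cannot hold
# executables or setuid files; NET_BIND_SERVICE is the only capability
# kept (usable by a non-root user only if the binary carries that file
# capability, otherwise listen on an unprivileged port instead).
hardened_run_cmd() {
  echo "docker run -d -p 8080:80" \
    "--read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m" \
    "--cap-drop=ALL --cap-add=NET_BIND_SERVICE" \
    "--security-opt no-new-privileges --security-opt seccomp=$2" \
    "--user 10001:10001 $1"
}

PROFILE="$(mktemp)"
trap 'rm -f "$PROFILE"' EXIT
write_seccomp_profile "$PROFILE"
echo "# before:"; default_run_cmd example/web:1.0
echo "# after:";  hardened_run_cmd example/web:1.0 "$PROFILE"
```

The script only prints the two command lines so it can be reviewed before anything is launched; the "after" line is what goes into the deployment. The allow-list is deliberately small so that a syscall the application does not need (ptrace, mount, and so on) fails with an error rather than reaching the shared kernel.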
Security concerns for containerized applications
Container-based isolation, however, is not as strong as that of real virtual machines, which run independent OS instances on top of a hypervisor without sharing the kernel with the underlying OS. Therefore, applications with different security profiles should not be run in containers on the same host, as processes within the container can talk directly to the host kernel.
Containers use Linux namespaces to provide the isolated workspace for each application. However, it is difficult to implement user ID isolation, so a process running in a container with UID 1000 will also have the privileges of UID 1000 on the underlying host. This introduces risks, particularly when a process in a container is running with the root UID of 0, as it will have root-level privileges on the underlying host. The good news is that Docker version 1.10 introduces user namespaces, which allow custom UID mappings to be provided per container. This is cutting-edge technology, and it should hopefully plug a gap in container security.
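To make the UID problem concrete, here is an added example (not code from the article or from Docker) that applies the same arithmetic the kernel uses for /proc/<pid>/uid_map entries, whose lines read "inside-start outside-start count". With the identity map that containers get by default, container UID 0 is host UID 0; with a remapped range it lands on an unprivileged host UID. The two maps, the /etc/subuid entry and the daemon.json fragment are constructed for illustration, so the effect can be seen without a Docker host.

```shell
#!/bin/sh
# Added example, not code from the original article: resolve a container
# UID to the host UID it really runs as, using the kernel's uid_map
# arithmetic on constructed maps, to show what user-namespace remapping
# changes.
set -eu

# Without user namespaces every container shares the host's identity map,
# so container UID N is host UID N and container root is host root.
IDENTITY_MAP="0 0 4294967295"

# With userns-remap (Docker 1.10+) the daemon takes a subordinate range
# from /etc/subuid, e.g. the constructed entry "dockremap:100000:65536",
# giving containers this map: UID 0..65535 inside becomes 100000..165535
# outside. Multi-line maps are supported, one range per line.
REMAPPED_MAP="0 100000 65536"

# map_uid MAP CONTAINER_UID: print the host UID, or 65534 (the kernel's
# overflow UID, "nobody") when no line of MAP covers CONTAINER_UID.
map_uid() {
  host=$(printf '%s\n' "$1" | while read -r inside outside count; do
    if [ -z "$inside" ]; then continue; fi
    if [ "$2" -ge "$inside" ] && [ "$2" -lt $((inside + count)) ]; then
      echo $((outside + $2 - inside))
      break
    fi
  done)
  if [ -n "$host" ]; then echo "$host"; else echo 65534; fi
}

# is_host_root MAP CONTAINER_UID: exit 0 when the mapped host UID is 0,
# i.e. compromising that process means compromising the host.
is_host_root() {
  [ "$(map_uid "$1" "$2")" -eq 0 ]
}

# Daemon configuration that turns remapping on (constructed fragment for
# /etc/docker/daemon.json; needs a daemon restart and matching
# /etc/subuid and /etc/subgid entries for the "dockremap" user).
daemon_json_userns() {
  printf '{\n  "userns-remap": "default"\n}\n'
}

for uid in 0 1000 70000; do
  printf 'container uid %-6s -> host uid %-7s (identity) / %-7s (remapped)\n' \
    "$uid" "$(map_uid "$IDENTITY_MAP" "$uid")" "$(map_uid "$REMAPPED_MAP" "$uid")"
done
```

The third row (UID 70000) shows the other side of remapping: a UID outside the allocated range is not a host user at all but collapses to the overflow UID, which is why the subordinate range must be large enough for every UID the image uses.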
As with any new technology, developers and system administrators need to familiarize themselves fully with the security issues and best practices before deploying application containers on production systems. Docker, for example, provides several tools and documentation to help enterprises secure their containerized applications. The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production, while the CIS Docker 1.6 Benchmark document, from the CIS Security Benchmarks program, provides prescriptive guidance for establishing a secure configuration posture for Docker version 1.6. The Docker Security section of the website provides plenty of additional advice; it is all essential reading for anyone planning to develop, deploy or secure containerized applications that incorporate Docker technology. Container technology is evolving rapidly, and those using it should subscribe to the appropriate mailing lists to stay abreast of new threats, mitigations and best practices.