… containers can’t isolate me
- Never run containers as root (use unprivileged accounts such as nobody:nogroup)
- Don’t setuid
- Use SELinux
- Limit capabilities (e.g. if you need to bind to a port <1024 allow it, but drop everything else)
- Block system calls using seccomp
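The five points above map onto concrete `docker run` flags and a seccomp profile. The script below is an added example, not code from the original post: it prints the hardened argument list for an image (unprivileged UID, read-only root, `no-new-privileges` so setuid binaries cannot escalate, all capabilities dropped and only `NET_BIND_SERVICE` re-added when a port below 1024 is needed, an SELinux type label when one is supplied, and a seccomp allow-list). The image name `example/web:1.0`, the profile path, the `SELINUX_TYPE` variable and the syscall list in the profile are assumptions; the syscall list in particular is only a skeleton to be replaced with one derived from tracing the real workload.

```shell
#!/bin/sh
# Added example: turn the hardening checklist into docker CLI arguments
# plus a minimal seccomp allow-list. Names and paths are placeholders.

# Print one `docker run` argument per line for a hardened container.
#   $1 image, $2 (optional) low port the service must bind, e.g. 80
hardened_run_args() {
  image=$1
  low_port=${2:-}
  # nobody:nogroup is 65534:65534 on Debian-based images (assumed here)
  set -- --user 65534:65534 \
         --read-only \
         --security-opt no-new-privileges \
         --security-opt "seccomp=${SECCOMP_PROFILE:-./seccomp-minimal.json}" \
         --cap-drop=ALL
  # Grant only the single capability that binding a port <1024 requires
  if [ -n "$low_port" ] && [ "$low_port" -lt 1024 ]; then
    set -- "$@" --cap-add=NET_BIND_SERVICE
  fi
  # SELinux: confine the container to a specific type label if one is given
  if [ -n "${SELINUX_TYPE:-}" ]; then
    set -- "$@" --security-opt "label=type:${SELINUX_TYPE}"
  fi
  printf '%s\n' "$@" "$image"
}

# Write a seccomp profile to $1 that denies every syscall not listed
# (EPERM via SCMP_ACT_ERRNO). The list is illustrative for a small network
# daemon; derive the real one by tracing the workload before shipping.
write_seccomp_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "openat", "close", "fstat", "mmap", "mprotect",
                "munmap", "brk", "rt_sigaction", "rt_sigprocmask", "exit_group",
                "socket", "bind", "listen", "accept4", "setsockopt",
                "epoll_create1", "epoll_ctl", "epoll_wait", "futex",
                "clock_gettime", "getrandom", "arch_prctl", "set_tid_address"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# Extract the defaultAction from a profile so it can be checked before use.
profile_default_action() {
  sed -n 's/.*"defaultAction": *"\([^"]*\)".*/\1/p' "$1"
}

# Usage: sh harden.sh demo
demo() {
  write_seccomp_profile ./seccomp-minimal.json
  echo "docker run $(hardened_run_args example/web:1.0 80 | tr '\n' ' ')"
}

case "${1:-}" in demo) demo ;; esac
```

Running `sh harden.sh demo` writes the profile and prints the full command; the point of keeping the argument builder separate is that the same hardened baseline can be reviewed in one place instead of being copied by hand into every service's start script.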
Docker is a fantastic tool to help in your deployment automation and certainly has its place in testing. But in practice it is a security nightmare for your live production systems: the additional complexity of securing Docker with the tips above outweighs its benefits. It is foolish to think that containers on top of a shared kernel give you actual separation.
To paraphrase Theo de Raadt:
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.”
EDIT 27/05/2015: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities (source). Shellshock, Heartbleed, POODLE, Logjam, etc. Docker Hub is your petri dish of choice for malware!
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.