Forgot your password?
typodupeerror
Cloud Open Source Red Hat Software Security Virtualization

Bringing New Security Features To Docker 29

Posted by timothy
from the password-is-stevedore dept.
Czech37 writes SELinux lead Dan Walsh wrote last month that Docker "containers do not contain" and that the host system isn't completely protected. Today, Walsh details the steps that Docker, Red Hat, and the open source community are taking to make Docker more secure: "Basically, we want to put in as many security barriers to break out as possible. If a privileged process can break out of one containment tool, we want to block them with the next. With Docker, we are want to take advantage of as many security components of Linux as possible. If "Docker" isn't a familiar word, the project's website is informative; the very short version is that it's a Linux-based "open platform for developers and sysadmins to build, ship, and run distributed applications"; Wikipedia has a good explanation, too.
This discussion has been archived. No new comments can be posted.

Bringing New Security Features To Docker

Comments Filter:
  • by Chrisq (894406) on Wednesday September 03, 2014 @10:00AM (#47816721)

    "Basically, we want to put in as many security barriers to break out as possible. If a privileged process can break out of one containment tool, we want to block them with the next. With Docker, we are want to take advantage of as many security components of Linux as possible.

    Take this to the ultimate conclusion and you have just reinvented virtualisation.

    • by mlts (1038732) on Wednesday September 03, 2014 @10:06AM (#47816799)

      Or something close to the BSD jail() command.

      What would be close to ideal would be something like jail() except that the jailed program would get its own loopback filesystem. This way, if a malicious task does things like make a lot of files in effort to consume all free inodes or create a directory link so deep rm() can't unlink it, the damage just affects that partition, and nothing else. I've found malware that did that in Windows, so when I use sandboxes, they go to their own dedicated volume that can be easily reformatted.

      • by Liquid-Gecka (319494) on Wednesday September 03, 2014 @01:21PM (#47818709)

        This is basically the approach that most container systems use. A scratch space is mounted on top of the various container objects that is a partition on LVM. Interacting with the file system will only impact your locally allocated space.

        Docker may be like jail() in a way, but true linux cgroups/namespaces are far more powerful. For one, they can be set on individual processes (including threads). So you can create a thread which has a different view of the filesystem than say the main thread. Sure, the attack vector exists to share information between them but now you can basically make one more hop for an attacker. You can make threads which have no network access, or make a thread which has no access to the process list on a system.

        So picture using this with a web browser. You can make that crappy module run in a process which has no network access, a root file system that is empty (/var/empty or some such) and can not see any of the other processes on the system. Its only access to the outside world is through a SOCKS proxy passed in as a file descriptor. Even better this can be done with minimal system calls and no setup from the end user so you don't need any of the real infrastructure that jails require. Just recently they added user namespaces as well so uid "0" in a namespace isn't uid 0 on the host OS.

        I love that you can harden a web server by having all the threads accept a "resolver" thread have no network access, and have all the threads except a logging thread have no file system access (or limited file system access), while also limiting the resolver thread to say 50M of memory, the main processing thread to 80% CPU and 12G of memory, and the logging thread to 10% CPU and 10k file system operations per second.. etc.

        The per thread aspect of the whole setup is way cool, but the zero administrative overhead for a large chunk of it is even cooler. =)

    • by jbolden (176878)

      Absolutely right and well said. Docker is about deploying tons of trusted containers on a server. It doesn't have a security layer. If you want fewer less secure containers you want virtualization.

    • by gmuslera (3436)

      The idea of containers is that full virtualization requires too much resources. Put your apps in its own filesystem/network/users/processes/memory/etc in an efficient way (adding cow/union fs to the mix is one of the big advantages of docker) and you are running at basically native speed, using very little extra disk (i.e. 2 vms running ubuntu have the full copy of ubuntu each, even deduplication don't match the saving you do with different containers sharing the same base), and memory (just one kernel load

    • by Rich0 (548339)

      Not necessarily. The point of containers is to do this stuff in the kernel so that your box doesn't have to run 10 kernels, with 10 sets of disk caches, and 10 sets of extra ram so that the OOM killer doesn't get triggered 3 times per day, etc. You can get rid of a lot of overhead with containers, and allow resource allocation to be much more dynamic.

      However, the problem is that the security isn't 100% there. It is fine for hosting 10 of your own services in containers when you could otherwise safely run

      • by Lennie (16154)

        I think you meant to say: the point of Linux containers is...

        Because many providers of VPS you mentioned at the end are still selling OpenVZ containers (of which a lot of code is already upstream in the mainline Linux kernel).

  • by Anonymous Coward

    FreeBSD's jails have been around for about 15 years, and Solaris' zones about 10. Why the hell didn't the LXC folks just not copy what already worked?

    * https://en.wikipedia.org/wiki/FreeBSD_jail
    * https://en.wikipedia.org/wiki/Solaris_Containers
    * https://en.wikipedia.org/wiki/Operating_system%E2%80%93level_virtualization

    • by gmuslera (3436)

      You forgot to name OpenVZ [openvz.org] too, that is older than Solaris Zones. And Docker is originally based on LXC, that have several years. But is more than just containers, the layered copy-on-write union filesystem have a lot of practical advantages, the git-like repository for images redefines app packaging and the simple api is flexible enough to spawn a lot of projects that improved the ecosystem a lot in the last year.

    • by McKing (1017)

      When I was a sysadmin in our Unix team, I loved zones and championed them throughout our organization. In the span of a year, we migrated from scores of older, slower Sun systems into a blade chassis with 10 blades, each running Solaris 10 with up to two dozen zones each. Our big Oracle database used to run on a Sun E10000 system that was literally the size of full rack, and we moved it onto a zone on a T2 blade and gained a ton of performance. We even finally had a real DR solution, since the old solution

  • Docker is just a way of starting processes on top of a union file system, with some simple capabilities management. You can wrap whatever other security features you want around it. Frankly, SELinux wouldn't be my first choice, both because of where it comes from and because I don't like the way it works, but, hey, whatever floats your boat.

    As far as SELinux and AppArmor are concerned, what I'd really like to see is being able to install Ubuntu without either package installed. Right now, I seem to be prett

As in certain cults it is possible to kill a process if you know its true name. -- Ken Thompson and Dennis M. Ritchie

Working...