
The concept put forward by Docker and LXC seems to be, from a security perspective, a move in the right direction. Afraid of a MySQL zero-day? Run it in a Docker container and it won't be able to cause damage to the host operating system.

However, it's definitely not a silver bullet. What needs to be done to secure Docker and LXC containers? What are the attack models, and how can they be secured and mitigated?

Rory McCune
Naftuli Kay

3 Answers


Docker and LXC are a great concept; isolate potentially vulnerable applications from the rest of the system to limit the damage they can do if something does go wrong.

They are not silver bullets, mostly due to limitations in the design of Linux itself, i.e. root is root, even inside a chroot: http://www.bpfh.net/simes/computing/chroot-break.html

There are ways of plugging the holes that LXC and Docker don't yet cover. The most popular way is to use them in conjunction with mandatory access controls such as SELinux: http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/

user2675345
  • root user that drops capabilities has less privileges than a "normal" root user. – Matrix Apr 02 '14 at 06:31
  • Yes that is common practice however if a malicious application manages to gain root privileges, through a bug for example, then LXC or docker in their current state will not be able to contain it because root is root. Explore the link in my answer to learn more. – user2675345 Apr 02 '14 at 11:03
  • How would a successfully exploited web application running as a Docker container escalate privileges using a kernel exploit if the container is restricted with SELinux? You'd need to write the file containing exploit code, make it executable, then execute it and hope it works. And even then, you're still limited by cgroups, namespaces, etc. – Matrix Apr 02 '14 at 17:08
  • 2
    Using [LXC unprivileged containers](https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/), the root user is not root anymore: from the host system point of view he just has the same privileges as the container owner (ie. a end-user account), no more. – WhiteWinterWolf Aug 17 '15 at 09:16

Really the same way you secure anything else. LXC doesn't add anything new to the equation, it's just using cgroups to add more isolation between tasks. And Docker is just LXC automated.

Secure your server as you always secure your server. Process isolation, privileges only as necessary, keep software up to date, log management, monitoring ... everything you've already heard.

tylerl
  • So I should basically follow the same rules: don't run anything as root, access control with AppArmor/SELinux, iptables rules to prevent processes from attaching things they won't need, etc. If a process gains root in a container, can they attack the host OS? (I mean, can they do damage that I can't undo by simply burninating the container?) – Naftuli Kay Apr 01 '14 at 18:37
  • If you log manage, are you going to put it in the same cloud as the hosting provider? – munchkin Aug 17 '15 at 08:46
  • @munchkin perhaps. And perhaps not. Depends on your risk profile, cost sensitivity, and other factors. The solution that is appropriate for you is not necessarily appropriate for everyone else. – tylerl Aug 17 '15 at 19:29

The fact is that Docker containers by default are really secure, especially if you run processes as "non-privileged" users inside the container. To add an extra layer of safety you can enable AppArmor, SELinux, GRSEC, or other hardening systems. https://www.emspace.com.au/hardening-docker-containers/
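The hardening steps the answers and comments above keep returning to (run the process as a non-root user, drop capabilities, never use --privileged, keep AppArmor/SELinux confinement on, use user-namespace remapping so that container root is not host root, and don't mount things that hand the host back) can be checked mechanically against the JSON that `docker inspect <container>` emits. The following audit script is an added example, not code from the thread or from Docker; the two records it checks are constructed here to follow the `docker inspect` field names (`Config.User`, `HostConfig.CapAdd`, `HostConfig.SecurityOpt`, `AppArmorProfile`, `HostConfig.UsernsMode`, `HostConfig.Binds`, `HostConfig.ReadonlyRootfs`) rather than captured from a real host, and the list of "dangerous" capabilities is an assumed starting point to tune per workload.

```python
"""Audit a `docker inspect` record for the container-hardening steps the
thread recommends.  Added example; the records below are constructed to
follow the field names `docker inspect` emits, not captured from a host."""
import json

# Capabilities that give a root process inside the container a route to the
# host (mounting, module loading, ptrace, raw I/O, reboot).  Assumed list
# chosen for this example; tune it for your workloads.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "SYS_BOOT", "DAC_READ_SEARCH", "NET_ADMIN"}
DOCKER_SOCKET = "/var/run/docker.sock"


def _cap(name):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(record):
    """Return a list of (check_id, message) findings; [] means all checks passed."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []

    # 1. Process identity: an empty Config.User means uid 0 in the container.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append(("root-user", "process runs as root inside the container; "
                         "set USER in the Dockerfile or pass --user"))

    # 2. --privileged hands over every capability and every host device.
    if host.get("Privileged"):
        findings.append(("privileged", "--privileged is set; remove it"))

    # 3. Capabilities: drop the default set, add back only what is needed.
    cap_add = {_cap(c) for c in (host.get("CapAdd") or [])}
    cap_drop = {_cap(c) for c in (host.get("CapDrop") or [])}
    if "ALL" not in cap_drop:
        findings.append(("cap-drop", "default capability set kept; use "
                         "--cap-drop=ALL and --cap-add only what the process needs"))
    risky = sorted(cap_add & DANGEROUS_CAPS)
    if risky:
        findings.append(("cap-add", "host-reaching capabilities added: " + ", ".join(risky)))

    # 4. Mandatory access control (AppArmor/SELinux) must not be switched off,
    #    and setuid binaries should not be able to regain privileges.
    sec_opts = host.get("SecurityOpt") or []
    if (record.get("AppArmorProfile") == "unconfined"
            or "apparmor=unconfined" in sec_opts
            or "label=disable" in sec_opts or "label:disable" in sec_opts):
        findings.append(("mac-disabled", "AppArmor/SELinux confinement is disabled"))
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in sec_opts):
        findings.append(("no-new-privileges", "pass --security-opt no-new-privileges"))

    # 5. With userns-remap enabled on the daemon, --userns=host opts this
    #    container back into real host root.
    if host.get("UsernsMode") == "host":
        findings.append(("userns-host", "--userns=host: container root is host root"))

    # 6. Mounts that make isolation moot, and a writable root filesystem that
    #    lets an intruder stage tools.
    if any(b.split(":")[0] == DOCKER_SOCKET for b in host.get("Binds") or []):
        findings.append(("docker-sock", "Docker socket mounted: that is root on the host"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("writable-rootfs", "root filesystem is writable; consider "
                         "--read-only plus tmpfs for scratch paths"))
    return findings


# Constructed records (not real hosts): a database container started with
# defaults plus a few convenience flags, and the same service hardened.
WEAK_RECORD = json.loads("""{
  "AppArmorProfile": "unconfined",
  "Config": {"Image": "mysql", "User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                 "SecurityOpt": ["apparmor=unconfined"], "UsernsMode": "host",
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                 "ReadonlyRootfs": false}}""")

HARDENED_RECORD = json.loads("""{
  "AppArmorProfile": "mysql-hardened",
  "Config": {"Image": "mysql", "User": "999:999"},
  "HostConfig": {"Privileged": false, "CapAdd": [], "CapDrop": ["ALL"],
                 "SecurityOpt": ["no-new-privileges", "apparmor=mysql-hardened"],
                 "UsernsMode": "", "Binds": ["/srv/mysql:/var/lib/mysql"],
                 "ReadonlyRootfs": true}}""")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{label}: {len(audit_container(rec))} finding(s)")
        for check, msg in audit_container(rec):
            print(f"  [{check}] {msg}")
```

To run it against a live container, feed it `docker inspect <name>` (the command prints a one-element list, so pass `json.load(sys.stdin)[0]`). The checks are deliberately independent: a container can pass the user check and still fail on capabilities, which is exactly the "root that drops capabilities" situation debated in the first answer's comments, and a daemon without userns-remap will show `UsernsMode` empty while still running container root as host root, so the user-namespace check only catches explicit opt-outs, not the absence of remapping.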