Container Security with Docker

Introduction:

Enterprises are adopting Agile methodologies to ship software faster, and containerization has become the standard way to package that software. Docker bundles an application together with its dependencies so that it can be deployed in any environment, and it gives a containerized application a degree of isolation from the host and from other containers.

Some key points when adopting Docker are:

  1. Docker isolates applications from each other.
  2. Docker isolates applications from the host.
  3. Docker restricts the capabilities a containerized process holds, which limits what a compromised application can do.
  4. Applying least privilege (only the capabilities, system calls, mounts and resources an application actually needs) is what makes Docker in production more secure; the defaults are a starting point, not the finished configuration.

Container Security with Docker

The isolation features come from the Linux kernel. The Docker Engine applies Linux security best practices (namespaces, cgroups, seccomp filtering and capability dropping) and makes them available to the end user with sensible defaults.

Namespaces:

Docker uses Linux namespaces to provide the isolated workspace that we call a container. When a container starts, the Docker Engine creates a set of namespaces for it, and each aspect of the container runs in its own namespace with no access to the corresponding namespace of other containers or of the host.

It creates the following namespaces:

  1. PID namespace: Each container has its own PID namespace, so it sees only its own processes (its entrypoint is PID 1) and cannot see or signal processes of the host or of other containers.
  2. MNT namespace: Each container has its own mount table, so the container's root filesystem and mounts are separate from the host's.
  3. IPC namespace: System V IPC objects and POSIX message queues are scoped to the container; only containers explicitly placed in the same IPC namespace (--ipc=container:<name>) can communicate through them.
  4. NET namespace: Each container gets its own network stack (interfaces, routing table, sockets), so it cannot access the sockets and interfaces of another container.
  5. UTS namespace: Isolates the system identifiers, namely the hostname and the NIS domain name, so a container can set its own hostname without affecting the host.

Note that the user namespace is not enabled by default: unless the daemon is configured with userns-remap, root inside the container is UID 0 on the host as well. Namespace isolation is also only as strong as the run options allow; --pid=host, --network=host, --ipc=host and --privileged each switch part of it off.

CGroups:

To support safe multi-tenancy, Docker uses the Linux kernel's control groups (cgroups). They let Docker limit the CPU, memory, block I/O and number of processes each container may consume, so one container cannot starve the others or the host. Note that no limits are applied unless you set them (--memory, --cpus, --pids-limit): by default a container may use as much memory and CPU as the host has.
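The two sections above (namespaces and cgroups) describe properties you can verify from the outside. The following script is an added example, not Docker's own tooling or code from the original article: it reads the JSON that `docker inspect <container>` prints and flags containers that share a host namespace, run privileged, or have no cgroup limits. The sample JSON embedded in it is hand-constructed to look like a badly started container; the HostConfig field names (PidMode, NetworkMode, Memory, NanoCpus, PidsLimit, ...) are the ones Docker's inspect output uses.

```python
import json
import sys

# HostConfig keys that select a Linux namespace. The value "host" means the
# container was started with e.g. --pid=host and shares that namespace with
# the host, so the isolation described above is switched off for it.
NAMESPACE_KEYS = {
    "PidMode": "PID",
    "IpcMode": "IPC",
    "NetworkMode": "NET",
    "UTSMode": "UTS",
}

# Constructed sample (hand-written for this example, not real daemon output),
# shaped like `docker inspect web` for a container started roughly as
#   docker run --name web --pid=host --network=host --privileged nginx
# with no cgroup limits at all.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Name": "/web",
    "HostConfig": {
        "PidMode": "host",
        "IpcMode": "private",
        "NetworkMode": "host",
        "UTSMode": "",
        "Privileged": True,
        "Memory": 0,
        "NanoCpus": 0,
        "CpuQuota": 0,
        "PidsLimit": None,
    },
}])


def audit_host_config(hc):
    """Return a list of findings for one container's HostConfig dict."""
    findings = []
    for key, ns in NAMESPACE_KEYS.items():
        if hc.get(key) == "host":
            findings.append(f"shares the host {ns} namespace ({key}=host)")
    if hc.get("Privileged"):
        findings.append("runs --privileged: all capabilities, seccomp off, host devices")
    # cgroup controls: Docker reports 0 or null when no limit was set.
    if not hc.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append("no CPU limit (--cpus or --cpu-quota)")
    if not hc.get("PidsLimit"):
        findings.append("no PID limit (--pids-limit): a fork bomb can exhaust the host")
    return findings


def audit_inspect_output(inspect_json):
    """Parse `docker inspect` JSON (a list of containers) and audit each one.
    Returns {container name: [findings]}; an empty list means clean."""
    return {c["Name"]: audit_host_config(c["HostConfig"])
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    # Pipe real output in (docker inspect web | python3 audit.py) or fall back
    # to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(data).items():
        summary = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {summary}")
        for f in findings:
            print("  -", f)
```

Run it against every container on a host with `docker inspect $(docker ps -q) | python3 audit.py`; a clean result means each container keeps its own namespaces and has memory, CPU and PID ceilings, which is the baseline the two sections above describe.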

Seccomp:

Docker uses secure computing mode (seccomp), a Linux kernel feature that filters the system calls a process may make. Docker's default seccomp profile is an allowlist: it permits the system calls ordinary applications need and blocks around 44 of the 300+ available calls, including mount, reboot, kexec_load and init_module, which an application rarely needs but an attacker would find useful. The profile is applied automatically unless it is disabled with --security-opt seccomp=unconfined or replaced with --security-opt seccomp=<file>, and it is not applied to --privileged containers.
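To make the allowlist behaviour concrete, here is an added example (not code from the original article or from Docker) that evaluates a seccomp profile written in the same JSON layout as Docker's default profile: `defaultAction`, an optional `defaultErrnoRet`, and `syscalls` rules with `names`, `action` and optional `args` conditions. The embedded profile is a deliberately tiny constructed one; the evaluator itself, the `tighten_profile` helper and the "first matching rule wins" simplification are this example's own.

```python
import copy
import json

# Constructed, deliberately tiny profile (hand-written for this example) in
# the JSON layout Docker's default seccomp profile uses. Docker's real default
# lists several hundred allowed names; the point here is the shape: anything
# not matched by a rule gets defaultAction, i.e. is denied with errno 1 (EPERM).
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "brk", "mmap",
                   "clone", "execve", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        # A conditional rule: personality() is allowed only with argument 0,
        # the same pattern Docker's default profile uses for a few flag values.
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
})


def load_profile(profile_json):
    return json.loads(profile_json)


def _arg_matches(cond, args):
    """Evaluate one argument condition. Supports the operators used in this
    example and in Docker's default profile; an unknown op never matches."""
    actual = args.get(cond["index"])
    if actual is None:
        return False
    op, value = cond["op"], cond["value"]
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_MASKED_EQ":
        # libseccomp semantics: (arg & value) == valueTwo
        return (actual & value) == cond.get("valueTwo", 0)
    return False


def syscall_action(profile, name, args=None):
    """Return the action the profile applies to a call of `name` with the
    given argument values ({index: value}). A rule matches when the name is
    listed and all of its argument conditions hold; otherwise defaultAction.
    Simplification: the first matching rule wins."""
    args = args or {}
    for rule in profile["syscalls"]:
        if name in rule["names"] and all(
                _arg_matches(c, args) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]


def blocked_syscalls(profile, names):
    """Which of `names` would be denied when called with no special arguments."""
    return [n for n in names if syscall_action(profile, n) != "SCMP_ACT_ALLOW"]


def tighten_profile(profile, remove):
    """Return a copy of the profile with the given syscalls removed from every
    allow rule, so they fall back to defaultAction. This is how you derive a
    per-application profile to pass with --security-opt seccomp=<file>."""
    new = copy.deepcopy(profile)
    for rule in new["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n not in remove]
    new["syscalls"] = [r for r in new["syscalls"] if r["names"]]
    return new


if __name__ == "__main__":
    p = load_profile(SAMPLE_PROFILE)
    print("blocked:", blocked_syscalls(p, ["mount", "read", "kexec_load", "reboot"]))
    hardened = tighten_profile(p, {"execve"})
    with open("hardened.json", "w") as fh:
        json.dump(hardened, fh, indent=2)  # use: --security-opt seccomp=hardened.json
```

The practical workflow is the reverse of what the evaluator does: trace the application first (`strace -f -c` against it for a representative run) to learn which calls it makes, start from Docker's default profile, remove what the application never needs with something like `tighten_profile`, and ship that file with the image.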

Process restrictions:

By default a Docker container runs with 14 of the roughly 40 Linux capabilities, fewer than half of what a root process on the host holds. Dropping the rest (CAP_SYS_ADMIN, CAP_SYS_MODULE and CAP_NET_ADMIN among them) limits what an attacker gains from an application-level vulnerability: even code running as root inside the container cannot load kernel modules, reconfigure the network or mount filesystems. You can tighten this further per container with --cap-drop and add back only what is needed with --cap-add; --privileged grants every capability and should be avoided.
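The following is an added example (not code from the original article or from Docker) that models what the bounding capability set of a container becomes under --cap-add, --cap-drop and --privileged, and flags additions that deserve scrutiny in review. The default set of 14 is the one documented for the Docker Engine; the full capability list is the kernel's as of Linux 5.9; the drop-before-add order and the ALL expansion follow the documented docker run behaviour; the "risky" list is this example's own judgement, not a Docker setting.

```python
# All Linux capabilities as of kernel 5.9 (41 names, CAP_ prefix dropped).
ALL_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
})

# The 14 capabilities Docker grants a container by default (from the Docker
# Engine documentation on runtime privilege and Linux capabilities).
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# Capabilities whose addition gives a process a route to the host kernel,
# host devices or other containers' processes. This list is this example's
# own judgement, not a Docker setting.
RISKY_CAPS = frozenset({
    "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "SYS_BOOT",
    "NET_ADMIN", "DAC_READ_SEARCH", "MAC_ADMIN", "MAC_OVERRIDE", "BPF",
})


def normalize(cap):
    """Accept 'CAP_NET_ADMIN', 'net_admin' or 'NET_ADMIN', like the docker CLI."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps(cap_add=(), cap_drop=(), privileged=False):
    """Model how --cap-add/--cap-drop/--privileged change the bounding set:
    drops are applied before adds, and ALL expands to every capability."""
    adds = {normalize(c) for c in cap_add}
    drops = {normalize(c) for c in cap_drop}
    unknown = (adds | drops) - ALL_CAPS - {"ALL"}
    if unknown:
        raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
    if privileged:
        return frozenset(ALL_CAPS)
    if "ALL" in adds:
        base = set(ALL_CAPS)
    elif "ALL" in drops:
        base = set()
    else:
        base = set(DOCKER_DEFAULT_CAPS)
    base -= drops - {"ALL"}
    base |= adds - {"ALL"}
    return frozenset(base)


def risky_additions(cap_add):
    """The subset of requested additions that need a justification in review."""
    return {normalize(c) for c in cap_add} & RISKY_CAPS


if __name__ == "__main__":
    # The least-privilege idiom: drop everything, add back only what the
    # service needs (here, binding port 80 without running as root).
    print(sorted(effective_caps(cap_drop=["ALL"], cap_add=["NET_BIND_SERVICE"])))
    print(sorted(risky_additions(["CAP_SYS_ADMIN", "chown"])))
```

The pattern to copy into a run command or Compose file is `--cap-drop ALL --cap-add <only what is needed>`; anything `risky_additions` reports, and CAP_SYS_ADMIN above all, is a sign the workload wants host-level access that a container cannot safely provide.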


Secure by default:

Docker takes a “secure by default” approach to the Docker Engine: it uses the Linux kernel features above and provides out-of-the-box protection without any configuration by the user.

Security Chart by Docker:


Before moving to production with Docker, check the security of your environment against the chart above.

In conclusion:
1. Containers provide isolation from the host and from other containers using namespaces, with cgroups bounding the resources each one can consume.
2. Applications packaged in containers get a reasonably secure baseline by default, but a container is not a security boundary on its own: a compromised application still shares the host kernel, so the defaults must be kept (no --privileged, no host namespaces) and tightened where possible.
3. Specifically, Docker provides a set of security mechanisms (namespaces, cgroups, seccomp, capabilities) with strong defaults, and applying least privilege on top of them is what makes container security hold up in production.



More articles by Jakir Patel