Are docker containers secure by default?
Short answer: no, they are not secure by default. But we can make containers more secure by applying various technologies. Keep in mind that Docker uses OS-level virtualization, whereas a VM uses hardware-level virtualization.
Some of the default security mechanisms applied in Docker are:
1. Kernel namespaces make it difficult for containers to interact with each other.
2. cgroups (control groups) provide accounting and limiting of resources in Docker.
3. Running a container or the container daemon requires root privileges.
These provide a certain level of security, but even with them a container is comparatively less secure than a VM. If someone wants to attack a container, a kernel-level exploit against that container's (shared) kernel is enough to break it, whereas for a VM they need to exploit the host kernel, the hypervisor and the VM kernel. This does not mean a VM is simply more secure; it just puts more layers of abstraction between the attacker and the host.
So, returning to our question: Docker containers are not secure by default. Container isolation makes them a little more secure, but not enough to make them impossible to crack.
That does not mean we can't secure them. There are various ways to secure a Docker container. Some of them are:
- Use trusted images.
- Monitor container activity for unusual behaviour.
- Enable AppArmor.
- Enable SELinux.
- Use the Bastille security hardening features.
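To make the list concrete, here is an added example (not from the original post) of what the defaults look like next to a hardened `docker run` invocation that applies the controls discussed above: a mandatory access control profile (AppArmor by default, or an SELinux label on SELinux hosts), cgroup resource limits, dropped capabilities, and a non-root user on a read-only root filesystem. The container name, image tag, profile name, UID and limits are assumed values chosen for illustration; the helper functions only compose the command lines, and the verification step runs only when a Docker daemon is actually available.

```shell
#!/bin/sh
# Added example, not code from the original post. It shows the default-style
# `docker run` beside a hardened one and how to verify the hardening took
# effect. Image, names, UID and limits are assumed, illustrative values.

# Default-style run: root inside the container, every default capability,
# no resource limits, no explicit MAC profile or LSM label.
weak_run_cmd() {
  printf 'docker run -d --name %s %s\n' "$1" "$2"
}

# Hardened run:
#   --cap-drop=ALL                 start with no Linux capabilities at all
#   no-new-privileges:true         setuid binaries cannot regain privileges
#   apparmor=... / label=...       confine with AppArmor (or SELinux) via
#                                  the third argument, default docker-default
#   --memory / --pids-limit        cgroup limits against resource exhaustion
#   --user 65534:65534             run as an unprivileged (nobody) UID/GID
#   --read-only + --tmpfs /tmp     immutable rootfs, scratch space only in /tmp
hardened_run_cmd() {
  name=$1
  image=$2
  lsm_opt=${3:-apparmor=docker-default}
  printf 'docker run -d --name %s' "$name"
  printf ' --cap-drop=ALL'
  printf ' --security-opt no-new-privileges:true'
  printf ' --security-opt %s' "$lsm_opt"
  printf ' --memory=256m --pids-limit=100'
  printf ' --user 65534:65534 --read-only --tmpfs /tmp'
  printf ' %s\n' "$image"
}

# Verify that a running container really carries the hardening settings.
# Reads HostConfig from `docker inspect`; requires a reachable daemon.
verify_hardening() {
  docker inspect -f \
    'CapDrop={{.HostConfig.CapDrop}} SecurityOpt={{.HostConfig.SecurityOpt}} ReadonlyRootfs={{.HostConfig.ReadonlyRootfs}} Memory={{.HostConfig.Memory}} PidsLimit={{.HostConfig.PidsLimit}}' \
    "$1"
}

# Show both command lines for comparison (assumed image tag).
echo "Default-style:"
weak_run_cmd web nginx:1.25
echo "Hardened (AppArmor host):"
hardened_run_cmd web nginx:1.25
echo "Hardened (SELinux host):"
hardened_run_cmd web nginx:1.25 'label=type:container_t'

# Only talk to Docker if it is installed and the daemon answers.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
  eval "$(hardened_run_cmd web nginx:1.25)" && verify_hardening web
  # For the "monitor container activity" item: stream exec events so that
  # unexpected shells spawned inside containers are visible to the SOC.
  # docker events --filter type=container --filter event=exec_create
fi
```

Pair the hardened run with pinned, trusted images (pull by digest rather than by mutable tag) and with the `docker events` stream shown in the comment, which surfaces `exec_create` events whenever a process is injected into a running container.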
If you want to know more, here are some resources you can check:
https://www.threatstack.com/blog/docker-security-tips-best-practices
https://docs.docker.com/engine/security/security/
Thank you for reading. Hope you learned something.