The objective of this blog is to highlight the benefits as well as the security challenges of Docker containers. It evaluates the benefits and risks of deploying various workloads on Docker containers and looks at how Docker containers have evolved. It is also important to decide which additional security mechanisms and tools should be employed to further reduce security risks.
Benefits of Cloud Services Based on Docker Containers
A Docker container is a unit of software that packages application code together with its required dependencies so that it runs efficiently as a standalone application. This offers several advantages compared to a virtual machine:
- Docker containers run on a single physical server on top of the host OS, sharing its resources with the system.
- Docker containers are self-contained, so they can run their applications in any environment.
- Docker provides a standardized, lightweight image format that makes it easy to transfer applications to other environments.
- Access to a common operating system kernel provides higher visibility into the behaviour of individual applications.
- The reduced size of containers leads to a smaller attack surface for cloud customer workloads.
- Docker containers encourage microservice-based application architectures, which delegate persistent data to backend datastores and keep it away from compute instances.
Container Deployment Models in Cloud Computing Environments
There are several deployment models for containers in the cloud. The first and most basic is to let cloud tenants deploy containers inside their own virtual machines running in an infrastructure-as-a-service (IaaS) cloud. The cloud provides the isolation of each tenant's virtual machines from other tenants, as well as the security of the virtual machines themselves.
The second is to run containers directly on a shared host. The cloud treats containers much like virtual machines and applies isolation techniques directly to them. This includes network isolation using security groups, or hiding some containers' IP addresses from the public Internet by assigning public IP addresses to only a subset of them.
Docker Container Security
Docker creates a set of namespaces and control groups for each container. Namespaces provide isolation: processes running within a container are not affected by processes running in a different container, nor by processes running on the host system.
Each container gets its own network stack, which allows users to set up links that permit IP traffic between containers. The containers then behave like physical machines connected through a common Ethernet switch.
Control groups ensure that each container gets a fair share of memory, CPU, and disk I/O. They also make sure that a single container cannot exhaust the resources of the whole system.
Leveraging Container Isolation Technologies in the Cloud
In a cloud environment, container isolation on its own is not sufficient to secure containers. The Docker management stack filters the API calls and parameters that reach a container. The management stack supports isolation because it provides a great deal of control over the parameters and privileges granted to a container.
Namespaces, cgroups, AppArmor and SELinux, Linux capabilities, and seccomp together provide isolation and security for containers. There is certainly less risk in running containers inside virtual machines. Because the container management stack is what provides isolation, it is important to examine and restrict the parameters that may be passed to it.
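As an added example (not code from the original post), the following Python script audits the HostConfig object of a `docker inspect` document for the controls discussed above: shared namespaces, missing cgroup limits, extra capabilities, and disabled seccomp or AppArmor profiles. The two configurations are constructed for this example; the field names follow the docker inspect JSON.

```python
# Added example, not from the original post: audit the "HostConfig" object of a
# `docker inspect` document for the isolation controls discussed above.
# Both configurations below are constructed; field names follow docker inspect.

WEAK_HOST_CONFIG = {  # as if started with --privileged --pid=host --net=host
    "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
    "PidMode": "host", "NetworkMode": "host", "IpcMode": "private",
    "Memory": 0, "NanoCpus": 0, "CpuQuota": 0,
    "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": False,
}

HARDENED_HOST_CONFIG = {  # as if started with --cap-drop ALL -m 256m --cpus 1 --read-only
    "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
    "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private",
    "Memory": 268435456, "NanoCpus": 1000000000, "CpuQuota": 0,
    "SecurityOpt": None, "ReadonlyRootfs": True,
}

def audit_host_config(hc: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged: all capabilities and host devices exposed")
    if hc.get("CapAdd"):
        findings.append("CapAdd: capabilities beyond the default set: " + ", ".join(hc["CapAdd"]))
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop: default capability set kept; drop ALL and add back only what is needed")
    # Namespace sharing: the value "host" switches that namespace's isolation off.
    for key in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host: container shares the host namespace")
    # cgroup limits: 0 in docker inspect output means unlimited.
    if not hc.get("Memory"):
        findings.append("Memory: no cgroup limit, container can exhaust host RAM")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("CPU: no cgroup limit, container can starve other tenants")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{opt}: mandatory profile disabled")
    if not hc.get("ReadonlyRootfs"):
        findings.append("ReadonlyRootfs: writable root filesystem; consider --read-only")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HOST_CONFIG), ("hardened", HARDENED_HOST_CONFIG)):
        print(name, "->", audit_host_config(cfg) or "OK")
```

On a real host, feed the function the `HostConfig` object from `docker inspect <container>` to get the same findings for a running container.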