How secure is Docker? In the early days, the answer to that question from many Ops professionals would have been “not very.” To be fair, when Docker was first launched in 2013, it lacked some of the the robust security features and tools to make containers secure enough for enterprise adoption.
But a lot has changed since 2013. Docker now benefits from a range of security enhancements that are built into the platform. And depending on how exactly an organisation intends to use Docker containers, there are additional tools and design approaches available to make Docker even more secure.
Below, we take a look at the current state of Docker security, and what users can do to make sure Docker is as secure as possible in production environments.
Purpose-built security tools for Docker
As Docker has grown in popularity, so has the suite of tools available to help secure containers.
One important set of tools are image scanners. Tools like Clair by CoreOS and Docker Security Scanning integrated into the Docker Hub can check for vulnerabilities in images automatically, saving a lot of time. They can also send notifications over email when a vulnerability is detected and look for fixes.
Twistlock is a security suite for containers that provides a multi-faceted approach, which covers many areas of security. It not only hardens container applications, but also provides monitoring, analysis and response to threats. This addresses the visibility problems that companies face when using containers, as well as a host of other security vulnerabilities. It also solves the issue of unfamiliarity that many users have with containers in comparison to VMs, making containers harder to secure in some cases. Twistlock is one of the few commercially available solutions that focuses exclusively on securing Docker.
Docker’s own efforts to secure containers
Docker has introduced a number of security updates and features over the past several years, which have fixed a lot of the security issues that left people hesitant to adopt Docker when it first launched in 2013. These developments have made Docker easier to use in the enterprise, and help to explain the growth of Docker in production environments.
Some of the more basic security solutions that harken back to Docker’s early days are Namespaces and CGroups. Namespaces provide the first and most straightforward form of isolation between containers, preventing them from interacting with each other. User Namespaces allow for different privileges, which can be assigned on a granular level to different users.
CGroups can restrict the amount of resources that a container is allowed to use. For example, they can limit the availability of resources like memory and processing power on a per-container basis. Hard limits can be applied to containers to make sure that processes are killed if they start taking too many resources, providing a safeguard against exploitation by an external source..
Docker has also developed Docker Bench, a script that can test containers and their hosts’ security configurations against a set of best practices provided by the Center for Internet Security.
Docker Swarm, which as of Docker version 1.12 is built into Docker, also provides some security features. It secures nodes with Transport Layer Security (TLS) certificates and encrypts communication between nodes.
Finally, Docker content trust is a very elegant solution to ensuring that containers aren't compromised and that provenance and traceability is maintained.
Docker in a hosted environment
Another way to help add security to a Docker deployment, especially for organisations without a high level of experience working with Docker, is to use managed hosting platforms for running Docker. This approach offers the convenience of simplified management and some built-in security features.
The best example is Amazon’s EC2 container service (abbreviated as ECS), which can run Docker containers while enveloping them in additional security features, such as Identity and Access Management (IAM) roles and permissions. Azure and Google Cloud also offer their own managed Docker services, with security best practices built in.
Beyond this, Dockers commercial Docker Datacenter product or Docker cloud product is the best way to run enterprise containers securely behind the firewall or in the cloud.
On the whole, taking a look at how Docker has improved over the years, it can be safely said that Docker is significantly more secure today compared to when it was first released. While security fears about Docker early on were reasonable, Docker now benefits from a number of security enhancements that make it ready for any type of enterprise production environment.