Secure Docker on Linux or Windows platforms

With Docker appearing in businesses of all shapes and sizes, security is a concern for many IT admins. Here's how to secure Docker on the container or the host machine.

Echoing the Java boom of the late 1990s and early 2000s, container applications have exploded onto the 2010s scene as a cross-platform trend. And similar to Java, containers run on any platform so long as it has the correct software installed.

Docker leads in container adoption among IT shops today. To secure Docker and other container software that operate across platforms, one question arises: Should system administrators focus on containers as a new attack vector, or should they focus on the host machine?

Docker on Windows

As of this writing, the Windows edition of Docker is available only on Windows 10 Pro, and it requires Microsoft Hyper-V to run the VM that hosts the Docker engine and supplies the Linux kernel features the engine depends on. The prudent systems administrator would do well to ensure that only the traffic Docker actually needs passes between that virtual machine and the host machine. Some communication between the host and the VM is unavoidable, since Docker does not run natively on Windows; what runs on the Windows host is a Docker client built specifically for the Windows environment.

On Windows, host-based antivirus software is paramount, especially if end users connect to the Windows machine remotely. Conduct careful and frequent examinations of the process list on the host machine, and perform periodic packet captures. Lastly, because the Docker daemon runs within a VM, Hyper-V allocates a virtual IP address to the Docker Machine VM. Therefore, when conducting packet captures, configure the capture tool, such as Wireshark, to filter specifically on the Docker Machine IP address. For example, if Hyper-V allocates the IP address 192.168.1.1 to the Docker machine, run a capture from the host machine with the following display filter:

ip.addr==192.168.1.1

This lets the systems administrator see all inbound and outbound traffic to the Docker machine.

To get even more granular when you secure Docker, consider the fact that the Docker daemon typically communicates on TCP port 2375 for unencrypted traffic and TCP port 2376 for encrypted traffic. The relevant Wireshark filter would resemble the following:

ip.addr==192.168.1.1 && (tcp.port eq 2375 || tcp.port eq 2376)

With this filter in place, Wireshark should display only traffic to and from the Docker daemon.
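As an added illustration that is not part of the original article, the following Python script applies the same predicate as the display filter above to a constructed set of captured flows and singles out the plaintext port 2375 sessions, which are the ones an administrator should look at first. The VM address 192.168.1.1 and the one-flow-per-line format are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed for the example: the article's VM address and a "src:port -> dst:port" line format.
DOCKER_MACHINE_IP = ipaddress.ip_address("192.168.1.1")
DAEMON_PORTS = {2375: "plaintext", 2376: "tls"}

# Constructed sample capture (not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5:51000 -> 192.168.1.1:2376
10.0.0.5:51001 -> 192.168.1.1:2375
192.168.1.1:2376 -> 10.0.0.5:51000
10.0.0.5:51002 -> 192.168.1.1:22
10.0.0.5:51003 -> 8.8.8.8:53
"""


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) for one sample line."""
    src, dst = (part.strip() for part in line.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port))


def matches_daemon_filter(flow):
    """Same test as ip.addr==VM && (tcp.port eq 2375 || tcp.port eq 2376)."""
    src_ip, src_port, dst_ip, dst_port = flow
    touches_vm = DOCKER_MACHINE_IP in (src_ip, dst_ip)
    on_daemon_port = bool({src_port, dst_port} & set(DAEMON_PORTS))
    return touches_vm and on_daemon_port


def summarize(text):
    """Count daemon flows by transport and collect peers that used plaintext 2375."""
    counts = Counter()
    plaintext_peers = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not matches_daemon_filter(flow):
            counts["other"] += 1
            continue
        src_ip, src_port, dst_ip, dst_port = flow
        port = dst_port if dst_port in DAEMON_PORTS else src_port
        counts[DAEMON_PORTS[port]] += 1
        if port == 2375:  # unencrypted daemon API: record the remote peer
            peer = dst_ip if src_ip == DOCKER_MACHINE_IP else src_ip
            plaintext_peers.add(str(peer))
    return counts, sorted(plaintext_peers)
```

Running summarize(SAMPLE_FLOWS) on the sample reports two TLS flows, one plaintext flow and two unrelated flows, with 10.0.0.5 listed as the peer that spoke to the daemon in the clear.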

Container wars

While Docker has developed security-focused features, such as hardware signing built on Docker Content Trust, CoreOS has promoted its rkt container technology as a secure alternative to Docker.

Docker for Linux

Docker on Linux is a little more straightforward, as Docker is a native Linux application, built to interact directly with LXC containers. Therefore, unlike Windows setups, Docker does not require a VM -- the Docker daemon can run directly on the local host.

Antivirus software is not vital to secure Docker on Linux machines. However, if policy dictates that antivirus software must be installed on all nodes, then the systems administrator can install one of the open source variety, such as Clam AntiVirus.

Linux alone cannot secure Docker. In fact, when administrators allow a subset of end users access to the Docker daemon, those users are implicitly granted root access. Therefore, use great caution when granting access. Within the context of Docker, an end user who can reach the daemon could alter the host machine's file system, even without intending to do so.
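As an added example that is not from the article, the Python audit below reads /etc/group and /etc/passwd content and lists every account that can reach the Docker daemon through the docker group, treating each as root-equivalent. It assumes the group is named docker (the common default) and uses constructed file contents rather than a live host.

```python
# Constructed sample files for the example (not from a real host).
SAMPLE_GROUP = """\
root:x:0:
docker:x:999:alice,bob
users:x:100:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
ci:x:1002:999:CI runner:/var/lib/ci:/usr/sbin/nologin
"""


def docker_gid_and_members(group_text, group_name="docker"):
    """Return (gid, explicit members) for the group, or (None, []) if absent."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            members = [m for m in fields[3].split(",") if m]
            return int(fields[2]), members
    return None, []


def root_equivalent_users(group_text, passwd_text, group_name="docker"):
    """Accounts with daemon access: explicit members plus accounts whose primary
    GID is the docker group, which never show up in /etc/group's member list."""
    gid, members = docker_gid_and_members(group_text, group_name)
    if gid is None:
        return []
    found = set(members)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and int(fields[3]) == gid:
            found.add(fields[0])
    return sorted(found)
```

On the sample data the audit returns alice, bob and ci; the ci service account is caught only because its primary group is docker, a membership that a glance at /etc/group alone would miss.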

When the developers, IT team or business leaders decide to utilize Docker containers, systems administrators should take comfort in the fact that some of their usual burden is eased by Docker's cross-platform portability. However, admins cannot ignore that the cross-platform nature of Docker containers also gives rise to various other issues, not the least of which is security.

This was last published in September 2016

Join the conversation

4 comments

What precautions make Docker secure enough to run in production IT deployments?

One of the big ones that I don’t think gets covered nearly enough is that you need to trust the containers that you run. Docker Hub is a great resource, but many of the repositories out there are unofficial or user repositories. You can’t just be downloading a Docker image and running it without knowing what is in that image.

Actually, Docker initially used LXC as its execution driver to interact with the Linux kernel, but has since moved to its own execution driver, libcontainer, which is a direct drop-in replacement for LXC.

There are many other issues not covered in this article, including the network segmentation of containers, vulnerabilities in base images, the problematic user access model, and the fact that hardening the host does not take into account the specific workloads run in containers (which vary greatly...)