Q

Is read-only mode a viable approach to container hardening?

Can containers work in read-only mode, and how does this setup make a difference in security hardening?

Read-only is a common designation for objects that shouldn't be altered. Much like a read-only Word document that a reader can open, but not update or change, read-only containers cannot be modified after creation.

Read-only mode is a good option for container hardening, as it makes them more resistant to attacks. Setting containers as read-only thwarts simple attacks where a hacker accesses a container and adds or deletes code to create an exploit. Container hardening with read-only information prevents the hacker from modifying any files in the container -- but it also prevents anyone else from doing so.

Read-only containers work well with immutable infrastructure, wherein the IT setup is never revisited, but instead destroyed and redeployed for each update. For immutable containers, the application or service in the container is redeployed each time it needs an update, and its previously used resources are made available again. In a mutable setup, where updates and fixes occur on the existing deployment, read-only containers would present a barrier to normal processes.

Immutable infrastructures enable container hardening, and also have the benefit of simplicity and consistency. The approach works well with smaller units of deployment, such as container-based microservices. For example, in an application constructed of microservices, each service can deploy in an unchangeable read-only container. If a service doesn't operate correctly in production, a developer can discard the read-only container hosting that service, and then rebuild.

Read-only containers are one container hardening option. Other security measures include root access control, advanced monitoring and full security suites that protect the container, application and infrastructure.

Read-only containers are available as a feature in Docker and Kubernetes, as well as related technologies. To use the option in Docker, start the container with the read-only flag (`--read-only`). Any attempt to make changes to the container's filesystem generates an error. Additionally, Docker users can make a specific layer of the container image read-only for more selective hardening. Organizations that use a container management platform should investigate its capabilities for hardening. For example, containers in OpenShift can run in read-only mode by default using CRI-O, an implementation of the Kubernetes Container Runtime Interface.
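As an added example (not code from the original article), here is a small Python check over a kubectl-style JSON manifest: it flags every container whose root filesystem is not locked down with `securityContext.readOnlyRootFilesystem: true`, and lists the `emptyDir` mounts a locked-down container still uses for scratch space, which is the usual answer to the "barrier to normal processes" problem for apps that need a writable `/tmp`. The manifest, names and images are constructed for illustration.

```python
import json

# Constructed sample manifest (kubectl-style List); not from the original page.
SAMPLE_MANIFEST = json.loads("""
{"kind": "List", "items": [
  {"kind": "Deployment", "metadata": {"name": "api"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "web", "image": "example/web:1.0",
      "securityContext": {"readOnlyRootFilesystem": true},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]},
     {"name": "sidecar", "image": "example/sidecar:1.0"}],
     "volumes": [{"name": "tmp", "emptyDir": {}}]}}}},
  {"kind": "Pod", "metadata": {"name": "debug"},
   "spec": {"containers": [
     {"name": "shell", "image": "example/shell:1.0",
      "securityContext": {"readOnlyRootFilesystem": false}}]}}
]}
""")


def pod_spec(obj):
    """Return the PodSpec of a Pod, or of a workload that wraps a pod template."""
    spec = obj.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec


def writable_root_containers(manifest):
    """List 'Kind/name:container' for every container (init containers included)
    whose root filesystem is not set read-only. A missing securityContext counts
    as writable, because that is the Kubernetes default."""
    findings = []
    for obj in manifest.get("items", [manifest]):
        spec = pod_spec(obj)
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            ctx = c.get("securityContext") or {}
            if ctx.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{obj['kind']}/{obj['metadata']['name']}:{c['name']}")
    return findings


def scratch_mounts(container, spec):
    """Mount paths backed by emptyDir volumes: the writable scratch space a
    read-only container is allowed to keep (for example /tmp or a cache dir)."""
    empty_dirs = {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}
    return [m["mountPath"] for m in container.get("volumeMounts", [])
            if m["name"] in empty_dirs]


if __name__ == "__main__":
    for finding in writable_root_containers(SAMPLE_MANIFEST):
        print("writable root filesystem:", finding)
```

The Docker equivalent of the hardened `web` container is `docker run --read-only --tmpfs /tmp ...`, which keeps the root filesystem immutable while giving the process a writable scratch directory.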

This was last published in November 2018

1 comment
What methods do you use for container hardening?