(by Yoshioka Tsuneo, @yoshiokatsuneo at https://paiza.IO/)
Docker is rapidly growing because it is a simple and easy-to-use lightweight virtual environments tool. But, because Docker has its own concept, and is adding more and more features, it is sometimes not very easy to have correct information and it may cause misunderstandings.
Especially, security risks tend to be overestimated or underestimated based emotion rather than on accurate information. But, it is vital to know accurate information to use Docker as a handy and secure tool.
So, here, I describe Docker container security, and things to look out for.
Myths that using Docker is risky.
Docker host can be compromised by just running container.
Because containers run on isolated environments, just running the containers(without options) does not expose Docker host to the containers. As of now, there is no known case that just running containers allows malicious containers to invade Docker host or other containers.
If you share your Docker host's directories or files with the container, the container can access the Docker host. But, the host's directories or files are not shared with the container unless you explicitly share them. (ex: by -v option)
Also, unless you explicitly open the containers' network ports to Docker host(by -p, -P option), no one outside of Docker host can connect to the container.
Note that, compared to virtual machines, containers are much more tightly coupled with operating systems. So, there is relatively more possibility to have unknown vulnerabilities and attackers abuse the vulnerability , especially when you run the containers as a root user. Always update to the latest version or apply security fixes, and pay attention to the latest security news. Consider running the container as a non-root user or using user namespace. It also makes sense to install security software.
Container's root user and Docker host's root user is always the same
In the past, there was no way to have separate user id namespace for containers, and the container and the host share the same root user.
From ver 1.10, we can use user namespace. A Docker host and containers on the host can have separate root users. Although there are multiple barriers between the containers and the host, because the root user can do so many things, it is possible to have holes to access the Docker host. Using a non-root user on the containers makes Docker container much secure.
Docker shouldn't allow containers to access host anyway
Containers that manage Docker system itself apparently need to access Docker host to manage the Docker system. For example, Shipyard(container management tool) or nginx-proxy(setting proxy by hooking container events) need to access Docker system.
Docker containers are vulnerable to the fork bomb.
In the past, there was no direct way to protect from fork bomb.
But, Docker 1.11 introduced a "--pid-limits" option which limits the number of processes on the container to protect from the fork bomb**.
Things to look out for
While there is no need to fear overly to use Docker, there are things to take care for container security.
Running container as Internet server
If you run a container as an Internet server, you should look out for security as with a normal server. Set the appropriate access control, and pay attention to the server and the application's security issues.
Never run an untrusted Docker image as an Internet server, and avoid running Docker images you don't fully understand as an Internet server.
Docker does not open container's network ports unless you explicitly open the ports. When you run Docker host on a virtual machine, the containers are not open to the Internet (unless the virtual machine is open to the Internet). If you use Docker on your PC(Windows, Mac), its firewall or router will protect the containers from connecting from the Internet(unless you explicitly allow it).
Docker command options(sharing files, opening ports)
Pay attention to the Docker command options.
Especially, if you set file sharing option(ex: -v), you allow the container to access Docker host. Take care when you share socket files such as "docker.sock" that allow the container to manage Docker. Don't share files too many, but share only necessary files with the containers.
If you open containers' network ports, and the Docker host is open to the Internet, then the container can be accessed from the Internet. If you don't have appropriate access control, attackers may intrude on your containers. When you open containers' network ports, set the appropriate access control.
If the Docker image is not stable, consider not to open network ports or explicitly disable network connection(--net=none).
Running unknown scripts
Apart from Docker, never run unknown scripts because it is quite risky. The risk is not only intrusions to the container or Docker hosts. It can be a malicious script that removes all your files or install viruses, worms, or trojans.
Pay attention to how you get the script, whether the site providing the script is reliable or not, and whether the script is downloaded using HTTPS(SSL). You can also read the scripts.
Running unknown containers
Malicious or problematic containers may abuse Internet access, or unnecessarily consume CPU or memory resource.
Official images on famous registries like Docker Hub have relatively less risky images. But, unknown containers provided by unknown sites will be high-risk.
Evaluate the risk of Docker images, and when necessary, disable network access or limit access to the resources.
Summary
Docker is a simple and easy-to-use tool that has both good parts and risk.
Especially, when you open the container's network ports to the Internet, pay attention as normal Internet server.
Docker gives you freedom to create and destroy environments instantly. It is not risky if you use reliable Docker images and does not open the container's network ports to the Internet.
Don't fear too much, but use the Docker understanding its concept, behavior, and usage.
P.S.
For Japanese readers:
I wrote a Japanese book for Docker(Docker実戦活用ガイド
paiza.IO is an online coding environment where you can just write and run code instantly. Just try it out!
