Build a secure Docker host environment on Linux systems
In the cutting-edge technology world of containers, don't lose sight of the fundamental security best practices that protect workloads and minimize attack surfaces.
A secure Docker setup, broadly speaking, relies on how IT operations manages the Linux host OS, the Docker environment and its containers.
The following guidelines are general, not OS-specific, and help ensure safe container operations in diverse environments. Check with the specific OS vendor for best practices around security, including access control, up-to-date patches, audits and isolation for the OS version used with containers.
Start at the host layer
Run the latest stable OS release and patches on container hosts. Unlike VMs, containers share host OS resources and files, so a security issue could affect the entire Docker estate. OS management isn't difficult for enterprise IT teams, but approach with caution -- review all documentation prior to committing an update for Docker hosting systems. Virtual snapshots are a useful tool for this process, providing a log of changes and a rollback target if needed.
Application security is only as good as what's on the stack below it. Assess the security settings on the host in question. Anyone with administrator-level access to the OS can manipulate the containers in the default configuration. Administrators should use keys for remote login to increase the environment's security level. In addition, implement a firewall, and restrict access to only trusted networks. Keep the attack surface to a minimum.
Audits work hand in hand with security. Don't ignore system audits until the information is needed -- it won't be available, because it hasn't been recorded. Engage in a strong log monitoring and management process that terminates in a dedicated log storage host, with restricted access.
In the same vein, Docker host systems should run only Docker containers. A host should run as few services as possible. Non-Docker services can, if necessary, be converted to containers to abstract them away from the host OS and other containers on the system.
Create a secure Docker environment
Administrators can take simple steps to stabilize container operations. Keep the /var/lib/docker directory partitioned within the system. This separation ensures that any storage space issues within the Docker environment won't crash the OS and consequently take out all the containers on that host. Use logical volume management to ease storage allocation. It virtualizes storage partitioning to share resources effectively across multiple workloads.
A secure Docker setup also depends on vigilance regarding images, which are the static packages of code, dependencies and libraries needed for a container to run. Not all Docker images are to be trusted. Build Docker images in-house to ensure that developers and users get only what the image is meant to have. This assuages security concerns -- and paranoia -- and provides the opportunity for image optimization because the organization is the only target user.
Security at the next level
Third-party container security tools provide more fine-grained control than admin-led measures to secure Docker, but the benefits might not balance out the price tag or training investment. Organizations that do seek out third-party tools should consider startups and free tools, established IT vendors that have added container security capabilities through acquisition and vendors building up the capabilities natively.
A sampling of container security tools includes:
- Alert Logic Cloud Defender and Threat Manager
- Aqua Security
- CSPi's ARIA Software Defined Security
- Deepfence
- Docker Enterprise Edition
- FlawCheck from Tenable Network Security
- NeuVector
- Qualys Container Security
- Twistlock
Additionally, cloud vendors provide container security services and best practices as part of their offerings, such as Google Kubernetes Engine.
If custom image builds are out of your organization's wheelhouse, or not always needed, use official builds only. For example, download the Ubuntu Docker image from the official repository. Unofficial builds aren't necessarily wrong but might not meet the user's expectations and reliability demands -- and some third-party images are intentionally fraudulent or malicious.
Avoid infiltration of erroneous or malicious container images through a global content trust requirement. Trusted images come from a verified source -- such as Docker's official repository on Docker Hub -- and can be built upon for finely tuned control over the environment. Enable the content trust flag globally to prevent potentially dangerous images from sneaking in uninvited.
Many aspects of basic Docker security boil down to good computer hygiene and common sense: Tighten down the virtual hatches, run only the minimum necessary services and applications and restrict host access to only those users who need it. And always be careful what you download.