Docker security in the future (Opensource.com)

[Posted March 19, 2015 by jake]

Over at Opensource.com, Daniel Walsh writes about applying various Linux security technologies to Docker containers. In the article, he looks at using user namespaces and seccomp filters to provide better security for Docker. "One of the problems with all of the container separation modes described here and elsewhere is that they all rely on the kernel for separation. Unlike air gapped computers, or even virtual machines, the processes within the container can talk directly to the host kernel. If the host kernel has a kernel vulnerability that a container can access, they might be able to disable all of the security and break out of the container. The x86_64 Linux kernel has over 600 system calls, a bug in any one of which could lead to a privilege escalation. Some of the system calls are seldom called, and should be eliminated from access within the container."

Docker security in the future (Opensource.com)

Posted Mar 22, 2015 17:30 UTC (Sun) by justincormack (subscriber, #70439) [Link]

Filtering 17 odd syscalls and some network protocols is going to help a little, but seccomp policies work best if they are mostly deny, and of course that is rather difficult in the situation where you are trying to contain generic applications that you know little about.

Docker security in the future (Opensource.com)

Posted Mar 23, 2015 16:26 UTC (Mon) by jhoblitt (subscriber, #77733) [Link] (1 responses)

It's likely still a performance win over hardware virtualization but the overhead of a "secure" container setup (selinux + seccomp + uid translation + network proxy containers) is starting to sound non-trivial.

Docker security in the future (Opensource.com)

Posted Mar 26, 2015 12:00 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

You make a requirement to sell more resources to the client sound like such a bad thing! ;-)