Containing Containers - Advantages and Risks

Containing Containers

Advantages and Risks

Rocco Gagliardi
by Rocco Gagliardi
time to read: 9 minutes

Container, as defined in the dictionary, is an object that can hold something. Extending its meaning: a place where some correlated items can be stored or move together; a separator of things; a constrain for the contained things.

Starting in 1982 with chroot, to BSD-jails, Solaris Containers, LXC, OpenVZ, and Docker, container systems try to keep something isolated from the host system, to keep related things together, to limit the resources a thing can utilize: all focusing and prioritizing different aspects.

This class of technologies is a so called OS-Virtualization technology, to distinguish them from the Full-Virtualization (Type-One: Hyper-visor on bare metal like XEN, ESXi, KVM; Type-Two: Hyper-visor on standard kernel, like VMware Workstation, VirtualBox, QEMU).

Full-virtualization:

Guest process ---\
Guest process -----> Guest OS ----> Host OS ----> Hardware
Guest process ---/

OS-virtualization:

Guest process ---\
Guest process --------------------> Host OS ----> Hardware
Guest process ---/

Containers are so popular because they are very useful, as example:

They try to resolve a long annoying and costly problem: easier the application life cycle, from the development to the decommissioning. This was the primary goal of Docker in its infancy, regardless to security.

Docker

During the last years of the last decade, the advent of hardware virtualization caused a large offer of PaaS, essentially cutting expenses down, that enormously expanded The Cloud. A company called dotCloud was dealing with Linux containers, and developed a framework, released in 2013 as an Open Source project called Docker.

Docker is not Docker. Up to version 1.10, Docker was running on LXC container technologies, with all the downsides. In the spring of 2014, Docker rolled out a new version: they changed from utilizing LXC to libcontainer, a library completely written in Golang and explicitly designed for containers. The library directly manages syscalls and controls the implementation of long awaited security features: Docker now supports – out of the box – namespaces, control groups, capabilities, apparmor profiles, network interfaces and firewalling rules – all in a consistent and predictable way, and without depending on LXC. This improves the isolation of Docker from the side-effects introduced across versions and distributions of LXC.

Today, Docker is not only a daemon, but contains Docker Hub, Registry, Swarm, Compose and diverse supporting tools, like Docker Notary for trusted images, and Docker Machine for provisioning. Look at Docker Security for more information.

The impact of Docker in the next years will still grow; aside the official 64-bit Linux, clients are ready to use on many platforms (Linux, Windows, macOS, FreeBSD), even Microsoft Windows is including support for Docker, and don’t forget the support in IoT world! For additional information, I strongly suggest to take a look at DockerCon 2016 – conferences

Weaknesses and benefits of Containers

Like any technology, containers suffer from some problems but also offer some benefits. On the weaknesses side, we can summarize:

On the benefit side, we can list:

Updating the threats map

New technology poses new risks; to deal with them, we need to start from the threats the OS-Virtualization introduces in our infrastructure. Some of them are container specific, others are just classic threats:

Summary

We are the Container. Your physical and virtual distinctiveness will be added to our own. Resistance is futile.

OS-virtualization isn’t really a new technology, but in the last years has been adopted by a very large number of companies, and the number is still growing rapidly.

Docker, in particular, is spreading across infrastructure because it is a great help for operators in application maintenance. At the same time, it is not always clear enough where the limitations or the problems of these technologies lies and how can they be mitigated or controlled. In this article, we recapitulated the key points of the technology and identified some attack scenarios.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
Enhancing Data Understanding

Enhancing Data Understanding

Rocco Gagliardi

Transition to OpenSearch

Transition to OpenSearch

Rocco Gagliardi

Graylog v5

Graylog v5

Rocco Gagliardi

auditd

auditd

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here