Reputation: 7360
Is it useful to run publicly-reachable applications as Docker containers just for the sake of security?
There are many use-cases found for docker, and they all have something to do with portability, testing, availability, ... which are especially useful for large enterprise applications.
Considering a single Linux server in the internet, that acts as mail- web- and application server - mostly for private use. No cluster, no need to migrate services, no similar services, that could be created from the same image.
Is it useful to consider wrapping each of the provided services in a Docker container, instead of just running them directly on the server (in a chroot environment) when considering the security of the whole server, or would that be using a sledgehammer to crack a nut?
As far as I would understand, the security would really be increased, as the services would be really isolated, and even gaining root privileges wouldn't allow to escape the chroot, but the maintenance requirements would increase, as I would need to maintain several independent operations system (security updates, log analysis, ...).
What would you propose, and what experiences have you made with Docker in small environments?
Upvotes: 1
Views: 72
Answers (1)
Reputation: 9146
From my point of security is, or will be, one of the strengths of linux containers and Docker. But there is a long way to get a secure environment and completely isolated inside a container. Docker and some other big collaborators like RedHat have shown a lot of efforts and interest in securing containers, and any public security flag (about isolation) in Docker has been fixed. Today Docker is not a replacement in terms of isolation to hardware virtualization, but there are projects working in Hypervisors running container that will help in this area. This issue is more related to companies offering IAAS or PAAS where they use virtualization to isolate each client.
In my opinion for a case as you propose, running each service inside a Docker container provides one more layer in your security scheme. If one of the service is compromised there will be one extra lock to gain access to all your server and the rest of services. Maybe the maintenance of the services increases a little, but if you organize your Dockerfiles to use a common Docker image as base, and you (or somebody else) update that base image regularly, you don't need to update all the Docker container one by one. And also if you use a base image that is update regularly (i.e.: Ubuntu, CentOS) the security issues that affect those images will be updated fixed rapidly and you'd only have to rebuild and relaunch your containers to update them. Maybe is an extra work but if security is a priority, Docker may be an added value.
Upvotes: 1
Related Questions
- Why it is unsafe to run applications as root in Docker container?
- What are the disadvantages of a Docker container using the host network?
- What is the preferred, secure method of exposing docker services to a web application?
- Does it makes sense to use Docker containers on production VPS/VDS?
- Should processes run on docker be visible to the outside operating system?
- Are docker containers safe enough to run third-party untrusted containers side-by-side with production system?
- Building a docker container: will it be public?
- "Dockerized" apps frequently are built on top of OS containers. Why doesn't this defeat the purpose?
- Security and isolation: Running non-root application in privileged-mode container
- What makes docker secure?