Tuomas Toivonen

Reputation: 23502

Docker security concerns using unofficial images

How do I ensure that a Docker container will be secure, especially when using third-party containers or base images?

  1. Is it correct that, when using a base image, it may start any services or mount arbitrary partitions of the host filesystem under the hood, and potentially send sensitive data to an attacker?
  2. So if I use a third-party container whose Dockerfile proves the container to be safe, should I traverse the whole linked list of base images (potentially very long) to ensure the container is actually safe and does what it intends to do?

How do I ensure the trustworthiness of a Docker container in a systematic and definite way?

Upvotes: 2

Views: 964

Answers (2)

P.J

Reputation: 502

Consider Docker images similar to Android/iOS mobile apps. You are never quite sure if they are safe to run, but the probability of their being safe is higher when they come from an official source such as Google Play or the App Store. More concretely, Docker images coming from Docker Hub go through security scans, the details of which are undisclosed as yet. So the chances of a malicious image being pulled from Docker Hub are rare. However, one can never be paranoid enough when it comes to security. There are two ways to make sure all images coming from any source are secure:

  1. Proactive security: do a security source code review of each Dockerfile corresponding to a Docker image, including the base images, as you have already noted in the question.
  2. Reactive security: run Docker Bench, open-sourced by Docker Inc., which runs as a privileged container looking for known malicious runtime activities by containers.

In summary, whenever possible use Docker images from Docker Hub. Perform security code reviews of Dockerfiles. Run Docker Bench or any other equivalent tool that can catch malicious activities performed by containers.

References:

  1. Docker Security Scanning, formerly known as Project Nautilus: https://blog.docker.com/2016/05/docker-security-scanning/
  2. Docker Bench: https://github.com/docker/docker-bench-security
  3. Best practices for writing Dockerfiles: https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/

Upvotes: 4

Griffin

Reputation: 766

Docker images are self-contained, meaning that unless you run them inside a container with volumes and a network mode, they have no way of accessing any network or memory stack of your host.

For example, if I run an image inside a container by using the command:

docker run -it --network=none ubuntu:16.04

This will start the Docker container ubuntu:16.04 with no mounts to the host's storage, and it will not share any network stack with the host. You can test this by running ifconfig inside the container and on your host and comparing the output.

Regarding checking what the image/base image does, the conclusion from the above is that nothing harmful happens to your host (unless you mount your /important/directory_on_host into the container and, after starting the container, it removes them).

You can check what an image/base image contains after running by checking their Dockerfile(s) or docker-compose .yml files.

Upvotes: 1
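The point of the answer above, that host access comes from the `docker run` flags rather than from the image, can be checked mechanically. The following is an added example, not code from either answer: a Python script that reads `docker inspect` output and lists the HostConfig settings that grant host access. The two inspect documents inside it are constructed samples, not real captures, and the set of flagged settings is this example's own choice.

```python
"""Audit the host-access settings of a container from `docker inspect` output.

An image on its own cannot mount host paths or join the host network stack;
those come from the `docker run` flags and are recorded in HostConfig.
Both inspect documents below are constructed samples, not real captures.
"""
import json

# Constructed: a container started with a host bind mount and --network=host.
RISKY_INSPECT = json.dumps([{
    "Config": {"User": "", "Image": "ubuntu:16.04"},
    "HostConfig": {"Binds": ["/important/directory_on_host:/data:rw"],
                   "NetworkMode": "host", "Privileged": False,
                   "CapAdd": ["SYS_ADMIN"], "PidMode": ""},
}])

# Constructed: the same image run as in the answer above (--network=none, no volumes).
ISOLATED_INSPECT = json.dumps([{
    "Config": {"User": "nobody", "Image": "ubuntu:16.04"},
    "HostConfig": {"Binds": None, "NetworkMode": "none", "Privileged": False,
                   "CapAdd": None, "PidMode": ""},
}])


def audit_container(inspect_json: str) -> list:
    """Return human-readable findings for the first container in the inspect output."""
    data = json.loads(inspect_json)[0]
    host, cfg = data.get("HostConfig", {}), data.get("Config", {})
    findings = []
    # Bind format is host_path:container_path[:options]; the default mode is read-write.
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        opts = parts[2].split(",") if len(parts) > 2 else []
        mode = "read-only" if "ro" in opts else "read-write"
        findings.append(f"host path {parts[0]} mounted {mode} at {parts[1]}")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network stack (--network=host)")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace (--pid=host)")
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices available")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability granted: {cap}")
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("process runs as root inside the container")
    return findings


if __name__ == "__main__":
    for label, doc in (("risky", RISKY_INSPECT), ("isolated", ISOLATED_INSPECT)):
        print(label, audit_container(doc) or ["no host-access findings"])
```

On a real system, feed it the output of `docker inspect <container>` to see exactly which run-time flags, not the image, gave the container a path to the host.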
