Are containers secure?
Probably not. But knowing each approach’s strengths and risks—and available options—could help ease adoption.
Such a decision requires two primary considerations:
VMware is a great supporter of the concept of running each containerized application in a single virtual machine, which increases security. Placing a container in its own dedicated virtual machine provides better isolation from the host machine and, naturally, from other VMs and containers running on those VMs.
But running containers in a virtual machine seems to negate many of the container benefits, such as faster start/stop, consolidation, packaging and performance comparable to running on bare metal, to name just a few.
As container adoption accelerates, container security is among the unresolved questions that need to be carefully examined and appropriately addressed, alongside others such as how to containerize stateful apps. Typical security-related areas to look at are:
Failing to address part or all of the above could lead to significant problems:
Docker containers are very similar to LXC containers, and they have similar security features (built/designed atop the cgroups and kernel namespaces architecture), especially if you take care of running your processes inside the containers as non-privileged users (i.e. non-root).
When you start a Docker container, Docker creates a set of namespaces and control groups for the container.
Namespaces will cover the first and most straightforward isolation. Processes running within a container cannot see processes running in another container or in the host system. Each container also gets its own network stack, so a container doesn’t get privileged access to the sockets or interfaces of another container.
Control groups (cgroups), a component of the Linux kernel, implement resource accounting, limiting, prioritization and control. They help ensure that each container gets the memory and CPU it requires (disk I/O is not controlled).
You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC or other preferred hardening options.
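The points above (non-root processes, namespace isolation, cgroup limits, and an AppArmor/SELinux layer) can be checked against running containers rather than taken on trust. The following audit script is an added example and is not code from the original article; it parses records in the shape `docker inspect` produces (the `Config.User` and `HostConfig` fields are real Docker fields, while the two records embedded below are constructed samples, not captured output) and flags containers that run as root, run privileged, have no memory or CPU limit, share the host's network or PID namespace, explicitly disable the AppArmor/SELinux/seccomp profiles, or add broad capabilities.

```python
import json

# Constructed sample in docker-inspect shape (not real output):
# "web" follows the hardening points above, "batch" does not.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "Memory": 268435456,          # 256 MiB cgroup memory limit
            "NanoCpus": 500000000,        # 0.5 CPU cgroup quota
            "SecurityOpt": ["apparmor=docker-default"],
            "NetworkMode": "bridge",
            "PidMode": "",
            "CapAdd": None,
        },
    },
    {
        "Name": "/batch",
        "Config": {"User": ""},           # empty: image default, normally root
        "HostConfig": {
            "Privileged": True,
            "Memory": 0,                  # 0 means no limit
            "NanoCpus": 0,
            "SecurityOpt": ["apparmor=unconfined"],
            "NetworkMode": "host",
            "PidMode": "host",
            "CapAdd": ["SYS_ADMIN"],
        },
    },
])

# Options that switch off the MAC / syscall-filter layer the text recommends.
DISABLING_SECURITY_OPTS = {"apparmor=unconfined", "label=disable", "seccomp=unconfined"}
BROAD_CAPABILITIES = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"}


def runs_as_root(user):
    """True when the container's user is root or unspecified (image default)."""
    name = user.split(":")[0].strip()
    return name in ("", "root", "0")


def audit_container(record):
    """Return a list of findings for one docker-inspect style record."""
    cfg = record.get("Config") or {}
    hc = record.get("HostConfig") or {}
    findings = []

    if runs_as_root(cfg.get("User") or ""):
        findings.append("runs as root")
    if hc.get("Privileged"):
        findings.append("privileged (bypasses namespace and capability isolation)")
    # cgroup limits: Docker reports 0 when no limit was requested.
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota") or hc.get("CpuShares")):
        findings.append("no CPU limit")
    # Namespace sharing with the host removes the first isolation layer.
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for opt in hc.get("SecurityOpt") or []:
        if opt in DISABLING_SECURITY_OPTS:
            findings.append(f"security profile disabled: {opt}")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in BROAD_CAPABILITIES:
            findings.append(f"adds broad capability {cap}")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for a JSON array of inspect records."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

To run it against live containers, pipe `docker inspect $(docker ps -q)` into `audit_inspect_output`. Note that an empty `SecurityOpt` is not flagged: Docker applies its default AppArmor and seccomp profiles without listing them, so only an explicit `unconfined` or `label=disable` indicates the layer was removed.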
LXC is a “userspace” interface to Linux kernel containment features and uses the following to contain/isolate processes:
Application containers, whether implemented using Docker or LXC, clearly are gaining momentum. As container technology and usage expand and mature, it is necessary to address security considerations. The Docker blog, “Security should be part of the platform,” provides a helpful reference.
Equally important is the ability to react effectively and efficiently to live threats by clearly defining application borders, privileges and resource pools, as well as user roles/groups (RBAC). Always keep in mind that addressing the security gaps requires a holistic end-to-end approach—solving point problems might seem an acceptable short-term fix, but potentially will impose even greater risks in the long term.
The initial approach to security typically pursued is to apply the same measures of security to containers as were applied to physical machines. Recently, we have seen new software designed specifically to meet the security requirements of containers.
Review your application security exposure and prepare accordingly. Avoid reinventing the wheel—use tested and certified services.
Smarter platforms are built using microservices and expose a set of REST APIs enabling control of all aspects of infrastructure, including security.
These providers offer a wealth of complementary and beneficial information:
Twistlock: https://www.twistlock.com
Aquasec: https://www.aquasec.com
Blackduck: https://www.blackducksoftware.com