github.com/nf/docker@v1.8.1/docs/articles/security.md (about)

     1  <!--[metadata]>
     2  +++
     3  title = "Docker security"
     4  description = "Review of the Docker Daemon attack surface"
     5  keywords = ["Docker, Docker documentation,  security"]
     6  [menu.main]
     7  parent = "smn_administrate"
     8  weight = 2
     9  +++
    10  <![end-metadata]-->
    11  
    12  # Docker security
    13  
    14  There are three major areas to consider when reviewing Docker security:
    15  
    16   - the intrinsic security of the kernel and its support for
    17     namespaces and cgroups;
    18   - the attack surface of the Docker daemon itself;
    19   - loopholes in the container configuration profile, either by default,
    20     or when customized by users.
    21   - the "hardening" security features of the kernel and how they
    22     interact with containers.
    23  
    24  ## Kernel namespaces
    25  
    26  Docker containers are very similar to LXC containers, and they have
    27  similar security features. When you start a container with
    28  `docker run`, behind the scenes Docker creates a set of namespaces and control
    29  groups for the container.
    30  
    31  **Namespaces provide the first and most straightforward form of
    32  isolation**: processes running within a container cannot see, and even
    33  less affect, processes running in another container, or in the host
    34  system.
    35  
    36  **Each container also gets its own network stack**, meaning that a
    37  container doesn't get privileged access to the sockets or interfaces
    38  of another container. Of course, if the host system is setup
    39  accordingly, containers can interact with each other through their
    40  respective network interfaces — just like they can interact with
    41  external hosts. When you specify public ports for your containers or use
    42  [*links*](/userguide/dockerlinks)
    43  then IP traffic is allowed between containers. They can ping each other,
    44  send/receive UDP packets, and establish TCP connections, but that can be
    45  restricted if necessary. From a network architecture point of view, all
    46  containers on a given Docker host are sitting on bridge interfaces. This
    47  means that they are just like physical machines connected through a
    48  common Ethernet switch; no more, no less.
    49  
    50  How mature is the code providing kernel namespaces and private
    51  networking? Kernel namespaces were introduced [between kernel version
    52  2.6.15 and
    53  2.6.26](http://lxc.sourceforge.net/index.php/about/kernel-namespaces/).
    54  This means that since July 2008 (date of the 2.6.26 release, now 5 years
    55  ago), namespace code has been exercised and scrutinized on a large
    56  number of production systems. And there is more: the design and
    57  inspiration for the namespaces code are even older. Namespaces are
    58  actually an effort to reimplement the features of [OpenVZ](
    59  http://en.wikipedia.org/wiki/OpenVZ) in such a way that they could be
    60  merged within the mainstream kernel. And OpenVZ was initially released
    61  in 2005, so both the design and the implementation are pretty mature.
    62  
    63  ## Control groups
    64  
    65  Control Groups are another key component of Linux Containers. They
    66  implement resource accounting and limiting. They provide many
    67  useful metrics, but they also help ensure that each container gets
    68  its fair share of memory, CPU, disk I/O; and, more importantly, that a
    69  single container cannot bring the system down by exhausting one of those
    70  resources.
    71  
    72  So while they do not play a role in preventing one container from
    73  accessing or affecting the data and processes of another container, they
    74  are essential to fend off some denial-of-service attacks. They are
    75  particularly important on multi-tenant platforms, like public and
    76  private PaaS, to guarantee a consistent uptime (and performance) even
    77  when some applications start to misbehave.
    78  
    79  Control Groups have been around for a while as well: the code was
    80  started in 2006, and initially merged in kernel 2.6.24.
    81  
    82  ## Docker daemon attack surface
    83  
    84  Running containers (and applications) with Docker implies running the
    85  Docker daemon. This daemon currently requires `root` privileges, and you
    86  should therefore be aware of some important details.
    87  
    88  First of all, **only trusted users should be allowed to control your
    89  Docker daemon**. This is a direct consequence of some powerful Docker
    90  features. Specifically, Docker allows you to share a directory between
    91  the Docker host and a guest container; and it allows you to do so
    92  without limiting the access rights of the container. This means that you
    93  can start a container where the `/host` directory will be the `/` directory
    94  on your host; and the container will be able to alter your host filesystem
    95  without any restriction. This is similar to how virtualization systems
    96  allow filesystem resource sharing. Nothing prevents you from sharing your
    97  root filesystem (or even your root block device) with a virtual machine.
    98  
    99  This has a strong security implication: for example, if you instrument Docker
   100  from a web server to provision containers through an API, you should be
   101  even more careful than usual with parameter checking, to make sure that
   102  a malicious user cannot pass crafted parameters causing Docker to create
   103  arbitrary containers.
   104  
   105  For this reason, the REST API endpoint (used by the Docker CLI to
   106  communicate with the Docker daemon) changed in Docker 0.5.2, and now
   107  uses a UNIX socket instead of a TCP socket bound on 127.0.0.1 (the
   108  latter being prone to cross-site-scripting attacks if you happen to run
   109  Docker directly on your local machine, outside of a VM). You can then
   110  use traditional UNIX permission checks to limit access to the control
   111  socket.
   112  
   113  You can also expose the REST API over HTTP if you explicitly decide to do so.
   114  However, if you do that, being aware of the above mentioned security
   115  implication, you should ensure that it will be reachable only from a
   116  trusted network or VPN; or protected with e.g., `stunnel` and client SSL
   117  certificates. You can also secure them with [HTTPS and
   118  certificates](/articles/https/).
   119  
   120  The daemon is also potentially vulnerable to other inputs, such as image
   121  loading from either disk with 'docker load', or from the network with
   122  'docker pull'. This has been a focus of improvement in the community,
   123  especially for 'pull' security. While these overlap, it should be noted
   124  that 'docker load' is a mechanism for backup and restore and is not
   125  currently considered a secure mechanism for loading images. As of
   126  Docker 1.3.2, images are now extracted in a chrooted subprocess on
   127  Linux/Unix platforms, being the first-step in a wider effort toward
   128  privilege separation.
   129  
   130  Eventually, it is expected that the Docker daemon will run restricted
   131  privileges, delegating operations well-audited sub-processes,
   132  each with its own (very limited) scope of Linux capabilities, 
   133  virtual network setup, filesystem management, etc. That is, most likely,
   134  pieces of the Docker engine itself will run inside of containers.
   135  
   136  Finally, if you run Docker on a server, it is recommended to run
   137  exclusively Docker in the server, and move all other services within
   138  containers controlled by Docker. Of course, it is fine to keep your
   139  favorite admin tools (probably at least an SSH server), as well as
   140  existing monitoring/supervision processes (e.g., NRPE, collectd, etc).
   141  
   142  ## Linux kernel capabilities
   143  
   144  By default, Docker starts containers with a restricted set of
   145  capabilities. What does that mean?
   146  
   147  Capabilities turn the binary "root/non-root" dichotomy into a
   148  fine-grained access control system. Processes (like web servers) that
   149  just need to bind on a port below 1024 do not have to run as root: they
   150  can just be granted the `net_bind_service` capability instead. And there
   151  are many other capabilities, for almost all the specific areas where root
   152  privileges are usually needed.
   153  
   154  This means a lot for container security; let's see why!
   155  
   156  Your average server (bare metal or virtual machine) needs to run a bunch
   157  of processes as root. Those typically include SSH, cron, syslogd;
   158  hardware management tools (e.g., load modules), network configuration
   159  tools (e.g., to handle DHCP, WPA, or VPNs), and much more. A container is
   160  very different, because almost all of those tasks are handled by the
   161  infrastructure around the container:
   162  
   163   - SSH access will typically be managed by a single server running on
   164     the Docker host;
   165   - `cron`, when necessary, should run as a user
   166     process, dedicated and tailored for the app that needs its
   167     scheduling service, rather than as a platform-wide facility;
   168   - log management will also typically be handed to Docker, or by
   169     third-party services like Loggly or Splunk;
   170   - hardware management is irrelevant, meaning that you never need to
   171     run `udevd` or equivalent daemons within
   172     containers;
   173   - network management happens outside of the containers, enforcing
   174     separation of concerns as much as possible, meaning that a container
   175     should never need to perform `ifconfig`,
   176     `route`, or ip commands (except when a container
   177     is specifically engineered to behave like a router or firewall, of
   178     course).
   179  
   180  This means that in most cases, containers will not need "real" root
   181  privileges *at all*. And therefore, containers can run with a reduced
   182  capability set; meaning that "root" within a container has much less
   183  privileges than the real "root". For instance, it is possible to:
   184  
   185   - deny all "mount" operations;
   186   - deny access to raw sockets (to prevent packet spoofing);
   187   - deny access to some filesystem operations, like creating new device
   188     nodes, changing the owner of files, or altering attributes (including
   189     the immutable flag);
   190   - deny module loading;
   191   - and many others.
   192  
   193  This means that even if an intruder manages to escalate to root within a
   194  container, it will be much harder to do serious damage, or to escalate
   195  to the host.
   196  
   197  This won't affect regular web apps; but malicious users will find that
   198  the arsenal at their disposal has shrunk considerably! By default Docker
   199  drops all capabilities except [those
   200  needed](https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go),
   201  a whitelist instead of a blacklist approach. You can see a full list of
   202  available capabilities in [Linux
   203  manpages](http://man7.org/linux/man-pages/man7/capabilities.7.html).
   204  
   205  One primary risk with running Docker containers is that the default set
   206  of capabilities and mounts given to a container may provide incomplete
   207  isolation, either independently, or when used in combination with
   208  kernel vulnerabilities.
   209  
   210  Docker supports the addition and removal of capabilities, allowing use
   211  of a non-default profile. This may make Docker more secure through
   212  capability removal, or less secure through the addition of capabilities.
   213  The best practice for users would be to remove all capabilities except
   214  those explicitly required for their processes.
   215  
   216  ## Other kernel security features
   217  
   218  Capabilities are just one of the many security features provided by
   219  modern Linux kernels. It is also possible to leverage existing,
   220  well-known systems like TOMOYO, AppArmor, SELinux, GRSEC, etc. with
   221  Docker.
   222  
   223  While Docker currently only enables capabilities, it doesn't interfere
   224  with the other systems. This means that there are many different ways to
   225  harden a Docker host. Here are a few examples.
   226  
   227   - You can run a kernel with GRSEC and PAX. This will add many safety
   228     checks, both at compile-time and run-time; it will also defeat many
   229     exploits, thanks to techniques like address randomization. It doesn't
   230     require Docker-specific configuration, since those security features
   231     apply system-wide, independent of containers.
   232   - If your distribution comes with security model templates for
   233     Docker containers, you can use them out of the box. For instance, we
   234     ship a template that works with AppArmor and Red Hat comes with SELinux
   235     policies for Docker. These templates provide an extra safety net (even
   236     though it overlaps greatly with capabilities).
   237   - You can define your own policies using your favorite access control
   238     mechanism.
   239  
   240  Just like there are many third-party tools to augment Docker containers
   241  with e.g., special network topologies or shared filesystems, you can
   242  expect to see tools to harden existing Docker containers without
   243  affecting Docker's core.
   244  
   245  Recent improvements in Linux namespaces will soon allow to run
   246  full-featured containers without root privileges, thanks to the new user
   247  namespace. This is covered in detail [here](
   248  http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/).
   249  Moreover, this will solve the problem caused by sharing filesystems
   250  between host and guest, since the user namespace allows users within
   251  containers (including the root user) to be mapped to other users in the
   252  host system.
   253  
   254  Today, Docker does not directly support user namespaces, but they
   255  may still be utilized by Docker containers on supported kernels,
   256  by directly using the clone syscall, or utilizing the 'unshare'
   257  utility. Using this, some users may find it possible to drop
   258  more capabilities from their process as user namespaces provide
   259  an artificial capabilities set. Likewise, however, this artificial
   260  capabilities set may require use of 'capsh' to restrict the
   261  user-namespace capabilities set when using 'unshare'.
   262  
   263  Eventually, it is expected that Docker will have direct, native support
   264  for user-namespaces, simplifying the process of hardening containers.
   265  
   266  ## Conclusions
   267  
   268  Docker containers are, by default, quite secure; especially if you take
   269  care of running your processes inside the containers as non-privileged
   270  users (i.e., non-`root`).
   271  
   272  You can add an extra layer of safety by enabling AppArmor, SELinux,
   273  GRSEC, or your favorite hardening solution.
   274  
   275  Last but not least, if you see interesting security features in other
   276  containerization systems, these are simply kernels features that may
   277  be implemented in Docker as well. We welcome users to submit issues,
   278  pull requests, and communicate via the mailing list.
   279  
   280  References:
   281  * [Docker Containers: How Secure Are They? (2013)](
   282  http://blog.docker.com/2013/08/containers-docker-how-secure-are-they/).
   283  * [On the Security of Containers (2014)](https://medium.com/@ewindisch/on-the-security-of-containers-2c60ffe25a9e).