Docker can efficiently create, ship and run containers. A container wraps an application’s software into an invisible box with everything it needs to run. This includes the operating system, application code, runtime, system tools and libraries.
Docker containers are built off of Docker images, which are lightweight, portable and allow developers to build, transfer and run distributed applications efficiently. In addition, it allows for an application to be packed and moved easily, increasing the simplicity of infrastructure. Docker also provides reduced boot times, which improves the utilisation of resources. However, as containers continue to evolve, the concern for security grows larger.
Containers are less isolated from one another than virtual machines. The job of a container is to package and distribute applications, but not all available on the web can be trusted and not all libraries and components included in the containers are patched and up to date. A recent study showed that 67 per cent of organisations plan to begin using containers over the next two years, but 60 per cent say that they are concerned about security issues.
- Kernel exploits: Unlike a virtual machine, the kernel is shared among all containers and the host. If a container causes a kernel to panic, it will take down the whole host.
- Denial-of-service attacks: Containers share kernel resources, so if one container is able to monopolise the access to certain resources, it can starve out other containers on the host. This results in a denial-of-service (DoS). Users are then unable to access part or all of the system.
- Container breakouts: Be aware of potential privilege escalation attacks, where a user gains elevated privileges through a bug in application code that must run with extra privileges. While unlikely, breakouts are possible and should be considered when developing a continuity plan.
- Poisoned images: If an attacker can trick you into running their image, the host and data are at risk. In addition, make sure that the images that are running are up to date.
- Compromising secrets: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service.
While Docker containers may be efficient and provide flexibility, it is critical to assess the above prior to implementation.
What containers mean for IT and development
Forrester analyst, Dave Bartoletti, thinks that only ten per cent of enterprises currently use containers in production now, but up to a third are testing them. To put it into context; Docker was able to generate $762 million in revenue in 2016. Containers will transform the IT world because they use shared operating systems. A move like this could save a data centre or cloud provider tens of millions of dollars annually in power, but it is all about the risk an organisation is willing to take.
There are, however, some concerns surrounding the assurance that developers still have the freedom to innovate while using containers. Developers must be able to pick and choose which tools and frameworks they would like to use and rarely ask for permission. Using a container could potentially stifle a developer’s creativity.
The choice is ultimately up to an organisation on whether to invest in containers. With pros and cons weighing evenly, it all comes down to risk appetite.
Does your organisation use containers in production? If not, are you testing them? Let us know by tweeting @KrollOntrackUK