What is Docker?
Docker for Linux
Docker is similar to a virtual machine in some respects.
However, where a virtual machine provides a complete virtual operating system, Docker for Linux lets applications share the same Linux kernel as the host system.
Several applications can thus share one kernel, reducing both resource use and management overhead, while remaining isolated from one another.
Docker for Windows
Docker for Windows Containers is available for Windows 10 and Windows Server 2016.
There are two types of Windows Containers:
• Windows Server Containers
• Hyper-V Isolation
Windows Server Containers do not provide strong security, which is why it is best to avoid them.
Hyper-V isolation first creates a virtual machine; one or more containers are then deployed onto the operating system installed in that VM.
A docker container is a lightweight, stand-alone, executable package of a piece of software that includes everything needed to run: code, runtime, system tools, system libraries, settings.
A developer can create, start, stop, move, or delete a container using the Docker API.
The PostgreSQL object-relational database system provides reliability and data integrity.
Running a PostgreSQL database in a Docker container offers several advantages:
• Ease of upgrades and of packaging extensions.
• Easy separation of alternate applications.
• Automation of backups and replica creation.
• Simple setup and distribution of developer environments.
Running PostgreSQL in a Docker container also has a few disadvantages:
• The administrator has to understand the storage options thoroughly and choose the right one.
• Each database's specification and user access must be configured individually.
What are Docker's advantages?
Docker provides a platform and tools for building, distributing and deploying applications using Docker containers.
It is designed for both developers and system administrators, which makes it part of many DevOps (developers + operations) workflows.
Developers can focus on writing code inside a Docker container without worrying about the underlying system, and Docker reduces the number of systems needed.
Developers write code locally and share their work with colleagues using Docker containers.
How does Docker communicate?
Docker uses a client-server architecture.
The Docker client talks to the Docker daemon, which does the heavy lifting of the building, running and distributing Docker containers.
The Docker client and daemon can run on the same system, or a Docker client can connect to a remote Docker daemon.
Docker Security for Linux
1. Host security
The Docker host OS must be patched regularly.
Apply the grsecurity and PaX patches to harden the kernel. grsecurity provides address space protection, enhanced auditing, and process control; PaX provides least-privilege protections for memory pages.
Configure the Security-Enhanced Linux (SELinux) module, a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls.
Segregate containers by considering data sensitivity.
Update the Docker software on a daily basis.
2. Image provenance
Running a malicious image could compromise the infrastructure. Verifying container integrity is particularly important when images are transferred over an untrusted network. Image signing protects against tampering with an image while it is in transit. Enable the DOCKER_CONTENT_TRUST environment variable so that only signed images are allowed.
The root key and repository keys should be protected from unauthorized access: back them up securely, store the backups offline, use strong passphrases, and rotate and expire old keys.
Use an image's unique digest hash to ensure that the image has not been changed or corrupted in transit.
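As an added example that is not part of the original article, the following Python script shows the digest check described above: it flags image references that rely only on a mutable tag and verifies that a fetched manifest hashes to the digest pinned in the reference. The registry name, manifest body and digests are constructed for this illustration.

```python
import hashlib
import hmac
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_reference(ref):
    """Split an image reference into repo, tag and digest (None when absent)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    # A ':' after the last '/' is a tag; before it, it is a registry port.
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    return {"repo": ref, "tag": tag, "digest": digest}


def digest_of(data):
    """Content digest in the form registries use: sha256 over the manifest bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def is_pinned(ref):
    """True when the reference carries a full sha256 digest, not only a mutable tag."""
    digest = parse_reference(ref)["digest"]
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None


def verify_manifest(manifest_bytes, pinned_ref):
    """Check that the bytes fetched for a pinned reference hash to the pinned digest."""
    if not is_pinned(pinned_ref):
        return False  # nothing to verify against: refuse rather than trust a tag
    expected = parse_reference(pinned_ref)["digest"]
    return hmac.compare_digest(digest_of(manifest_bytes), expected)


def audit_references(refs):
    """Return the references that are not digest-pinned (':latest', bare tags, ...)."""
    return [r for r in refs if not is_pinned(r)]


if __name__ == "__main__":
    # Constructed sample: a fake manifest body and a reference pinned to its digest.
    manifest = b'{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json"}'
    pinned = "registry.example.com:5000/postgres@" + digest_of(manifest)
    print(audit_references(["postgres:latest", "postgres:15", pinned]))
    print(verify_manifest(manifest, pinned), verify_manifest(manifest + b"\n", pinned))
```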
3. Container monitoring
Logging and monitoring should be maintained to identify and investigate security incidents.
Configure logging to capture the logs of the host, the infrastructure, and the containers.
For the containers, make sure the log level is set to INFO.
4. Container privilege level
The root user inside a container also has the privilege of becoming the root user of the host system. If the container has any vulnerability, the host becomes vulnerable too. That is why applications in a container should run as a non-privileged user. If an application must run as root, use Docker's user namespace feature to re-map the container's root to a non-privileged user on the host.
Access to the Docker daemon should be limited: any user in the docker group can access both the containers and the host.
To prevent privilege escalation, setuid and setgid binaries should be removed from images.
5. Data security in container
Sensitive data stored inside of an image can be accessed by anyone that pulls the image from the registry.
Sensitive information stored in environment variables is accessible to all processes in the container. These secrets may then leak into logs and are visible with the docker inspect command.
Use a dedicated secrets management solution to store sensitive data.
Sensitive data should be rotated frequently.
6. Image security
Make sure images have up-to-date software.
Signatures should be verified to ensure there has been no tampering or corruption in transit.
Base images should be updated regularly with all security patches.
Run image scanning on a daily basis.
7. Container resource restrictions
As the number of containers grows, one vulnerable application can cause a denial of service (DoS) for the other containers.
Docker provides the capability to limit resources. Limits can be applied to memory, CPU and disk IOPS, as well as to the number of processes and open file descriptors.
File system access can be limited by mounting file systems read-only where possible; this prevents data from being overwritten and malicious code from being injected into the system.
Restrict network access.
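The following Python script is an added example, not code from the original article. It audits a docker inspect document for the points raised in sections 4, 5 and 7 above: a root user, extra capabilities, secrets in environment variables, missing memory, CPU and PID limits, a writable root file system and host networking. The two container entries are constructed samples that mimic a subset of the real docker inspect fields, and the secret-name pattern is a heuristic chosen for this example.

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output (subset of the real
# fields); the names and values are made up for this illustration.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/pg-weak",
     "Config": {"User": "", "Env": ["PGDATA=/var/lib/postgresql/data",
                                    "POSTGRES_PASSWORD=hunter2"]},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False,
                    "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None,
                    "NetworkMode": "host"}},
    {"Name": "/pg-hardened",
     "Config": {"User": "999:999", "Env": ["PGDATA=/var/lib/postgresql/data",
                                           "POSTGRES_PASSWORD_FILE=/run/secrets/pg_pw"]},
     "HostConfig": {"Privileged": False, "CapAdd": None, "ReadonlyRootfs": True,
                    "Memory": 1073741824, "NanoCpus": 1000000000, "CpuQuota": 0,
                    "PidsLimit": 200, "NetworkMode": "pg-net"}},
])

# Heuristic: variable names that usually carry a secret. *_FILE variables hold a
# path to a mounted secret rather than the secret itself, so they are exempt.
SECRET_KEY = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)


def audit_container(c):
    """Return a list of finding codes for one `docker inspect` entry."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    findings = []
    if (cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append("runs-as-root")                       # section 4
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("CapAdd"):
        findings.append("extra-capabilities:" + ",".join(host["CapAdd"]))
    for entry in cfg.get("Env") or []:
        key = entry.split("=", 1)[0]
        if SECRET_KEY.search(key) and not key.endswith("_FILE"):
            findings.append("secret-in-env:" + key)           # section 5
    if not host.get("Memory"):
        findings.append("no-memory-limit")                    # section 7
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no-cpu-limit")
    pids = host.get("PidsLimit")
    if not pids or pids < 0:                                  # None/0 unset, -1 unlimited
        findings.append("no-pids-limit")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for a whole `docker inspect` JSON document."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}
```

Pipe the real output of `docker inspect <container>` into audit_inspect_output to run the same checks against a live host.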
Docker is very helpful for saving and sharing server environments using containers. Containers also offer advantages in security. Docker is a user-friendly solution.