The logical resource boundaries established in Docker containers are almost as secure as those established by the Linux operating system or by a virtual machine, according to a report by Gartner analyst Joerg Fritsch.
However, Docker and Linux containers in general fall short when it comes to container management and administration, Fritsch said in his report, "Security properties of containers managed by Docker." That is, while a container ensures secure use of compute resources, the more mature system and administrative controls represented by a Xen, KVM, or VMware management system offer guarantees beyond proper compute resource utilization. The systems management that can be applied to virtual machines and operating systems grants visibility into operations, tracks changes, and can require proper authorization for certain actions.
The absence of such controls in today's container systems means container operations security can't be guaranteed. In that sense, VMware's warnings that the only safe container is one operating in a virtual machine still applies. But the Gartner study suggests that somewhere in the not too distant future, that dictum may no longer prove true.
[Want to learn more about how Amazon sees Docker containers? See Amazon's Container Strategy Examined.]
Fritsch's key finding: "Containers managed by Docker are effective in resource isolation. They are almost on par with the Linux OS and hypervisors in secure operations management and configuration governance."
Another way of saying that is the server memory allocated to one container won't end up inadvertently being used by another container, and the same goes for other resources. That is, if the container formatting system sets logical limits and boundaries, they will be enforced by the Docker system.
At the same time, Fritsch added this warning: Docker containers "disappoint when it comes to secure administration and management and to support for common controls for confidentiality, integrity, and availability."
That didn't prevent Fritsch from concluding that Docker containers are suitable for multi-tenant, platform-as-a-service type operations. PaaS is usually a development and test environment in the cloud used by developers from different and sometimes competing companies. Fritsch stopped short of saying containers were suitable in multi-tenant, infrastructure-as-a-service operations. In such a setting, it's understood that one competitor's production applications and confidential data may be operating alongside a competitor's, and containers don't offer enough assurance that malicious code in one system won't be able to intrude on the operations of another.
"Linux containers are mature enough to be used as private and public PaaS," Fritsch wrote. But he added the warning, "In mixed environments -- across multiple trust levels, security zones, or potentially hostile tenants -- additional safeguards such as SELinux should be configured." SELinux (security enhanced Linux) limits an application's access to files and network resources. It may only access the minimum required to do its work and will be shut off from other resources if renegade code in the application instructs it to access them.
The Gartner report takes a step toward confirming that Linux containers in general, and Docker in particular, are not only lighter-weight forms of application isolation than virtual machines, but secure ones as well, as far as internal operations for a given operating system are concerned. They're lighter weight because they share the host server's operating system's kernel. In a virtual machine, each application is combined with its own operating system. As a result, powerful servers that can run dozens of virtual machines can run hundreds of containers, resulting in greater compute density.
Fritsch recommended that Docker users realize they're venturing onto new territory in large-scale container operations. "Recognize the inherent complexity and evolving art," he advised. Start with limited, basic deployments and let some de facto standards for container management emerge. Software-defined networking will also require standards for working with containers to ensure secure operations.
The Docker Platform, Google's Kubernetes open source project, and CoreOS's open source Rocket project may all contribute to future container administration and management, but they are also young initiatives.
In the meantime, container users can set boundaries on what tenants in a multi-tenant cloud environment might do while accessing a container host by relying on nsenter, a tool that limits interactions between a tenant and the tenant's containers. Currently, other methods are used as approximate ways of limiting tenant access, with varying drawbacks and results, wrote Fritsch.
Apache Mesos can be used for deploying and managing containers at scale, he said. Mesos is open source code for running a cluster hosting containers.
Container security remains a hot topic, as companies consider their potential for running production systems. The many shared resources, particularly the host operating systems that containers use, make any flaw in their operations a potentially great security exposure. In November, a flaw was discovered in previous versions of Docker that allowed malicious code to gain unassigned privileges and pull files it wasn't meant to see. The only way to correct the problem was to upgrade to the latest version of Docker.
Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio