Docker To Defang Root Privilege Access

Docker’s upcoming 1.8 release will answer security concerns by separating a running container's root privilege from that of its owner to avoid the owner becoming a "Superuser."

Charles Babcock, Editor at Large, Cloud

June 24, 2015

4 Min Read

COBOL Leads Us Back To The Future

COBOL Leads Us Back To The Future


COBOL Leads Us Back To The Future (Click image for larger view and slideshow.)

Docker announced at its DockerCon users event Tuesday that, with its upcoming 1.8 release, it's taking steps to close perceived security gaps in its container system.

Docker containers are still dogged by worries about their security, even though Google has been safely running containers internally for 10 years. Still, no one is sure what mischief might be caused if an active agent were unleashed in a Docker container on a host with many shared resources.

"Security is the thread that needs to cut across all of the Docker projects," said Nathan McCauley, Docker's director of security, during a session at DockerCon 2015 Tuesday at the San Francisco Marriott.

The basic facts of container isolation -- how it's restricted to a certain amount of defined memory and what operating system services it may tap -- are determined by the Linux kernel's controls over those resources. Docker Inc., the firm, and Docker.org, the open source project, can do little about those controls other than hope they work as advertised.

The main drawback is one that will be corrected in the near future: A Docker container owner has root privileges on the server to allow him to have access to and manage his container. That container shares a directory with the Docker host, and a root privilege owner is a Superuser, who can give himself access to all files, among other things. Root privilege "allows you to [share a directory] without limiting the access rights of the container ... this sounds crazy?" according to information on the Docker website. No question mark is needed. It sounds crazy from a secure systems point of view.

[Want to learn more about container security? See Joyent Ready To Run Multi-Tenant Containers Without VMs.]

That's too much power to be passed out uniformly when you don't know everybody in the crowd. (Joyent, for example, routinely runs 400 containers per server.) Containers, like US presidents, have protective measures in place, but even presidents have had their assassins.

The release of Docker Platform 1.8 will separate the root privilege assigned to the container from the root privilege of any outside user. Owners will still be able to access their containers, but the new assigned root privilege inside will be masked from the container's administrator so that it doesn't allow it to pivot from the container's intended purpose into something else, such as accessing another container's files.

In the future, "the root inside the container may not be the root of any outside user. This is a big win for security in the upcoming release of 1.8," said McCauley.

In addition to the work being done to restrain root privileges, Docker officials cited other new security measures. One is the Center for Internet Security's benchmark for the 1.6 (and the current 1.7) release of Docker, which provides a long list of best practices to follow when implementing containers. The benchmark can be used to inspect an implementation, and it issues a report on whether those practices were followed and where errors or shortcoming may be found.

In addition, Scott Johnson, senior VP of product management, announced Tuesday that Docker Trusted Registry is now generally available for installation on premises as a secure place to store Docker images. With a secure registry, applications that have been Dockerized may be pulled from storage and initiated with the assurance that they haven't been tampered with.

Trusted Registry is an on-premises version of Docker's own Hub Registry, used to guarantee the integrity of thousands of Docker projects and application offerings. Trusted Registry was announced in December at DockerCon Europe and has been in a beta test period since February with 800 organizations, Johnson said. Half of those beta users are members of the Fortune 500, including CapitalOne, Disney, and GE, he said.

Docker's premier customer, however, is "customer number one, the US government's General Services Administration, responsible for processing trillions of dollars" in government contracts and purchases, Johnson said.

The registry offers role-based access controls, audit logs, and integration with ActiveDirectory and LDAP directories already used inside the enterprise. The registry is available with commercial support and 10 certified copies of the Docker Engine for $150 a month.

About the Author

Charles Babcock

Editor at Large, Cloud

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse University where he obtained a bachelor's degree in journalism. He joined the publication in 2003.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights