Docker To Defang Root Privilege Access - InformationWeek
IoT
IoT
Software // Enterprise Applications
News
6/24/2015
01:07 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Docker To Defang Root Privilege Access

Docker's upcoming 1.8 release will answer security concerns by separating a running container's root privilege from that of its owner to avoid the owner becoming a "Superuser."

COBOL Leads Us Back To The Future
COBOL Leads Us Back To The Future
(Click image for larger view and slideshow.)

Docker announced at its DockerCon users event Tuesday that, with its upcoming 1.8 release, it's taking steps to close perceived security gaps in its container system.

Docker containers are still dogged by worries about their security, even though Google has been safely running containers internally for 10 years. Still, no one is sure what mischief might be caused if an active agent were unleashed in a Docker container on a host with many shared resources.

"Security is the thread that needs to cut across all of the Docker projects," said Nathan McCauley, Docker's director of security, during a session at DockerCon 2015 Tuesday at the San Francisco Marriott.

The basic facts of container isolation -- how it's restricted to a certain amount of defined memory and what operating system services it may tap -- are determined by the Linux kernel's controls over those resources. Docker Inc., the firm, and Docker.org, the open source project, can do little about those controls other than hope they work as advertised.

The main drawback is one that will be corrected in the near future: A Docker container owner has root privileges on the server to allow him to have access to and manage his container. That container shares a directory with the Docker host, and a root privilege owner is a Superuser, who can give himself access to all files, among other things. Root privilege "allows you to [share a directory] without limiting the access rights of the container ... this sounds crazy?" according to information on the Docker website. No question mark is needed. It sounds crazy from a secure systems point of view.

[Want to learn more about container security? See Joyent Ready To Run Multi-Tenant Containers Without VMs.]

That's too much power to be passed out uniformly when you don't know everybody in the crowd. (Joyent, for example, routinely runs 400 containers per server.) Containers, like US presidents, have protective measures in place, but even presidents have had their assassins.

The release of Docker Platform 1.8 will separate the root privilege assigned to the container from the root privilege of any outside user. Owners will still be able to access their containers, but the new assigned root privilege inside will be masked from the container's administrator so that it doesn't allow it to pivot from the container's intended purpose into something else, such as accessing another container's files.

In the future, "the root inside the container may not be the root of any outside user. This is a big win for security in the upcoming release of 1.8," said McCauley.

In addition to the work being done to restrain root privileges, Docker officials cited other new security measures. One is the Center for Internet Security's benchmark for the 1.6 (and the current 1.7) release of Docker, which provides a long list of best practices to follow when implementing containers. The benchmark can be used to inspect an implementation, and it issues a report on whether those practices were followed and where errors or shortcoming may be found.

In addition, Scott Johnson, senior VP of product management, announced Tuesday that Docker Trusted Registry is now generally available for installation on premises as a secure place to store Docker images. With a secure registry, applications that have been Dockerized may be pulled from storage and initiated with the assurance that they haven't been tampered with.

Trusted Registry is an on-premises version of Docker's own Hub Registry, used to guarantee the integrity of thousands of Docker projects and application offerings. Trusted Registry was announced in December at DockerCon Europe and has been in a beta test period since February with 800 organizations, Johnson said. Half of those beta users are members of the Fortune 500, including CapitalOne, Disney, and GE, he said.

Docker's premier customer, however, is "customer number one, the US government's General Services Administration, responsible for processing trillions of dollars" in government contracts and purchases, Johnson said.

The registry offers role-based access controls, audit logs, and integration with ActiveDirectory and LDAP directories already used inside the enterprise. The registry is available with commercial support and 10 certified copies of the Docker Engine for $150 a month.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jries921
50%
50%
jries921,
User Rank: Ninja
6/25/2015 | 3:23:57 PM
Why isn't a container running under the owner's account?
That is the time-honored means in the UNIX world of insuring that non-administrative users can't escalate their privileges.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
6/24/2015 | 2:54:52 PM
Trusted Registry is Docker's first monetized product
I think Trusted Registry is the first effort by Docker Inc. to monetize its strong position as a supplier of container platform. More of course to follow. But Docker isn't just a bit of open source code doing one thing, for which all the world can be grateful. It's merging into and changing a central workflow that provides new software for the business. When it reaches the production stage, it needs to be commercially supported and have a strong commercial company behind it. Go, Docker.
Register for InformationWeek Newsletters
White Papers
Current Issue
Cybersecurity Strategies for the Digital Era
At its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll