The Docker exploit and the security of containers

We normally only cover news and information directly related to Xen in this channel, but we thought it might be useful to briefly expand our scope a bit to mention the recent discussion about the Docker security exploit.

What’s the news?

Well, to begin with, a few weeks ago Docker 1.0 was released, just in time for DockerCon.

Then last week, with timing that seems rather spiteful, someone released an exploit that allows a process running as root within a Docker container to break out of that container.

I say it was a bit spiteful, because as the post-mortem on Docker’s site demonstrates, it exploits a vulnerability which was only present until Docker 0.11; it was fixed in Docker 0.12, which eventually became Docker 1.0.

Nonetheless, this kicked off a bit of a discussion about Docker, Linux containers, and security in several places, including Hacker News, the Register, seclists.org, and the OSv blog.

There is a lot of interesting discussion there. I recommend skimming through the Hacker News discussion in particular, if you have the time. But I think the comment in the Hacker News discussion by Solomon Hykes from Docker puts it best:

As others already indicated this doesn’t work on 1.0. But it could have. Please remember that at this time, we don’t claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you’re thinking “pfew, good thing we upgraded to 1.0 or we were toast”, you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don’t grant root access to the application.

I’ve played around with Docker a little bit, and it seems like an excellent tool for packaging and deploying applications. Using containers to separate an application from the rest of the user-space of your distribution, exposing it only to the very forward-compatible Linux API, is a really clever idea.

However, using containers for security isolation is not a good idea. In a blog post last August, one of Docker’s engineers expressed optimism that containers would eventually catch up to virtual machines from a security standpoint. But in a presentation given in January, the same engineer said that the only way to have real isolation with Docker was to either run one Docker per host, or one Docker per VM. (Or, as Solomon Hykes says here, to use Dockers that trust each other in the same host or the same VM.)

We would concur with that assessment.
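The configuration advice quoted above (add AppArmor or SELinux containment, or avoid root inside the container) can be checked against `docker inspect` output. The following is an added example, not code from the original post or from Docker; the sample records are constructed, the function names are hypothetical, and it assumes no user-namespace remapping, so an empty or zero `Config.User` means host root.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE = json.loads("""[
 {"Name": "/web", "AppArmorProfile": "docker-default", "ProcessLabel": "",
  "Config": {"User": "1000:1000"}, "HostConfig": {"Privileged": false}},
 {"Name": "/db", "AppArmorProfile": "docker-default", "ProcessLabel": "",
  "Config": {"User": ""}, "HostConfig": {"Privileged": false}},
 {"Name": "/build", "AppArmorProfile": "", "ProcessLabel": "",
  "Config": {"User": "0:0"}, "HostConfig": {"Privileged": false}},
 {"Name": "/legacy", "AppArmorProfile": "unconfined", "ProcessLabel": "",
  "Config": {"User": "root"}, "HostConfig": {"Privileged": true}}
]""")

ROOT_NO_MAC = "root without AppArmor/SELinux containment"
ROOT_WITH_MAC = "root, confined only by a MAC profile"
PRIVILEGED = "privileged mode"


def runs_as_root(user):
    # An empty Config.User means no user was set, so the process runs as UID 0.
    return (user or "").split(":", 1)[0] in ("", "0", "root")


def mac_confined(container):
    # AppArmor hosts report a profile name; SELinux hosts report a process label.
    profile = container.get("AppArmorProfile") or ""
    return profile not in ("", "unconfined") or bool(container.get("ProcessLabel"))


def audit(containers):
    """Map container name -> list of findings; containers with none are omitted."""
    findings = {}
    for c in containers:
        issues = []
        if (c.get("HostConfig") or {}).get("Privileged"):
            issues.append(PRIVILEGED)
        if runs_as_root((c.get("Config") or {}).get("User")):
            issues.append(ROOT_WITH_MAC if mac_confined(c) else ROOT_NO_MAC)
        if issues:
            findings[c.get("Name", "?").lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    # Real use: pass the parsed JSON printed by `docker inspect` for the running containers.
    for name, issues in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(issues)}")
```

Separating trust groups onto different machines or VMs, the other option in the quote, is a placement decision that this per-container check cannot see.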



Posted in Community.



2 Responses


  1. jpetazzo says

    Hi! I’m the one who said that containers would eventually catch up on VMs, and also that the only way to achieve perfect isolation is to run one container per VM or per host. There is no contradiction.

    I think containers will eventually catch up. It will take time, just like it took time for VMs to be as secure as they are today. Of course, the attack surface of containers is huge, compared to type 1 hypervisors like Xen; so it will certainly take longer. There is also a huge difference: containerization has been added after the fact, so there are tons of things that need to be namespaced, isolated, etc.; while Xen has been designed very early to provide strong isolation.

    So, in the future: great news for containers. For now: “it depends!”

    In my presentation earlier this year, I was trying to explain that *for now*, if you need full root access, you will need the strong isolation that only a real hypervisor can provide. However, there are plenty of applications where you don’t need full root access (actually, most apps and databases!) and where you can achieve strong isolation anyway.

    The bottom line, in my humble opinion, is that security is made with layers; and the more you care about security, the more layers you need. In that model of thought, both containers and VMs complement each other nicely. In that spirit, the work done on features like driver domains and FLASK is extremely valuable!

Continuing the Discussion

  1. The Docker exploit and the security of containe... linked to this post on June 25, 2014

