DockOne WeChat Share (70): A brief talk on building Docker security compliance

Editor's note: Reading online posts and browsing related material may leave you with the impression that Docker is not secure enough, and that bringing it into production is reckless. The reality is that, while container security does demand close attention, a properly used container system can be just as secure and efficient as one built on virtual machines or bare metal.

Today let's talk about Docker security and compliance.

By security we mean information security, including data security and network security: chiefly the security of data as it is processed, transmitted and stored, covering both the information itself and its protection.

Security is governed by strict standards in every industry, and by national and international bodies:

    1. Thanks to relentless advertising in the consumer sector, everyone has heard of ISO 9000 (quality management systems) and ISO 14000 (environmental management systems). For security, the International Organization for Standardization also has the ISO 27000 family of information security standards, in which ISO 27001 plays the central role. The standard was released in 2005, and the latest version is currently ISO 27001:2013 DIS.

    2. The state also has information security classified protection requirements (usually abbreviated to "classified protection"). It has five levels, and many industries face hard requirements: the internet finance industry, for example, must meet at least the fourth level.

    3. Individual industries have their own security standards. In the payments industry, for example, there are the domestic-card technical certifications for the business facilities of non-financial payment institutions, JR/T 1022-2014 and JR/T 0213-2014, and the international-card data security standard PCI DSS v3.1.


Having said all that, it is worth pointing out that the various standards were published and revised with only the technical standards of virtualized environments in mind. Speaking of virtual machines: many of the people I deal with who use, or are preparing to use, Docker like to compare containers with virtual machines, or to use containers as if they were virtual machines. Yes, you: still using docker commit instead of a Dockerfile! Still using SSH to connect into the container!

I personally prefer to compare a container to a sandbox: each application has its own storage space, applications cannot climb over the wall to reach the contents of other storage spaces, and every data request an application makes is permission-checked and refused if the conditions are not met. Sound familiar? This is in fact how iOS applications work.

Back to the point. The clauses in current industry standards that have been adjusted for virtualization technology can play a big role for any enterprise that wants to protect its data. Using industry-specific standards for compliance audits largely guarantees that information is protected by best security practice. A secure information environment is critical for businesses, customers and employees alike.

Docker technology does not yet have a corresponding certification clause. Because it is relatively new, there is uncertainty about whether its data isolation can meet the requirements, and Docker's own security is not yet strong: any user with Docker permissions can perform every operation on every Docker container. This undoubtedly enlarges the scope of an audit and blurs its boundary.

In addition, Docker is currently releasing updated versions rapidly, with incompatibilities between them; guidance documents for the compliance process may follow once future versions have settled and the security issues have been resolved. For now I do not recommend using Docker directly in a certified environment.

Fortunately, the standards' requirements do not change for the virtualization technology that Docker builds on, so Docker can be assessed as a virtualization technology. We can treat Docker as one way of applying virtualization in business environments and follow those guidelines. For example, PCI DSS requirement 2, at 2.1, notes that a virtual system component or device may implement only one primary function, and that is exactly one of the characteristics of a container.

For non-certified production and non-production environments, here is some experience from using Docker that I would like to share with you:

  • Kernel security: All processes run on the same kernel. However many containers there are, every system call is handled by the host kernel, so any vulnerability in the kernel can have an enormous impact. If one container causes the kernel to crash, every container on the host goes down with it. Virtual machines are much better off: a traditional VM also has many operations that need the kernel, but that is the guest kernel, not the host's, so a problem affects only that virtual system. You could argue that an attacker who first breaks the hypervisor, then SELinux, then the host kernel controls every VM on the host, not to mention the vulnerabilities found over the years of VM development; but the security and containment of breaking only a VM kernel is not in the same order of magnitude as breaking through guest kernel → hypervisor → SELinux → host kernel layer by layer. So we recommend paying close attention to kernel security. In kernel security compliance the requirements for VMs and containers are the same, and we fully comply with current industry standards.

  • Denial of service: All containers share the same kernel resources. If one container monopolizes a resource, the other containers on the same host may be unable to work properly for lack of it. This is the principle of a denial-of-service attack (DDoS): legitimate users cannot reach some or all of the system. Here too we can draw on the virtual machine era: estimate each application's resource consumption and set limits, design cgroups so that containers which open too many files or spawn too many subprocesses are kept in check, and limit container resources such as CPU utilization and memory. Container isolation is not as thorough as a VM's, but at least business continuity can be ensured.

  • Image security: Part of the risk comes from the image itself. There are thousands of images on Docker Hub, plus the image registries offered by the various domestic PaaS cloud providers; if an attacker induces a user to download a carefully crafted image, the running host and its data are under threat. Use a trusted source, preferably an official image, and check that it has not been tampered with. Likewise, make sure you are running the latest version of the image and that it contains no software versions with known security vulnerabilities.

  • User privileges: If you have root privileges inside the container, you also have root status on the host. A non-root user on the system only needs to join the docker group to run docker commands without sudo. Similarly, a container started with the --privileged flag gains full control of the host. So first, avoid --privileged wherever you can; where there is a business need, confine all the containers that require --privileged to one or a few hosts, isolated from the other containers. Second, use sudo to add auditing and logging for users: add `user ALL=(ALL) /usr/bin/docker` to /etc/sudoers, so that using the docker command requires password authentication and every operation is logged by the system for audit.

  • File integrity: Some Linux kernel file systems must be mounted into the container environment, or processes inside the container will refuse to work. That is very convenient for a malicious process, yet most applications that run in containers do not actually need to write to those file systems. Given that, we recommend mounting them read-only, for example `-v /etc/localtime:/etc/localtime:ro`.
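As an added example (not code from the original share or from Docker itself), the POSIX shell script below turns the list above into a policy check that can be run over `docker run` command lines before they reach a host: it flags `--privileged` (user privileges), missing memory/process/CPU limits (denial of service), host-path bind mounts without `:ro` (file integrity), and image references that are not pinned by content digest (image security). The function names, the sample command lines and the sample digest are all constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the original share or from Docker itself.
# Policy check for `docker run` command lines: --privileged, missing resource
# limits, writable host bind mounts and image references not pinned by digest.
# Function names and sample inputs are constructed for this example.

# audit_docker_run "<docker run command line>"
# Prints one "FINDING:" line per problem; returns 1 if any, 0 if the line is clean.
audit_docker_run() {
    have_memory=0; have_pids=0; have_cpu=0; findings=0
    # Rewrite "--flag=value" as "--flag value" so the loop only handles one shape.
    set -- $(printf '%s\n' "$1" | sed 's/--\([a-z-]*\)=/--\1 /g')
    while [ $# -gt 0 ]; do
        case $1 in
            --privileged)
                echo "FINDING: --privileged gives the container full control of the host"
                findings=1 ;;
            -m|--memory)  have_memory=1; shift ;;    # extra shift skips the value
            --pids-limit) have_pids=1; shift ;;
            --cpus|--cpu-quota|--cpu-shares|--cpu-period) have_cpu=1; shift ;;
            -v|--volume)  shift; check_bind_mount "$1" || findings=1 ;;
            --mount)      shift; check_mount_spec "$1" || findings=1 ;;
        esac
        shift
    done
    [ "$have_memory" -eq 1 ] || { echo "FINDING: no memory limit (--memory)"; findings=1; }
    [ "$have_pids" -eq 1 ]   || { echo "FINDING: no process limit (--pids-limit)"; findings=1; }
    [ "$have_cpu" -eq 1 ]    || { echo "FINDING: no CPU limit (--cpus)"; findings=1; }
    return "$findings"
}

# check_bind_mount "host-src:container-dst[:options]"  (the -v / --volume form)
# Named volumes (no leading /) are not host paths and pass; a host path must carry ro.
check_bind_mount() {
    spec=$1
    case $spec in
        /*) ;;                       # host path: inspect the options
        *)  return 0 ;;              # named or anonymous volume
    esac
    opts=${spec#*:}                  # drop the host path
    case $opts in
        *:*) opts=${opts#*:} ;;      # drop the container path, keep the options
        *)   opts="" ;;
    esac
    case ",$opts," in
        *,ro,*) return 0 ;;
    esac
    echo "FINDING: host path bind-mounted writable: $spec (add :ro)"
    return 1
}

# check_mount_spec "type=bind,source=...,target=...[,readonly]"  (the --mount form)
check_mount_spec() {
    spec=$1
    case $spec in
        *type=bind*) ;;
        *) return 0 ;;               # volumes and tmpfs are not host paths
    esac
    case ",$spec," in
        *,readonly,*|*,ro,*|*,readonly=true,*|*,ro=true,*) return 0 ;;
    esac
    echo "FINDING: bind mount without readonly: $spec"
    return 1
}

# audit_image_ref "<image reference>"
# Returns 0 only for a reference pinned by content digest (name@sha256:<64 hex>);
# a tag, :latest included, can later be re-pointed at different content.
audit_image_ref() {
    ref=$1
    if printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        return 0
    fi
    case $ref in
        *@*) echo "FINDING: malformed digest in $ref"; return 1 ;;
    esac
    name=${ref##*/}                  # drop registry/namespace so a registry port is not read as a tag
    case $name in
        *:latest) echo "FINDING: $ref uses the mutable :latest tag; pin a digest" ;;
        *:*)      echo "FINDING: $ref is pinned by tag only; tags can be re-pointed, digests cannot" ;;
        *)        echo "FINDING: $ref has no tag, so Docker defaults to :latest" ;;
    esac
    return 1
}

# Constructed sample digest (64 hex characters); not the digest of any real image.
SAMPLE_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# Constructed weak and hardened command lines for the same service.
WEAK_RUN="docker run -d --privileged -v /var/lib/app:/data -v /etc/localtime:/etc/localtime nginx:latest"
HARD_RUN="docker run -d --memory=512m --pids-limit 200 --cpus 1.5 -v /etc/localtime:/etc/localtime:ro -v appdata:/data nginx@sha256:$SAMPLE_DIGEST"

echo "== weak =="
audit_docker_run "$WEAK_RUN" || echo "not compliant"
audit_image_ref "nginx:latest" || true
echo "== hardened =="
audit_docker_run "$HARD_RUN" && echo "flags compliant"
audit_image_ref "nginx@sha256:$SAMPLE_DIGEST" && echo "image pinned by digest"
```

The weak command line yields six findings (privileged, two writable host mounts, and three missing limits), while the hardened one passes; the image check treats only a `@sha256:` digest as pinned, since a tag is a mutable pointer that a registry owner can move after you have reviewed the image.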


All in all, with a suitable and hardened Docker container solution, commercial security standards can be fully met, although the technical requirements and the bar for the implementation staff may be higher.

That is all for today's share; thank you for listening, and I welcome further discussion. Thank you!

Q&A

Q: What are the similarities and differences between container security and virtual machine security?

A: Containers protect applications at a finer granularity. If a physical machine is a building and virtual machines are its rooms, then containers are the tenants: the building and the rooms protect against the outside, but if you do not trust the tenants you need containers for stronger isolation. These are two different angles on the problem.

Q: Image security: is the Clair scan reliable?

A: Clair is an open source container vulnerability scanning tool released by CoreOS. It cross-checks the operating system of a Docker image and the packages installed on it against known vulnerable package versions, taking the vulnerabilities from the CVE (Common Vulnerabilities and Exposures) database for the specific operating system. It leans toward static scanning, that is, image security; container runtime security schemes are less developed internationally, and domestic container clouds are a blank page on security.

Q: Docker has a user namespace mechanism; is this isolation described in any formal security specification? Have you tried using this mechanism to increase security?

A: Docker security standards are basically at a blank stage; we are feeling our way forward, mainly on accumulated practice. User namespaces can strengthen isolation to a certain degree, but, as mentioned, with user namespace isolation too many users will in practice not use the operation logs for later tracking and audit.

Q: Can you describe the difference between a sandbox and a container?

A: Sandboxes and containers are similar in the way they work, but the underlying technical implementations are completely different at the code level.

Q: How can we effectively detect whether a downloaded image contains Trojans or other unsafe content? When mounting a directory into a container, how do we grant read-only permission, and how is it implemented when the database later wants to write some information to the host?

A: There are already some image-scanning products in the world, such as the Clair a classmate mentioned just now. A directory mounted into a container can be made read-only with the ro option, but a program that needs to write to a mounted directory will not run with read-only permission. As for the security of host files, there are now many host security products and solutions, which I will not describe further.

Q: Trojan detection involves a signature library; is detection more difficult?

A: Trojan detection is essentially based on current technology, but the number of containers can be far greater than the number of virtual machines, which places higher demands on the performance and timeliness of detection.

Q: I have been asked about security recently. Given that security from a single-machine perspective may no longer be able to meet a distributed computing environment, should we revisit Docker's security standards in light of the scale effects and self-healing mechanisms that distributed computing brings us? I would like to ask the guest how he views the whole and the parts of distributed computing and the security relationship between them. Thank you.

A: A distributed system is still composed of nodes; single-machine security is the foundation, and if single-machine security cannot be met there is no point talking about distributed security. Of course, with the large-scale effect of distribution, a node's attention is on the security of data processing and storage; once node security is met, a distributed system should pay more attention to the security of data transmission between nodes, especially across the public network (a VPN tunnel is also a form of transmission across the public network). Self-healing mechanisms should be seen as a way to guarantee business continuity, which of course can also be classed as a security matter.

Q: Can Rancher achieve tenant isolation other than by using "environments"?

A: You can use host labels plus container scheduling policy to isolate different users onto different virtual machines or physical machines. As far as Rancher is concerned, separate environments are the better isolation scheme.

Q: I wonder whether the guest's security advice applies to CoreOS's container OS, or does this kind of OS have better compliance capabilities?

A: CoreOS is indeed better suited to containers; it carries fewer functions and so has fewer compliance points. It cannot be ruled out, though, that certain compliance requirements are not met, which must be judged according to the actual situation.

Q: Besides image scanning, what other aspects of container security need attention, and what mature solutions exist?

A: Besides image scanning, you also need to focus on container runtime security: network security, application vulnerabilities, attack prevention, security policies and so on. I believe the forthcoming Appsafe product will not disappoint.

Q: Does the security scheme for virtual machines also apply to containers?

A: Partly. As just mentioned, containers and virtual machines have different focuses: virtual machines are more about system security plus application security, while containers focus mainly on application security, such as code vulnerabilities and software vulnerabilities.

Q: How do you evaluate the TLS authentication that comes with swarm mode in Docker 1.12?

A: We all know the painstaking efforts of the previous period, and we also know the current state of the internet environment: TLS authentication is in fact already required in many environments, even with strict requirements on the TLS version; for example, some industries must use TLS 1.2 or above to comply. The TLS authentication built into swarm mode is, I believe, based on such requirements.

The above was organized from the group share on the evening of July 19, 2016. The speaker, Hingalong, is a senior consultant at a cloud company and an IT veteran who over the past decade has worked in storage, triple-play network convergence, multi-screen interaction, wearables, third-party payment, Docker and other fields, has held testing, operations and implementation positions of every kind, and is still active at the forefront of technology. He previously shared "Old driver leads the way | Silky-smooth continuous integration with Docker". DockOne Weekly organizes technology shares; interested readers are welcome to add Liyingjiesz to join the group, and may message us with topics they want to hear or share.
