I. Introduction
There is no doubt that containers are one of the mainstream technologies of cloud computing.
Docker solves the problem of deployment-environment dependencies by packaging the application together with its runtime environment. This eliminates the gaps between compilation, packaging, deployment, and operation and maintenance, and helps improve the efficiency of application development and operations. In short, it fits the DevOps concept and has been praised by many companies.
Of course, there are many security risks across the life cycle of a Docker container: problems in the container itself, problems in the container image, and problems exposed by the container at runtime. This article therefore discusses the security issues in the life cycle of Docker containers and the corresponding ways to improve them. I hope readers will criticize and correct me!
II. Docker container life cycle security issues
The non-production environment is closely tied to Dev (development), while the production environment is closely tied to Ops (operation and maintenance). The main control point in the non-production environment is image deep scanning. During container orchestration in the production environment, Docker images are pulled from the non-production environment and run, so image operation control is also a main control point.
The main control points in the production environment are container system intrusion detection and protection, and container network intrusion detection and protection. At the same time, compliance baseline issues should be treated as an important control point at every stage of the Docker container life cycle.
Starting from these main control points of Docker container security, the following lists some of the security issues each one deals with.
1. Image deep scan
Security issues to pay attention to when performing image deep scanning include, but are not limited to:
Operating system packages and application dependencies in the image that contain known CVE vulnerabilities
A webshell planted in the image's application directory
Sensitive information leaked in the image
Image integrity verification problems
Insecure practices in the Dockerfile (the Dockerfile is the build script of a Docker image)
2. Image operation control
When performing image operation control, security issues to pay attention to include, but are not limited to:
Image integrity verification problems
Privileged mode (the container shares the host's root privileges)
Memory quota not restricted
CPU priority not restricted
Storage quota not restricted
Host network mode used when starting containers
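The runtime settings listed above can be checked from the JSON that `docker inspect` prints. The following is an added example written for this article, not code from the original, that audits that JSON for the five conditions; it assumes the real `HostConfig.Privileged`, `Memory`, `CpuShares`, `NetworkMode` and `StorageOpt` fields, and the two containers in the sample are constructed for an offline run.

```python
"""Audit `docker inspect` output for the image-operation-control issues listed above."""
import json

# Constructed sample: a subset of the fields `docker inspect` prints for two containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-prod",
        "HostConfig": {
            "Privileged": False,
            "Memory": 536870912,        # 512 MiB limit
            "CpuShares": 512,
            "NetworkMode": "bridge",
            "StorageOpt": {"size": "10G"},
        },
    },
    {
        "Name": "/debug-box",
        "HostConfig": {
            "Privileged": True,
            "Memory": 0,                # 0 means no memory quota
            "CpuShares": 0,             # 0 means default weight, i.e. not restricted
            "NetworkMode": "host",
            "StorageOpt": None,
        },
    },
])

def audit_container(entry):
    """Return the control-point findings for one `docker inspect` entry."""
    hc = entry.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode: container shares host root privileges")
    if not hc.get("Memory"):
        findings.append("memory quota not restricted")
    if not hc.get("CpuShares"):
        findings.append("CPU priority not restricted")
    if not (hc.get("StorageOpt") or {}).get("size"):
        findings.append("storage quota not restricted")
    if hc.get("NetworkMode") == "host":
        findings.append("host network mode: container shares the host network stack")
    return findings

def audit(inspect_json):
    """Map container name -> findings for every entry in a `docker inspect` array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```

In practice, pipe `docker inspect $(docker ps -q)` into `audit()` and treat any finding as an item to warn on or block according to the policy chosen in section III.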
3. Container system intrusion detection and protection
When doing container system intrusion detection and protection, security issues to pay attention to include, but are not limited to:
File system not isolated
Calls to vulnerable kernel functions
Denial-of-service attacks
4. Container network intrusion detection and protection
When doing container network intrusion detection and protection, security issues to pay attention to include, but are not limited to:
LAN attacks between containers
Remote API interface security
Flaws in Docker's architecture and security mechanisms
Web application security issues in microservice architectures
5. Security compliance baseline
To address Docker security issues, the compliance baseline should pay attention to, but is not limited to, the following:
Kernel level
Network level
Image level
Container level
File limits
Capability limits
6. Vulnerabilities in Docker and its supporting software
When using Docker and its supporting software, security issues to pay attention to include, but are not limited to:
Docker's own vulnerabilities
Vulnerabilities in orchestration software such as K8S (Kubernetes)
Vulnerabilities in the image registry itself
Note: Vulnerabilities in Docker and its supporting software have a deep impact on the security of Docker containers, so they are treated as an independent control point. "The versions of Docker and its supporting software in use are not affected by known vulnerabilities" can itself be regarded as a security compliance baseline item.
III. How to improve the security posture of Docker containers
Faced with the challenges of Docker container security, you can "divide and conquer": manage the security control points of each stage separately. When implementing controls, you can also prioritize: give priority to the more important control points and postpone the less important ones. For example, the "image operation control" control points depend largely on how users use Docker, so a security product can warn users about dangerous operations without necessarily blocking them; Docker container security products should instead focus on defending against the security problems that users' unsafe usage causes.