
Everything about Docker Security



What is Docker and why is it being used?

Before we actually dive into the technical part, let’s imagine that you work for a company which has two departments concerned with the development and the deployment of services, products, etc.

They are called the development team and the operations team. After countless hours of discussions and meetings, it is finally decided what the company needs on its website. The requirements are sent to the development team, and it is now their turn to work on the website. As you and I know, the more features and functionalities a website needs, the more libraries and packages will be imported. Suppose they are working in NodeJS, with the Express framework and MongoDB as the database. When the website is finally complete, they check that it works on a development server before sending it to the operations team, whose job is to deploy it on the production server.

Did it occur to you that the versions of Node, Express and the other libraries used when the website was developed, on the development server, could be different from the ones installed on the production server?

What will be the outcome? When the website is deployed, there are good odds that it will throw errors on the production server. The production server might have deprecated libraries or versions installed, or configuration issues, or the development server itself might have been running deprecated libraries and versions. Either way it is a losing situation, because the end result is that the website couldn't be installed.


Now consider a different scenario. The development team builds the website, but instead of sending the raw code directly to the operations team, they put it inside a container. Think of this container as a kind of sandbox. It holds the code and the database along with their configuration files, and the team can install every dependency they need inside it. Now all the operations team has to do is connect the container to the network and run it to bring the website to life. That is Docker in short: all the dependencies, artefacts and configurations are saved in the container, and the container runs in isolation, without interfering with other packages or dependencies, much like a sandbox or a virtual machine.

Why Does a Docker Installation Become Vulnerable?


Container technology isn’t new, but for many of us it is. To prevent it from being exploited by adversaries, it is essential to follow best practices.

The following are scenarios in which your Docker installation could become vulnerable.

  1. Some users might not know about the latest release and therefore install an outdated version of the Docker engine or of the underlying host OS, which carry known vulnerabilities; they might also install outdated dependencies.
  2. The Docker daemon is the brain and heart of Docker. It listens for Docker API requests and creates and manages your Docker objects such as images, containers, networks and volumes. By default its socket is owned by the root user, and anyone else who obtains access to the socket effectively has root privileges, which is something you never want. It is also possible to make your Docker daemon reachable remotely by binding it to a network interface.
  3. Running Docker as root is something teams routinely do. When we configure a website, we create a new user and assign it the minimum privileges needed for its day-to-day tasks; we don’t keep the site running with the privileges of the root user. But we often forget this in the case of Docker.
  4. Installing base images with unnecessary components. Components in your base image that are unnecessary, and that you don’t understand, increase the attack surface.
  5. Leaking sensitive information is one of the major concerns. Docker, for its normal operations, requires TLS certificates, SSH keys, credentials, etc. Exposing them in the Dockerfile itself is like handing your house keys to your enemy.
  6. Installing vulnerable open-source libraries. Believe it or not, when a particular piece of software solves our problem easily, we install it at the click of a button, and what’s more, it is free of cost. But since these projects are open source, they often don’t have a team dedicated to them 24×7, so they can have vulnerabilities, and many might never be patched.
  7. Allowing users to run system commands. You can leave users free to run any system command on a freshly installed Docker container.
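Several of the mistakes above (a secret in ENV or ARG, key files copied into the image, no USER instruction) can be caught before the image is ever built. The following Python linter is an added example, not code from the original post; the Dockerfile it checks is a constructed sample, and the variable-name and file-name patterns are assumptions you would tune to your own conventions.

```python
import re

# Constructed sample Dockerfile (not from the original post) that makes several of the
# mistakes above: a secret in ENV, a secret-named build ARG, key material copied in,
# and no USER instruction, so every process runs as root.
SAMPLE_DOCKERFILE = """\
FROM node:18
ENV DB_PASSWORD=hunter2
ARG API_TOKEN
COPY id_rsa /root/.ssh/id_rsa
COPY . /app
RUN npm install
CMD ["node", "server.js"]
"""

# Assumed naming conventions; tune to your own.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
KEY_FILE = re.compile(r"id_rsa|id_ed25519|\.pem$|\.key$|\.p12$|\.pfx$", re.I)


def lint_dockerfile(text):
    """Return (line_no, message) findings; line 0 means the whole file.

    Backslash line continuations are not joined, so a secret split across
    lines would be missed; good enough to show the checks.
    """
    findings = []
    runs_as_root = True
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr in ("ENV", "ARG") and SECRET_NAME.search(args):
            # ENV values are stored in every layer; ARG values survive in `docker history`.
            findings.append((no, f"{instr} carries a secret-looking variable: {args.split('=')[0]}"))
        elif instr in ("COPY", "ADD"):
            tokens = [t for t in args.split() if not t.startswith("--")]
            for src in tokens[:-1]:  # every token but the last is a source path
                if KEY_FILE.search(src):
                    findings.append((no, f"{instr} bakes key material into the image: {src}"))
        elif instr == "USER" and args.strip() not in ("root", "0"):
            runs_as_root = False
    if runs_as_root:
        findings.append((0, "no non-root USER instruction: container processes run as root"))
    return findings
```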

What can we do to secure the installation?


Now that we are aware of some of the ways in which we can make our docker installations vulnerable, let’s go through some of the ways in which we can make them secure.

  1. Keep track of the Docker engine. If you find a vulnerability that can compromise your security, patch it as soon as possible. This won’t keep you up at night.
  2. Take special care while binding the daemon to a network interface. It makes your Docker daemon remotely accessible not only to you, but also to your adversaries. If you have to make it accessible, use Docker’s TLS-encrypted HTTP socket, as it supports authentication.
  3. Docker is driven by its API, so you can secure your containers by configuring the API so that it is not reachable from the public internet, or by enforcing certificate-based authentication, which also enforces encrypted communication.
  4. We know that running Docker with elevated privileges can be harmful. Docker provides a “rootless mode”. To run in rootless mode:
docker context use rootless
docker run -d -p 8080:80 nginx

To check whether a container is running in privileged mode:

docker inspect --format='{{.HostConfig.Privileged}}' [container_id]

If it returns true, the container is running in privileged mode; otherwise it is not.

5. Leaking sensitive information through Dockerfiles can let an attacker quickly compromise your container. Container orchestrators like Kubernetes and Docker Swarm provide secret-management capabilities that solve the problem of leaking sensitive information through Dockerfiles.

6. Try to use base images with the minimum of components. Even if you do have some components installed, it is important that you understand them well, because if you don’t, they will add to the attack surface.

7. System calls can be used by a user to escalate privileges. You can choose which system calls to allow or deny. Additionally, just as on Linux you can obtain the list of commands run from the .bash_history file, you can also monitor the system commands made inside a container.
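Points 2, 4, 5 and 7 of this list can be audited on a running host from `docker inspect` output, whose fields `HostConfig.Privileged`, `Config.User`, `HostConfig.SecurityOpt`, `Mounts` and `Config.Env` are real. This Python audit is an added example, not from the original post or from Docker; the inspect records it parses are constructed samples, and the secret-name hints are an assumption.

```python
import json

# Constructed `docker inspect` output (not real containers), trimmed to the fields checked.
# "web" makes every mistake in the list; "db" is configured the way the list recommends.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"User": "", "Env": ["NODE_ENV=production", "DB_PASSWORD=hunter2"]},
        "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined"],
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/db",
        "Config": {"User": "999:999", "Env": ["PATH=/usr/bin"]},
        "HostConfig": {"Privileged": False, "SecurityOpt": None, "Binds": None},
        "Mounts": [{"Type": "volume", "Source": "dbdata", "Destination": "/var/lib/postgresql"}],
    },
])

SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY")  # assumed conventions


def audit_container(c):
    """Return the list of findings for one container record."""
    findings = []
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged: full device and capability access to the host")
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("runs as root inside the container")
    if any("seccomp=unconfined" in opt for opt in host.get("SecurityOpt") or []):
        findings.append("seccomp disabled: every system call is allowed")
    for m in c.get("Mounts", []):
        if m.get("Source") == "/var/run/docker.sock":
            findings.append("docker socket mounted: root on the host for anyone in the container")
    for env in cfg.get("Env") or []:
        name = env.split("=", 1)[0]
        if any(hint in name.upper() for hint in SECRET_HINTS):
            findings.append(f"secret-looking environment variable: {name}")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in `docker inspect` output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}
```

Against live containers, feed it the output of `docker inspect $(docker ps -q)`.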

Docker has made it really simple and effective for developers to build applications and for operations teams to deploy them on production servers. It might look simple from the outside, and it is, but overlooking the security implications is easy too. Therefore, before you deploy your Docker container, it is important that you consider those implications. You can start by considering the security measures above.
