Docker reduces security?
- running Docker containers -> running the Docker daemon (source)
- more daemons/services/processes -> larger attack surface (source)
- larger attack surface -> lower security (source)
This means by logical transitivity: running Docker containers -> lower security.
But before jumping to conclusions, we should ask at least five whys:
- Why do you need Docker?
- Why do you need containers?
- Why do you need isolation?
- Why do you need multiple containers on the same host?
- Why do you need security?
Docker simplifies many tasks and has many features, but like everything else it comes with a cost. So, is it possible to remove the Docker daemon from the equation to increase security? There are many alternatives, but each of them has different trade-offs. Some of the tools just shift the security risk, so choose carefully. Here is a very limited subset of possibilities in no particular order:
- Podman is a daemon-less Docker replacement which is more secure and uses the same backend (runc).
- systemd-nspawn supports OCI runtime bundles
- LXC supports OCI images (lxc-create -t oci)
- Use runc directly (source)
- Run the “container” with raw Linux kernel features (source)
- Transform the Docker container to a disk image and run it on “bare-metal” (e.g. docker-to-linux)
- Run the container directly on “bare-metal” (e.g. Kerla)
- Nsjail focuses on the security isolation with namespaces (same as Docker)
- Firecracker uses minimal virtual machines (KVM)
- Solaris Containers, a built-in feature of Solaris
- FreeBSD Jails, a built-in feature of FreeBSD
- Bocker, an alternative implementation which shows how simple it can get
- Nanos
- Kaniko doesn’t depend on a Docker daemon
- …
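The attack-surface argument above is easy to check on a real host. The following shell script is an added example (it is not part of the original post and not a tool from any of the projects listed): it reports the two things that usually turn the Docker daemon into a privilege boundary problem, the permissions of the daemon socket and the membership of the `docker` group, whose members can talk to the daemon and therefore launch containers that can reach the host. The socket path and group file are parameters so the functions can be run against a constructed directory; the defaults `/var/run/docker.sock` and `/etc/group` are the usual locations and are assumptions about the host layout.

```shell
#!/bin/sh
# Added example: audit the Docker daemon's attack surface on a host.
# Not from the original post; paths are parameters with assumed defaults.

# socket_risk PATH
# Prints one of: absent, owner-only, group-shared, world-writable.
# Only the file mode is inspected, so a regular file at PATH is judged the
# same way as a real Unix socket (useful for testing in a scratch directory).
socket_risk() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "absent"
    return 0
  fi
  # GNU stat first, BSD stat as a fallback; both print the octal mode.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  oth=${mode#"${mode%?}"}          # last octal digit: others
  rest=${mode%?}
  grp=${rest#"${rest%?}"}          # second-to-last octal digit: group
  if [ $(( oth & 2 )) -ne 0 ]; then
    echo "world-writable"          # anyone on the host can drive the daemon
  elif [ $(( grp & 2 )) -ne 0 ]; then
    echo "group-shared"            # every member of the owning group can
  else
    echo "owner-only"
  fi
}

# docker_group_members GROUP_FILE [GROUP]
# Prints the comma-separated member list of GROUP (default: docker) from an
# /etc/group-format file, or nothing if the group or file is missing.
docker_group_members() {
  file="$1"
  group="${2:-docker}"
  [ -r "$file" ] || return 0
  awk -F: -v g="$group" '$1 == g { print $4 }' "$file"
}

# report [SOCKET] [GROUP_FILE]
# Human-readable summary combining both checks.
report() {
  sock="${1:-/var/run/docker.sock}"
  groups_file="${2:-/etc/group}"
  echo "daemon socket $sock: $(socket_risk "$sock")"
  members=$(docker_group_members "$groups_file")
  if [ -n "$members" ]; then
    echo "docker group members (daemon access, effectively root): $members"
  else
    echo "docker group: no members (or group absent)"
  fi
}

# Run against the host defaults; override with DOCKER_SOCK / GROUP_FILE.
report "${DOCKER_SOCK:-/var/run/docker.sock}" "${GROUP_FILE:-/etc/group}"
```

A host without `dockerd` reports `absent`, which is exactly the state the daemon-less alternatives above leave you in; a `group-shared` socket plus a non-empty `docker` group is the common default and is what the attack-surface argument is about.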
For the sake of security, just keep in mind:
“Security engineers working on Virtualization Security should push for as much attack surface reduction as possible” (source)
Additional links: