Tuesday, July 8, 2014

Security isolation and Docker



According to the Xen Community article The Docker exploit and the security of containers (whose pH, as it were, still isn't below one, so not all that acidic), Docker is indeed a fine tool, well suited to the following:
  • Excellent tool for packaging and deploying applications
  • Using containers to separate an application from the rest of the user-space of your distribution

In other words, the programs you deploy with Docker should all be programs you trust; Docker is not something to use as a stand-in for a VM. That is why, on Hacker News, Docker's author also stepped in to say:

Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application.

Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet!

When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly.
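As an added example (not code from the original post or from the Docker project), here is a small Python check that reads a `docker inspect`-style record and flags the things Hykes lists: the process running as root (uid 0), privileged mode, and no AppArmor or SELinux confinement. The two records are constructed and reproduce only the inspect field names the check uses (`Config.User`, `HostConfig.Privileged`, `HostConfig.SecurityOpt`, `HostConfig.CapAdd`, `AppArmorProfile`); the `audit_container` function itself is hypothetical.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output (assumption:
# only the fields used by the check are reproduced; real output carries many more).
WEAK_INSPECT = json.dumps([{
    "Id": "constructed-weak-container",
    "AppArmorProfile": "",
    "Config": {"User": ""},                       # empty User => root inside
    "HostConfig": {"Privileged": True, "SecurityOpt": None, "CapAdd": ["SYS_ADMIN"]},
}])

# The same container after applying the advice: non-root user, no --privileged,
# default AppArmor profile kept, no extra capabilities, no-new-privileges set.
HARDENED_INSPECT = json.dumps([{
    "Id": "constructed-hardened-container",
    "AppArmorProfile": "docker-default",
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "SecurityOpt": ["no-new-privileges"], "CapAdd": None},
}])


def audit_container(inspect_json):
    """Return a list of (container id, finding) tuples for docker-inspect JSON."""
    findings = []
    for c in json.loads(inspect_json):
        cid = c.get("Id", "?")
        host = c.get("HostConfig") or {}
        cfg = c.get("Config") or {}
        user = (cfg.get("User") or "").strip()
        sec_opt = host.get("SecurityOpt") or []
        if user in ("", "0", "root", "0:0"):
            findings.append((cid, "runs as uid 0: the application has root inside the container"))
        if host.get("Privileged"):
            findings.append((cid, "privileged mode: container gets nearly all host capabilities"))
        # AppArmor shows up as a profile name; SELinux as a SecurityOpt 'label=...' entry.
        apparmor = c.get("AppArmorProfile") or ""
        selinux = any(o.startswith("label") and not o.endswith("disable") for o in sec_opt)
        if apparmor in ("", "unconfined") and not selinux:
            findings.append((cid, "no AppArmor or SELinux confinement applied"))
        for cap in host.get("CapAdd") or []:
            findings.append((cid, f"extra capability granted: {cap}"))
    return findings


if __name__ == "__main__":
    for cid, msg in audit_container(WEAK_INSPECT):
        print(f"{cid}: {msg}")
    print("hardened findings:", audit_container(HARDENED_INSPECT))
```

To run it against a live host, replace the constructed strings with the output of `docker inspect`.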

Finally, the Xen Community also offers a few suggestions:

However, using containers for security isolation is not a good idea. In a blog last August, one of Docker’s engineers expressed optimism that containers would eventually catch up to virtual machines from a security standpoint. But in a presentation given in January, the same engineer said that the only way to have real isolation with Docker was to either run one Docker per host, or one Docker per VM. (Or, as Solomon Hykes says here, to use Dockers that trust each other in the same host or the same VM.)

Conclusion:

Even a good tool has to be used in the right place and in the right way~ :P

Further reading:

[1] Docker Security
[2] Solomon Hykes Explains Docker
