The open-source Docker container engine technology is set for a major boost this week. The expected release on Feb. 4 of Docker 1.10 includes new features and a strong focus on security, particularly with the integration of secure computing (or seccomp) and user namespace technology.
Seccomp is a technology that is integrated into the mainline of the Linux kernel to provide granular security control. The Docker engine runs on top of Linux, and with Docker 1.10, there is now a default seccomp profile that will enable users to benefit from additional security.
Scott McCarty, Linux container evangelist at Red Hat, said that seccomp is a powerful method for limiting an application’s behavior. He explained that applications and processes, such as containers, communicate with the Linux kernel to get work done, such as opening a file, via a set of special functions dubbed system calls. In normal operations, without seccomp in place, an application can try and run any system call that the Linux kernel supports and the user can then keep trying any set of functions with any parameters that they want until they potentially find an exploit.
“With seccomp, the administrator can limit which system calls are permitted by an application similar to how a firewall limits which ports can be used,” McCarty told eWEEK. “This allows the administrator to profile an application and only allow it to do the things it should be doing.”
With Docker 1.10, there is now a default seccomp profile that helps improve security for the running processes of a container.
“The main challenge for seccomp moving forward, however, is knowing which system calls an application should or will need, with sysadmins left to figure that out by running the application,” McCarty added.
Seccomp now joins multiple other Linux security technologies that can help secure Docker containers, including SELinux (Security Enhanced Linux). Having multiple security tools helps create and support a layered approach to defending and securing container activity.
SELinux is the list of people you can talk to, while seccomp is the list of what words you can say, McCarty said. As an example, if a person could communicate with another person using only three or five words, it would very much limit what could be expressed and prevent most types of illicit activities, and applies in much the same way to Linux containers, he added.
“SELinux limits interaction of different data structures in the kernel such as files, processes, ports, allowing users to tag which objects can interact with each other, but those objects can freely interact,” McCarty explained. “With seccomp, administrators can completely limit which interactions are possible.”
Another security technology that is likely to debut in the Docker 1.10 release is full support for user namespaces. User namespace support has been in technology preview with Docker since November 2015, as another approach to container control and visibility.
In an interview with eWEEK when user Docker namespace support was first announced, Nathan McCauley, director of security at Docker, explained that with user namespaces, there is more visibility and control for individual applications and processes that run on Docker.
McCarty, however, noted that while some people view user namespaces as a security benefit, some view it as a risk.
“User namespaces allow better separation of applications/containers because each process/container has its own set of users,” McCarty said.
From a user perspective, McCarty explained that what the integration of user namespace means is that user “John” with an ID of 1002 in container A is different than user “John” with an ID of 1002 in container B, potentially allowing for better application of SELinux rules to each user.
The challenge and the controversial element of user namespaces is that it can potentially enable root system access privileges inside a container. The risk, according to McCarty, is that by enabling root access, a regular non-administrative Docker user could potentially find a bug in the underlying host operating system.
“With user namespaces, we can let people run things as root in the container, but we also let any user through Docker do this,” McCarty said. “I think user namespaces provides a lot of convenience for end users, but at the same time scariness for administrators if they let regular users use them.”