1. The difference between Docker and a virtual machine
- A VM uses a hypervisor to emulate hardware such as CPUs, memory and network devices, and then runs its own kernel and operating system (OS) on that emulated hardware. Because the VM has its own kernel and OS, a user inside it cannot directly use the host's OS or hardware resources, so virtual machines give a stronger guarantee of isolation and security.
- A Docker container isolates resources through Linux namespaces, limits resource usage with cgroups, and in this way keeps containers from interfering with one another. Because container isolation is provided only by the shared kernel, it is weaker than the isolation of a virtual machine.
2. Docker container security issues
- Docker’s own security
  - Docker, as a container engine, has security vulnerabilities of its own. CVE records a number of Docker-related vulnerabilities, mainly privilege escalation and information leakage.
- Image security
  - Since a container is started from an image, the security of the image directly determines the security of the container.
  - Vulnerable software in the image: a container image pulls in software packages, and if a package itself has a vulnerability, an attacker can compromise the container and from there threaten other containers or the host.
  - Registry vulnerabilities: whether it is the official Docker registry or your own private registry, it can be compromised and your image files modified; when that image is then used, you become the attacker's target.
  - User program vulnerabilities: software packages built by users may carry vulnerabilities or malicious scripts implanted in them, which can compromise the container or the host.
- The Linux kernel is not isolated enough
  - Although namespaces provide many kinds of resource isolation, some critical content is not isolated, including critical system directories such as /sys and /proc, which can leak critical information about the host.
  - Moreover, namespace isolation alone is not enough: once the kernel namespace boundary is breached, the user can directly obtain superuser privileges on the host, affecting host security.
- All containers share the host kernel
  - Because all containers on the same host share the host kernel, an attacker can use certain means to crash the host kernel, which brings the host down and affects all other services running on it.
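Because /proc stays visible inside a container, a defender can use it to check what a containerised process is actually allowed to do against the shared kernel. The following is an added example, not code from the original page: it decodes the CapEff line of /proc/<pid>/status into capability names and reports anything beyond Docker's default capability set. The status excerpts are constructed, and the "host-affecting" list is this example's own policy choice.

```python
"""Decode a process's effective capability set from /proc/<pid>/status.

Added example, not code from the original page. Bit numbers follow
include/uapi/linux/capability.h; the status excerpts are constructed.
"""
import os
import re

# Bit position -> capability name (include/uapi/linux/capability.h order).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities Docker grants by default (docker run without --cap-add/--privileged).
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# Policy choice for this example: capabilities that reach into the shared host
# kernel (mounting, module loading, raw I/O, tracing other processes, ...).
HOST_AFFECTING_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_BPF",
})


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_eff(status_text):
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return match.group(1)


def audit_status(status_text):
    """Return (effective caps, caps beyond Docker's default, host-affecting caps)."""
    caps = decode_cap_mask(parse_cap_eff(status_text))
    return caps, caps - DOCKER_DEFAULT_CAPS, caps & HOST_AFFECTING_CAPS


# Constructed /proc/<pid>/status excerpts (not real captures).
DEFAULT_CONTAINER_STATUS = "Name:\tsh\nPid:\t1\nCapEff:\t00000000a80425fb\n"
SYS_ADMIN_STATUS = "Name:\tsh\nPid:\t1\nCapEff:\t00000000a82425fb\n"  # default + CAP_SYS_ADMIN

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER_STATUS),
                        ("--cap-add SYS_ADMIN", SYS_ADMIN_STATUS)):
        caps, extra, risky = audit_status(text)
        print(f"{label}: {len(caps)} caps, beyond default {sorted(extra)}, "
              f"host-affecting {sorted(risky)}")
    # On Linux, audit the current process the same way (inside a container this
    # shows what the container runtime actually left you with).
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            print("self host-affecting:", sorted(audit_status(fh.read())[2]))
```

Running it inside a container and seeing anything in the "host-affecting" set is the signal to revisit the run configuration: with a shared kernel, those capabilities are the ones that let a breached namespace turn into host compromise.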
3. How to solve the security problems of the container itself
- Improvements in Docker’s own security: as Docker has matured, great improvements have been made to its security. At present, Docker is safe enough under its default configuration and default behaviour.
- Ensure the security of the image itself: install an image security scanning component in the private registry; once an image is found to have a vulnerability, promptly notify the user and prevent the image from being built and published.
- Strengthen kernel security and management: since containers rely solely on the kernel for resource isolation, we need to patch kernel vulnerabilities, use capabilities to allocate only the permissions needed, deploy security hardening components, and apply resource limits.
- Use secure containers: containers have the advantage of being lightweight and fast to start, and virtual machines have the advantage of strong isolation. Is there a technology that combines both, lightweight and secure? Yes: secure containers. The main difference between a secure container and an ordinary container is that each secure container runs in its own mini virtual machine, with an independent operating system and kernel and the security isolation of the virtualization layer. The currently recommended technical solution for secure containers is Kata Containers. A Kata Container does not contain a complete operating system; only a compact guest kernel runs the container's own application, and by trimming unnecessary memory and sharing as much memory as possible it further reduces memory overhead. In addition, Kata Containers implements the OCI specification and can start a Kata Container directly from a Docker image, so it offers lower overhead, startup in seconds, and security isolation.
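The image-scanning gate and the capability/resource-limit hardening described in the two items above can be enforced together as a single pre-deployment check. The following is an added example, not code from the original page or from Docker: it blocks an image whose scan report has findings at or above a chosen severity, and rejects a run configuration that keeps the default capability set, lacks resource limits, or shares host namespaces. The scan report format, the severity threshold, the capability allowlist and the CVE-EXAMPLE identifiers are constructed for illustration; the HostConfig keys are the ones `docker inspect` prints for a container.

```python
"""Pre-deployment gate combining image scan results and run-config hardening.

Added example, not code from the original page. Scan report format, policy
thresholds and identifiers are constructed; HostConfig keys follow
`docker inspect` output.
"""

# Severity order used by this example's policy.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Capabilities a workload may add back after --cap-drop=ALL (example allowlist).
ALLOWED_CAPS = {"NET_BIND_SERVICE", "CHOWN", "SETUID", "SETGID"}


def gate_scan_report(report, block_at="HIGH"):
    """Return the findings at or above `block_at`; a non-empty list blocks publication."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in report["findings"]
            if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold]


def audit_host_config(host_config):
    """Return policy violations found in a docker-inspect-style HostConfig dict."""
    violations = []
    if host_config.get("Privileged"):
        violations.append("Privileged=true grants every capability and device")
    if "ALL" not in (host_config.get("CapDrop") or []):
        violations.append("CapDrop lacks ALL; Docker's default capability set is kept")
    extra = set(host_config.get("CapAdd") or []) - ALLOWED_CAPS
    if extra:
        violations.append(f"CapAdd grants capabilities outside the allowlist: {sorted(extra)}")
    if not host_config.get("Memory"):
        violations.append("no memory limit (Memory=0)")
    if not host_config.get("PidsLimit"):
        violations.append("no pids limit (PidsLimit unset); fork bombs hit the host")
    if not host_config.get("ReadonlyRootfs"):
        violations.append("root filesystem is writable")
    if "no-new-privileges:true" not in (host_config.get("SecurityOpt") or []):
        violations.append("no-new-privileges not set; setuid binaries can regain privileges")
    if host_config.get("PidMode") == "host" or host_config.get("NetworkMode") == "host":
        violations.append("shares the host pid or network namespace")
    for bind in host_config.get("Binds") or []:
        if bind.startswith("/var/run/docker.sock:") or bind.startswith("/:"):
            violations.append(f"dangerous bind mount: {bind}")
    return violations


def admit(report, host_config):
    """True only when the image is clean at the threshold and the run config is hardened."""
    return not gate_scan_report(report) and not audit_host_config(host_config)


# Constructed scan report for an image (format and CVE ids are placeholders).
SCAN_REPORT = {
    "image": "registry.example/app:1.4.2",
    "findings": [
        {"package": "openssl", "version": "1.1.1k", "id": "CVE-EXAMPLE-0001", "severity": "HIGH"},
        {"package": "libc6", "version": "2.31", "id": "CVE-EXAMPLE-0002", "severity": "LOW"},
        {"package": "curl", "version": "7.68.0", "id": "CVE-EXAMPLE-0003", "severity": "CRITICAL"},
    ],
}

# Constructed HostConfig values as `docker inspect` would show them.
WEAK_HOST_CONFIG = {
    "Privileged": True, "CapAdd": None, "CapDrop": None, "Memory": 0,
    "PidsLimit": None, "ReadonlyRootfs": False, "SecurityOpt": None,
    "NetworkMode": "host", "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
}
HARDENED_HOST_CONFIG = {
    "Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
    "Memory": 268435456, "PidsLimit": 200, "ReadonlyRootfs": True,
    "SecurityOpt": ["no-new-privileges:true"], "NetworkMode": "bridge", "Binds": [],
}

if __name__ == "__main__":
    for f in gate_scan_report(SCAN_REPORT):
        print("blocked:", f["id"], f["package"], f["severity"])
    for v in audit_host_config(WEAK_HOST_CONFIG):
        print("weak config:", v)
    print("hardened config violations:", audit_host_config(HARDENED_HOST_CONFIG))
    print("admit:", admit(SCAN_REPORT, HARDENED_HOST_CONFIG))
```

The hardened HostConfig corresponds to `docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE --memory=256m --pids-limit=200 --read-only --security-opt no-new-privileges:true`; wiring the audit into the registry or CI pipeline gives the "notify and block" behaviour the text asks for instead of relying on each operator to remember the flags.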
4. With so many problems with containers, why choose containers instead of virtual machines?
- Containers have a low performance cost compared to virtual machines, and images are very small
- Compared with virtual machines, features such as container startup in seconds are well suited to business scenarios with rapid iteration