I support docker in its efforts. However, docker is too cute, too hyped, and too rapidly developed to trust with your security as yet. Quite frankly, you have to understand a bit more than how to call an API to have faith in your infrastructure's inherent security.<p>For example, in this article the author links to the 'list of dropped capabilities in the Docker code'. As it happens, I wrote that list quite some time ago, and wrote it for <i>lxc-gentoo</i>, a guest-generation script for raw LXC against an earlier kernel version with an earlier LXC userspace. Not only is the list now out of date, it's no longer using the preferred approach. Why is this? Instead of explicit drop ("allow all, deny some") after some months of raising the issue one of the LXC devs finally added the 'lxc.keep' (ie. "deny all, allow some") which is architecturally more secure against things like kernel upgrades which add or modify kernel capabilities.<p>Furthermore, the docker people only included this when I added <a href="https://github.com/dotcloud/docker/commits/v0.5.0/lxc_template.go?author=globalcitizen" rel="nofollow">https://github.com/dotcloud/docker/commits/v0.5.0/lxc_templa...</a> ... things as important as <i>WARNING: procfs is a known attack vector and should probably be disabled if your userspace allows it. eg. see</i> <a href="http://blog.zx2c4.com/749" rel="nofollow">http://blog.zx2c4.com/749</a> and <i>WARNING: sysfs is a known attack vector and should probably be disabled if your userspace allows it. eg. see</i> <a href="http://bit.ly/T9CkqJ" rel="nofollow">http://bit.ly/T9CkqJ</a><p>Again, I fully support docker's efforts but the article is ... misleading at best.
Good post, except that it's extremely misleading to use Solaris as the canonical example of non-Linux containers and then say that non-Linux containers "haven't had as much exposure" and "the source code isn't always available for peer review and auditing". Solaris containers (in Solaris first, and then illumos when Solaris became closed-source again) have been open source since 2005 and running in hostile production environments that whole time.
By the way, if anyone knows of a documented exploit for LXC, I would love to hear about it. People (generally advocating VMs, zones, jails, OpenVZ...) will often say that "containers are not secure", but once you've taken some basic steps (like locking down kernel caps and device access) it becomes difficult to find an actual threat.
<i>>Finally, if you run Docker on a server, it is recommended to run exclusively Docker in the server, and move all other services within containers controlled by Docker.</i><p>This looks like what CoreOS is providing, a stripped down barebones host, with all other services not strictly necessary in the host moved to the containers.<p><i>>Capabilities turn the binary “root/non-root” dichotomy into a fine-grained access control system. Processes (like web servers) that just need to bind on a port below 1024 do not have to run as root: they can just be granted the net_bind_service capability instead. And there are many other capabilities, for almost all the specific areas where root privileges are usually needed.</i><p>This is awesome, has been a personal pain point in the past, trying to get JVM running as non-root in ubuntu server. Theoretically it's easy with IPTABLEs, but in practice it can be tricky to get working exactly right.
I'm very interested in all those things, but I clearly lack a trajectory for learning them. Is there a reference I could read or a 'name' for that domain? How does one become educated on these things?<p>So far I've grabbed knowledge by reading paper on operating systems (and misunderstanding 80% of their content), reading man pages, reading Tanenbaum's textbooks, etc. But still I don't feel like I know or understand.<p>They say a lack of words for things render one blinds of their ignorance. Sometimes it's also that you just don't know what needs to be learnt.