
Docker Image Insecurity

263 points by Titanous, over 10 years ago

11 comments

shykes, over 10 years ago
I wish the author had not omitted this crucial paragraph in the announcement he quotes:

"Note that this feature is still work in progress: for now, if an official image is corrupted or tampered with, Docker will issue a warning but will not prevent it from running. And non-official images are not verified either. This will change in future versions as we harden the code and iron out the inevitable usability quirks. Until then, please don't rely on this feature for serious security, just yet."

So, we've made it pretty clear from the start that we're *working* on ways to make image distribution more secure, but are not *claiming* that it's more secure yet.
ef4, over 10 years ago
I keep hearing people ask "why won't they just get the core tech right instead of adding all these tangentially related features?".

If Docker was just an open source project, it could focus on getting the core tech right. But Docker is also a startup, and the startup can't stay differentiated unless they keep adding bells & whistles, all of which stay tightly integrated.

See also "Why there is no Rails Inc" (http://david.heinemeierhansson.com/posts/6-why-theres-no-rails-inc)
lclarkmichalek, over 10 years ago
I don't understand why the image distribution is so tightly tied into the main docker codebase. This is why rocket is a thing, because docker is the systemd of the container world. Please stop trying to do everything.
ewindisch, over 10 years ago
Hello, I'm the lead security engineer at Docker, Inc.

There is nothing particularly new in Jonathan's post and I thank him for facilitating a conversation. Image security is of the utmost importance to us. For these reasons, we've concentrated efforts here in both auditing and engineering effort. Engineers here at Docker, our auditors, and community contributors alike have been evaluating this code to many of the same conclusions.

Last month, we released Docker 1.3.2 which included limited privilege separation, and extending this paradigm has been discussed. I have explicitly called out the need for containerization of the 'xz' process, and to run it in an unprivileged context. I thank Jonathan for reminding us of the need for this work and validating much of what is already in progress.

As the recently published CVEs describe, we are expending resources in discovering and fixing security issues in Docker. Yet, I agree the v1 registry has a flawed design and we're aware of it. In September, I requested to become a maintainer of the tarsum code and have also made proposals and pushed PRs toward improving the v1 registry integration. This is not to replace the v2 effort, but to offer improved security for the design we have today.

We have a draft for a v2 registry and image format. This and the supporting libtrust library are in the process of being audited by a 3rd party. This is something we had previously promised the community and are making good on. What code exists today is a technical preview.

Unlike the v1 registry and image format, the libtrust and v2 image format code has been designed for a decentralized model. However, as the libtrust and v2 image work, and subsequently the registry protocols, are still in draft and security review, it is difficult for us to recommend that users yet attempt deploying these. This is why the developers of that code have not published clear instructions for its use, nor made such recommendations. As this work comes out of review and a specification is finalized, we should expect to see a much better experience and more secure image transport, along with stronger support for on-premises and 3rd-party registries.
geku, over 10 years ago
I would really prefer it if Docker, Inc. would spend their time and effort on securing their core product rather than extending it all the time by adding more and more features like Machine, Swarm, etc.
23david, over 10 years ago
The inevitable CVEs coming from this report will definitely get their attention. Hopefully the adults in the room will help make sure that the Docker team addresses what up until now has been a really lax approach towards security.

Who is the architect in charge of this, and do they have any security chops? If not, it's just a matter of $$$ to get a 3rd-party security review before every major release. I've done it before, and it's really not a big deal.
snoble, over 10 years ago
It confuses me why they wouldn't just verify the images since they have the signature in the manifest. Is this because they don't want to wait for a complete image before they start streaming through the pipeline? Is this actually a significant time saver?
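The trade-off snoble raises, checking a layer against the digest pinned in the manifest before anything downstream (xz, tar) consumes it, as an added example; this is not code from the article, from Docker, or from any commenter. The layer, its manifest digest and the tampered copy are all constructed inside the block, and the `policy="warn"` path only models the warn-but-run behaviour quoted earlier in the thread.

```python
import hashlib
import io
import lzma
import tarfile


def make_layer(files):
    """Constructed sample: build an xz-compressed tar layer from {name: bytes}."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return lzma.compress(raw.getvalue())


def check_layer(blob, expected_sha256, policy="enforce", chunk_size=64):
    """Hash the blob as it arrives in chunks, then decide *before* decompression.

    policy="enforce": a digest mismatch raises and no byte reaches xz/tar.
    policy="warn": a mismatch is only reported and extraction proceeds anyway
    (the warn-but-run behaviour the thread is debating).
    Returns (digest_matched, member_names)."""
    h = hashlib.sha256()
    for i in range(0, len(blob), chunk_size):  # stand-in for a streamed download
        h.update(blob[i:i + chunk_size])
    matched = h.hexdigest() == expected_sha256
    if not matched and policy == "enforce":
        raise ValueError("layer digest mismatch: refusing to decompress untrusted bytes")
    with tarfile.open(fileobj=io.BytesIO(lzma.decompress(blob)), mode="r:") as tar:
        return matched, tar.getnames()


# Constructed manifest entry: the digest a signed manifest would pin the layer to.
GOOD_LAYER = make_layer({"etc/motd": b"hello from a constructed layer\n"})
MANIFEST_DIGEST = hashlib.sha256(GOOD_LAYER).hexdigest()
# Constructed tampering: flip one bit in the blob a registry or mirror served.
TAMPERED_LAYER = GOOD_LAYER[:-1] + bytes([GOOD_LAYER[-1] ^ 0x01])


if __name__ == "__main__":
    print(check_layer(GOOD_LAYER, MANIFEST_DIGEST))
    try:
        check_layer(TAMPERED_LAYER, MANIFEST_DIGEST)
    except ValueError as err:
        print("rejected:", err)
```

Hashing the stream costs only one pass over bytes already being read, so the fail-closed gate delays extraction by the download itself, not by extra work.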
wayoverthere, over 10 years ago
Particularly interesting given that some of these problems were pointed out to Docker folks ~4 months ago in the development of the feature. https://github.com/docker/docker/issues/8093#issuecomment-57138688
rab_oof, over 10 years ago
Early on, I asked that images be signed similar to Debian packages, but was met with skepticism and resistance. To me, none of the Docker core devs had a handle on the security implications of allowing anyone and everyone to share random bits without being able to prove end-to-end integrity and nonrepudiation.

I hope this has changed; Docker is a great app. But if not, perhaps someone would like to teach them a security lesson? It seems the only way most people actually learn, sadly. :(
disjointrevelry, over 10 years ago
Reminds me of Debian and Ubuntu's requirement that apt-get is run under root. There are simple ways to get apt-get to run as non-root, but it requires giving permission to a non-root account to modify important package signature files. But they're not as bad as Docker. It's becoming the norm for these US/Silicon companies to give very bad integrity on data.
oscargrouch, over 10 years ago
As a non-security-aware (not a security specialist) developer, this was one of the most instructional and concise little gems about security flaws I've read. You can learn very useful tricks just by reading this. Thank you.