Docker Community Forums

Share and learn in the Docker community.

Noob question: How is security assured with docker (wrt the source of the apps and OS)


(Cheetahgear) #1

Hi,

First, I apologize but didn’t see a help-specific sub-section in this forum, so I post this question in the general discussion forum. Let me know if I should have posted somewhere else.

This being said, I have limited experience with *nix systems, and even more limited experience with Docker. I’ve basically tried to install 6 different docker images on my Synology NAS and only managed to get 2 working (learning A LOT along the way).

Here is my very basic question regarding security: My understanding is that a docker image is similar to a VM in that it is a fresh OS install (often ubuntu, but can be any OS) on top of which we install various applications, often to accomplish one “simple” task.

That image is created from a docker file, which is a “recipe” on how to build the image. For example, the recipe could look something like:

  • Download and install Ubuntu version X with options x, y, z
  • Download and install uTorrent version X

I then create a container (a running version of the image) from that image.

My concern is as follow: Most noob like myself (and probably many intermediate users) will first start by looking for existing images from the docker registry instead of writing a docker file from scratch. Chances are, many other people wanted the same thing. However, what would prevent someone from taking a fresh Ubuntu image, adding a few keyloggers and backdoors, and then publish a docker file such as`

  • Download my custom Ubuntu with backdoor
  • Download uTorrent

Since I only get to access uTorrent from the webUI, I don’t even have the ability so SEE what is installed on the Ubuntu (and even if I did, it could easily be hidden).

My understanding is that the key to the security lies within the docker file itself, and I need to carefully review each line to make sure that the SOURCE of each downloaded application is indeed from a “reputable”/official sources.

Taking my uTorrent example, I see that amongst the 29 uTorrent repositories, one has been pulled 15600 times, so I assume it is “better” (what would stop an attacker from using a bot to “pull” his custom image thousands of times?).

From there, the docker file states:
1- FROM ubuntu
-> I must go see what is inside the Ubuntu package (this is simple, but if it said “FROM ubuntu-super-secure” one could assume it was a legitimate base-image but it wouldn’t.

2- ADD http://download-new.utorrent.com/endpoint/utserver/os/linux-x64-debian-6-0/track/beta/
–> Similar to phishing scams where a URL is mangled to look like a legitimate bank URL (for example), I must inspect the URL to make sure it is indeed from a legit domain (utorrent.com in this case) and avoid the typical traps such as “download.utorrent.com.myowndomainwithUTORRENTinthename.ru”, for example.

3- ADD http://launchpadlibrarian.net/103002189/libssl0.9.8_0.9.8o-7ubuntu3.1_amd64.deb /tmp/
–> Here, I am suspicious because I have no idea what launchpadlibrarian is. The “libssl” in the filename puts me at ease - I suppose uTorrent needs some kind of encryption library added… but is launchpadlibrarian just a github-like repository where someone could store a custom backdoored app?? I’m really wondering.

How are people making sure that the container they install are 100% secure and legit?

Thanks for your input.


(Cheetahgear) #2

@dockersupport1 : I see that 95% of the questions on this forum go unanswered… Is there another place to get support, or a way to send PM to users or the company to get our questions answered?

Thanks

PS: I get “badges” for editing my own post and reading the guidelines? I would prefer receive a reply to my post…


(Sabin Basyal) #3

Hi,

Although I may not be able to answer your question to the specific detail you wanted, I want you to look to our recent project “Nautilus”—an image scanning effort for Docker application images. Project Nautilus provides automated security analysis for images that are hosted on the Docker Hub image repository.

Nautilus has actually been running for the couple of months on Docker Hub to help protect a number of official application images. Nautilus has already helped to secure above 75 million downloads from the Docker Hub.

On top of that, Docker Content Trust makes use of the open-source Notary project, which aims to enable secure updating by way of authenticated and signed application images.

So, long story short, you can trust the Official images, which are being tested against all the security tools that does deep content analysis and can go beyond vulnerabilities that are already known and found in existing Linux distribution vulnerability databases. If you are unsure about other non-official Images, do not use them if the Dockerfile looks suspicious. Instead, use the Dockerfile and create your own image.

Regards,
Sabin