Security of docker is still a hot topic. Some people believe that the
fact that the application runs in a container adds a layer of security
that allows for a somewhat slower adoption of security patches. I
don't share that vision at all. The applications are running for a
reason - they might be processing customer data, hosting credential
information, ... - which, in case of vulnerabilities, can still be
disclosed.

So it is wise to first take a step back and consider what you understand by security.

There is the security of the underlying host, and the CIA
(Confidentiality, Integrity, Availability) concerns of all
applications (including docker containers) that are running on that
host. Hosts that support Docker containers will very much want to
harden the environment to provide at least resilience against attacks
and have some sort of protective measures so that problems on one
container cannot jeopardize other containers/customers.

Then you have the security of the docker platform itself: mostly the
daemon, but also the processes that are involved. Running only trusted
containers, making sure the authentication/authorization aspects are
up to par, etc.

Then there is the security of the container infrastructure
(namespaces, kernel itself, ...) which has to be closely followed up
on.

And then finally you have the security of the applications running
inside the container.

For a truly secure environment, all four areas need to be under
control. In most cases, containers do not improve security, because
they do not improve the controls that are in place on the application
level. And after all, docker containers are running applications
(possibly business applications) and it is vulnerabilities or
misconfigurations in those applications that are readily visible as a
"secure" versus "non-secure" setup. That it runs on Docker, or a
virtualization layer like VMware or Xen or KVM, or on dedicated
systems, or somewhere in the cloud, has no bearing on that.

My 2 cents,

  Sven Vermeulen

On Wed, Feb 25, 2015 at 9:11 PM, Alex Efros <power...@powerman.name> wrote:
> Hi!
>
> What is recommended way to update Docker containers with Gentoo?
>
> I mean, each container is supposed to be small and unique, having
> installed only the packages needed for the app which will run in this container.
> So, with 100 different apps we may have 100 different containers with
> Gentoo, each with a custom set of packages, and even the same packages may be
> built with different USE flags or using different versions - that's the
> main point of Docker: provide each app with the environment it needs.
>
> But Gentoo releases updates every few hours, some of them important
> security updates, so at a glance it looks like we'll have to rebuild and
> restart all containers every few hours/days, and we'll have to compile all
> packages multiple times - once per container - which isn't acceptable
> at all because of the CPU resources needed (but it should be possible
> to mitigate this by using binary packages in cases where USE flags match
> and ccache to speed up the other cases).
>
> Am I missing something, or is the only way to keep Docker containers secure to
> rebuild all containers each time I run `emerge --sync && emerge -uDN world`
> on the host?
>
> --
>                         WBR, Alex.
>

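The thread leaves the practical side of the question open: after a host update, which images actually hold a stale package, and how do you avoid compiling the same package once per container? The script below is an added example, written for this page and not code from either poster, from Gentoo or from Docker. It compares each image's installed package list with what the host just upgraded and emits a build command only for the images that are stale. Everything in it is assumed rather than taken from the thread: the sample manifests and host upgrade list are constructed, the manifests are taken to be in `qlist -Iv` form (one category/package-version per line), and the images are taken to live in ./images/<name>/ and be built with the host's PKGDIR shared in, so that `emerge --usepkg` inside the build reuses binary packages.

```python
"""Which Gentoo-based Docker images need a rebuild after a host update?

Added example, not code from the thread, Gentoo or Docker. Rather than
rebuilding every container on every `emerge -uDN world`, compare what each
image has installed with what the host just upgraded and rebuild only the
images that hold a stale version.
"""
import re

# Constructed sample data, not from any real host or image: per-image
# package lists in `qlist -Iv` form.
IMAGE_MANIFESTS = {
    "web-frontend": """\
dev-libs/openssl-1.0.1k
net-misc/curl-7.40.0
sys-libs/zlib-1.2.8-r1
www-servers/nginx-1.6.2
""",
    "worker": """\
dev-lang/python-2.7.9-r1
dev-libs/openssl-1.0.1k
sys-libs/zlib-1.2.8-r1
""",
    "db": """\
dev-db/postgresql-9.4.1
sys-libs/zlib-1.2.8-r1
""",
}

# Constructed: what `emerge -uDN world` just upgraded on the host.
HOST_UPDATES = """\
dev-libs/openssl-1.0.1l
dev-lang/python-2.7.9-r2
sys-apps/util-linux-2.25.2-r2
"""

# A Gentoo version starts at the first "-" followed by a digit; package names
# may not end in "-<digits>", which is what makes this split unambiguous.
_CPV = re.compile(r"^([a-z0-9+_.-]+/[A-Za-z0-9+_.-]+?)-(\d.*)$")


def split_cpv(cpv):
    """'sys-apps/util-linux-2.25.2-r2' -> ('sys-apps/util-linux', '2.25.2-r2')."""
    m = _CPV.match(cpv.strip())
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group(1), m.group(2)


def parse_manifest(text):
    """Map category/package -> version; blank lines and '#' comments are skipped."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            cp, ver = split_cpv(line)
            pkgs[cp] = ver
    return pkgs


def images_to_rebuild(manifests, host_updates):
    """Return {image: [(category/package, image_version, host_version), ...]}.

    Any version mismatch counts as stale. That is deliberately conservative:
    it avoids reimplementing Gentoo's version ordering, and a false positive
    costs one extra build from binary packages, not a missed security fix.
    """
    updated = parse_manifest(host_updates)
    stale = {}
    for image, text in manifests.items():
        installed = parse_manifest(text)
        hits = sorted(
            (cp, installed[cp], ver)
            for cp, ver in updated.items()
            if cp in installed and installed[cp] != ver
        )
        if hits:
            stale[image] = hits
    return stale


def rebuild_plan(stale):
    """One `docker build` line per stale image, naming the packages that caused it.

    Assumed layout: ./images/<name>/Dockerfile whose emerge step runs with the
    host's PKGDIR shared in and `--usepkg` set, so packages the host (or an
    earlier image build with the same USE flags) already compiled are reused.
    `--no-cache` forces that step to run again instead of using a cached layer.
    """
    plan = []
    for image, hits in sorted(stale.items()):
        pkgs = " ".join(cp for cp, _old, _new in hits)
        plan.append(f"docker build --no-cache -t {image} images/{image}  # stale: {pkgs}")
    return plan


if __name__ == "__main__":
    stale = images_to_rebuild(IMAGE_MANIFESTS, HOST_UPDATES)
    for image, hits in sorted(stale.items()):
        print(image)
        for cp, old, new in hits:
            print(f"  {cp}: {old} -> {new}")
    print("\n".join(rebuild_plan(stale)))
```

With the constructed data, only web-frontend and worker come out stale (both carry the old openssl, worker also the old python); db shares zlib with the host but zlib was not upgraded, so it is left alone. Images whose USE flags match the host pick the rebuilt packages up as binpkgs; the ccache the question mentions covers the ones that still have to compile.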