I agree that containers do not improve security. It is a business solution quite useful for Cloud services, developers, and maybe in the future to isolate desktop apps like Qubes OS does with Xen, but it is fairly new, so it lacks certain security requirements. Imho this basically adds more complexity to exploitation, but it is not a mitigation or a real solution.
However, there is an interesting talk I attended at DevConf by Dan Walsh: https://www.youtube.com/watch?v=725rsC7NS44

On Thu, Feb 26, 2015 at 8:53 AM, Sven Vermeulen <sven.vermeu...@siphos.be> wrote:
> Security of docker is still a hot topic. Some people believe that the fact that the application runs in a container adds a layer of security that allows for a somewhat slower adoption of security patches. I don't share that vision at all. The applications are running for a reason - they might be processing customer data, hosting credential information, ... which in case of vulnerabilities can still be disclosed.
>
> So it is wise to first take a step back and see what you see under security.
>
> There is the security of the underlying host, and the CIA (Confidentiality, Integrity, Availability) concerns of all applications (including docker containers) that are running on that host. Hosts that support Docker containers will very much want to harden the environment to provide at least resilience against attacks and have some sort of protective measures so that problems on one container cannot jeopardize other containers/customers.
>
> Then you have the security of the docker platform itself: mostly the daemon, but also the processes that are involved. Running only trusted containers, making sure the authentication/authorization aspects are up to par, etc.
>
> Then there is the security of the container infrastructure (namespaces, kernel itself, ...) which has to be closely followed up on.
>
> And then finally you have the security of the applications running inside the container.
>
> For a truly secure environment, all four areas need to be under control. In most cases, containers do not improve security, because they do not improve the controls that are in place on the application level.
>
> And after all, docker containers are running applications (possibly business applications) and it is vulnerabilities or misconfigurations in those applications that are readily visible as a "secure" versus "non-secure" setup. That it runs on Docker, or a virtualization layer like VMWare or Xen or KVM, or on dedicated systems, or somewhere in the cloud, has no bearing on that.
>
> My 2 cents,
>
> Sven Vermeulen
>
> On Wed, Feb 25, 2015 at 9:11 PM, Alex Efros <power...@powerman.name> wrote:
> > Hi!
> >
> > What is the recommended way to update Docker containers with Gentoo?
> >
> > I mean, each container is supposed to be small and unique, having installed only the packages needed for the app which will run in this container. So, with 100 different apps we may have 100 different containers with Gentoo, each with a custom set of packages, and even the same packages may be built with different USE-flags or using different versions - that's the main point of Docker, provide each app with the environment it needs.
> >
> > But Gentoo releases updates every few hours, some of them are important security updates, so at a glance it looks like we'll have to rebuild and restart all containers every few hours/days, and we'll have to compile all packages multiple times - once per each container - which isn't acceptable at all because of too much CPU resources needed (but it should be possible to mitigate this by using binary packages in cases when USE flags match and ccache to speed up other cases).
> >
> > Am I missing something, or is the only way to keep Docker containers secure to rebuild all containers each time I run `emerge --sync && emerge -uDN world` on the host?
> >
> > --
> > WBR, Alex.

--
Francisco Alonso.
http://twitter.com/revskills
PGP: 0xE2E64DCA