What Is Docker and How It Can Shape Your Business

By CIOReview | Friday, March 31, 2017

Anybody in a data center or cloud IT circles would recognize containers, ‘Docker’ in particular, as it is one of the leading software container platforms. The wildly successful Linux-based open source platform enables many different applications to run concurrently on top of a single OS instance, either deployed directly onto a physical server or as a virtual machine (VM). The specialty with Docker is that it virtualizes applications within the Linux operating system and doesn’t require the addition of a hypervisor. Enterprises today use Docker to streamline software delivery, providing them an efficient and fast way to move pieces of software around in the cloud, more securely and with confidence for both Linux and Windows Server apps.

How Storage Works in Docker

Like with any container technology, as far as the program is concerned, Docker is equipped with its own file system, storage, RAM, CPU, and so on. When a Docker container is started, it uses a feature known as an overlay file system that takes the read-only image and adds a read-write layer on the top. If the running container modifies an existing file, it stores the updated information to the root file system of a container, onto the top-most layer compared to the original image. These changes are lost if the container is subsequently deleted from the system—relaunching the image will start a fresh container. A container, therefore, does not have persistent storage by default.

However, Docker provides two features that enable access to more persistent storage resources—Docker volumes and data containers. Docker came up with the concept of volumes that permits data to be stored in a container outside of the default Union File System (but within the root file system) and exists as normal directories and files on the host file system. A container can be created with one or more volumes and the data in any volume can be browsed and edited by the host operating system (standard permissions apply). However, the use of volumes has its own pros and cons. Because the data is stored inside a standard file system, it can be copied, backed up or moved in and out by the operating system.

Another option to manage data in Docker is by using a Docker data container. The advantage of this particular method of access to data is that it fetches the location of the original data, making the data container a logical mount point. It also allows the "application" containers accessing data container volumes to be created and abolished while keeping the data persistent in a dedicated container.

Challenges with Protecting Docker Container Data

Docker containers don't depend on a hypervisor and its data container protection is simply not as mature or sophisticated today as hypervisor VM data protection.

There is an architectural structure difference between the Docker container data backup and VM’s backup style. Backup applications protect the configuration file in VM and extract the contents of the VHD (Virtual Hard Disks). Unlike depending on VHDs, Docker follows a layered approach. A container layer sits above the platform image and stores configuration data.

One prime factor that makes the protection the container layer toilsome is the possible existence of multiple container layers. A single Docker application shall not contain a platform image, a container and an unknown number of layered images. For example, if a set of write operations need to be run in a way that makes them permanent, the container is converted into a layered image and a fresh read/write container is created above it. This can give rise to security threats that compromises data or resources used by different containers.

In another scenario, there’s a risk of privilege escalation via containers. To exemplify, if an attacker could successfully get root inside a containerized app, it can be a stepping stone for them to gain root access to the host system.

Ways to Secure Docker Containers

There is incoherence of thoughts in the market nowadays raising concerns about the security of Docker containers. However, the introduction of essential security tools elsewhere in the container ecosystem is making it much easier to secure Docker containers. Below are the steps once can follow to protect Docker containers:

• The first and basic approach toward improving security is to make sure to start Docker containers with the -u flag. It will run as an ordinary user instead of root.
• Removing SUID (Set User ID) flags from container images will make privilege escalation more arduous.
• Apply a habit of using namespaces in Docker to isolate containers from each other. Namespaces assure that a user or any process running inside one container can’t affect those in other containers.
• Prefer using container security scanner from recognized vendors to validate containers from registries. It is better if it can be used to scan images locally or run directly from public registry services that are supported.