How to secure a docker host to not allow rooting

I am trying to make docker on a server more secure. The main problem is that most people say "if a person has access to docker, they can be root too" for an administrator point of few this is not something you would want.

To elaborate, they can use -v and mount /etc onto /mnt in the container and change the shadow file and gain access to the host. They can use -d, or privileged option to do more too.

So basically, there are a few things that i want to "try" and restrict.

  1. Volume bind mounts
  2. Privileged
  3. --add-cap
  4. -d (certain items?)

My ideas so far:

  • Alias to a bash script for docker, use sudo on it and regex all that they should not do.
  • Turn on remote api, secure it and perhaps reverse proxy it with nginx and regex in nginx the things they should not do.
  • Use other tools? Mesos/Marathon/Swarm/Shipyard/Whatever

Optional items would be to make containers on commit to git code, and let a "checker" verify the contents of the Dockerfile and create the image for them. Then sign that image and deploy it automatically. (but this would not give them much freedom anymore)

Also, removing the bind volume is not the nicest. Would be much simpler if we had a plugin for docker that says "you can only mount on /data, as user X" where the USER in the Dockerfile is that user X.

Something like docker-novolume-plugin is already a nice start for the volumes, doesn't restrict bind volumes though.

In the end the question would be, how can i let users build/pull/run docker images as their own user/docker and not be able to root the system. Doesn't have to be perfect as long as it works.


Solution 1:

Securing a docker engine requires paying attention to many different aspects, and defense in depth is always about layers of security.

One of the requirements you have listed, restricting what users can command the docker engine to do, is probably one of the most important, as, as of now, the docker engine does not implement an authorisation control.

Your alternatives include:

  • closed-source solutions like Twistlock, a project that implements RBAC and policy control to access the docker API

  • OpenShift Origin, an open source project that implements role-based access control in the form of security constraints and fine-grained authorisation policies. It's fairly easy to deploy and would greatly help to have an out-of-the-box solution.

I would also suggest to look into the different operating systems a docker engine can be deployed to, and would advise not to use a general purpose OS but a specialised one, such as Atomic. Both, Atomic and OpenShift together, will ensure that you also can:

  • Scan your images regularly.
  • Use a trusted registry
  • Define seccomp profiles for your containers. Improvements to this technology and its implementation is a work in progress in the docker world as a whole.
  • Drop capabilities that are not needed by the application in the container.
  • Use SELinux. Many of the other security measures listed have limitations, but SELinux works very well in providing a safe net when everything else fails. Some examples: it will help limiting access to the docker socket, it will control whether sharing file descriptors between containers is allowed, it can assign different MCS levels to each container/group of containers to isolate them from the host and from other containers.