The benefits of container technology -- lightweight resource demands, faster deployment, vast scalability -- have...
attracted significant attention from the IT industry. But the most popular container engine, a Linux-based platform from Docker, struggles to address important security issues.
The problem with Docker security stems from a lack of isolation between container instances. In the simplest terms, every container shares the same host OS kernel, libraries and binaries. If a malware attack or other security event is able to break out of a container and access the root OS, it is possible to compromise the underlying OS and affect every container running on it. A container can already talk to the host kernel when it runs, and Linux doesn't namespace major kernel subsystems or devices to separate or protect them. This means if you can communicate with the kernel or devices, it's possible to compromise the whole system.
While Docker promises future security improvements, there are some tactics that protect Hyper-V container.
1. Restrict containers to workloads that you know and trust from trusted parties -- avoid random workloads, such as interesting tools or other "stuff" you find on the Internet.
2. Test and apply Linux patches and security updates diligently. Trusted OS support like the kind supported by Red Hat Enterprise Linux can help to find and fix vulnerabilities.
3. Run containers as non-root whenever possible, and drop root privileges as soon as you can. No matter what, always consider root privileges in a container to be the same as root privileges outside of the container.
Hyper-V containers in Windows Server 2016 use Hyper-V to first create a VM for isolation. Once a VM is available, Linux can be installed as the OS and an engine such as Docker can run to support containers. This is a form of nested virtualization. If the container and underlying Linux OS is compromised, the entire security event should remain contained within the Hyper-V VM.
While the concept of containers has existed for years, the Docker engine spawned a renewed interest in this technology. Microsoft hopes its Windows Server 2016 will move containers from Linux deployments to Windows environments by supporting native containers and nested virtualization.
Windows Server 2016 also promises streamlined management and improved isolation for container instances, helping organizations embrace and expand container deployment. IT staff should soon be able to experiment with Hyper-V containers in Technology Preview versions of the OS and make plans for container adoption under Windows and Docker.
How do Windows Server containers affect applications?
Following the evolution of Hyper-V
Related Q&A from Stephen J. Bigelow
Understand and work around one of the more common Docker for Windows errors -- permissions for shared volumes -- to read, write and execute to the ... Continue Reading
IT administrators should familiarize themselves with the benefits and limitations of using nested virtualization to run containers in VMs before ... Continue Reading
Many issues cause VMs to become unresponsive, including invoking particular tasks, such as snapshots or migrations, resource configuration and ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.