Container Security

Subdecks (1)

Cards (63)

  • Containerization:
    • Containerization is the process of packaging an application and the resources it requires (such as libraries and packages) into one package named a container. Packaging applications this way makes them considerably more portable and hassle-free to run.
  • Containerization:
    Modern applications are often complex and usually depend on frameworks and libraries being installed on a device before the application can run. These dependencies can:
    • Be difficult to install, depending on the environment the application is running in
    • Make it difficult for developers to diagnose and replicate faults, as the problem could be with the application's environment - not the application itself!
    • Often conflict with each other. For example, having multiple versions of Python to run different applications
  • Containerization:
    • If the device supports the containerisation engine, a user will be able to run the application and have the same behaviours.
    • However, it is worth noting that containerisation platforms make use of the “namespace” feature of the kernel, which lets processes access resources of the operating system without being able to interact with other processes.
    • The isolation offered by namespaces adds a benefit of security because it means that if an application in the container is compromised, other containers are unaffected.
  • Docker
    • Docker is a relatively hassle-free, extensive and open source containerisation platform. The Docker ecosystem allows applications to be deployed, managed and shared with ease.
    • Working on Linux, Windows and macOS, Docker is a smart choice for running applications. Applications can be published as “images” and shared with others. All that is required is pulling (downloading) the image and running it with Docker.
  • Docker:
    • Docker uses the same technology as containerisation, called the Docker Engine, to isolate applications into containers. The Docker Engine is essentially an API that runs on the host operating system and communicates between the operating system and containers to access the system’s hardware (such as CPU, RAM, networking and disk).
    The Docker Engine allows you to:
    1. Connect containers together (for example, a container running a web application and another container running a database)
    2. Export and import applications (images)
    3. Transfer files between the operating system and container
  • Docker:
    • The Docker engine allows containers to be orchestrated, meaning that multiple containers can be built as part of a group, allowing containers to communicate with each other (for example, one container running a web server and another container running a database can communicate). 
  • Docker:
    • Docker is Free: The Docker ecosystem is free to use and open source. While business plans exist, you can still download, use, create, run and share images.
    • Docker is Compatible: The Docker platform is compatible with Linux, macOS and Windows. Because of how containerisation works, if a device supports the Docker Engine, you can run any container, regardless of the application or dependencies.
  • Docker:
    • Docker is Efficient & Minimal: Docker is an efficient way to isolate applications in comparison to alternatives such as virtual machines. This is because the Docker Engine runs on and interacts with the host operating system, so each container does not run a fully-fledged operating system of its own. For example, containers can share a minimal operating system image, meaning you only need to store it once.
  • Docker:
    • Docker is Easy to Share With Others: A significant benefit of Docker is its portability. Docker uses “images” to store instructions to dictate how the container should be built (just an instruction manual!). These “images” can be exported, shared and uploaded to both public and private repositories such as DockerHub and GitHub. The “image” can be run by anything that supports the Docker engine, as long as the syntax is valid.
  • Docker Images Allow For:
    • Containers to be built exactly how the developer wishes
    • Better security: knowing exactly what runs within a container can reduce the risk of unnecessary packages becoming vulnerable and posing a security risk.
    • Docker is Cheaper to Run: Running containers is usually a cheaper option than running virtual machines. This is especially noticeable in cloud environments, where CPU, RAM, and Disk space are expensive. 
  • Namespaces:
    • Namespaces essentially segregate system resources such as processes, files and memory away from other namespaces.
    Every process running on Linux will be assigned two things:
    • A namespace
    • A process identifier (PID)
    • Namespaces are how containerisation is achieved! Processes can only "see" other processes that are in the same namespace - no conflicts in theory. Take Docker, for example: every new container will be running in a new namespace, although the container may be running multiple applications (and in turn, processes).
  • Processes:
    • The process with an ID of 0 is the process that is started when the system boots. Process IDs increment, and each process must be started by another process, so naturally, the next process ID will be #1. This process is the system's init; for example, the latest versions of Ubuntu use systemd. Any other process that runs will be controlled by systemd (process #1).
    • We can use process #1's namespace on an operating system to escalate our privileges. Whilst containers are designed to use these namespaces to isolate themselves from each other, they can instead coincide with the host computer's processes.