How Docker Changes Cloud Security?

Docker cloud security

Nowadays Cloud computing is thriving on its popularity as benefits of cloud adoption are countless, including better efficiency, reduced costs of virtual services, greater accessibility and flexibility. Today almost everything that includes information of individuals and companies is placed on cloud but moving applications to the cloud and acquiring the advantages means first evaluating specific data security and cloud security issues.

Docker and security

Docker brings certainty to application administration in shared surroundings, ensures the portability and increases the availability of application hence decreasing the overall risk. Docker containers are much more similar to LXC containers if you’re already aware of them or have worked on them in the past. Docker makes use of a layered security approach which is an exercise of integrating various mitigating security commands to preserve resource and data.

docker security

Docker uses many security barricades to stop break out. If situation emerges where there is a break out of one container mechanism then the issue is resolved by blocking the concerned containers with the next one. We know that Docker shares Linux kernel architecture and provide as many Linux security mechanisms as possible.

There are three main zones that are to be examined when evaluating Docker security:

1) Built-in safety of containers, as performed by kernel namespaces and c groups.
2) Docker daemon attack surface.
3) The freezing security characteristics of the kernel and how they reach out with containers.

Following are the security features provided by Docker in cloud:

1) Kernel Namespaces:

Namespaces provide the isolation workplace for the containers. Docker creates a set of namespaces for the container and each aspect of a container runs in its own namespace hence does not have access outside of it. Each container also gets its own network stack thus restricting the interfaces of another container.

Below is the list of namespaces that Docker uses:

  • The pid namespace: It is used for a series of actions or steps taken in order to achieve isolation (PID: Process ID).
  • The net namespace: It is used for having executive control over network interfaces (NET: Networking).
  • The ipc namespace: It is used for maintaining control over the access to IPC resources (IPC: InterProcess Communication).
  • The mnt namespace: It is used for managing mount-points (MNT: Mount).
  • The uts namespace: It is used for segregating kernel and version identifiers. (UTS: Unix Timesharing System).

2) Control Groups

Control Groups also called “cgroups” are another main element of containers. They implement resource accounting and limiting as key element to run applications. This mechanism helps in understanding and ensuring that containers are beneficial multi-tenant citizens on a host like public and private PaaS, to guarantee a consistent uptime as well as performance even when some applications start to misbehave. Control Groups supply sufficient functional standards and even limit the memory available to a specific container.

3) Docker Daemon Attack Surface

Applications and containers running with Docker initiate to run the “Docker daemon” that needs root benefits and runs on a host machine. The user does not directly interact with the daemon,instead through the Docker client.

Docker daemon should always be controlled by the faithful users. Docker gives you the permission to share a directory among the Docker host and a guest container, regardless of limiting the access rights of the container. This helps you to run a container where the host directory will be free to operate without any restrictions. Such a structure leads to very strong safety consequences. Let’s explain it through an example, if you are implementing Docker from a web server to provision containers through an API, you must make sure to avoid potential danger with variable examination. It helps in building a sentiment that no hostile user proceeds with crafted variable causing Docker to generate arbitrary containers.

For this particular reason, REST API endpoint found an answer to a problem by considering possible options of using Docker CLI to communicate with the Docker daemon. They now make use of a UNIX socket rather than TCP socket bound.

Upcoming advancements in Linux namespaces will promptly allow running of the full featured containers in the absence of root privileges and will also solve the problems that are caused by sharing of the namespaces between host and guests.

4) Linux Kernel Capabilities

Docker starts every container with a set of capabilities that are limited within bounds and Capabilities change the binary “root/non-root” separation into a fine grained access control system.
Removing these capabilities may lead to the breaking of the applications so it can be said that capabilities try to achieve serviceability, usability and security between Docker Containers. You always have the authority to enable extra capabilities if they are required. Below is the current list of capabilities that are used by Docker.

chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write.

5) Other Kernel Security Features

It is also possible to control fully established systems like TOMOYO, AppArmor, SELinux, GRSEC, etc with Docker, though Docker only validates capabilities and doesn't interfere with different systems.

Following are few examples:

1) It is possible for you to run a kernel with GRSEC and PAX. Hence increasing a large number of security controls during compile time and run time thus defeating majority of exploits.
2) Docker containers can even be used out of the box if your distribution comes with security model templates. These templates help in providing a safety shield around Docker containers.
3) It helps you in describing your own approaches by using favourite access control techniques.

Bringing new security features to Docker

In addition to other security features there are new security attributes which are used by Docker for the file system protections and are explained below:

1) Read-only mount points

There are a few Linux kernel file systems that have to be mounted in a container environment otherwise process may fail to run. But luckily nearly all of these can be mounted as “read-only”. Most applications should never require to write to these file systems.

Docker mounts these file systems into the container as “read-only” mount points.
. /sys
. /proc/sys
. /proc/sysrq-trigger
. /proc/irq
. /proc/bus

Privileged container processes can never write to them as these file systems are mounted as read-only and cannot cause a change to the host system. It is even possible to remount the file systems as read/write and restrict the potential of the privileged container processes.

2) Copy-on-write file systems

Docker also makes use of the copy-on-write file systems which give them the power to use the same file system image as the base for the container. Whenever container writes any content to the image it always gets written to a container specific file system and thus prevents one container from noticing the changes of another container even if they write to the same file system image. One container cannot change the image content to affect the processes in another container.


With Docker it's possible to implement security features of the other containerization systems. The final aim of Docker is to fulfill and perform two supplemental security advancements:

1) Set intended actions to map the root user of a container to a non root user of the Docker host, to reduce the outcome of a container-to-host privilege escalation.

2) To grant Docker daemon to run without root privileges and delegate operations requiring those privileges to be well-audited sub-processes, each with its own scope: virtual network setup, file system management, etc.

By default, Docker containers are secure to great extent as they provide you with a mechanism to take care of running processes inside the containers. They give you privilege to add an extra layer of security by giving you an authority to enable Apparmor, SELinux, GRSEC or any of your favourite hardening resolutions.

By Sudhi Seshachala

CTO @Xervmon Inc Sudhi, a technology entrepreneur, brings 19+ years in software, cloud technologies, IT operations and management. Have led several global teams in HP, Sun/Oracle, SeeBeyond. He has built highly scalable and highly available products, systems management, monitoring and integrated SaaS and on-premise applications. He is a trusted advisor and consults with companies of all sizes to establish DevOps practices, implement docker based CI/CD or AWS deployments in a cost effective scale. His work and expert insight can be followed on CloudTweaks in 2015 as part of the 12/12 contributor program.


Established in 2009, CloudTweaks is recognized as one of the leading authorities in cloud connected technology information and consultancy services.

Are you a cloud services expert in a world of digital transformation? If so, contact us for information on how to become part of our growing cloud consultancy ecosystem.


Secure Business Agility

Why Security Practitioners Need To Apply The 80-20 Rules To Data Security

The 80-20 Rule For Security Practitioners  Everyday we learn about yet another egregious data security breach, exposure of customer data or ...
Your Office 365 Data Security - Is It Properly Protected?

Your Office 365 Data Security – Is It Properly Protected?

Office 365 Data Security As more and more people collaborate and access data from outside the office and across multiple ...
Three Factors For Choosing Your Long-term Cloud Strategy

Three Factors For Choosing Your Long-term Cloud Strategy

Choosing Your Long-term Cloud Strategy A few weeks ago I visited the global headquarters of a large multi-national company to ...
Digital Innovation Starts with a Digital Core

Digital Innovation Starts with a Digital Core

Digital Innovation A lot of times when the prevalent industry trends are discussed among industry folks, there are usually two ...
Financial Management Finds a Welcome Home in the Cloud

Financial Management Finds a Welcome Home in the Cloud

Cloud Based Financial Management The most cautious person in any organization is likely to be the CFO. After all, they’re ...
Living In A Post-Safe Harbor World: What Your Company Needs To Know

Living In A Post-Safe Harbor World: What Your Company Needs To Know

Living In A Post-Safe Harbor World With the striking down of the Safe Harbor agreement in October, we have seen ...


Where's Zuck? Facebook CEO silent as data harvesting scandal unfolds

Where’s Zuck? Facebook CEO silent as data harvesting scandal unfolds

Amid calls for investigation and a #DeleteFacebook campaign, company releases an official statement but its figurehead keeps quiet The chief executive of Facebook, Mark Zuckerberg, has remained silent over the more than 48 hours since ...
Lydia launches Lydia Premium

Lydia launches Lydia Premium

French startup Lydia announces two new things today. First, the company is launching a financial hub with multiple new products. Second, Lydia is announcing a new premium subscription to access those new features. “Today, we’re lucky enough to have ...
Demand for Augmented Reality/Virtual Reality Headsets Expected to Rebound in 2018, Says IDC

Demand for Augmented Reality/Virtual Reality Headsets Expected to Rebound in 2018, Says IDC

FRAMINGHAM, Mass., March 19, 2018 – Worldwide shipments for augmented reality (AR) and virtual reality (VR) headsets will grow to 68.9 million units in 2022 with a five-year compound annual growth rate (CAGR) of 52.5%, according ...
Uber said to be negotiating sale of self-driving tech to Toyota

Uber said to be negotiating sale of self-driving tech to Toyota

Uber  might begin selling its autonomous driving systems to outside companies, including major automakers, according to a new report from Japan’s Nikkei. The report claims that Uber has had talks with Toyota regarding supplying the automaker with ...
EU lawmakers to investigate alleged misuse of Facebook users' data

EU lawmakers to investigate alleged misuse of Facebook users’ data

BRUSSELS (Reuters) - EU lawmakers will investigate whether the data of more than 50 million Facebook users has been misused, the head of European Parliament said on Monday. Antonio Tajani urged the social media giant ...
Europe's New Privacy Law Will Change The Web

Europe’s New Privacy Law Will Change The Web

CONSUMERS HAVE LONG wondered just what Google and Facebook know about them, and who else can access their personal data. But internet giants have little incentive to give straight answers — even to simple questions ...