Last week I wrote an article explaining virtual machines and containers, and the pros and cons of each. Today I want to focus specifically on containers and container security. Because containers share resources with the host and with the other containers on that host, they carry security risks that are not seen with virtual machines.
Application containers run on the same kernel as their host, so if the kernel is compromised from inside a container, every other container on the host, and the host itself, is affected. Virtual machines do not have this problem: each VM, and the hypervisor as well, has a kernel distinct from the host's and from each other's.
Docker, the most commonly used container engine, does not namespace users by default, meaning a process carries the same user identity inside a container as it does on the host. The problem is that a user with, for example, root privileges in a container will have those same privileges on the host, so a harmful process could potentially be injected into a container and then escape to the host to compromise the machine.
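As an added example (not from the original post), the following POSIX shell check reads the `uid_map` format the kernel exposes under `/proc/<pid>/uid_map` and decides whether UID 0 inside a container is UID 0 on the host. The two sample maps are constructed: the first is what Docker's default configuration produces, the second is what enabling `userns-remap` in `daemon.json` produces.

```shell
#!/bin/sh
# Added example, not code from the original post. Each uid_map line reads
# "<inside-start> <outside-start> <count>": container UIDs in
# [inside-start, inside-start+count) map to host UIDs starting at outside-start.
# On a real system the map is read with: docker exec <container> cat /proc/1/uid_map

# Constructed sample: default Docker (no user namespaces), identity mapping of
# the whole UID range, so container root IS host root.
DEFAULT_UID_MAP='         0          0 4294967295'
# Constructed sample: dockerd started with {"userns-remap": "default"} in
# daemon.json; container UID 0 becomes an unprivileged host UID from /etc/subuid.
REMAPPED_UID_MAP='         0     100000      65536'

# host_uid_of INSIDE_UID MAP: prints the host UID that INSIDE_UID maps to,
# or "unmapped" when no line of the map covers it.
host_uid_of() {
  inside_uid=$1
  result=$(printf '%s\n' "$2" | while read -r in_start out_start count; do
    [ -z "$in_start" ] && continue
    if [ "$inside_uid" -ge "$in_start" ] && [ "$inside_uid" -lt $((in_start + count)) ]; then
      echo $((out_start + inside_uid - in_start))
      break
    fi
  done)
  echo "${result:-unmapped}"
}

# container_root_is_host_root MAP: succeeds (exit 0) when container UID 0 is host UID 0.
container_root_is_host_root() {
  [ "$(host_uid_of 0 "$1")" = "0" ]
}

# Stand-alone demonstration on the two constructed maps.
if container_root_is_host_root "$DEFAULT_UID_MAP"; then
  echo "default map: container root == host root (user namespaces off)"
fi
if ! container_root_is_host_root "$REMAPPED_UID_MAP"; then
  echo "remapped map: container root -> host UID $(host_uid_of 0 "$REMAPPED_UID_MAP")"
fi
```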
Containers do offer a security benefit that VMs do not, which is that they usually have a smaller attack surface. What I mean by that is this: when you're running a VM, you're essentially working on a completely different machine, potentially with a different operating system and different libraries and binaries. Like any computer, it's going to have fluff that isn't always useful: code that's just sitting there, waiting to be taken advantage of maliciously. With containers, the only dependencies present are the ones specified in the container's Dockerfile, restricting the number of possible points of entry that a hacker can use.
All in all, although container technology does have its share of vulnerabilities, it's important to remember that the security drawbacks of containers are very much outweighed by the benefits of container functionality, and it's good to see that containers seem to be progressing in a way that will help bring the IT field to its fullest potential.