07 | Docker security problems and solutions

07 | Docker Security: How to secure a weakly isolated system that relies only on the kernel?

Docker implements resource isolation with the Linux kernel's Namespace technology, and all containers share the host's kernel. This differs in important ways from the cloud computing era represented by virtual machines: virtual machines offer stronger isolation and security, while the isolation and security of containers are comparatively weak.

Before discussing the security of containers, let us first understand the difference between containers and virtual machines, which can help us better understand the security risks of containers and how to strengthen container security.

[Figure 1: The difference between virtual machines and containers]

As Figure 1 shows, a virtual machine simulates hardware such as CPU, memory, and network through the virtual machine management system (the Hypervisor), and then runs a guest kernel and operating system on top of that simulated hardware. The advantage is that each virtual machine has its own kernel and operating system, and the hardware it sees is emulated by the hypervisor, so user programs cannot directly use the host's operating system or hardware resources. Virtual machines therefore come with stronger guarantees of isolation and security.

A Docker container isolates the file system, processes, devices, and network through the Linux kernel's Namespace technology, uses Cgroups to limit resources such as CPU and memory, and in this way keeps containers from affecting each other. Since this isolation is provided only by the kernel, which every container shares, the isolation of a container is far weaker than that of a virtual machine.
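The two mechanisms named above (namespaces and cgroups) are also the two things worth checking when you assess how much isolation a running container actually has. The following Python script is an added example, not code from the original article: it compares the namespace links under `/proc/<pid>/ns/` for a container process against the host's PID 1 to find namespaces the two share, and it scans `docker inspect` output for settings that remove isolation (`HostConfig.Privileged`, `PidMode`, `NetworkMode`, `IpcMode`, a zero `Memory` cgroup limit, and added capabilities). The JSON and namespace values in the script are constructed sample data, and the function and variable names are this example's own.

```python
"""Audit how much isolation a Docker container really has.

Added example (not from the original article). It assumes the JSON shape
produced by `docker inspect <container>` and the symlink targets found
under /proc/<pid>/ns/. All sample data below is constructed.
"""
import json
import os
from typing import Dict, List

# Namespaces Docker normally creates per container. If a container process
# points at the same namespace inode as PID 1 on the host, that boundary
# has been removed (for example by --pid=host, --net=host or --ipc=host).
NAMESPACES = ("mnt", "pid", "net", "ipc", "uts")


def shared_namespaces(host_ns: Dict[str, str], container_ns: Dict[str, str]) -> List[str]:
    """Return the namespaces that the container shares with the host.

    Each argument maps a namespace name to the readlink() target of
    /proc/<pid>/ns/<name>, e.g. "pid:[4026531836]". Equal targets mean
    the same kernel namespace object, i.e. no isolation for that resource.
    """
    return [ns for ns in NAMESPACES if host_ns.get(ns) == container_ns.get(ns)]


def read_namespaces(pid: int) -> Dict[str, str]:
    """Read the live namespace links of a PID (Linux only, needs permission).

    Not used by the sample run below; call it on a real host with the PID
    from `docker inspect --format '{{.State.Pid}}' <container>` and with 1.
    """
    return {ns: os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NAMESPACES}


def audit_host_config(inspect_json: str) -> Dict[str, List[str]]:
    """Flag weak-isolation settings in `docker inspect` output.

    Returns {container_name: [findings]}; an empty list means nothing found.
    """
    findings: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig", {})
        name = container.get("Name", "?").lstrip("/")
        issues: List[str] = []
        if hc.get("Privileged"):
            issues.append("Privileged: all capabilities and host devices, default seccomp/AppArmor off")
        for key, flag in (("PidMode", "--pid=host"),
                          ("NetworkMode", "--net=host"),
                          ("IpcMode", "--ipc=host")):
            if hc.get(key) == "host":
                issues.append(f"{key}=host: shares the host {key[:-4].lower()} namespace ({flag})")
        if hc.get("Memory", 0) == 0:
            issues.append("Memory=0: no cgroup memory limit, container can exhaust host memory")
        for cap in hc.get("CapAdd") or []:
            if cap.upper() in ("SYS_ADMIN", "ALL"):
                issues.append(f"CapAdd {cap}: broad kernel capability added")
        findings[name] = issues
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
        "IpcMode": "private", "Memory": 268435456, "CapAdd": None}},
    {"Name": "/debug", "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "host",
        "IpcMode": "host", "Memory": 0, "CapAdd": ["SYS_ADMIN"]}},
])

# Namespace inode numbers are made up; only equality between the two dicts matters.
SAMPLE_HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
                  "net": "net:[4026531992]", "ipc": "ipc:[4026531839]",
                  "uts": "uts:[4026531838]"}
SAMPLE_CONTAINER_NS = {"mnt": "mnt:[4026532578]", "pid": "pid:[4026532581]",
                       "net": "net:[4026531992]",  # same as host: --net=host
                       "ipc": "ipc:[4026532579]", "uts": "uts:[4026532580]"}


if __name__ == "__main__":
    print("shared with host:", shared_namespaces(SAMPLE_HOST_NS, SAMPLE_CONTAINER_NS))
    for cname, issues in audit_host_config(SAMPLE_INSPECT).items():
        print(f"{cname}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

On a real host, `read_namespaces(1)` and `read_namespaces(<container pid>)` replace the two sample dicts, and `docker inspect $(docker ps -q)` replaces `SAMPLE_INSPECT`. Any shared namespace or non-empty finding list marks a container whose isolation is weaker than the default, which is exactly the gap the rest of the article is about.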

You may ask: if virtual machines are so secure, why do we still use containers? Because a container's performance overhead is very small compared with a virtual machine, its image is much smaller, and characteristics such as second-level start-up match today's business scenario of rapid development and iteration.

Since we want the advantages of containers, is there a way to make up, as far as possible, for the security shortcomings of their weak isolation? To understand how to solve the security problems of containers, we first need to understand what those problems currently are.

Origin blog.csdn.net/Cirtus/article/details/108982577