Docker research TODOs

Some have asked about the use of docker as a security feature. Docker isn’t meant to be, and currently is not, a security sandbox.

Docker container breakout? | Hacker News (top comment)
Docker security | Docker Documentation

Anyone remember that website that said they were going to build a secure OS around containers? Last I checked they were just fancy graphics. A “desktop CoreOS” is a neat idea, but I have no clue how they’re planning to implement it.

Some people think that docker’s increasing focus on security + kernel hardening will be enough. Only time can tell. Here’s an interesting project that is trying to bring this to the desktop (for any distro):

Think of it as a more powerful (and possibly easier to use) apparmor. We’ll see. It’s still in alpha right now and has a long way to go (with security at least).

So, two docker-related research TODOs:

  • The place of subuser in Whonix
    – One very interesting use is having debian wheezy (or whatever) as your stable OS, but inside the container run a distro/userspace with more up-to-date repos. This might solve our “what do we do when we want to have a recommended app preinstalled, but Debian only has an outdated, pre-forked, embarrassingly bad version (or none at all)” problem.
  • The suitability of docker to implement HulaHoop’s “one-click hidden service” idea. (ie Wordpress docker image + with tor wiring; easily enabled/disabled/deleted/installed)

Here is one users notes around docker security:

Just randomly found this:

1 Like

Looks interesting. That is useful for some really low end machines or a quick and dirty anonymous setup where no strong security is desired.

Should I reach out to him? Maybe we can adopt this as an official port with its script packaged into a .deb