Some have asked about the use of docker as a security feature. Docker isn’t meant to be, and currently is not, a security sandbox.
Docker container breakout? | Hacker News (top comment)
Docker security | Docker Documentation
Anyone remember that website that said they were going to build a secure OS around containers? Last I checked they were just fancy graphics. A “desktop CoreOS” is a neat idea, but I have no clue how they’re planning to implement it.
Some people think that docker’s increasing focus on security + kernel hardening will be enough. Only time can tell. Here’s an interesting project that is trying to bring this to the desktop (for any distro):
http://subuser.org
Think of it as a more powerful (and possibly easier to use) apparmor. We’ll see. It’s still in alpha right now and has a long way to go (with security at least).
So, two docker-related research TODOs:
- The place of subuser in Whonix
  - One very interesting use is having debian wheezy (or whatever) as your stable OS, but inside the container run a distro/userspace with more up-to-date repos. This might solve our “what do we do when we want to have a recommended app preinstalled, but Debian only has an outdated, pre-forked, embarrassingly bad version (or none at all)” problem.
- The suitability of docker to implement HulaHoop’s “one-click hidden service” idea. (i.e. Wordpress docker image + with tor wiring; easily enabled/disabled/deleted/installed)
Here are one user’s notes around docker security: