Are Docker apps safe?

Forgive me if this is an overly simplistic question, but I love the idea of VMs running programs, which is what Docker means to me when I think of it. I've not implemented it yet, but a few months back there was a report that a significant number of Docker packages have security flaws. For me, that begs the question of whether using Docker is introducing security issues into my NAS. Can someone help me better understand whether this is a valid concern?
 
Docker containers are not VMs... I am sure plenty of blog posts and Stack Overflow posts cover the differences in depth already, so I am going to skip it.

The biggest problem that comes to mind is unmaintained images. An image is a point-in-time snapshot of the "main" service, its dependencies, configurations and usually a more or less clever entrypoint script. The further this point in time is in the past, the more likely it is an image has vulnerabilities...

While you'd patch a VM the same way you would patch a bare-metal system, with Docker, you don't patch your container, you usually build a new image and re-create the container based on the new image. You don't patch the container, because it's ephemeral: once the container is deleted the patches are gone and you start over with the "current state of the image".

Stay away from images that are not frequently updated and/or lack a proper description. Images from linuxserver and bitnami are constantly released and always close to the recent patch levels. They are sometimes even more up to date than the official images.

Prefer images based on minimal alpine, rather than based on debian, ubuntu, centos, rhel, ... Usually the other distributions provide packages and libraries you don't need, but still can contain vulnerabilities.

Try to avoid --privileged and --network host if possible. Even though these flags might make life easier, they introduce additional attack vectors and weaken the isolation of containers. I find --network host less problematic than --privileged.

Do I think apps in Docker containers are safe? It depends if:
- the (containerized) application does not have known vulnerabilities in general
- the images for the application are actively maintained and frequently updated
- the image does not require privileged mode
- containers are immediately re-created based on the recent image version.
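
An added example, not part of the original posts: a small audit that applies the checks from the answer above (privileged mode, host networking, image age) to `docker inspect` style JSON. The sample records, the 90-day threshold and the finding labels are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

MAX_IMAGE_AGE_DAYS = 90  # assumed threshold; set it to match your update policy

# Constructed sample shaped like `docker inspect <container>` output.
CONTAINERS = json.loads("""[
 {"Name": "/vpn", "Image": "sha256:aaa", "Config": {"Image": "example/vpn:latest"},
  "HostConfig": {"Privileged": true, "NetworkMode": "bridge"}},
 {"Name": "/media", "Image": "sha256:bbb", "Config": {"Image": "example/media:1.0"},
  "HostConfig": {"Privileged": false, "NetworkMode": "host"}},
 {"Name": "/web", "Image": "sha256:aaa", "Config": {"Image": "example/web:latest"},
  "HostConfig": {"Privileged": false, "NetworkMode": "bridge"}}
]""")

# Constructed sample shaped like `docker image inspect <image>` output.
IMAGES = json.loads("""[
 {"Id": "sha256:aaa", "Created": "2024-05-20T12:00:00.000000000Z"},
 {"Id": "sha256:bbb", "Created": "2022-01-10T08:00:00.123456789Z"}
]""")

def image_age_days(created, now):
    # Docker timestamps carry nanoseconds; whole seconds are enough here.
    built = datetime.strptime(created[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return (now - built).days

def audit(containers, images, now, max_age=MAX_IMAGE_AGE_DAYS):
    created_by_id = {img["Id"]: img["Created"] for img in images}
    report = {}
    for c in containers:
        findings = []
        host = c.get("HostConfig", {})
        if host.get("Privileged"):
            findings.append("privileged")        # started with --privileged
        if host.get("NetworkMode") == "host":
            findings.append("host-network")      # started with --network host
        created = created_by_id.get(c["Image"])
        if created is None:
            findings.append("image-unknown")     # no image record supplied
        elif image_age_days(created, now) > max_age:
            findings.append("stale-image")       # image snapshot is old
        report[c["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(CONTAINERS, IMAGES, datetime.now(timezone.utc)).items():
        print(name, ", ".join(findings) or "ok")
```

To audit a real host, replace the constructed samples with the JSON arrays printed by `docker inspect $(docker ps -q)` and `docker image inspect` for the images in use.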
 
Thank you very much. I appreciate my VM analogy was not the best, but it was the best I could come up with to reflect my rudimentary knowledge.

Is there a good source of docker packages that meet the criteria you list above?
 
