Docker containers are not VMs... I am sure plenty of blog posts and Stack Overflow posts cover the differences in depth already, so I am going to skip it.
The biggest problem that comes to mind is unmaintained images. An image is a point-in-time snapshot of the "main" service, its dependencies, configurations and usually a more or less clever entrypoint script. The further this point in time is in the past, the more likely it is that an image has vulnerabilities...
While you'd patch a VM the same way you would patch a bare-metal system, with Docker you don't patch your container; you usually build a new image and re-create the container based on the new image. You don't patch the container because it's ephemeral: once the container is deleted the patches are gone and you start over with the "current state of the image".
Stay away from images that are not frequently updated and/or lack a proper description. Images from linuxserver and bitnami are constantly released and always close to the recent patch levels. They are sometimes even more up to date than the official images.
Prefer images based on minimal Alpine rather than on Debian, Ubuntu, CentOS, RHEL, ... Usually the other distributions provide packages and libraries you don't need, but which can still contain vulnerabilities.
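The "point in time snapshot" and "re-create instead of patch" points above translate into two checks you can run against a host: is the container still running an older image ID than the one its tag now resolves to, and how old is that image? The script below is an added example, not code from the original post. It consumes records shaped like the JSON that `docker container inspect` and `docker image inspect` emit (the field names `Image`, `Config.Image`, `Id`, `Created` and `RepoTags` are the real ones); the two sample records and the 30-day limit are constructed for illustration.

```python
"""Freshness audit for a running container, built on `docker inspect` output.

Added example, not code from the original post. Field names (Image,
Config.Image, Id, Created, RepoTags) are the ones `docker container inspect`
and `docker image inspect` really emit; the sample records below are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Docker emits RFC 3339 with nanoseconds and a 'Z' suffix, e.g. 2023-11-01T08:00:00.123456789Z
_DOCKER_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_docker_time(ts: str) -> datetime:
    """Parse Docker's timestamps; nanoseconds and the 'Z' suffix are rejected by
    datetime.fromisoformat() on older Python versions, so normalise them first."""
    m = _DOCKER_TS.match(ts)
    if not m:
        raise ValueError(f"unrecognised Docker timestamp: {ts!r}")
    base, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))  # truncate ns -> us
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}{tz}").replace(microsecond=micro)


def image_age_days(image: dict, now: datetime) -> float:
    """Days since the image was built, i.e. how far back the snapshot was taken."""
    return (now - parse_docker_time(image["Created"])).total_seconds() / 86400


def is_stale_container(container: dict, image: dict) -> bool:
    """True when the container runs an image ID other than the one its tag currently
    resolves to: a newer image was pulled or built, but the container was never re-created."""
    return container["Image"] != image["Id"]


def audit_freshness(container: dict, image: dict, now: datetime, max_age_days: int = 30) -> list[str]:
    """Return human-readable findings; an empty list means the container is current enough."""
    findings = []
    name = container.get("Name", "?")
    if is_stale_container(container, image):
        findings.append(
            f"{name}: runs {container['Image'][:19]} but {container['Config']['Image']} "
            f"now points at {image['Id'][:19]}; re-create the container"
        )
    age = image_age_days(image, now)
    if age > max_age_days:
        findings.append(f"{name}: image is {age:.0f} days old (limit {max_age_days}); rebuild or pull a newer one")
    return findings


# Constructed sample records, shaped like `docker container inspect web`
# and `docker image inspect example/app:1.2` (image name is a placeholder).
SAMPLE_CONTAINER = {
    "Name": "/web",
    "Image": "sha256:" + "a" * 64,
    "Config": {"Image": "example/app:1.2"},
}
SAMPLE_IMAGE = {
    "Id": "sha256:" + "b" * 64,
    "RepoTags": ["example/app:1.2"],
    "Created": "2023-11-01T08:00:00.123456789Z",
}
# Fixed reference time so the sample audit is reproducible.
FIXED_NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in audit_freshness(SAMPLE_CONTAINER, SAMPLE_IMAGE, datetime.now(timezone.utc)):
        print(line)
```

Feed it real data with `docker container inspect <name>` and `docker image inspect <ref>` (both print a one-element JSON list; pass the first element). A "stale" finding is exactly the situation the post warns about: the image was refreshed, but the container is still the old snapshot until you re-create it.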
Try to avoid `--privileged` and `--network host` if possible. Even though these flags might make life easier, they introduce additional attack vectors and weaken the isolation of containers. I find `--network host` less problematic than `--privileged`.
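The two flags above are easy to grep for in a single command line, but they also show up as `--net host`, `--network=host` and `--net=host` (`--net` is Docker's alias of `--network`). The following added example, not code from the original post, scans a `docker run` command line for all of those spellings; the two command lines and the image name are constructed samples.

```python
"""Flag the run-time options the post recommends avoiding.

Added example, not code from the original post. It scans a `docker run`
command line for --privileged and host networking (--network host, --net host,
--network=host, --net=host). The command lines at the bottom are constructed.
"""
from __future__ import annotations

import shlex


def _host_network_token(argv: list[str], i: int) -> bool:
    """True if argv[i] (with argv[i+1] where needed) selects the host network."""
    tok = argv[i]
    if tok in ("--network", "--net"):
        return i + 1 < len(argv) and argv[i + 1] == "host"
    if tok.startswith(("--network=", "--net=")):
        return tok.split("=", 1)[1] == "host"
    return False


def audit_run_args(argv: list[str]) -> list[str]:
    """Return one finding per risky option in the argument list of a `docker run`.

    Caveat: tokens after the image name belong to the container's own command,
    so a match there is a false positive that deserves a manual look.
    """
    findings = []
    for i, tok in enumerate(argv):
        if tok == "--privileged":
            findings.append("--privileged: weakens container isolation; drop it unless the workload truly needs it")
        elif _host_network_token(argv, i):
            findings.append("--network host: container shares the host's network namespace; publish ports with -p instead")
    return findings


def audit_command(command: str) -> list[str]:
    """Accept a full command such as `docker run ...` or `docker container run ...`."""
    argv = shlex.split(command)
    if argv[:2] == ["docker", "run"]:
        return audit_run_args(argv[2:])
    if argv[:3] == ["docker", "container", "run"]:
        return audit_run_args(argv[3:])
    return []  # not a docker run invocation, nothing to audit


# Constructed samples: the weak invocation beside the one that publishes a port instead.
RISKY = "docker run -d --name web --privileged --network host example/app:1.2"
SAFER = "docker run -d --name web -p 8080:80 example/app:1.2"

if __name__ == "__main__":
    for cmd in (RISKY, SAFER):
        print(cmd)
        for finding in audit_command(cmd) or ["  (no findings)"]:
            print("  " + finding)
```

Port publishing with `-p` covers the common reason people reach for host networking (exposing a service on a host port) without giving the container the host's whole network namespace, which is why the "safer" sample uses it.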
Do I think apps in Docker containers are safe? It depends on whether:
- the (containerized) application has no known vulnerabilities in general
- the images for the application are actively maintained and frequently updated
- the image does not require privileged mode
- containers are immediately re-created based on the most recent image version.