Docker security

One of the reasons I updated to a new NAS (DS218+) was the possibility of running a Docker container to provide some of my SmartHome functionality that I currently run from a Pi (non-Docker setup).

I'm new to Docker, so I am looking at the Docker Primer material from this thread (Info - A Docker Primer...) for general Docker education.

Since security is always an issue, I searched in this Docker forum on "security" and "exploit" to find out what known issues might be under discussion here, but I didn't come up with anything.

Are things on Synology relatively safe/serene as long as you're doing the basics like strong passwords and other security I'll learn as I learn about Docker? Any Synology-specific security issues/actions that I should be aware of?

Thanks very much!
 
That's a very good question.

Specifically there're a few different questions here because you can consider:
  • the security of the Docker implementation itself: what does it do? how does it do it? what level of host permission does it require? ... what exposure does this lead to in the event of bugs?
  • the security of containers running in a well implemented Docker environment: what exposure does a container create? what access to the host is enabled by default? what is the exposure for LAN devices?
A quick google gets Docker's own description.

The aim of Docker is similar to other virtualisation environments: share hardware resources through software abstraction and compartmentalise discrete operating environments. Basically, to make these discrete environments behave as other devices, from a software point-of-view. The virtualisation provides management of physical resources (memory, peripheral devices, networking, etc) and ability to bridge or map to the physical environment, where necessary.

That means that a container is a running device, analogous to your R-Pi, an IoT, or whatever.

Assuming the Docker environment and software protects the host by not having an exploitable bug (yes, this is an ideal world but the only protection against this is not to run Docker) then it should be able to restrict any container from maliciously attacking the host and LAN, unless you allow it.
  • The container has restricted host access in that it is told which host filesystem resources it can use (either assigned by Docker or explicitly by you).
  • Some containers take host UID/GID parameters so I'd be careful not to use a NAS admin on the off-chance something does go wrong.
  • Since the containers will have LAN access you should consider them in the same way that you would any other device ... when using an image you should consider who is creating it: how reputable is the developer?

A long way to say just be careful and enable the least privilege to allow a container to run :)
 
Feel free to take a look at the CVE Vulnerabilities for Docker: Docker Docker : List of security vulnerabilities

The number of vulnerabilities is not that high, and most of them are either closed, do not affect us, require unlikely situations or require that the user enables something on the docker engine without understanding the security implications.

If you bind the docker daemon to a tcp port (by default it is not bound), make sure to not expose it to the internet. If you map the host's docker.sock into a container, make sure to not expose it to the internet or at least closely follow known vulnerabilities for the application on CVE and instantly apply the suggested mitigation.

Make sure to not expose any containers that require privileged mode to the internet - if the application they contain has exploits that allow an attacker to gain root privileges in the container, they can leverage this to break out of the container. By definition a privileged mode container cannot be guaranteed to be secure. This is why in Kubernetes usually privileged mode is only used for initContainers and the main container is started in restricted ("normal") mode.

Actually Synology could shift to rootless docker or use userns mapping, which would by definition prevent docker from running with root privileges. Though, both setups are not really beginner friendly and would result in a lot of Dockerhub images not working anymore. The average Joe would not stop complaining about why Docker on Synology doesn't work as expected.

I will still say that exposing an application in a container, has less risks than exposing the same application on the host directly.

That means that a container is a running device, analogous to your R-Pi, an IoT, or whatever.

A container is nothing else than a process running in an isolated namespace (which again can create sub processes in the same namespace) on the host's kernel. The same is true for its network usage where usually a namespaced virtual interface is used. By default, for a containerized process it appears that it is the root of the world - without being able to know that it is just a subprocess in the host's process tree.
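The checks raised in the replies above (privileged mode, a mounted docker.sock, and what is published to the network) can be audited from `docker inspect` output. This is an added example, not part of the original thread; it parses a constructed sample, and the container names, ports and paths in it are invented.

```python
import json

# Constructed sample in the shape of `docker inspect` output; the container
# names, ports and paths are invented for illustration.
SAMPLE = json.loads("""[
 {"Name": "/portainer", "HostConfig": {"Privileged": false},
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
  "NetworkSettings": {"Ports": {"9000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9000"}]}}},
 {"Name": "/zwave", "HostConfig": {"Privileged": true},
  "Mounts": [{"Source": "/volume1/docker/zwave", "Destination": "/config"}],
  "NetworkSettings": {"Ports": {"8091/tcp": null}}},
 {"Name": "/web", "HostConfig": {"Privileged": false}, "Mounts": [],
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}}
]""")

def published_ports(container):
    """Return 'hostport->containerport' for bindings not limited to loopback."""
    found = []
    ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
    for cport, bindings in ports.items():
        for b in bindings or []:  # exposed-but-unpublished ports are null
            ip = b.get("HostIp", "")
            if not (ip.startswith("127.") or ip == "::1"):
                found.append(f"{b['HostPort']}->{cport}")
    return sorted(found)

def audit(containers):
    """Map container name -> (risk flags, published ports)."""
    report = {}
    for c in containers:
        flags = []
        if (c.get("HostConfig") or {}).get("Privileged"):
            flags.append("privileged")
        if any(m.get("Source", "").endswith("docker.sock") for m in c.get("Mounts") or []):
            flags.append("docker.sock")
        report[c.get("Name", "?").lstrip("/")] = (flags, published_ports(c))
    return report

def review_first(report):
    """Containers that hold host-level access AND are reachable from the network."""
    return sorted(n for n, (flags, ports) in report.items() if flags and ports)

if __name__ == "__main__":
    rep = audit(SAMPLE)
    for name, (flags, ports) in rep.items():
        print(f"{name}: flags={flags or '-'} published={ports or '-'}")
    print("review first:", review_first(rep))
```

On a real host the same JSON array comes from `docker inspect $(docker ps -q)`. A published port is reachable from the LAN; whether it is reachable from the internet depends on the router's port forwarding.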
 
A container is nothing else than a process running in an isolated namespace (which again can create sub processes in the same namespace) on the host's kernel.
Indeed, that's what I was addressing as the Docker implementation/environment.

I was meaning what it appears to be to other devices: the jobs it's doing; services offered; access it has. An R-Pi running Apache web server can be described by its physical and logical implementation but other devices will see just a web server. That web server could be running in Docker, public cloud, Dell server, etc but the client device doesn't really care. That's the point I was trying to make: there's the security of Docker itself (which I think you are better at addressing) but also the risk to your LAN/data of running stuff whether a containerised 'device' or physical device.
I will still say that exposing an application in a container, has less risks than exposing the same application on the host directly.
I'd agree with that. Plus doesn't require adding or modifying the host to run additional software services.
 
Thanks very much for the info/replies, very helpful. I'm enjoying reading up on Docker, and since I've about finished w/my new backup setup for my new NAS, I need something else to do besides obsessively follow the news. ;-)

Unfortunately I had a DOH! moment last night when I was thinking about this as I was about to go to sleep. Kind of a double DOH moment. I remembered the updates I recently made to my network to isolate relatively much less secure IoT devices from my personal devices:

- Edgerouter
  • VLAN1/AP1: Personal - laptops, phones, NAS
  • VLAN2/AP2: IoT - Google Homes, Alexa, Ring doorbell/cams, R-Pi, SmartThings hub, HUE hub, Shield TV, Roku, Smart TVs, etc.
  • OpenVPN on Edgerouter for remote access to my network (goodbye Quickconnect, port-forwarding for Synology, etc.)
So since I've isolated my IoT devices and NAS/computers on separate VLANs, I can't use Docker on my NAS (attached to my personal VLAN) to work w/my IoT devices attached to my IoT VLAN.

So I will have to go back to my original plan to install Docker on the R-Pi and do things from there. Oh well, was looking forward to playing more w/the newest toy (DS218+), but home network security is the first priority.
 
