Recent high-profile security breaches have illustrated the importance of good IT security. Perhaps nowhere is this more true than in the world of containers. Unlike virtual machines, which have their own OS and run on top of a hypervisor, containers are entirely dependent on a host operating system. Vulnerabilities within the host OS could very well allow containers running on the host to be compromised. As such, it is critically important to make sure that the host OS container is configured in a secure manner.
The host OS has one job, and one job only—to provide the basic infrastructure required for running containers. As such, the host OS should contain only those components that are required by the container environment, nothing more, nothing less. Allowing unnecessary services or components on a container host effectively increases the host OS’s attack surface, and potentially also increases the chances that the host OS container will contain an exploitable vulnerability. On the other hand, eliminating unnecessary overhead from the host OS container not only improves security, but can also help the OS to run more efficiently, and may even reduce the patch management burden.
For existing container hosts, the best approach to paring down the host OS is to compare the container requirements to what is actually installed on the server, and then eliminate anything that is not necessary. For new container hosts, however, you might consider using a Linux distribution that can help you achieve your security objectives.
Keep it Simple
As previously noted, one of the most effective ways to improve host OS container security is to uninstall all unnecessary components in an effort to reduce the operating system’s attack surface. Rather than deploying a really heavy Linux build and trying to pare it down, it may be more effective to deploy a super-lightweight Linux distribution instead.
If your goal is to keep the host OS as small as possible, then you might consider using Alpine Linux. Alpine Linux was specifically designed to be as lightweight as possible. A minimal deployment only consumes about 130 MB of disk space, and containers are only about 8 MB in size.
Alpine Linux allows for granular control of the binary packages that are installed, and userland binaries are compiled as Position Independent Executables with stack smashing protection, in an effort to keep the operating system secure.
A Special Purpose Host OS
Although using a lightweight, no-nonsense Linux distribution is one of the best ways of ensuring container security, it isn’t the only technique. Another really great option involves using a purpose-built Linux distribution that has been engineered specifically for use as a container host. Perhaps the best example of such an operating system is RancherOS.
RancherOS includes only those services which are required for running Docker. That means that like Alpine Linux, RancherOS is really small. However, RancherOS takes things a step further.
RancherOS uses containers to separate the user space from the system space. The operating system works by launching two containers on top of a lightweight host kernel. The first of these containers is the System Docker container.
Typically, Linux distributions use Systemd as their default init system. In RancherOS, Systemd is replaced by the System Docker instance. All of the system services run within containers on top of the System Docker instance. RancherOS is designed to run the minimal required system services, but it is possible to add additional containerized system services. To find out which services are available, just enter the following command:
ros service list
The second Docker instance that runs on RancherOS is called User Docker. The User Docker container is where you would run your containerized applications.
In creating RancherOS, Rancher has leveraged the concept of nested containers. The User Docker container is itself a container. The System Docker instance runs system services inside of containers. One of the containers that runs on System Docker is named Docker. This Docker container is what makes up User Docker. In other words, containerized applications run on top of User Docker, which is a Docker instance running in a container named Docker on top of System Docker. This architecture establishes a logical separation between the user space and the system space, and ensures that user-level activities cannot impact the underlying system resources.
One of the best ways of ensuring the security and operational efficiency of your containers is to run a lean host OS. You can accomplish this by manually removing services from a traditional Linux build, using one of the minimal Linux builds such as Alpine Linux, or by using a purpose-built OS such as RancherOS.
Get regular updates on cloud native and container security by signing up for our newsletter, or contact us for a demo today.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
Safer Software with Twistlock and Google’s Binary Authorization for GKERead the Blog
Announcing Our Series C FundingRead the Blog
Real Time View of Your Cloud Native Applications: Radar v3Read the Blog
AWS Fargate Security: Runtime Defense with Twistlock 2.5Read the Blog
Cloud Native Forensics: Security Incident Response in Twistlock 2.5Read the Blog