Docker versus Vagrant

There are many, many comparisons out there on the Internet of Docker versus Vagrant. Usability, scalability, portability, you-name-it-ability.

This blog post is about a different angle: the security impact on the host system of the current implementations of Docker and Vagrant. It is a very high-level comparison.

Can you compare the two? Not really; they are used for completely different reasons. Docker is wildly popular for medium to large scale production web server deployments and microservices, where each service runs in its own process, or container. Vagrant is mostly used during design and development, by individual developers or by teams at companies.

So, having said that, let's compare the security differences at a high level:

Docker

  • Partial isolation from the host.
  • Shares the kernel with the host.
  • Resources aren't guaranteed, they're shared, unless you set limits explicitly.
  • Uses runC as the runtime (Docker 0.9 replaced the LXC driver with libcontainer as the default; since Docker 1.11 and the inception of the Open Container Initiative it uses runC, which builds on libcontainer). System resources can be limited using control groups (cgroups): block devices (blkio), CPU (cpu), CPU accounting (cpuacct), individual CPU and memory nodes (cpuset), devices, task management (freezer), memory usage (memory), network packet classification (net_cls), network priority (net_prio) and performance analysis (perf_event).
  • Implements network isolation: each Docker container has its own network stack (zero or more network interfaces).
  • Uses namespaces (pid, net, mnt, ipc, uts and, optionally, user) to isolate processes, and therefore containers.
  • Confines the daemon and each container with an AppArmor profile on distributions that ship AppArmor (on SELinux-based distributions the equivalent is the container SELinux policy); a default seccomp profile and a reduced set of Linux capabilities apply as well.
  • Vulnerabilities in an application inside the container should not affect the host, as long as the kernel, the runtime and the configuration hold. Because the kernel is shared, a kernel vulnerability reachable from inside the container is a host vulnerability.
  • Vulnerabilities in Docker itself (the daemon runs as root) directly affect the host.
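The reduced capability set and the cgroup limits are two of the places where a container can quietly end up with more than you intended (`--cap-add`, `--privileged`, no `--memory`). As an added example, not code from the original post, here is a small Python check that decodes the `CapEff`/`CapBnd` masks from `/proc/<pid>/status` into capability names, compares them with the set Docker grants by default, and parses the cgroup v1 `memory.limit_in_bytes` value. The `/proc` excerpts embedded below are constructed samples, and the list of "escape-prone" capabilities is this example's own judgement call rather than anything Docker publishes.

```python
"""Check what a container was actually granted: decode the capability masks
in /proc/<pid>/status and the cgroup v1 memory limit, and compare them with
Docker's default grant. Added example, not code from the original post."""
import re

# Linux capability numbers = bit positions in CapEff/CapBnd
# (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# What `docker run` grants an unprivileged container by default
# (CapEff 00000000a80425fb on a typical kernel).
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Capabilities that make the shared-kernel boundary much easier to cross;
# this selection is the example's own judgement, not a Docker list.
ESCAPE_PRONE_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "DAC_READ_SEARCH",
    "NET_ADMIN", "SYS_BOOT",
}

# Value of memory.limit_in_bytes when no limit is configured (cgroup v1).
CGROUP_V1_NO_LIMIT = 9223372036854771712

# Constructed /proc/<pid>/status excerpts, not captured from a real host.
SAMPLE_STATUS_DEFAULT = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
"""
# Same container started with --cap-add SYS_ADMIN (bit 21 set).
SAMPLE_STATUS_SYS_ADMIN = SAMPLE_STATUS_DEFAULT.replace("a80425fb", "a82425fb")
# --privileged on a kernel with 38 capabilities: every bit set.
SAMPLE_STATUS_PRIVILEGED = SAMPLE_STATUS_DEFAULT.replace(
    "00000000a80425fb", "0000003fffffffff")


def decode_caps(mask_hex):
    """Turn a CapEff/CapBnd hex mask into the set of capability names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}


def parse_status(status_text):
    """Return {CapInh, CapPrm, CapEff, CapBnd, CapAmb} -> set of names."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s+([0-9a-fA-F]+)$", line.strip())
        if m:
            caps[m.group(1)] = decode_caps(m.group(2))
    return caps


def memory_limit_bytes(limit_text):
    """Parse memory.limit_in_bytes; None means the container is unlimited."""
    value = int(limit_text.strip())
    return None if value >= CGROUP_V1_NO_LIMIT else value


def audit(status_text, mem_limit_text):
    """Summarise what the container holds beyond Docker's default grant."""
    effective = parse_status(status_text).get("CapEff", set())
    return {
        "beyond_default": sorted(effective - DOCKER_DEFAULT_CAPS),
        "escape_prone": sorted(effective & ESCAPE_PRONE_CAPS),
        "memory_limit": memory_limit_bytes(mem_limit_text),
    }


if __name__ == "__main__":
    # Run inside a container to audit the real process; falls back to
    # "unlimited" if the cgroup v1 memory file is absent (e.g. cgroup v2).
    with open("/proc/self/status") as f:
        status = f.read()
    try:
        with open("/sys/fs/cgroup/memory/memory.limit_in_bytes") as f:
            limit = f.read()
    except OSError:
        limit = str(CGROUP_V1_NO_LIMIT)
    print(audit(status, limit))
```

Run it as `docker run --rm -v $PWD/capcheck.py:/capcheck.py python:3 python /capcheck.py` (and again with `--cap-add SYS_ADMIN` or `--privileged`) to see the difference between what the defaults give you and what a single extra flag hands out; an empty `beyond_default` list together with a non-`None` memory limit is what a deliberately configured container should report.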

Vagrant

  • Full isolation from the host.
  • Runs its own kernel on top of the virtual machine environment (Vagrant itself only drives a provider such as VirtualBox, VMware or libvirt; the isolation is the hypervisor's).
  • Resources are reserved in advance.
  • Vulnerabilities in the guest operating system will not affect the host.
  • Vulnerabilities in the virtual machine environment (the hypervisor and its device emulation) could affect the host.

Docker seems to give systems administrators a much more fine-grained set of controls to tune security. And that's exactly what I personally think, still in 2017, is currently the weak spot: there are simply too many places that a DevOps engineer or systems administrator needs to think of to properly secure the host from the container(s).

When something is easy to do and is enabled by default, people will use it. At the moment, configuring and hardening Docker is much easier than it was, but still not easy. It's the same reason why (unfortunately) SELinux isn't widely deployed: it's too complex, and complexity is the enemy of security.
