The Container Hype is Real, but so is the Security Nightmare
Let’s be honest with each other. We are all running docker run in our dev environments and feeling like wizards. The ability to spin up a LEMP stack in seconds is addictive. But I’ve been seeing a terrifying trend in the Norwegian tech scene lately: developers pushing those exact same unchecked containers into production on bare metal.
Here is the cold, hard reality check for August 2015: Containers are not Virtual Machines.
When you crash a VM, the hypervisor isolates the damage. When you panic a kernel in a container, or worse, when an attacker executes a breakout exploit, they are staring directly at your host OS. With the VENOM vulnerability (CVE-2015-3456) still fresh in our minds from May, trusting a shared kernel blindly is professional suicide.
If you are deploying microservices in Oslo or hosting critical data covered by the Personopplysningsloven, you need to harden your runtime. Here is how we lock it down.
1. Stop Running as Root (Seriously)
By default, the process inside your Docker container runs as root. If a process breaks out of the cgroup jail, it has root privileges on your host server. That is a game-over scenario.
You might wait for user namespaces to mature in the upstream kernel, but right now, the pragmatic fix is to define a non-root user explicitly in your Dockerfile:
RUN groupadd -r app && useradd -r -g app app
USER app
If you must run a service that requires binding to port 80 (which needs root), use a reverse proxy like Nginx on the host, or map high ports. Do not give the container the keys to the castle.
2. Drop Capabilities Like They’re Hot
The Linux kernel divides root privileges into distinct units called 'capabilities'. A web server doesn't need to change system time or load kernel modules. Yet, Docker gives it those rights by default.
We need to operate on a whitelist basis. Drop everything, then add back only what is strictly necessary. Here is the command I use for most stateless web workers:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...
This renders a huge swath of kernel exploits useless because the process simply lacks the permission to execute the syscalls needed to trigger them.
3. The Filesystem Should Be Immutable
If your container gets hacked, the first thing an attacker does is download a payload or modify a binary. Make that impossible. Run your containers with a read-only filesystem.
docker run --read-only ...
Of course, your app needs to write logs or temp files. Mount those specifically as volumes. This forces a clean separation of code and state, which coincidentally makes your app 12-factor compliant. It is good architecture and good security.
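To confirm that sections 1 to 3 actually took effect on running containers, here is an added example (not part of the original post) that audits docker inspect output for the USER, --cap-drop/--cap-add and --read-only settings. The sample JSON, the container names and the one-entry capability whitelist are constructed assumptions; in practice you would feed it the output of docker inspect for your own containers.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields checked here. Container names and values are made up.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-default",
   "Config": {"User": ""},
   "HostConfig": {"CapAdd": null, "CapDrop": null, "ReadonlyRootfs": false}},
  {"Name": "/web-hardened",
   "Config": {"User": "app"},
   "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                  "ReadonlyRootfs": true}}
]
""")

# Assumption: the only capability a stateless web worker may add back.
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}

def norm_caps(caps):
    """Upper-case capability names and strip an optional CAP_ prefix."""
    names = (c.upper() for c in (caps or []))
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    host = container.get("HostConfig") or {}
    # Config.User may be "name", "uid" or "uid:gid"; only the user part matters.
    user = ((container.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (no non-root USER set)")
    if "ALL" not in norm_caps(host.get("CapDrop")):
        findings.append("capabilities not dropped with --cap-drop=ALL")
    extra = norm_caps(host.get("CapAdd")) - ALLOWED_CAP_ADD
    if extra:
        findings.append("unexpected --cap-add: " + ", ".join(sorted(extra)))
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    return findings

def audit_all(inspect_output):
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

An empty findings list means the container matches all three settings; anything else names the flag that is missing.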
4. The Host Architecture: KVM is Non-Negotiable
This is where infrastructure choice becomes a security feature. Many budget providers use OpenVZ or LXC to oversell resources. In those environments, you are already sharing a kernel with other customers. If you run Docker on top of that, you are nesting containers, and the isolation is paper-thin.
At CoolVDS, we don't play that game. We use KVM (Kernel-based Virtual Machine) for every single instance.
Pro Tip: When you spin up a CoolVDS instance, you get your own dedicated kernel. Even if your Docker container is compromised, the attacker is trapped inside your KVM slice. They cannot jump to the hypervisor or access other customers' data. For businesses dealing with sensitive Norwegian user data, this layer of hardware virtualization is mandatory.
5. Network Segmentation and Local Latency
Don't use the default bridge network for everything. Since Docker 1.9 isn't out yet, we are relying on legacy linking or tools like Weave, but you can still be smart with --icc=false (Inter-Container Communication) in your daemon settings to prevent containers from talking to each other unless explicitly linked.
Furthermore, consider where your packets are physically traveling. If your target audience is in Scandinavia, hosting in US-based clouds adds 100ms+ latency and exposes you to the legal gray areas of the Safe Harbor agreement.
CoolVDS infrastructure is physically located in data centers with direct peering to NIX (Norwegian Internet Exchange). We offer low latency and keep your data within European legal jurisdictions, keeping the Datatilsynet happy.
Summary
Docker is revolutionizing how we ship code, but it requires a disciplined operator to run it safely. Don't be the admin who explains a breach to the CTO because you left the default settings on.
Lock down your capabilities, make your filesystem immutable, and run your clusters on true KVM virtualization.
Need a sandbox to test these flags? Deploy a high-performance KVM VPS on CoolVDS today. We accept Bitcoin and deliver root access in under 55 seconds.