Containers, represented in particular by the hype around Docker, have received a growing share of the IT world's attention for the past year or two. And for good reason. Like other virtualization techniques, containers allow easier deployment, better maintainability, improved application management, better hardware utilization and a lower TCO overall. Cost in particular is likely the biggest reason for the popularity of container technology within virtualization, because a lightweight technology touches not only hardware and infrastructure but also development and operations.
On top of the euphoria over containerization as really lightweight virtualization, containers are also at the center of a debate about improving security. Linux containers isolate environments for users and applications, which helps bring more transparency to software infrastructure. A more transparent software infrastructure has the great benefit of being easier to maintain.
However, greater maintainability is not the argument used when virtualization is put forward as a means of improving security. The main argument is typically the isolation of software, which by itself adds only a thin layer of security, given that it is bought with an extra layer of complexity.
Still, the software packaged up in a container has its own vulnerabilities, and in most cases its own means of isolation. To give an example, a database system like MySQL is perfectly capable of managing credentials for multiple databases along with multiple users. The common approach when containerizing MySQL is instead to run one instance per application, typically with a default password, entirely omitting MySQL's user management. A bug in the software is also replicated across all those instances; that applies not just to the database system but to all containers of the same type.
Now, lack of user management and bugs are problems one wants to avoid. But multiple instances of the same software merely replicate a software problem, and as for user management, replication may even add overhead.
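The MySQL pattern described above, as an added example that is not part of the original post: a small audit of constructed docker-compose-style service definitions (service names and image tags are hypothetical) that flags the shared default root password and the missing application user, and produces a hardened definition using the official mysql image's MYSQL_RANDOM_ROOT_PASSWORD, MYSQL_DATABASE, MYSQL_USER and MYSQL_PASSWORD variables so that each application gets its own account limited to its own database.

```python
"""Audit and harden constructed docker-compose-style MySQL service definitions
for the pattern described above: many instances of the same image, a shared
default root password, and no per-application database user."""
import copy
from typing import Dict, List, Tuple

# Constructed sample (hypothetical names): two application stacks, each with its
# own MySQL container set up the "quick" way, sharing one default root password.
WEAK_SERVICES: Dict[str, dict] = {
    "shop-db": {"image": "mysql:5.7", "environment": {"MYSQL_ROOT_PASSWORD": "root"}},
    "blog-db": {"image": "mysql:5.7", "environment": {"MYSQL_ROOT_PASSWORD": "root"}},
    "web": {"image": "nginx:1.9"},
}
GUESSABLE = {"", "root", "password", "mysql", "changeme", "secret"}

def is_mysql(svc: dict) -> bool:
    return svc.get("image", "").startswith("mysql")

def audit_mysql_services(services: Dict[str, dict]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    by_root_pw: Dict[str, List[str]] = {}  # root password -> services using it
    for name, svc in services.items():
        if not is_mysql(svc):
            continue
        env = svc.get("environment", {})
        if str(env.get("MYSQL_ALLOW_EMPTY_PASSWORD", "")).lower() in ("yes", "1", "true"):
            findings.append(f"{name}: root may log in with an empty password")
        root_pw = env.get("MYSQL_ROOT_PASSWORD")
        if root_pw is not None and root_pw.lower() in GUESSABLE:
            findings.append(f"{name}: default or guessable root password")
        if "MYSQL_USER" not in env:
            findings.append(f"{name}: no application user, clients will connect as root")
        if root_pw:
            by_root_pw.setdefault(root_pw, []).append(name)
    for pw, names in by_root_pw.items():
        if len(names) > 1:
            findings.append("same root password reused by: " + ", ".join(sorted(names)))
    return findings

def harden(services: Dict[str, dict], app_creds: Dict[str, Tuple[str, str, str]]) -> Dict[str, dict]:
    """Copy the definitions, giving every MySQL service a random root password (the
    official image generates one when MYSQL_RANDOM_ROOT_PASSWORD=yes) and its own
    (database, user, password) from app_creds, an account limited to that database."""
    hardened = copy.deepcopy(services)
    for name, svc in hardened.items():
        if is_mysql(svc):
            database, user, password = app_creds[name]
            svc["environment"] = {"MYSQL_RANDOM_ROOT_PASSWORD": "yes", "MYSQL_DATABASE": database,
                                  "MYSQL_USER": user, "MYSQL_PASSWORD": password}
    return hardened
```

The application credentials passed to `harden` are assumed to come from a secret store rather than from the compose file itself.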
What Docker is really good at is automating the deployment of services and infrastructure, which makes it a great tool for DevOps. And even though Docker offers security options, these are there to secure the container infrastructure itself.
Containers are a great tool for developing replicable processes and are essential to DevOps. Having all services described in a github.com repository is a great option for development. But containers are not a security tool by themselves; they add an extra layer of complexity that makes it easy to forget about application security.
— Pete Cheslock (@petecheslock) May 5, 2015