Operating system (OS) level virtualization is a method of virtualization that enables multiple isolated user-spaces instances (containers) within the same compute hardware environment to execute on a single host OS kernel. The host's OS kernel is shared with each container hosted on the system, enabling the containers to access and utilize compute resources (e.g. CPU, memory, storage, networking) concurrently. An application container is a software application that runs as a container in an operating system level virtualized environment. An application container executing in a virtual environment is known as “application containerization” or more simply as “containerization.” For example, the application container image file encapsulates the software binary and supporting software libraries all into one deployable image file package. The ability to package software in an application container enables a modular approach to software development and deployment, and eliminates software compatibility issues that can arise from discrepancies between application software library version requirements and installed OS software library version.
In the whitepaper “Understanding and Hardening Linux Containers” prepared by Aaron Grattafiori, application container security is defined as the ability to restrict access to other containers, prevent knowledge of other containers from intentionally or accidentally leaking to one another, control and account for memory, CPU, networking, and disk I/O, and the ability to detect and remove rouge processes. Historically, containerization has posed a greater security risk as compared to hardware or platform virtualization. The risk inherent in containerization stems from the OS kernel being shared between multiple application containers, and the lack of constraints to prevent containers from escaping their confinement and accessing the host environment and/or the other containers within the host environment. Attacks against an application container or host system can originate from compromised containers, applications within containers, maliciously deployed containers, and an assortment of other sources.
Current advancements to address the security of application containers have focused on kernel namespaces and control groups. Kernel namespaces have been developed to isolate the global resources of a host to an application container's set of processes that are a member of the namespace. While the scope of namespaces continues to expand, it is not all-inclusive. For example, the audit program and the file system are not addressed by namespaces. There are also security weaknesses in the Mount namespace as discussed in detail by Richard Guy Briggs at the 2016 Linux Security Summit. Control groups have been developed to limit application containers access to various host hardware resources. Although useful, control groups can only limit what they are configured to limit. Even with the development of these security measures, gaps continue to exist in application container security that are yet to be addressed.