Chapter 2. Building and Securing Containers
This chapter describes security concerns involving the building and distribution of Docker containers.
Docker’s Unsigned Binary
Docker’s official binary installation is not signed.
The Dangers of Untrusted Content
The process of installing RPMs involves two phases: (1) the retrieval phase, and (2) the istallation phase. This separation between retrieval and installation does not exist in the Docker workflow. There are a number of CVEs related to this issue. Docker images are stored as tars, and they can escape the docker daemon without your knowing it.
- docker pull is an active process - unlike RPMs, there is no separation between the retrieval phase of installation and the installation phase
- docker containers run as root - you should run Docker content that has originated only from trusted vendors