Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 19)
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
See all Unit 42 Threat Research
Table of Contents
Cloud Security

What Is Docker?

5 min. read
Table of Contents

Docker is a tool that speeds up the process of creating, testing, and deploying applications by using containers. It packages an application into a container, which contains all the necessary elements for the application to operate. This container can then be run on any system, making it highly versatile. Docker is offered as free, open-source software and as a paid, commercial product.

Docker Explained

Docker provides a speedy and flexible environment for developing applications. Developers can wrap their applications in containers, which are like standard packages equipped with everything the application needs to run, such as the code, runtime environment, libraries, and system tools. These containers can work anywhere, from a developer's computer to cloud-based servers in a datacenter, making it easy to deploy applications consistently across different platforms.

Understanding Docker Containers

Docker is built around containers, which offer a streamlined and efficient alternative to older approaches that rely on virtual machines (VMs), each needing its own operating system for every application.

These Docker containers are separated from both the host system and each other. They use the host's core operating system functions while running in their own isolated spaces.

By using Docker for containerization, the processes of developing, testing, and deploying applications become more efficient. This approach also boosts performance, enhances the ability to scale, and ensures applications can be easily moved and securely run anywhere. Additionally, it makes better use of system resources and simplifies the workflow for developers.

Core Components of Docker

The Docker architecture comprises various components that help developers create, verify, and manage containers.

Docker Engine

The Docker Engine facilitates application containerization. It's designed for creating containers, operating them, and managing their orchestration. It consists of three primary parts.

1. Docker Daemon

A server-side component, dockerd creates, runs, and manages Docker containers. The Docker daemon responds to Docker API requests and handles Docker objects (e.g., Docker images, containers, networks, and volumes).

2. Docker Engine API

The Docker Engine API is a RESTful API served by the Docker Engine that the Docker client uses to communicate with the Docker Engine. The API specifies interfaces that applications can use to send instructions to the Docker daemon.

3. Docker Client

The Docker client is the command-line interface (CLI) that is used to send commands to dockerd via the Docker API.

Docker Swarm

Docker Swarm supports cluster load balancing for Docker. It transforms a pool of Docker hosts into a single virtual host, which is key for high availability and scalability. Swarm leverages a distributed consensus algorithm to manage cluster state and orchestrate container deployment across nodes using declarative configurations, while its compatibility with standard Docker API endpoints ensures seamless integration with existing Docker tools and applications.

Dockerfiles

The Dockerfile details the steps to construct Docker images. It specifies the base image, commands, and file copy operations required to assemble the application environment. Dockerfiles ensure reproducibility and version control in the development lifecycle.

Docker Container

A Docker container is a lightweight runnable instance of Docker images. It encapsulates the application, its environment, and the dependencies to run the application isolated from the underlying system, such as code, runtime, system tools, libraries, and settings. Docker containers can be started, stopped, moved, and deleted.

Docker Images

Docker images specify the commands and steps needed to build Docker containers. They include the application or service, dependencies, libraries, and other binaries required to run the application. Docker images are stored in a registry.

Docker Registries

A Docker registry is a repository that centrally stores and distributes Docker images. The default public registry is the Docker Hub, but users can create private registries.

Docker Volumes

Docker volumes ensure that data generated by and used by Docker containers persists across container restarts and rebuilds. Docker manages Docker Volumes and they remain independent rather than persisting data in a container’s writable layer.

Docker Networks

Docker comes with network drivers that help containers talk to each other and connect to the internet or different networks. These Docker networks create safe, separate paths for communication between containers, ensuring the security of applications running inside them.

Docker Compose

Docker Compose allows developers to deploy services, networks, and volumes for multi-container Docker applications. With a YAML file to configure the application’s services, networks, and volumes, Docker Compose allows for a simplified deployment process by executing a single command to spin up the full stack.

What Platforms and Environments Does Docker Support?

Docker is platform-agnostic. It supports a number of operating systems and environments for developing, shipping, and running containerized applications.

Docker Supported Operating Systems

  • Linux: Ubuntu, CentOS, and Red Hat Enterprise Linux
  • Windows: Windows 10 and Windows Server 2016 and newer versions
  • macOS

Docker mainly relies on containerization to separate and operate applications using the built-in features of the Linux kernel. For systems not based on Linux or when extra separation is needed, Docker uses a hypervisor.

Cloud and Virtualization Platforms

  • Amazon Web Services (AWS): Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)
  • Microsoft: Azure Container Instances (ACI) and Azure Kubernetes Service (AKS)
  • Google Cloud Platform (GCP): Google Kubernetes Engine (GKE) and Cloud Run
  • VMware: VMware virtual machines (VMs) and VMware’s Tanzu portfolio
  • Oracle Cloud: Oracle Cloud Infrastructure (OCI), Oracle Container Engine for Kubernetes (OKE), and Oracle Cloud Infrastructure Registry

Development Environments

  • Integrated Development Environments (IDEs): Visual Studio Code, IntelliJ IDEA, and Eclipse
  • CI/CD Tools: GitLab CI and GitHub Actions

How Does Docker Work?

The following is a step-by-step overview of how a developer would work with Docker.

  • Install Docker Engine on a host machine.
  • Create a Dockerfile to define how an application’s container should be built.
  • Build a Docker image from the Dockerfile.
  • Store and share Docker images in a registry.
  • Start an application using the Docker CLI to launch a container from an image.
  • Manage Docker containers’ lifecycles, including starting, stopping, restarting, and removing containers.
  • Configure Docker networks to isolate containers, link them together, or expose them to the host network.
  • Use Docker volumes and bind mounts to persist data outside of the container’s writable layer.
  • Use Docker Compose to define and run complex applications that require multiple containers.
  • Monitor logs of container performance, resource usage, and health.

It's essential to implement appropriate security measures when using Docker, including:

  • Apply resource limits to prevent denial-of-service attacks.
  • Avoid running containers as root.
  • Enable logging and monitoring for unusual activities.
  • Implement network segmentation and firewall rules to control traffic.
  • Keep Docker hosts updated.
  • Limit container privileges with cgroups.
  • Minimize installed packages.
  • Provide process and network isolation using namespaces.
  • Run the Docker daemon with restricted privileges and protect its socket.
  • Update the Docker Engine and container dependencies.
  • Use official or trusted Docker images and scan them for vulnerabilities.

Related Article: Container Security

Docker Tools

Docker Desktop

Docker Desktop serves as the primary platform for developers to build, test, and deploy Docker containers on Mac and Windows. It integrates Docker Engine, providing a local environment consistent with production servers. The tool includes Kubernetes for orchestration, enabling developers to simulate clustered deployments.

Docker Hub

Docker Hub is a cloud-based repository service where users can store, share, and manage Docker container images. It provides automated build capabilities, version control, and integration with GitHub and Bitbucket, supporting both public and private repositories and facilitating collaboration and pipeline automation.

Docker Trusted Registry

Docker Trusted Registry is Docker's enterprise-grade image storage solution that allows corporations to securely store and manage the images used in their Docker environments. It offers image signing for security, fine-grained access control, and the ability to run behind an organization's firewall, integrating with existing user authentication systems.

Docker Machine

Docker Machine automates the provisioning of Docker hosts on local machines, cloud providers, or inside your datacenter. It simplifies the process of managing Dockerized environments on a variety of platforms, including virtual machines, physical servers, and cloud instances, by providing a unified command-line interface.

Docker Engine: Community Edition (CE)

Docker Engine CE is the free, open-source version of Docker Engine, designed for developers and DIY enthusiasts interested in experimenting with containerized applications. Docker Engine CE is lightweight and offers developers the essentials to build, ship, and run distributed applications on a wide range of platforms. It includes the full Docker platform, supporting all the tools and functionalities necessary to build, share, and run Docker containers.

Docker Engine: Enterprise Edition (EE)

Docker Engine EE is designed for enterprise development and IT teams who build, ship, and run business-critical applications in production at scale. Docker Engine EE includes enterprise-grade features such as image signing and verification, long-term support, and certified plugins, providing a more secure, scalable, and supported platform.

Docker Security Scanning

Docker Security Scanning is an integrated feature within Docker Hub and Docker Trusted Registry that provides a detailed security assessment of Docker images by scanning for known vulnerabilities. It compiles comprehensive reports and notifies developers, enabling them to identify and address security issues before deployment.

Docker Bench for Security

Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. The tool audits a Docker host against the security standards defined in the Center for Internet Security (CIS) Docker Community Edition Benchmark, offering insights and recommendations for securing Docker environments.

Docker Datacenter

Docker Datacenter, now a component of Docker Enterprise, offers an integrated platform for container management and deployment. It provides a container as a service (CaaS) solution for IT and development teams to provision, operate, and secure Docker environments with role-based access control, image signing, and policy-driven automation.

Docker Notary

Docker Notary ensures the integrity of Docker images by providing a framework to publish and verify content. Leveraging The Update Framework (TUF), Notary offers cryptographic signatures to secure the software supply chain, allowing users to sign and then verify the authenticity and integrity of container images.

Docker Use Cases and Benefits

CI/CD Pipeline

Docker's container-based approach greatly enhances CI/CD pipelines, making it quicker to deploy applications. Automated testing tools within Docker help maintain high code quality by spotting problems early in the development process.

Compliance

With Docker, compliance requirements compliance and security policies can be defined as code using Dockerfiles and configuration management tools. This helps enforce compliance with policies consistently across all containerized applications, reducing manual oversight and human error.

Legacy Application Migration

Legacy applications can be migrated to Docker, ensuring that legacy applications run consistently across development, testing, and production environments. This reduces compatibility issues and streamlines deployment processes.

Microservices

By supporting microservices, Docker enables the independent deployment and delivery of services. This allows services to scale quickly based on demand, reduces the impact of failures by isolating them within specific services, and facilitates rapid iteration and updates to speed development processes.

Vulnerability Management

Docker-integrated tools can be used to scan container images for known vulnerabilities during development and before deployment to identify and remediate vulnerabilities early. This enhances vulnerability management, reducing the risk of exploitation in production environments.

Docker FAQ

Docker runs applications in separate, isolated spaces on a host's main operating system (OS) using containerization. Virtualization involves creating complete VMs, each with its own operating system. This makes Docker containers more efficient than virtual machines because they are lighter, boot up quicker, consume less of the host's resources, and can be scaled more easily.
Docker containers are lightweight, standalone, executable packages that include everything needed to run a piece of software, including the code, runtime, system tools, libraries, and settings. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.
Docker images are immutable files that serve as the source code for containers. They contain a snapshot of a Docker container's filesystem, along with metadata about how to run a container based on the image. Images are layered, allowing for the reuse of files, minimizing disk usage and speeding up the build process.
Docker build is a command-line function that creates a Docker image from a Dockerfile and context. The build process compiles source code, includes dependencies, and configures the environment within the image. Developers use this command to package their applications into images ready for deployment.
Docker push uploads an image from the local system to a remote repository. Typically used with Docker Hub or self-hosted registries, this command enables sharing and distribution of container images across different environments or with other collaborators, effectively versioning and storing application images for deployment.
Docker pull fetches an image from a registry and saves it to the local system. This command allows users to download pre-built images to run containers locally or on a host in the cluster, ensuring that they can access and deploy the latest versions of the necessary images.
Docker run is a command that starts a container from a specified image. It initializes a writable layer on top of the image layers, sets up the network and storage, and begins execution of the application within the container environment as defined by the image's metadata.
A Dockerfile is a text document containing all the commands a user could call on the command line to assemble an image. Using docker build, developers can create an automated build that executes several command-line instructions in succession.
The Docker daemon is a persistent background service that manages Docker images, containers, networks, and storage volumes on a host machine. It processes requests from the Docker API, used by the Docker CLI or other Docker clients, to control Docker objects and services.
Docker volumes are persistent data stores for containers. Unlike the ephemeral filesystem of a container, volumes are managed by the Docker host and survive container rebuilds and restarts, enabling data to remain intact across container updates and allowing for data sharing between containers.
Docker networking enables standalone containers to communicate with each other and with other systems. It leverages network namespaces and virtual bridges to provide isolation and network connectivity, supporting multiple networking models including bridge, host, overlay, macvlan, and none, which dictate how containers connect with networks and each other.
A Docker registry is a stateless, highly scalable server-side application that stores and distributes Docker images. Registries come in two forms: public, like Docker Hub, which provides a centralized resource for container image discovery and distribution, and private, which secures proprietary images for internal use within an organization.
The Docker Command Line Interface (CLI) is a tool that allows users to interact with the Docker Daemon through commands. Users can execute various operations such as building, pulling, and running containers, managing images, containers, networks, and volumes using the CLI.
A Docker node refers to a physical or virtual machine that runs an instance of the Docker Engine and participates in the cluster. In the context of Docker Swarm, nodes can be either managers, responsible for orchestrating and scheduling containers, or workers, executing tasks and running containers.
Docker services are the scalable units in a Docker Swarm environment. They define the desired state of containerized applications, specifying the image to use, the commands to run, and the replicas required. Services enable high-level abstractions for deploying and managing containers across a distributed cluster.
A Docker stack is a group of interrelated services that share dependencies and are orchestrated and managed together. Defined in a Docker Compose file, stacks are deployed to manage more complex applications with multiple containers that work together, maintaining service definitions and network configurations in a single document.
Like Kubernetes secrets, Docker secrets are a secure way to store and manage sensitive data such as passwords and encryption keys in Docker Swarm. They prevent the direct exposure of sensitive data in stack definitions or source code, and are only accessible to services running on the Swarm that have been granted explicit access to them.
The Docker API provides a programmatic interface for controlling the Docker Daemon and manipulating Docker objects. It allows developers to build tools and applications that interact with Docker services, facilitating container management, image creation, and orchestration tasks through standardized HTTP requests.
Docker security encompasses the methods and tools used to protect Docker containers and the host system. It involves securing the Docker Daemon, managing container access controls, ensuring image integrity, and isolating container runtime environments using namespaces and cgroups to prevent unauthorized access and mitigate risks.
Immutable infrastructure is a paradigm where servers are never modified after deployment; any changes require redeploying a new instance. This model enhances consistency and reliability in environments, as changes are made through controlled processes, reducing the risk of configuration drift and ensuring that the infrastructure state remains consistent with the versioned configuration.
Docker namespaces provide isolation for containers, creating a layer of security by ensuring that each container has its own view of the operating system, including processes, network interfaces, and file systems. Namespaces restrict containers from seeing or affecting resources in other namespaces, an essential feature for multi-tenant environments.

Related content

Get the latest news, invites to events, and threat alerts