Docker Desktop is a popular tool for developers working with containers on Windows, Linux and macOS. But as containerized applications become more prevalent, so does the need for robust security. This is where Enhanced Container Isolation (ECI) and Rootless Docker come into play. Both offer security benefits, but they work in different ways. Let’s break down the key differences:
Rootless Docker: Running Lean on Linux
Imagine you want to use Docker on a bare-metal Linux machine without handing the daemon root. Rootless Docker allows exactly that: the Docker daemon and every container it starts run as an ordinary, unprivileged user inside a user namespace, so regular users can install and manage containers without administrative access. The security gain is in blast radius rather than attack surface: a compromised daemon or an escaped container ends up with the rights of that one user account, not root on the host.
However, Rootless Docker has limitations. It is not supported within Docker Desktop, because Docker Desktop already runs the Docker Engine inside its own Linux VM, which provides a layer of isolation of its own. Rootless mode also cannot do things that require real root on the host: binding ports below 1024 needs a sysctl change, overlay networking is unavailable, and cgroup-based resource limits such as --memory and --cpus require cgroup v2 with systemd.
Enhanced Container Isolation: Fortifying Docker Desktop
ECI takes a different approach. It focuses on isolating the containers themselves, not the Docker Engine. When enabled in Docker Desktop, ECI runs every container inside a Linux user namespace, so root inside the container maps to an unprivileged user ID in the Docker Desktop Linux VM. A process that is uid 0 in the container therefore holds no privilege over the VM's kernel or over other containers, which is a much stronger barrier than the default, where container root and VM root are the same uid.
Think of it like this: ECI prevents a containerized application from reaching outside its designated space and potentially tampering with the virtual machine’s security settings. This is particularly valuable for developers who rely on Docker Desktop for development workflows and want an extra layer of protection.
Now, let’s delve deeper into the inner workings of ECI and discover the technology that fuels its power: Sysbox.
Sysbox: A Tailored Runtime for Enhanced Isolation
While Docker normally relies on runc, the reference OCI runtime, to create containers, ECI uses a customized version of Sysbox. Sysbox is a fork of runc with key modifications that raise the isolation bar: it always places the container in a user namespace, virtualizes the parts of /proc and /sys the container can see, and vets a small set of sensitive system calls. This customized version, included in Docker Desktop since version 4.13, is the backbone of ECI's security enhancements.
Seamless Transition for Users: Sysbox Runs Under the Hood
The beauty of ECI lies in its user-friendliness. When enabled, containers launched through familiar commands like docker run or docker create automatically utilize Sysbox instead of the standard runc runtime. This happens behind the scenes, requiring no additional configuration from the user. Developers can continue working with containers as usual, while ECI silently strengthens the security posture.
Taming the Privileged Beast: Secure Execution Even with --privileged
Containers launched with the --privileged flag, long the riskiest option in Docker, can be used with ECI without that risk. The flag hands the container every Linux capability and access to host devices, and switches off the default seccomp profile; on stock Docker that makes container root indistinguishable from root on the host (or, on Docker Desktop, on the Desktop VM). Under ECI the privileged container still runs inside its user namespace, so those capabilities only count within the namespace: the container cannot break into the Docker Desktop VM or compromise other containers.
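A practical way to check which of these modes you actually have, rather than trusting a settings dialog, is to read the container's uid_map. Inside a container, /proc/self/uid_map lists how container uids map onto the parent namespace: a line of "0 0 4294967295" means container root is real root in the host or Desktop VM (stock Docker), while "0 100000 65536" means root is remapped to an unprivileged uid, which is what ECI provides; Rootless Docker additionally reports name=rootless in the SecurityOptions field of docker info. The script below is an added example, not code from the original post, Docker Desktop or Sysbox. It puts that logic in functions fed with constructed sample strings so it runs offline, and runs the real docker commands, once plain and once with --privileged, when invoked with --live. The sample values, the 100000 remap base and the --live flag are this example's own assumptions; the base of the remapped range on your machine may differ.

```shell
#!/bin/sh
# check_isolation.sh - classify how much user-namespace isolation a Docker
# container really gets. Added example; not part of Docker Desktop, Sysbox
# or the original post. Pure functions come first so they can be exercised
# on constructed sample strings without a daemon; pass --live to probe the
# daemon you are connected to.

# Classify a uid_map as read from /proc/self/uid_map inside a container.
# Each line is "<first uid inside> <first uid outside (parent ns)> <count>".
# Prints "host-root" when uid 0 inside maps to uid 0 outside (container root
# is real root on the host or Desktop VM), "remapped:<uid>" when uid 0 maps
# to an unprivileged id (ECI, userns-remap, rootless), "unknown" otherwise.
classify_uid_map() {
    result=unknown
    while read -r inside outside _count; do
        [ "$inside" = 0 ] || continue      # only the range containing uid 0 matters
        if [ "$outside" = 0 ]; then
            result=host-root
        else
            result="remapped:$outside"
        fi
        break
    done <<EOF
$1
EOF
    echo "$result"
}

# Classify the daemon from `docker info --format '{{.SecurityOptions}}'`,
# which prints a Go slice such as
# "[name=seccomp,profile=builtin name=rootless name=cgroupns]".
# "name=userns" is what the engine's userns-remap mode reports.
classify_daemon() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *name=userns*)   echo userns-remap ;;
        *)               echo root-daemon ;;
    esac
}

# Combine both signals into one verdict line.
verdict() {
    daemon=$(classify_daemon "$1")
    uidmap=$(classify_uid_map "$2")
    case "$daemon:$uidmap" in
        rootless:*)     echo "OK: rootless daemon; nothing here runs as host root" ;;
        userns-remap:*) echo "OK: userns-remap; container root maps to host uid ${uidmap#remapped:}" ;;
        *:remapped:*)   echo "OK: container runs in a user namespace (what ECI provides on Docker Desktop); root maps to uid ${uidmap#remapped:}" ;;
        *:host-root)    echo "WEAK: container root is real root on the host/VM; --privileged here means full control" ;;
        *)              echo "UNKNOWN: could not interpret inputs" ;;
    esac
}

# Constructed sample inputs (not captured from a real machine) mirroring the
# shapes the two commands above produce.
SAMPLE_SECOPTS_ROOT='[name=seccomp,profile=builtin name=cgroupns]'
SAMPLE_SECOPTS_ROOTLESS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_UIDMAP_PLAIN='         0          0 4294967295'
SAMPLE_UIDMAP_ECI='         0     100000      65536'
SAMPLE_UIDMAP_ROOTLESS='         0       1000          1
         1     100000      65536'

# Probe the daemon you are connected to, once unprivileged and once with
# --privileged. Under ECI both runs stay remapped; on stock Docker both
# report host-root, which is exactly why --privileged is dangerous there.
live_probe() {
    secopts=$(docker info --format '{{.SecurityOptions}}')
    for flag in "" "--privileged"; do
        # $flag is intentionally unquoted so an empty value adds no argument
        uidmap=$(docker run --rm $flag alpine cat /proc/self/uid_map)
        echo "docker run ${flag:-(default)}: $(verdict "$secopts" "$uidmap")"
    done
}

if [ "${1:-}" = "--live" ]; then
    live_probe
else
    # Offline demonstration on the constructed samples.
    echo "stock docker:    $(verdict "$SAMPLE_SECOPTS_ROOT" "$SAMPLE_UIDMAP_PLAIN")"
    echo "ECI:             $(verdict "$SAMPLE_SECOPTS_ROOT" "$SAMPLE_UIDMAP_ECI")"
    echo "rootless docker: $(verdict "$SAMPLE_SECOPTS_ROOTLESS" "$SAMPLE_UIDMAP_ROOTLESS")"
fi
```

Run it with --live against Docker Desktop before and after toggling ECI: the --privileged line should flip from WEAK to OK once ECI is on, while on a rootless engine docker info alone already settles the question. The uid_map read is deliberately done from inside the container, because that is the view an attacker who has compromised the workload would have.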
A Note on Compatibility and Differentiation
It’s important to remember that ECI is distinct from Docker Engine’s userns-remap mode and Rootless Docker. All three rely on Linux user namespaces in some form, but they apply them in different places: userns-remap and ECI remap container root to an unprivileged uid while the daemon itself keeps running as root, whereas Rootless Docker takes root away from the daemon as well. We’ll explore these distinctions in more detail in a future post.
Sysbox serves as the invisible force behind ECI’s enhanced container isolation. It seamlessly integrates with Docker Desktop, offering robust security without compromising user experience. Stay tuned for further exploration of ECI’s unique approach compared to other security mechanisms.
How to enable ECI on Docker Desktop?
You need to ensure your organization has a Docker Business subscription.
- Log in to your organization in Docker Desktop. This will ensure the ECI feature is available to you in Docker Desktop’s Settings menu.
- Stop and remove all existing containers. ECI applies to containers created after it is enabled, so anything already running would not be covered.
- Navigate to Settings > General in Docker Desktop.
- Next to Use Enhanced Container Isolation, select the checkbox.
- Select Apply and restart to save your settings.
Key Takeaways:
- Rootless Docker: Ideal for native Docker usage on Linux, offering improved security by running the daemon and its containers as an unprivileged user rather than root.
- Enhanced Container Isolation: Designed specifically for Docker Desktop, strengthening the isolation between containers and the Docker Desktop Linux VM.
Choosing the Right Approach
The best option depends on your environment, and in practice the two rarely compete. On a native Linux host where you control the engine, Rootless Docker is the lightweight way to keep root out of the picture. On Docker Desktop, rootless mode is not an option, and ECI is the mechanism that isolates containers from the Desktop VM, so enable it there.
Remember, security is an ongoing process. Both ECI and Rootless Docker offer valuable security features, but they should be used in conjunction with other security best practices to ensure your containerized workflows remain safe and sound.
Want to try? Update your Docker Desktop to 4.30 now!