Docker 1.10 doubles down on container security

Docker Inc. pushed the latest version of its container engine late last week. Docker 1.10 comes with a strong focus on security, the main updates being a default seccomp (secure computing) profile and support for user namespaces.

Seccomp (secure computing mode) is not Docker's invention: it is a Linux kernel facility that lets a process restrict which system calls it and its children may make. Docker drives it through a profile that whitelists the permitted syscalls and makes every other call fail. Version 1.10 adds a default seccomp profile that is applied to every container unless the operator overrides it with --security-opt seccomp:<profile.json>, blocking syscalls that most containerized applications never need and that have historically been routes out of a container. That should help to address some of the persistent security concerns that have dogged containers since they first started making waves in the enterprise.

Docker engineer Jessie Frazelle goes into some depth on what seccomp profiles are and what they can do in a blog post, saying that the technology should provide "an extra level of granularity in locking down the processes in your containers to only do what they need."

In the same post Frazelle mentions a side project of her own, a tool for writing custom AppArmor profiles more easily. That project proved useful enough that it turned into a proposal to create native security profiles in the Docker Engine itself. Frazelle notes that the work is still in progress, but that she "wanted to give a plug to my awesome tool".
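To make the seccomp discussion concrete, here is an added example (not code from Docker or from Frazelle's post) that builds a whitelist profile in the JSON layout Docker 1.10 reads from --security-opt seccomp:<file>, validates it, and answers the question a practitioner actually has before tightening a profile: which syscalls that my workload needs would this profile refuse? The syscall lists and the "trace" of the web server are constructed for illustration and are far shorter than Docker's real default profile; the profile key names (defaultAction, architectures, syscalls with per-entry name/action/args) are the ones the 1.10 format uses.

```python
"""Build and sanity-check a Docker 1.10-style seccomp whitelist profile.

Added example, not Docker's code. Syscall lists are constructed and
deliberately small; the real default profile allows several hundred.
"""
import json

# Syscalls that almost every containerised process needs (constructed).
BASELINE_ALLOW = [
    "read", "write", "open", "openat", "close", "fstat", "stat", "lseek",
    "mmap", "munmap", "mprotect", "brk", "rt_sigaction", "rt_sigprocmask",
    "ioctl", "access", "execve", "exit", "exit_group", "getpid", "getuid",
    "getgid", "clone", "wait4", "futex", "nanosleep", "socket", "connect",
    "sendto", "recvfrom", "bind", "listen", "accept",
]

# Left out of the baseline on purpose: each is a classic route out of a
# container (trace another task, mount, load a module, reboot) or into
# kernel keyrings. Constructed list, not Docker's blocked set.
DANGEROUS = ["ptrace", "mount", "umount2", "init_module", "finit_module",
             "reboot", "keyctl", "kexec_load"]

# libseccomp action names accepted in a profile.
VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_TRAP", "SCMP_ACT_TRACE"}


def build_profile(allow, default_action="SCMP_ACT_ERRNO"):
    """Whitelist profile: every syscall not listed fails with an errno."""
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"name": name, "action": "SCMP_ACT_ALLOW", "args": []}
                     for name in sorted(set(allow))],
    }


def validate(profile):
    """Return a list of problems; an empty list means the profile is well-formed."""
    problems = []
    if profile.get("defaultAction") not in VALID_ACTIONS:
        problems.append("bad defaultAction")
    seen = set()
    for entry in profile.get("syscalls", []):
        name, action = entry.get("name"), entry.get("action")
        if not name:
            problems.append("syscall entry without name")
        elif name in seen:
            problems.append("duplicate entry for " + name)
        seen.add(name)
        if action not in VALID_ACTIONS:
            problems.append("bad action for " + str(name))
    return problems


def blocked_by(profile, needed):
    """Syscalls from `needed` that this profile would refuse.

    `needed` would normally come from running the workload once without
    a profile under strace; here the caller passes a constructed list.
    Handles both whitelist (default ERRNO) and blacklist (default ALLOW)
    profiles.
    """
    if profile["defaultAction"] == "SCMP_ACT_ALLOW":
        denied = {e["name"] for e in profile["syscalls"]
                  if e["action"] != "SCMP_ACT_ALLOW"}
        return sorted(n for n in needed if n in denied)
    allowed = {e["name"] for e in profile["syscalls"]
               if e["action"] == "SCMP_ACT_ALLOW"}
    return sorted(n for n in needed if n not in allowed)


def write_profile(path, profile):
    """Serialise the profile for `docker run --security-opt seccomp:<path>`."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    prof = build_profile(BASELINE_ALLOW)
    print("problems:", validate(prof))
    # Constructed trace of a web server that also tries to ptrace itself.
    webserver_needs = ["socket", "bind", "listen", "accept",
                       "read", "write", "ptrace"]
    print("would be blocked:", blocked_by(prof, webserver_needs))
    write_profile("tight.json", prof)
```

Run the workload once unconfined to collect the syscalls it really makes, feed that list to blocked_by, and only then ship the profile; a whitelist that is too tight fails at run time with EPERM from inside the container, which is easy to mistake for an application bug.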

A second security feature, still in the works, is the PIDs control group (cgroup), which caps the number of processes a container may create and so limits the damage a fork bomb can do to the host. Frazelle says it should be implemented by the time version 1.11 is rolled out.

“We decided to make this feature secure by default, meaning we are setting the PIDs Limit for the docker cgroup parent to 512 (actual number may change but something along these lines), more than enough for the average user, but not enough to do great harm,” Frazelle writes. “Of course if you need more you can override the default, or even set it as unlimited.”

Also new in version 1.10 is support for user namespaces, available as an experimental preview since last November. With the daemon started with --userns-remap, the root user inside a container is mapped to an unprivileged user ID on the host, so a process that breaks out of its container does not arrive on the host as root. Back when the technology was first announced, Docker explained that user namespaces provide more visibility and control over individual apps and processes running on Docker.
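The following added example (not Docker's code) models what the remapping actually does, using the kernel's uid_map rule: each line "<inside> <outside> <count>" maps a contiguous range of IDs, and an ID with no mapping shows up as the overflow ID 65534 ("nobody") on the other side. The uid_map contents are constructed; with --userns-remap Docker allocates the host-side range from /etc/subuid, and the 100000/65536 figures below are an assumed allocation, not a fixed Docker value.

```python
"""Model how a user namespace maps container uids to host uids.

Added example, not Docker's code. UID_MAP is constructed to look like
/proc/<pid>/uid_map for a container run under a remapped daemon.
"""

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid

# Constructed: container uid 0..65535 -> host uid 100000..165535
UID_MAP = "0 100000 65536\n"

# What uid_map looks like for a container with NO remapping (identity map).
IDENTITY_MAP = "0 0 4294967295\n"


def parse_uid_map(text):
    """Parse uid_map lines into (inside, outside, count) triples."""
    ranges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(x) for x in line.split())
        if count <= 0:
            raise ValueError("uid_map range with non-positive count")
        ranges.append((inside, outside, count))
    return ranges


def to_host(container_uid, ranges):
    """Host uid a container process with `container_uid` really runs as."""
    for inside, outside, count in ranges:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def to_container(host_uid, ranges):
    """How a host-owned file's owner looks from inside the container."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def container_root_is_host_root(ranges):
    """True when 'root' in the container is also uid 0 on the host."""
    return to_host(0, ranges) == 0


if __name__ == "__main__":
    remapped = parse_uid_map(UID_MAP)
    plain = parse_uid_map(IDENTITY_MAP)
    print("remapped container root on host:", to_host(0, remapped))
    print("plain container root on host:   ", to_host(0, plain))
    # The usual surprise: a host-side file owned by root is 'nobody' inside.
    print("host root file seen in container:", to_container(0, remapped))
```

The last line is the operational caveat: a bind-mounted directory owned by host root is unwritable from a remapped container unless its ownership is changed to the mapped range, which is the most common reason teams turn the feature back off.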

In addition, the new version of Docker comes with “incremental improvements” to Swarm 1.1, Docker’s native clustering technology, which include rescheduling of containers when a node fails.

Mike Wheatley

Mike Wheatley is a senior staff writer at SiliconANGLE. He loves to write about Big Data and the Internet of Things, and explore how these technologies are evolving and helping businesses to become more agile.

Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occasional contributor to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.

Got a news story or tip? Email Mike@SiliconANGLE.com.
