Docker 1.10 doubles down on container security


Docker Inc. pushed the latest version of its container engine technology late last week. Docker 1.10 comes with a strong focus on security, with the main updates being the addition of secure computing features and user namespace technology.

Secure Computing, called “seccomp” by Docker, is a new piece of code integrated into the Linux kernel that gives admins granular security control over their containerized applications. Docker runs atop Linux, and version 1.10 adds a new default seccomp profile that should help address some of the persistent security concerns that have dogged containers since they first started making waves in the enterprise.

Docker engineer Jessie Frazelle goes into some depth on what Seccomp Profiles are and what they can do in this blog post, saying that the technology should provide “an extra level of granularity in locking down the processes in your containers to only do what they need.”

Frazelle explains that Seccomp was initially conceived as a side project for a better way to write custom AppArmor profiles. However, the project was so successful that it turned into a proposal to create native security profiles in the Docker Engine itself, as described here. Frazelle explains that Seccomp is still a work in progress, but that she “wanted to give a plug to my awesome tool”.
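To make the "only do what they need" idea concrete, here is an added example (not code from the article, from Frazelle, or from the Docker project) that builds a deny-by-default seccomp profile in the JSON layout Docker reads from `--security-opt seccomp=<file>`, and runs a small review check over it before it is deployed. The syscall allowlist and the shortlist of syscalls flagged by the linter are constructed for illustration, not a recommended baseline.

```python
"""Build and sanity-check a Docker seccomp profile (added example).

Assumptions (not from the article): the JSON layout is the one Docker's
engine reads via ``--security-opt seccomp=<file>``: a top-level
``defaultAction``, an ``architectures`` list and a ``syscalls`` list whose
entries carry a syscall ``name`` and an ``action``.  The syscall list below
is a constructed, deliberately small allowlist for illustration only.
"""
import json

ALLOW = "SCMP_ACT_ALLOW"
ERRNO = "SCMP_ACT_ERRNO"

# Constructed sample: a handful of syscalls most small static binaries need.
BASELINE_SYSCALLS = [
    "read", "write", "open", "close", "fstat", "mmap", "munmap", "brk",
    "exit_group", "rt_sigreturn", "rt_sigaction", "rt_sigprocmask",
]


def build_profile(allowed, architectures=("SCMP_ARCH_X86_64",), extra_deny=()):
    """Return a deny-by-default profile dict allowing only ``allowed``.

    ``extra_deny`` entries are emitted explicitly with SCMP_ACT_ERRNO so the
    intent is visible to a reviewer even though the default already rejects them.
    """
    syscalls = [{"name": n, "action": ALLOW} for n in sorted(set(allowed))]
    syscalls += [{"name": n, "action": ERRNO} for n in sorted(set(extra_deny))]
    return {
        "defaultAction": ERRNO,
        "architectures": list(architectures),
        "syscalls": syscalls,
    }


def lint_profile(profile):
    """Return findings a reviewer would want to see before deploying the profile.

    Checks: the default action is a deny, no syscall appears twice with
    conflicting actions, and a few syscalls that give container root wide
    reach over the host are not allowed.
    """
    findings = []
    if profile.get("defaultAction") == ALLOW:
        findings.append("defaultAction is ALLOW: profile is a denylist, not an allowlist")
    seen = {}
    for rule in profile.get("syscalls", []):
        name, action = rule["name"], rule["action"]
        if name in seen and seen[name] != action:
            findings.append(f"conflicting actions for {name}: {seen[name]} vs {action}")
        seen[name] = action
    # Constructed shortlist of syscalls a container should not normally need.
    for risky in ("mount", "ptrace", "reboot", "kexec_load", "init_module"):
        if seen.get(risky) == ALLOW:
            findings.append(f"{risky} is allowed; it is normally denied inside a container")
    return findings


def allowed_syscalls(profile):
    """Sorted list of syscall names the profile explicitly allows."""
    return sorted(r["name"] for r in profile["syscalls"] if r["action"] == ALLOW)


if __name__ == "__main__":
    prof = build_profile(BASELINE_SYSCALLS, extra_deny=["mount", "ptrace"])
    print(json.dumps(prof, indent=2))
    print("findings:", lint_profile(prof) or "none")
    # Once the JSON is written to disk, Docker applies it per container with:
    #   docker run --security-opt seccomp=profile.json <image>
```

The design choice worth noting is the `defaultAction`: with `SCMP_ACT_ERRNO` as the default, anything the profile forgets to list fails closed, whereas a profile whose default is `SCMP_ACT_ALLOW` only blocks what someone remembered to deny, which is what the linter flags first.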

A second new security feature in the works is the PIDs control group, which Frazelle says should be implemented by the time version 1.11 is rolled out.

“We decided to make this feature secure by default, meaning we are setting the PIDs Limit for the docker cgroup parent to 512 (actual number may change but something along these lines), more than enough for the average user, but not enough to do great harm,” Frazelle writes. “Of course if you need more you can override the default, or even set it as unlimited.”

Also new in version 1.10 is support for user namespaces. This particular technology has been available in preview since last November, and offers another approach to container control and visibility. Back when the technology was first announced, Docker explained that user namespaces provide more visibility and control for individual apps and processes running on Docker.
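What user namespaces change in practice is which host account a process inside a container really runs as. The following added example (not from the article or the Docker project) parses `/etc/subuid`-style lines of the kind a daemon started with `--userns-remap` relies on, and works out the container-to-host uid mapping the kernel applies, so that "root" inside a remapped container can be seen to be an unprivileged uid on the host. The subordinate ranges and the `dockremap` user are constructed sample data.

```python
"""Map container uids to host uids under Docker user namespaces.

Added example, not code from the article or the Docker project.
Assumptions: the daemon runs with ``--userns-remap`` and the subordinate
ranges come from /etc/subuid-style lines ``user:start:count``.  Kernel
semantics used: uid N inside the namespace maps to ``start + N`` on the
host for N < count; a uid outside every range shows up as the kernel's
overflow id (65534 by default), not as a real host account.
"""

OVERFLOW_UID = 65534  # /proc/sys/kernel/overflowuid default

# Constructed sample of /etc/subuid content; the remap user is hypothetical.
SUBUID_SAMPLE = """\
# comment lines and blanks are skipped
dockremap:100000:65536
alice:165536:65536
"""


def parse_subid(text):
    """Return {user: [(start, count), ...]} from subuid/subgid formatted text."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def container_to_host(uid, ranges):
    """Host uid that actually owns a process which sees ``uid`` inside the container.

    Several ranges for one user are concatenated in order, the way a
    multi-line uid_map is interpreted.
    """
    offset = 0
    for start, count in ranges:
        if offset <= uid < offset + count:
            return start + (uid - offset)
        offset += count
    return OVERFLOW_UID


def host_to_container(host_uid, ranges):
    """Inverse mapping; None when the host uid is outside every range."""
    offset = 0
    for start, count in ranges:
        if start <= host_uid < start + count:
            return offset + (host_uid - start)
        offset += count
    return None


if __name__ == "__main__":
    ranges = parse_subid(SUBUID_SAMPLE)["dockremap"]
    for uid in (0, 1000, 65535, 70000):
        print(f"container uid {uid:>6} -> host uid {container_to_host(uid, ranges)}")
    # Host root (uid 0) lies outside the range, so nothing inside the
    # remapped container can be mapped onto it: host_to_container(0, ranges) is None.
```

The check a practitioner wants here is the last one: confirm that host uid 0 is not inside any subordinate range handed to the daemon, since that is what keeps container root from being host root.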

In addition, the new version of Docker comes with “incremental improvements” to Swarm 1.1, Docker’s native clustering technology, which include rescheduling of containers when a node fails.
