Docker, Addressing Security Concerns, Hardens Its Containers

Addressing lingering concerns about container security, Docker has hardened its container-tech platform with a release that also adds several commercial features to ease enterprise deployments.

The San Francisco-based startup that sparked a revolution of sorts when it reintroduced Linux containers to enterprise IT delivered a number of advancements Thursday around container orchestration, networking and security with the release of Docker 1.10.

As Docker penetrates corporate data centers and clouds, the portfolio of new tools can be used to "build the kind of distributed applications that enterprises want to run in production," said David Messina, Docker's senior vice president of marketing.

Docker, the commercial entity behind the open-source software, follows a steady release cadence -- the software is usually updated every two months.

A key component of the latest release is an updated Docker Compose, whose new file format provides a much-simplified method for defining the storage volumes and networking topology of a multi-container application.

Compose is "one of the big things to come out of this release, in the realm of orchestration, being the model for taking multi-container distributed apps and allowing developers to define, cluster and schedule those apps," Messina told CRN.

Developers can define a distributed application, comprising a set of containers, in one simple file that controls the entire application life cycle, he said.

"Previously you would have to do a lot of command line work, manual configuration," Messina said. "Now it's much easier to get an application up and running all the way from development to production."

Aater Suleman, CEO of Flux7, a systems integrator based in Austin, Texas, that specializes in Docker and DevOps methodology, told CRN the latest release adds controls that will facilitate the onboarding of new users and pave a wider path to enterprise adoption.

But it's the upgrades around security that are especially vital and timely, he said.

"With Docker Enterprise adoption increasing, we are seeing more and more scrutiny of its security controls from our customers," Suleman told CRN.

User namespaces, a security feature that maps the root user inside a container to an unprivileged user ID on the host, address a longstanding concern that a process running as root in a container is also root on the host, Suleman said.

"This specific concern has in fact been brought up by InfoSec gurus to our customers," Suleman told CRN of the root access problem. "Version 1.10 provides a good answer."
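The check a practitioner wants here is whether root inside a given container is still root on the host. The kernel records each user namespace's UID mapping in /proc/&lt;pid&gt;/uid_map, one line per range in the form "&lt;uid inside the namespace&gt; &lt;uid on the host&gt; &lt;length&gt;". The following Python is an added example written for this article, not code from Docker or from Flux7; the two uid_map samples are constructed rather than captured from a live system, and the subordinate range 100000/65536 is only a typical value of what the daemon's `--userns-remap=default` setting (daemon.json `"userns-remap": "default"`) allocates.

```python
"""Added example: decide from /proc/<pid>/uid_map whether container UID 0 is host UID 0.

Without remapping the file reads "0 0 4294967295" (an identity map, so the
container's root is the host's root).  With Docker's user-namespace remapping
the container's root maps into a subordinate range such as "0 100000 65536".
"""
from typing import List, Optional, Tuple


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append((inside, outside, length))
    return entries


def map_to_host(text: str, inside_uid: int) -> Optional[int]:
    """Translate a UID as seen inside the namespace to the host UID.

    Returns None when the UID is not covered by any range; the kernel then
    presents it as the overflow UID (65534, "nobody") on the host side.
    """
    for inside, outside, length in parse_uid_map(text):
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None


def container_root_is_host_root(text: str) -> bool:
    """True when UID 0 inside the container is UID 0 on the host (no remapping)."""
    return map_to_host(text, 0) == 0


# Constructed samples (assumed values, not captured from a real host):
UNREMAPPED = "         0          0 4294967295\n"   # default daemon: identity map
REMAPPED = "         0     100000      65536\n"     # dockerd --userns-remap=default

if __name__ == "__main__":
    for label, sample in (("no remap", UNREMAPPED), ("userns-remap", REMAPPED)):
        host_uid = map_to_host(sample, 0)
        print(f"{label}: container uid 0 -> host uid {host_uid}; "
              f"host root = {container_root_is_host_root(sample)}")
    # Inside a live container, feed open('/proc/self/uid_map').read() instead.
```

The same parser applies unchanged to /proc/&lt;pid&gt;/gid_map, which is worth checking separately: a remapped UID with an identity-mapped GID still leaves group-based access to host resources.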

Content-addressable image IDs, which derive an image's identifier from a cryptographic hash of its contents rather than from a mutable tag, are another innovation important to highly regulated industries like health care, where artifacts must be tracked at every step of the way, Suleman told CRN.

"Last year, we had to implement this control for a Fortune 100 health-care client," Suleman said. "We had to develop it from scratch ourselves using container tags and a series of controls to avoid tainting the IDs as the containers progressed in the code promotion pipelines."
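Why a content-derived ID makes the promotion-pipeline control Suleman describes easier than a tag-based one is shown by the added example below. It is written for this article and is not Docker's code or Flux7's implementation; the in-memory registry, the tag names and the image-config bytes are all constructed for illustration, while the `sha256:<hex>` digest form matches the one Docker uses.

```python
"""Added example: content-addressable IDs versus mutable tags in a promotion pipeline.

The ID is the SHA-256 of the artifact's bytes, so identical content always yields
the same ID and any change yields a different one.  A tag is only a pointer that
anyone with push rights can move, which is what a tag-based control must guard
against at every stage.
"""
import hashlib
from typing import Dict


def content_id(blob: bytes) -> str:
    """Content-addressable identifier in Docker's "sha256:<hex>" form."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


class TagRegistry:
    """Constructed toy registry: tags point at digests, digests point at bytes."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.tags: Dict[str, str] = {}

    def push(self, tag: str, blob: bytes) -> str:
        digest = content_id(blob)
        self.blobs[digest] = blob
        self.tags[tag] = digest          # a re-push silently moves the tag
        return digest

    def pull_by_tag(self, tag: str) -> bytes:
        return self.blobs[self.tags[tag]]

    def pull_by_digest(self, digest: str) -> bytes:
        """Fetch by digest and re-verify, as a client should on every pull."""
        blob = self.blobs[digest]
        if content_id(blob) != digest:
            raise ValueError("digest mismatch: registry content does not match its ID")
        return blob


def promote(registry: TagRegistry, src_tag: str, dst_tag: str, approved: str) -> str:
    """Promote src_tag to dst_tag only if it still points at the approved digest.

    Promoting by tag alone would carry forward whatever the tag points at now,
    which may no longer be the artifact that passed review.
    """
    actual = registry.tags[src_tag]
    if actual != approved:
        raise ValueError(
            f"{src_tag} moved since approval: approved {approved[:19]}..., "
            f"found {actual[:19]}..."
        )
    registry.tags[dst_tag] = actual
    return actual


if __name__ == "__main__":
    reg = TagRegistry()
    approved = reg.push("myapp:dev", b'{"config": "v1"}')      # reviewed build
    reg.push("myapp:dev", b'{"config": "v2"}')                 # someone re-pushes dev
    try:
        promote(reg, "myapp:dev", "myapp:staging", approved)
    except ValueError as err:
        print("blocked:", err)
    print("approved bytes still retrievable:", reg.pull_by_digest(approved))
```

The same property is what `docker pull image@sha256:...` relies on: pinning by digest pins the content, whereas pinning by tag pins only a name.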

In addition to security, 1.10 greatly enhances usability of the commercial product, Suleman said. One of the most interesting capabilities is an embedded DNS server that resolves container names on user-defined networks.

Flux7 started using Docker in 2013, when container discovery was not a well-studied problem.

The company created its own service-discovery solution, presented at DockerCon 2014, that achieved the same effect the new embedded DNS server will provide out of the box.

"As someone who has seen Docker evolve from Day 1, we welcome this change. It may not be technically miraculous but it eases some common use cases," Suleman said.

That greater ease is true for other new features, like the networking enhancements, the ability to assign IPs to containers, and internal networks, he added.

Around 40 percent of Docker users are running applications in production environments, Messina told CRN.

Many of them, especially government institutions and large banks, were clamoring for more features around security and networking topology.

In version 1.9, Docker networking became generally available, he said. But the latest release enhances the functionality with flexible configurations, greater scalability and integration.

The 1.9 release also included a Universal Control Plane that, despite still being in a beta preview, is already in use at several Fortune 500 firms, Messina told CRN.