Secure computing features to fend off the challenge from CoreOS’ Rocket
Containerized software leader Docker has delivered version 1.10 of its software, with an emphasis on security, just as CoreOS delivers version 1.0 of its rival container platform, Rocket.
The new version of Docker has secure computing features, in particular using the “seccomp” feature integrated in the Linux kernel to provide Docker users with a default secure profile. The announcement is timely as CoreOS, once a staunch Docker ally, has delivered the competing Rocket (rkt) engine, having claimed in 2014 that Docker is not sufficiently secure.
Granular container security
Seccomp provides granular security control in Linux, and the new Docker engine version makes use of it. Seccomp allows administrators to limit which system calls an application may make, and that restriction now extends to applications running inside Docker containers.
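To make the mechanism concrete, here is an added example (not code from the article or from Docker) that evaluates a Docker-style seccomp profile offline: it shows the weak deny-list setting next to the allow-list setting and reports which of a constructed set of syscalls would still get through. The profile JSON shape (defaultAction, architectures, syscalls with a name or names list and an action) is assumed from the Docker 1.10-era format; argument conditions in `args` are not evaluated.

```python
"""Evaluate and audit a Docker-style seccomp profile without running Docker."""
import json

# Constructed example: a deny-list profile. Everything not listed is allowed,
# so forgetting a single dangerous syscall leaves it reachable.
WEAK_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"name": "reboot", "action": "SCMP_ACT_ERRNO", "args": []},
    ],
})

# Constructed example: an allow-list profile. Only listed syscalls succeed;
# anything else fails with an errno, which is the safer default.
STRICT_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW", "args": []},
    ],
})


def _entry_names(entry):
    """Accept both the single 'name' key and the later 'names' list (assumed formats)."""
    if "names" in entry:
        return list(entry["names"])
    return [entry["name"]]


def action_for(profile_json, syscall):
    """Return the action the profile applies to `syscall` (first match wins, else the default)."""
    profile = json.loads(profile_json)
    for entry in profile.get("syscalls", []):
        if syscall in _entry_names(entry):
            return entry["action"]
    return profile["defaultAction"]


def audit(profile_json, must_block):
    """List findings: a permissive default action, and any syscall in must_block that is allowed."""
    profile = json.loads(profile_json)
    findings = []
    if profile["defaultAction"] == "SCMP_ACT_ALLOW":
        findings.append("defaultAction is SCMP_ACT_ALLOW: unlisted syscalls are permitted")
    for name in must_block:
        if action_for(profile_json, name) == "SCMP_ACT_ALLOW":
            findings.append(f"{name} is allowed")
    return findings
```

Docker loads a custom profile of this form through its --security-opt seccomp option; the audit above is a pre-flight check on the file, not a substitute for testing the container itself.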
CoreOS has taken a slightly different approach in its Rocket (rkt) container engine, making use of open source Clear Container technology created by Intel.
Other Linux security features include Security Enhanced Linux (SELinux), which is used in distributions including Red Hat to improve container security.
Docker 1.10 will also support user namespaces, which improve visibility of applications and processes in the system.
More to come
“We’ve got a load of security updates in this release,” the Docker blog announcement says, listing “user namespacing for isolating system users, seccomp profiles for filtering syscalls, and an authorization plugin system for restricting access to Engine features.”
“The seccomp profiles mentioned above are just the start of something even better,” says Jessie Frazelle, a developer on Docker’s core team, in a separate post about the new security measures. “What started as a side project for a better way to write custom apparmor profiles, [called bane], has turned into a proposal for native security profiles in Docker Engine. Now this is still being worked on but I wanted to give a teaser of what is to come – and of course give a plug to my awesome tool :)”.
Docker’s blog announcements also continue the company’s emphasis on ease of use, however, a goal that can sometimes conflict with security, by mentioning the improvements to Docker Compose.
“It’s now much easier to define and run complex distributed apps with Docker Compose,” says the blog. “The power that Compose brought to orchestrating containers is now available for setting up networks and volumes.”
Docker’s security lead Diogo Mónica provided a YouTube video on best practices for secure containers, embedded below.