Docker Container Security: Signed, Sealed and Delivered from Vulnerabilities
Aiming to address some of the security issues with containers, Docker has added three enhancements intended to preserve developer agility while safeguarding Dockerized distributed applications.
The company has added the capability to sign container images using a hardware device, to scan container images for vulnerabilities, and to set up separate user namespaces to isolate environments. Collectively, these features could help make containers more feasible in environments where security and policy compliance are essential.
The company unveiled these features at the Dockercon EU conference, being held this week in Barcelona.
Docker has introduced hardware signing of container images, based on Docker Content Trust, which the company introduced in June. It’s basically Docker’s own branded implementation of Notary, an open source system for certifying the validity of the sources of Docker images pushed to public repositories and encrypting the contents of those images.
The aim of the digital signature technology is to deploy a signing and encryption system so reliable on both ends of the network that the security of the network in between is not an issue.
Based on an open source project begun in 2009, called simply The Update Framework (TUF), the idea is that no key used to encrypt files exchanged online should be stored anywhere it could be reached online.
Only the original publisher should have access to the key authorized to sign images for that repository. If a malicious actor attempts to inject an altered image at any point in the exchange with the repository, modifications to the file or to its signature will be detected as invalid.
The company has struck up a partnership with Yubico, which will provide the YubiKey 4, a USB plug-in device that holds the root key and generates a per-repository key used to digitally sign Docker images for a particular repository. The YubiKey 4 can then be locked away in a safe or elsewhere while the per-repository key “is the key going forward as you update that content. Any future signings are done through that repository key,” explained David Messina, Docker vice president for enterprise marketing.
“The individual developer or development teams are establishing themselves as the publisher and from an operations standpoint, depending on which team generated that content, they can set up policies around that to determine which content can be used in which environment.”
To help developers get started on the technology, Docker gave each Dockercon attendee a YubiKey that can be used to sign their own images.
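The root-key / per-repository-key hierarchy described above can be modelled with nothing more than the openssl command line. The script below is an added example, not Docker's, Notary's or TUF's own code: it assumes the openssl CLI is installed, uses ECDSA P-256 keys as a stand-in for whatever the YubiKey holds, and reduces TUF to two roles (a pinned root key that endorses a repository key, and a repository key that signs a tag-to-digest record; the real framework adds snapshot and timestamp roles). The image content, tag name and repository name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Docker/Notary code): root key endorses a per-repository key,
# the repository key signs "tag -> digest" records, and a client that pins only
# the root public key rejects both altered content and a swapped signing key.
set -e

ct_setup() {
  WORK=$(mktemp -d)
  # Root key: generated once and kept offline (the article's YubiKey in a safe).
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
  openssl ec -in "$WORK/root.key" -pubout -out "$WORK/root.pub" 2>/dev/null
  # Per-repository key: the key used for every later signing of this repository.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/repo.key"
  openssl ec -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null
  # The root key endorses the repository public key exactly once (the delegation).
  openssl dgst -sha256 -sign "$WORK/root.key" -out "$WORK/repo.pub.sig" "$WORK/repo.pub"
  # Constructed stand-in for image content; its SHA-256 plays the manifest digest.
  printf 'constructed sample image bytes\n' > "$WORK/image.tar"
  ct_sign_targets "$WORK/repo.key"
}

ct_sign_targets() {
  # "targets" record (constructed tag name) signed with the key given as $1.
  digest=$(openssl dgst -sha256 "$WORK/image.tar" | awk '{print $NF}')
  printf 'myrepo/app:1.0 sha256:%s\n' "$digest" > "$WORK/targets.txt"
  openssl dgst -sha256 -sign "$1" -out "$WORK/targets.sig" "$WORK/targets.txt"
}

ct_verify() {
  # The client pins only root.pub; every other trust decision is derived from it.
  openssl dgst -sha256 -verify "$WORK/root.pub" -signature "$WORK/repo.pub.sig" \
    "$WORK/repo.pub" >/dev/null 2>&1 || return 1
  openssl dgst -sha256 -verify "$WORK/repo.pub" -signature "$WORK/targets.sig" \
    "$WORK/targets.txt" >/dev/null 2>&1 || return 1
  # Finally the pulled content must hash to the digest the signed record names.
  expected=$(awk '$1=="myrepo/app:1.0"{print $2}' "$WORK/targets.txt")
  actual="sha256:$(openssl dgst -sha256 "$WORK/image.tar" | awk '{print $NF}')"
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

ct_tamper_image() {
  # Content altered in transit by someone holding neither key.
  printf 'altered bytes\n' >> "$WORK/image.tar"
}

ct_swap_repo_key() {
  # Content and record re-signed with a fresh key that root never endorsed.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"
  openssl ec -in "$WORK/other.key" -pubout -out "$WORK/repo.pub" 2>/dev/null
  ct_tamper_image
  ct_sign_targets "$WORK/other.key"
}

ct_cleanup() { rm -rf "$WORK"; }

# Stand-alone demonstration.
ct_setup
ct_verify && echo "freshly signed image: verified"
ct_tamper_image
ct_verify || echo "modified image content: rejected (digest mismatch)"
ct_cleanup
ct_setup
ct_swap_repo_key
ct_verify || echo "re-signed with an unendorsed key: rejected (root check fails)"
ct_cleanup
```

The point the script makes is the one the article makes: once the root public key is pinned on the client, neither the network in between nor the registry needs to be trusted, because an altered image fails the digest check and an attacker's own signing key fails the root endorsement check.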
Docker has also launched image scanning and vulnerability detection capabilities. Every layer of a container image is scanned and analyzed, allowing Docker to work with users to decide which content to use based on their security policies. Docker is also sharing results with independent software vendors (ISVs) and working to get vulnerabilities fixed, Messina said.
It is working with an unnamed third party to scan at the code level and run a battery of tests at every image layer, comparing against Common Vulnerabilities and Exposures (CVEs) and applying other vulnerability scanning techniques, then going back to the originator to advise them about the vulnerabilities found.
“All software has some level of vulnerability; that’s the nature of software. Our job is to present information to our consumers, those using DockerHub, so they can make a decision about where or when they want to run these images,” he said.
At the conference, Docker Engine creator Solomon Hykes stressed that CVEs being scanned for were not limited to those compiled for specific Linux distributions, such as Red Hat or Ubuntu.
“You do not need to lock yourself into a Linux distribution to secure your containers,” Hykes said.
The 1.9 Experimental release of the Docker Engine adds support for user namespaces, giving IT operations the ability to separate container-level and Docker daemon-level privileges and to assign privileges for each container by user group.
This is one of the most-requested features from the Docker community, Messina said.
“Namespaces provide a view of the system that makes it look like you have all the resources. When you’re inside a container you don’t even have a notion that anything outside the container even exists,” said Nathan McCauley, Docker director of security, speaking at a Dockercon EU session.
IT operations can establish at a user-group level a set of privileges any container can have. Individual containers do not have access to root on the host, only the Docker daemon does. You can set up containers that have different levels of access to compute, network and storage. And IT operations can lock down hosts to a restricted group of sysadmins per security best practices.
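What "containers do not have access to root on the host" means in practice is a UID mapping: root inside a remapped container is some unprivileged UID on the host. The script below is an added example, not part of the article or of Docker's code. It assumes the daemon is started with the `--userns-remap` option that Docker later shipped for this feature, that the remap user's ranges live in `/etc/subuid` in the standard `name:start:count` format, and it uses a constructed subuid file (user name `dockremap`, ranges chosen for the demonstration) rather than reading the host's real file.

```shell
#!/bin/sh
# Added example (not Docker's code): compute which host UID a container UID lands on
# under user-namespace remapping, from /etc/subuid-style ranges.
set -e

# Constructed sample of /etc/subuid; a real host's file would be read instead.
# A user may own several ranges; Docker concatenates them in file order.
SUBUID_FILE=$(mktemp)
cat > "$SUBUID_FILE" <<'EOF'
# constructed sample, not a real host's /etc/subuid
dockremap:100000:65536
dockremap:200000:1000
EOF

# How the daemon would be told to use the mapping (shown, not applied here).
DAEMON_FLAG='--userns-remap=dockremap'

userns_host_uid() {
  # $1 = remap user, $2 = UID seen inside the container, $3 = subuid file.
  # Prints the host UID and returns 0, or returns 1 if the UID is outside every
  # range (the kernel would reject such a UID inside the namespace).
  awk -F: -v u="$1" -v cuid="$2" '
    $1 == u {
      if (cuid < off + $3) { print $2 + (cuid - off); found = 1; exit }
      off += $3
    }
    END { exit found ? 0 : 1 }' "$3"
}

userns_is_host_root() {
  # Returns 0 only if the mapped host UID is 0, i.e. the container really runs as
  # host root. With a sane subuid range this should never be true.
  [ "$(userns_host_uid "$1" "$2" "$3")" = "0" ]
}

# Stand-alone demonstration.
echo "daemon option: $DAEMON_FLAG"
for cuid in 0 1000 65536; do
  echo "container uid $cuid -> host uid $(userns_host_uid dockremap "$cuid" "$SUBUID_FILE")"
done
userns_host_uid dockremap 70000 "$SUBUID_FILE" || echo "container uid 70000 -> not mapped"
userns_is_host_root dockremap 0 "$SUBUID_FILE" || echo "container root is not host root"
rm -f "$SUBUID_FILE"
```

A useful operational check follows directly from the function: on a remapped host, files a container writes to a bind mount should show up owned by a UID in the subuid range (100000 and up in this constructed sample), never by host root; the same arithmetic applies to `/etc/subgid` for group IDs.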
Container security is a hot area of interest for investment, Steve Herrod, managing director at venture capital firm General Catalyst, recently told The New Stack.
Docker’s “broken security model” was behind CoreOS’s big rant when it introduced its alternative rkt container runtime.
Intel has come out with Clear Containers, a technology designed to combine the security benefits of full virtual machines (VMs) with the deployment ease of containers.
Red Hat has a container certification program with ISVs and a container registry of certified images. It also recently announced a partnership with security firm Black Duck, which scans for known malicious code by way of signatures, with the aim of identifying code that may need to be replaced with newer, more secure versions.
A new company, Twistlock, offers a rule-based access control policy system for Docker and Kubernetes containers that also handles image scanning.
Docker also promised better security with its Docker Trusted Registry, launched in June.
Asked about Docker’s latest measures, 451 Research analyst Jay Lyman said they help, “but it’s important to keep in mind how immature application container software and products are, particularly for large enterprises, so there is still a long way to go toward bringing some container parity with VMs.”
Hardware-level container image signing; image scanning and vulnerability detection; and auditing and governance capabilities are features intended mainly for enterprise IT operations teams and less for developers, which speaks to Docker’s interface with more enterprises interested in compliance and security, he said.
Docker is a sponsor of The New Stack.
Images: Docker creator Solomon Hykes, at Dockercon EU 2015.