Docker Engine Hardened with Secure Computing Mode and User Namespaces
Enterprise systems need enterprise-grade security. With this in mind, Docker Inc. has updated its core container engine with some potentially powerful security measures.
Docker Inc. has described this release as a “huge leap forward for container security.” The company also added a plethora of networking enhancements to Docker 1.10, released Thursday.
Perhaps the two most notable security-related additions are support for secure computing mode (seccomp), a Linux kernel feature, and the ability for containers to recognize user namespaces.
Seccomp restricts the actions available within the container by allowing the system administrator to filter which system calls the containers may use. This reduces the attack surface exposed by the kernel.
The work on seccomp should also pave the way for developing native security profiles for Docker Engine, which will relieve administrators from the considerable work of writing out all the system calls to block by hand.
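To make the filtering concrete, here is an added example (not code from Docker or from this article) that builds two seccomp profiles in the JSON shape that `docker run --security-opt seccomp=<file>` accepts and resolves what each would do for a given syscall. The field names follow Docker's published profile format (Docker 1.10 used a single `name` per rule; later releases use a `names` list, which is what is assumed here), and the syscall lists are constructed for illustration, not Docker's default profile.

```python
import json

# Allowlist profile: anything not explicitly listed fails with EPERM.
# Constructed illustration; not Docker's default profile.
HARDENED_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "open", "close", "fstat", "mmap", "brk", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

# Denylist profile: everything allowed except a short list. Easier to write, but any
# syscall the author forgot (or that the kernel adds later) is allowed by default.
DENYLIST_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["mount", "umount2", "ptrace", "kexec_load", "reboot"],
         "action": "SCMP_ACT_ERRNO", "args": []},
    ],
}


def resolve_action(profile, syscall):
    """Action the filter takes for `syscall`: first matching rule wins, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def compare(syscalls):
    """Map each syscall name to (allowlist action, denylist action) for side-by-side review."""
    return {s: (resolve_action(HARDENED_PROFILE, s), resolve_action(DENYLIST_PROFILE, s))
            for s in syscalls}


def write_profile(profile, path):
    """Serialize a profile so it can be passed to `docker run --security-opt seccomp=<path>`."""
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)
    return path


if __name__ == "__main__":
    write_profile(HARDENED_PROFILE, "hardened-seccomp.json")
    # "bpf" and "keyctl" appear in neither list, so only the default action decides their fate.
    for name, (allow, deny) in compare(["read", "mount", "ptrace", "bpf", "keyctl"]).items():
        print(f"{name:8} allowlist={allow:14} denylist={deny}")
```

The unlisted syscalls are the point: the allowlist profile rejects them, the denylist profile lets them through.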
Support for user namespaces means that Docker containers can recognize multiple user roles and bind them to the appropriate security policies. Now, someone with root privileges inside the container won’t automatically enjoy root privileges on the host machine.
Also to help limit unwarranted activity, administrators can now create “authorization plug-ins” to allow or block API requests to the host daemon.
Beyond security, Docker Inc. did a lot of work to boost Docker’s network connectivity options, building on the multi-host networking capabilities added late last year. For instance, containers can now get custom IP addresses. Hostname lookups are now done through an external DNS server rather than by consulting the /etc/hosts file, an approach that could brick a container should the hosts file get corrupted.
Docker 1.10 is also the first edition to support the newly updated format for organizing container clusters, Docker Compose 1.6. Docker Compose can now be used to work with two additional abstractions, networks and volumes, providing a way for administrators to specify multiple network tiers and complex storage configurations.
Docker Swarm 1.1, an incremental update to the first full release in November, features automated container rescheduling for failed nodes. Docker Machine 0.6, part of the Docker Toolbox, is now much more stable when being used with VirtualBox and Windows.
Docker Registry 2.3 supports the new manifest format, making it possible for layers to be shared between different images.
Docker is a sponsor of The New Stack.