
Docker Engine Hardened with Secure Computing Nodes and User Namespaces

Feb 5th, 2016 9:35am by

Enterprise systems need enterprise-grade security. With this in mind, Docker Inc. has updated its core container engine with some potentially powerful security measures.

Docker Inc. has described this release as a “huge leap forward for container security.” The company also added a plethora of networking enhancements to Docker 1.10, released Thursday.

Perhaps the two most notable security-related additions are the addition of secure computing mode (seccomp), which is a Linux kernel feature, and the ability for containers to recognize user namespaces.

Seccomp restricts the actions available within a container by letting the system administrator filter which system calls the container may make. This reduces the attack surface the kernel exposes to the container.

The work on seccomp should also pave the way for developing native security profiles for Docker Engine, which will relieve administrators from the considerable work of writing out all the system calls to block by hand.

Support for user namespaces simply means that Docker containers can recognize multiple user roles, binding them to the appropriate security policies. Now, someone with root privileges inside of the container won’t automatically enjoy root privileges on the host machine.
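To make the two hardening features above concrete, here is an added example (not Docker's own code): a constructed allow-list seccomp profile in the JSON layout Docker 1.10 accepts via `--security-opt seccomp=<file>`, a small resolver that shows which syscalls such a profile would refuse, and a UID remapper that shows why container root is not host root under `--userns-remap`. The syscall names, the `dockremap` range and the image name are illustrative assumptions.

```python
"""Constructed illustration of Docker 1.10's seccomp filtering and
user-namespace remapping. Example code added for this page, not Docker's
implementation; the profile layout follows the 1.10 seccomp JSON
(defaultAction / architectures / syscalls[].name + action)."""
import json

# Constructed allow-list: anything not listed gets SCMP_ACT_ERRNO, i.e. the
# call fails with an errno instead of killing the process. Names are illustrative.
ALLOWLIST_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"name": name, "action": "SCMP_ACT_ALLOW"}
        for name in ("read", "write", "exit_group", "futex", "mmap", "brk")
    ],
}


def effective_action(profile: dict, syscall: str) -> str:
    """What the filter does for one syscall: an explicit rule wins,
    otherwise the profile's defaultAction applies."""
    for rule in profile["syscalls"]:
        if rule["name"] == syscall:
            return rule["action"]
    return profile["defaultAction"]


def blocked_syscalls(profile: dict, wanted: list) -> list:
    """Which of the syscalls a workload needs would be refused by this profile."""
    return [s for s in wanted if effective_action(profile, s) != "SCMP_ACT_ALLOW"]


def host_uid(container_uid: int, subuid_start: int, subuid_count: int) -> int:
    """User-namespace remap: container UID -> host UID for a /etc/subuid range
    such as 'dockremap:100000:65536' (assumed values). UIDs outside the range
    are unmapped and appear on the host as the overflow UID 65534 ('nobody')."""
    if 0 <= container_uid < subuid_count:
        return subuid_start + container_uid
    return 65534


def run_command(profile_path: str, image: str) -> str:
    """The Docker 1.10 invocation that applies a custom seccomp profile."""
    return f"docker run --security-opt seccomp={profile_path} {image}"


if __name__ == "__main__":
    print(json.dumps(ALLOWLIST_PROFILE, indent=2))
    print(run_command("allowlist.json", "alpine"))
    print(blocked_syscalls(ALLOWLIST_PROFILE, ["read", "ptrace", "mount"]))
    print(host_uid(0, 100000, 65536))  # container root lands on host UID 100000
```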

Also to help limit unwarranted activity, administrators can now create “authorization plug-ins” that allow or block API requests to the host daemon.

Beyond security, Docker Inc. did a lot of work to boost Docker’s network connectivity options, building on the multi-host networking capabilities added late last year. For instance, containers can get custom IP addresses. Hostname lookups are now done through an external DNS server rather than by consulting the /etc/hosts file, an approach that could brick a container should the hosts file get corrupted.

Docker 1.10 is also the first edition to support the newly updated format for organizing container clusters, Docker Compose 1.6. Docker Compose can now be used to work with two additional abstractions, networks and volumes, providing a way for administrators to specify multiple network tiers and complex storage configurations.

Docker Inc. warns that the upgrade process to Docker 1.10 can be considerable. So plan ahead. The company is also hosting a webinar on February 17 to discuss the new features in greater detail.

The company has also updated a number of adjoining tools, such as the Docker Swarm clustering tool, the Docker Machine virtual hosting software and the Docker Registry.

Docker Swarm 1.1, an incremental update to the first full release in November, features automated container rescheduling for failed nodes. Docker Machine 0.6, part of the Docker Toolbox, is now much more stable when being used with VirtualBox and Windows.

Docker Registry 2.3 supports the new manifest format, making it possible for layers to be shared between different images.

Docker is a sponsor of The New Stack.

TNS owner Insight Partners is an investor in: The New Stack, Docker.