Docker Trusted Registry Goes On-Prem, Promises Better Security
Docker on Tuesday announced general availability of its Docker Trusted Registry (DTR), which offers an option for an on-premises registry for Docker container images.
A beta program launched in February attracted more than 800 organizations, more than half of them from the Fortune 500, offering valuable feedback to the registry, according to the company.
It’s bundling the registry with its commercial products and support services with subscriptions starting at $150 per month. The solutions are immediately available from Docker, Amazon Web Services, IBM, and Microsoft.
Docker polled 1,000 users to determine what they’d like to see from the company, and support and the option for an on-prem registry were the top two services users cited, David Messina, Docker vice president of enterprise marketing, told The New Stack.
The Docker Hub has been available since June 2014, but critics have complained that images found there can be buggy and contain vulnerabilities. The startup BanyanOps, in fact, has made a business out of scanning images, claiming more than 30 percent of images in official repositories are vulnerable to security attacks such as Shellshock, Heartbleed and Poodle.
In a recent report, Gartner analyst Joerg Fritsch wrote that Docker is secure enough for multi-tenant, platform-as-a-service type operations, but more controls may be required for Linux containers used across multiple trust levels, security zones, or potentially hostile tenants.
With Docker Hub nearing 100 million pulls per month, Docker announced Registry 2.0 in April, after rewriting it from scratch using Google’s Go programming language. The core technology of the Docker Hub, it’s a central server for pushing and pulling images for testing and production.
Addressing some security concerns, it uses the TLS (Transport Layer Security) protocol to encrypt containers between the repository and the end user. The software also provides Webhook notification that can let administrators or external workflow engines know whenever someone downloads an image.
The Docker Trusted Registry server provides Lightweight Directory Access Protocol (LDAP) and Active Directory integration with existing authentication systems. It also offers role-based access-control (RBAC) and audit logs for authorization and compliance for authorization and compliance.
The Google Container Registry, unveiled in January, also has emerged from beta. Container images stored there are encrypted at rest, and the access is authenticated using Google Cloud Platform OAuth, and transmitted over SSL. Images now also can be stored in Asia and Europe. Users pay only Google Cloud Storage costs.
SUSE on Monday also announced closer ties with Docker in connection with SUSE Linux Enterprise Server 12, including verified pre-built images enabling customers to build a private on-premise registry using Portus, an open source front-end and authorization tool.
And Red Hat has a created a container certification program with independent software vendors (ISVs) to confirm that a specific containerized application is secure, free of known vulnerabilities, unmodified, draws from known content sources and works as intended on Red Hat infrastructure. The Red Hat Container Registry will house only certified container images. It also eventually will enable partners and ISVs to host their own registries for Red Hat-certified containers
CoreOS in October announced a stand-alone Docker container registry for private deployments, through its acquisition if New York startup Quay.io. It recently said it’s revamping Quay.io to make it a more effective competitor against Docker Hub.
IBM previously offered a hosted private registry, as did Microsoft’s Azure and startups like Tutum.
At DockerCon on Tuesday, Microsoft demonstrated a multi-platform distributed container application across Windows Server and Linux as well as Visual Studio Online support for Docker and a new Azure Marketplace experience.
“We’re pleased that Docker Trusted Registry VM image is now available in the Azure Marketplace to provide organizations with a private repository of Docker images,” said John Gossman, architect for Microsoft Azure. “We also look forward to bringing to market the fruits of our joint efforts as we integrate Visual Studio Online with Docker Trusted Registry in the coming months.”
CoreOS, Docker and Red Hat are sponsors of The New Stack.
Feature image: “Sub Cash Register,” by Franck BLAIS, is licensed under CC BY-SA 2.0.
