These tools are meant to make using containers safer without interrupting the usual developer workflow. They include support for hardware signing with a Yubico hardware key, and user namespaces support so Docker containers don’t need to have root access anymore. These two new features are now available in Docker’s experimental release channel.
The company also today announced that it will now regularly scan all the roughly 90 official repos in the Docker Hub to look for potential vulnerabilities and publish its findings.
During his DockerCon keynote, Docker founder and CTO Solomon Hykes stressed the importance of security, which too often is only considered as an afterthought. “These are things that need to be baked in from the start,” he noted. “You need to think about security from the beginning.”
As Docker’s VP of product Scott Johnston told me earlier this week, the team’s aim is to improve the Docker platform while still ensuring that developers won’t have to do “anything that’s unnatural to their usual workflow” (Hykes referred to this as a “nice and pleasant development flow”). The new hardware signing support, for example, builds on the recently launched Docker Content Trust framework which allows for the digital signing of containers.
Now, developers who own a YubiKey 4, which is also launching today, can automatically sign their containers to ensure the integrity of their apps throughout the pipeline. Docker worked with Yubico to build this touch-to-sign code signing system right into the Docker command line tools.
As Johnston stressed, Content Trust adds an extra layer of security but developers aren’t required to use it.
When it comes to containers and security, the fact that the Docker daemon and containers need root access to the machines they run on has long been a problem. Johnston acknowledged as much and noted that this was fine for early adopters and helped “get the market moving,” but it’s now becoming a problem as containers become increasingly popular.
In the new experimental release, admins can now separate container and Docker daemon-level privileges. The Docker daemon still needs root access — but the actual containers don’t. This should make running Docker containers safer, but as Docker notes, this also now allows IT to set granular access control rights by departments and teams, for example.
In many ways, though, container security starts with the applications that run inside the containers. To make some improvements here, Docker today announced that it will now start scanning the containers in the official Docker Hub repos for potential vulnerabilities (think Heartbleed, for example).
If that sounds familiar, it’s because you may have recently read that CoreOS is doing something very similar for containers in its registry. Like that company, Docker will publish the results of this content audit and as Johnston told me, it will work with the upstream ecosystem to ensure these issues get patches as soon as possible.
The 90 official repos, which are all signed with Docker Trust, too, account for about 20 percent of all downloads from the Docker Hub. As Hykes noted today, the service has actually been quietly protecting these repos for the last two months already as the team tested the services. The plan is to expand this tool to all images, including private images, in the future.