The open source Docker container application virtualization technology is becoming increasingly popular with organizations of all sizes. But what about container security?
Rather than thinking about Docker security as an afterthought, Docker Inc., the lead commercial sponsor behind the Docker open source effort, is advancing multiple integrated efforts to harden security.
In a session at this week's Dockercon EU conference in Barcelona, Nathan McCauley, director of security at Docker, detailed recent efforts to improve Docker container security and offered insight on innovations yet to come.
Docker already has the open source Notary project and Docker Content Trust efforts, which bring signed application images and a mechanism to protect users from man-in-the-middle attacks against signed image updates.
Project Nautilus and More
At Dockercon EU, Docker announced a new scanning effort called Project Nautilus that is examining and validating images on the Docker Hub repository. The application scanning is intended to help identify vulnerabilities that exist in Dockerized applications. Going a step further, Docker also announced support for a security capability known as user namespaces. With user namespaces, security controls can be enforced on application processes running inside of a Docker engine.
Looking beyond what Docker has already formally announced, McCauley said that work is under way to support Linux seccomp. Seccomp provides an additional layer of protection for Docker.
"Seccomp is basically a system call firewall," McCauley explained. "What seccomp allows you to do is to limit what runs inside the containers."
Seccomp is a complex technology, however, and setting up policy for it is not a trivial task. Docker developers are striving to build a basic security policy that will enable users to get the extra security that seccomp provides without too much hassle.
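As an illustration of what such a policy looks like, here is a small custom seccomp profile in the JSON format the Docker engine reads with `docker run --security-opt seccomp=<file>`. It is an added example, not Docker's default profile and not anything shown in the talk; the set of blocked system calls is the editor's own illustrative selection, and the `comment` strings are explanatory only.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["mount", "umount2", "pivot_root"],
      "action": "SCMP_ACT_ERRNO",
      "comment": "Constructed example: a web service has no reason to change the filesystem layout."
    },
    {
      "names": ["init_module", "finit_module", "delete_module", "kexec_load"],
      "action": "SCMP_ACT_ERRNO",
      "comment": "Kernel module loading and kexec are host-level operations, never container-level."
    },
    {
      "names": ["ptrace", "process_vm_readv", "process_vm_writev"],
      "action": "SCMP_ACT_ERRNO",
      "comment": "Debugger-style access to other processes is not needed in production."
    },
    {
      "names": ["reboot", "swapon", "swapoff", "settimeofday", "clock_settime"],
      "action": "SCMP_ACT_ERRNO",
      "comment": "Host state changes: returning EPERM is safer than letting the call through."
    }
  ]
}
```

Save this as `profile.json` and start a container with `docker run --security-opt seccomp=./profile.json <image>`; a blocked call then fails with an error return rather than killing the process, which keeps the policy easy to test against an existing application. This default-allow shape is only for readability: Docker's own default profile works the other way round, denying everything by default and allowlisting the calls ordinary applications need, which is the stronger posture once the application's system call footprint is known.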
Another ongoing effort aims to improve authentication and authorization inside of Docker. The goal is to enable robust support for common authentication mechanisms, including Kerberos, LDAP and Microsoft Active Directory as well as SASL (Simple Authentication and Security Layer). Work is also under way on an authorization plugin framework that intercepts requests to the Docker daemon and lets authorization plugins decide, based on policy, which requests to allow.
"Daemons and containers need to start up with an identity," McCauley said. "Right now they just exist and do things, but it would be really good if they started up with some cryptographic identity attached to the container and to the daemon; then more interesting access control can be built on top."
Work is also ongoing for handling "secrets" such as passwords and other types of access tokens and credentials inside of Docker.
"We want to have a first class ability to provide secrets inside of Docker," McCauley said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.