Docker Inc. has announced a new set of security enhancements at DockerCon EU, celebrated in Barcelona on 16-17th/Nov. Changes includes hardware signing of container images, content auditing through image scanning and vulnerability detection and granular access control policies with user namespaces.
Three months ago Docker introduced Docker Content Trust together with announcement of Docker Engine 1.8. During DockerCon EU, Docker announced support for hardware signing on Docker Content Trust framework through Yubico’s YubiKey. Together, Docker and Yubico have developed a touch-to-sign physical key which ensures human interaction when singing an image. The result is that Docker developers, sysadmin and third-party ISVs can now digitally sign code during initial development and through subsequent updates.
Docker also announced at DockerCon EU the availability of user namespaces for containers, allowing differentiation between container and Docker daemon-level privileges. This means that containers themselves do not have access to root on the host, only Docker daemon does.
Docker concludes that IT ops have now the possibility of establishing more granular access control rights for each Dockerized service. Another outcome of this feature is that it prevents one organization of having control over another organization’s application service, Docker explained in the press note.
Third major announcement on security is ‘Docker image scanning and vulnerability detection’. Today all official repos have been signed and scanned by Docker Inc and the company has now the ability to present the results to ISVs and Docker users. Consequently ISVs can fix any vulnerabilities to upgrade the security profile while Docker users are able to establish integrity of the image content. Docker stressed out in different security talks the importance of having a curated repository for Docker images.
Docker image signing and namespaces are features available at Docker Experimental and Notary 0.1, while image scanning and vulnerability detection is already part of all official repos at Docker Hub.
Nathan McCauley, Director of Security at Docker, delivered the presentation Understanding Docker Security where he explained in more depth the four main lines that they are following at Docker regarding security: containment, provenance, auth and vulnerabilities.
Within the opening session at DockerCon EU on Monday, Docker delivered a Yubico’s Yubikey to each participant. Docker also published in its blog a short tutorial on how to sign Docker images with Docker Content Trust framework.