
Docker Introduces Hardened Desktop for Business Users


The latest release of Docker Desktop introduces a new security model to help sysadmins secure their organizations' supply chains. Dubbed Hardened Desktop and available only to business customers, the new model includes Settings Management and Enhanced Container Isolation.

Hardened Desktop is a security model for Docker Desktop. It’s designed to provide admins with a simple and powerful way to improve their organization’s security posture for containerized development, without impacting the developer experience that Docker Desktop offers.

Settings Management is a feature meant for organizations that do not allow their developers to get root access to their machines. It makes it possible to specify and lock Docker Desktop configuration parameters across the organization by providing a common admin-settings.json file. This file lists for each supported option whether it is locked or unlocked, and which value should be used for it. For example, you can control Linux VM and Docker Engine options, whether analytics are enabled or not, whether automatic update is enabled or disabled, and so on.

Enhanced Container Isolation aims to harden container isolation by applying a number of techniques, including running all containers unprivileged in a Linux user namespace, isolating critical system calls to prevent container escapes, and preventing console access to the Docker Desktop VM.

When using Enhanced Container Isolation, for example, the container root user maps to an unprivileged VM user, thus preventing it from modifying configuration files in the Docker Desktop VM or mounting sensitive VM directories. Likewise, privileged containers work only within the container’s Linux User Namespace.

According to Docker, Enhanced Container Isolation helps prevent container attacks and reduce vulnerabilities. In fact, the company says, Enhanced Container Isolation improves on the two previously existing security-oriented modes: Userns-Remap Mode and Rootless Docker. Compared to Userns-Remap Mode, Enhanced Container Isolation assigns exclusive user-namespace mappings per container automatically. It also bypasses the limitations of Rootless Docker while providing a stronger boundary between the containers and the Docker Engine.
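
The two mapping properties described above (container root maps to an unprivileged ID, and each container gets an exclusive range) can be checked from the Linux `uid_map` format, which lists `inside outside length` triples. The following is an added example, not code from Docker or from the article; the function names and the sample map values are assumptions constructed for illustration.

```python
from itertools import combinations

def parse_id_map(text):
    """Parse /proc/<pid>/uid_map content: one 'inside outside length' triple per line."""
    return [tuple(int(field) for field in line.split())
            for line in text.strip().splitlines()]

def host_id_for(ranges, inside_id):
    """Translate an ID inside the namespace to the ID outside it (None if unmapped)."""
    for inside, outside, length in ranges:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None

def ranges_overlap(a, b):
    """True if any outside range in map a intersects any outside range in map b."""
    return any(o1 < o2 + l2 and o2 < o1 + l1
               for _, o1, l1 in a for _, o2, l2 in b)

def audit(maps):
    """maps: {container_name: uid_map text}. Returns a list of finding strings."""
    parsed = {name: parse_id_map(text) for name, text in maps.items()}
    findings = [f"{name}: container root maps to UID 0 outside the namespace"
                for name, ranges in parsed.items() if host_id_for(ranges, 0) == 0]
    # Exclusive mappings: no two containers may share outside IDs.
    for (n1, r1), (n2, r2) in combinations(parsed.items(), 2):
        if ranges_overlap(r1, r2):
            findings.append(f"{n1} and {n2}: overlapping outside UID ranges")
    return findings

# Constructed sample maps (assumed values, not captured from Docker Desktop).
SAMPLE = {
    "shared-a": "0 100000 65536",
    "shared-b": "0 100000 65536",
    "exclusive-a": "0 231072 65536",
    "exclusive-b": "0 296608 65536",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, the input for each container would be the content of `/proc/<pid>/uid_map` for a process running in that container.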

Hardened Desktop is available for business users in Docker Desktop 4.13.0.
