Diogo Mónica

A Look Back at One Year of Docker Security

Diogo Mónica

Security is one of the most important topics in the container ecosystem right now, and over the past year, our team and the community have been hard at work adding new security-focused features and improvements to the Docker platform.


Security should be part of the Platform

As companies transition more and more of their infrastructures to public and private clouds, they have started to realize that security simply can’t be bolted on as an afterthought, and instead must be fundamentally built into the platform.

We are incredibly happy that a year after the first Docker Security White Paper and the first CIS Benchmark for Docker 1.6, there continues to be strong industry validation of our efforts, most recently in the form of a new Docker 1.11 CIS Benchmark and a feature evaluation of the Docker Engine, as part of NCC Group’s whitepaper on hardening Linux containers.

“In this modern age, I believe that there is little excuse for not running a Linux application in some form of a Linux container, MAC or lightweight sandbox.”
– Aaron Grattafiori, author of NCC Group’s white paper

NCC Group also took a look at the security capabilities across LXC 2.0, Docker 1.11 and CoreOS Rkt 1.3 and examined more than 13 key features and the strength of these features across all three platforms.


Docker has been focused over the last year on addressing the three key areas of container security: secure access, secure content and secure platform. What you see in the chart above are the results of having these isolation and containment features not only built into the Docker Engine but also enabled out of the box. These features allow you to have trust over the origin of your content, reduce the attack surface area of the Linux kernel, improve the containment capabilities of the Docker Engine, and ultimately help you build, ship and run safer applications.

To recap all of the progress in the last year, here is a timeline that shows the security-focused features implemented in Docker over the past year.

Docker 1.6

  • Content-addressable image identifiers by Andy Goldstein
  • Daemon side ulimit configuration

Docker Bench: tool introduced based on CIS Benchmark

Docker 1.8: Docker Content Trust

Docker 1.10

Docker 1.11


Secure by Default

At Docker we believe in “Secure by Default.” When implementing these features, we have also included default configurations and policies out of the box, so anyone installing Docker Engine for the first time is safer to begin with. You don’t have to be a security expert to be safe. However if you have different requirements, you have the ability to easily change the policies and configurations.

We will continue charging ahead, delivering more and more features that benefit all of Docker’s users, but with Docker 1.11 and its strong security defaults, Docker is positioned as the most secure container Platform available today.

More Resources on Docker Security:


Learn More about Docker


One thought on “A Look Back at One Year of Docker Security

  1. Haven't read the whitepaper.
    But the defaults overview is strongly misleading.
    I.e. LXC 2.0
    As the containers run in a user namespace anyway. Dropping capabilities is kinda silly. (And so on)

Leave a Reply