Security is one of the most important topics in the container ecosystem right now, and over the past year, our team and the community have been hard at work adding new security-focused features and improvements to the Docker platform.
Security should be part of the Platform
As companies transition more and more of their infrastructures to public and private clouds, they have started to realize that security simply can’t be bolted on as an afterthought, and instead must be fundamentally built into the platform.
We are incredibly happy that a year after the first Docker Security White Paper and the first CIS Benchmark for Docker 1.6, there continues to be strong industry validation of our efforts, most recently in the form of a new Docker 1.11 CIS Benchmark and a feature evaluation of the Docker Engine, as part of NCC Group’s whitepaper on hardening Linux containers.
“In this modern age, I believe that there is little excuse for not running a Linux application in some form of a Linux container, MAC or lightweight sandbox.”
– Aaron Grattafiori, author of NCC Group’s white paper
NCC Group also took a look at the security capabilities across LXC 2.0, Docker 1.11 and CoreOS Rkt 1.3 and examined more than 13 key features and the strength of these features across all three platforms.
Docker has been focused over the last year on addressing the three key areas of container security: secure access, secure content and secure platform. What you see in the chart above are the results of having these isolation and containment features not only built into the Docker Engine but also enabled out of the box. These features allow you to trust the origin of your content, reduce the attack surface of the Linux kernel, improve the containment capabilities of the Docker Engine, and ultimately help you build, ship and run safer applications.
To recap all of the progress in the last year, here is a timeline that shows the security-focused features implemented in Docker over the past year.
- Content-addressable image identifiers by Andy Goldstein
- Daemon side ulimit configuration
- Image signing and verification using The Update Framework (TUF)
- Signed official images hosted on Docker Hub
- User-namespaces by Phil Estes
- Seccomp profiles with default whitelist by Jessie Frazelle
- Authorization plugins by Dima Stoppel and Liron Levin
- Content-addressable layer storage
- Hardware integration into Docker Content Trust
- Key delegation support in Docker Content Trust
- PID controls by Aleksa Sarai
Secure by Default
At Docker we believe in “Secure by Default.” When implementing these features, we have also included default configurations and policies out of the box, so anyone installing Docker Engine for the first time is safer to begin with. You don’t have to be a security expert to be safe. However, if you have different requirements, you have the ability to easily change the policies and configurations.
We will continue charging ahead, delivering more and more features that benefit all of Docker’s users, and with Docker 1.11 and its strong security defaults, Docker is positioned as the most secure container platform available today.
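Because the defaults can be changed per container, a useful operational check is to find containers that have opted out of them. The following audit, added here as an example and not code from this post or the Docker project, reads `docker inspect` output and flags containers that disable the default seccomp profile, add capabilities, remove the PID limit, opt out of user-namespace remapping, or raise the nofile ulimit above a site ceiling; the HostConfig key names are the ones `docker inspect` emits, while the sample values and the `nofile_ceiling` policy are assumptions.

```python
import json

# Constructed sample: the shape of `docker inspect <container>` output.
# Key names are the real HostConfig keys; the values are made up for this example.
SAMPLE_INSPECT = json.loads("""
[{"Id": "example", "HostConfig": {
    "Privileged": false,
    "SecurityOpt": ["seccomp=unconfined"],
    "CapAdd": ["SYS_ADMIN"],
    "PidsLimit": 0,
    "UsernsMode": "host",
    "Ulimits": [{"Name": "nofile", "Soft": 1048576, "Hard": 1048576}]
}}]
""")

def audit_host_config(host_config, nofile_ceiling=65536):
    """Return findings where a container opts out of Docker's hardening defaults.
    nofile_ceiling is an assumed site policy, not a Docker default."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged: all capabilities granted, default seccomp profile not applied")
    sec_opts = host_config.get("SecurityOpt") or []
    # With no seccomp= entry the daemon's default whitelist profile applies.
    seccomp = [o for o in sec_opts if o.startswith("seccomp=")]
    if "seccomp=unconfined" in seccomp:
        findings.append("seccomp=unconfined: default syscall whitelist disabled")
    elif seccomp:
        findings.append("custom seccomp profile in use: " + seccomp[0].split("=", 1)[1])
    for cap in host_config.get("CapAdd") or []:
        findings.append("capability added beyond the default set: " + cap)
    # PidsLimit absent, 0 or -1 means no cap on processes (no fork-bomb containment).
    if not host_config.get("PidsLimit") or host_config["PidsLimit"] < 0:
        findings.append("PidsLimit unset: no cap on processes in the container")
    if host_config.get("UsernsMode") == "host":
        findings.append("UsernsMode=host: container opts out of user-namespace remapping")
    for ul in host_config.get("Ulimits") or []:
        if ul.get("Name") == "nofile" and ul.get("Hard", 0) > nofile_ceiling:
            findings.append(f"nofile hard limit {ul['Hard']} exceeds policy ceiling {nofile_ceiling}")
    return findings

def audit_inspect_output(inspect_json):
    """Map container Id -> findings for a whole `docker inspect` JSON array."""
    return {c["Id"]: audit_host_config(c.get("HostConfig", {})) for c in inspect_json}

if __name__ == "__main__":
    for cid, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(cid, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Pipe `docker inspect $(docker ps -q)` into `json.load` to run it against live containers; an empty findings list means the container runs with the shipped defaults intact.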
More Resources on Docker Security:
- Install Docker Engine and try these features today
- Try Docker Bench to check your Docker host configurations
- Get the NCC Group White Paper
- Watch our latest Online Meetup on Security
- Keep in touch on the Docker Security resource center