Disclosure of Authorization-Bypass on the Docker Hub

Following the postmortem of a previous vulnerability announced on June 30th, the Docker team conducted a thorough audit of the platform code base and hired an outside consultancy to investigate the security of the Docker Registry and the Docker Hub. On the morning of 8/22 (all times PST), the security firm contacted our Security Team:

8/22 – Morning: Our Security Team was contacted regarding vulnerabilities that could be exploited to allow an attacker to bypass authorization constraints and modify container image tags stored on the Docker Hub Registry. Even though the reporting firm was unable to immediately provide a working proof of concept, our Security Team began to investigate.

8/22 – Afternoon: Our team confirms the vulnerabilities and begins preparing a fix.

8/22 – Evening: We roll out a hotfix release to production. Additional penetration tests are performed to assure …

OpenStack – Icehouse Release Update

Today, we expect the release of OpenStack Icehouse. In March, we reminded readers that Docker will continue to have OpenStack integration in Icehouse through our integration with Heat. Of course, that remains true. Since then, however, much has happened to warrant an update. Since our last post, we’ve received great feedback from the community on their efforts in using OpenStack Heat to automate their Docker workloads. We’ve also seen great contributions to the Nova driver, including the addition of Neutron support. Additionally, we’ve seen a fabulous effort from Brint O’Hearn of Rackspace in showing how to drive Heat workloads without our Heat plugin, and Docker being more deeply embedded in OpenCrowbar.

Heat

From those using the Heat plugin, we’ve received positive feedback on the example we provided in our last posting, but users noted we missed important details such as installation …

Docker will be in OpenStack Icehouse

The preferred mechanism for orchestrating Docker in OpenStack is via Heat, rather than treating Docker as a form of hypervisor in OpenStack Nova. Our initial path towards enabling the use of Docker in OpenStack was to create a driver for Docker in OpenStack Compute (Nova), which enabled a Docker container to be used as if it were a virtual machine. However, at the OpenStack conference in Hong Kong, it became clear that there were disadvantages to this approach. For instance, the standard API extensions expect certain VM-specific functionality, not all of which makes sense in a Docker or container context. Furthermore, using Docker as a VM in Nova also makes it difficult to expose some of the more useful Docker functionality, such as linking containers. For these reasons, we have begun to apply Heat as a better alternative. OpenStack Orchestration (Heat) is …