Banjot Chanana

Docker Security Update: CVE-2019-5736 and Container Security Best Practices

On Monday, February 11, Docker released an update to fix a privilege escalation vulnerability (CVE-2019-5736) in runC, the Open Container Initiative (OCI) runtime specification used in Docker Engine and containerd. This vulnerability makes it possible for a malicious actor that has created a specially-crafted container image to gain administrative privileges on the host. Docker engineering worked with runC maintainers on the OCI to issue a patch for this vulnerability. Docker recommends immediately applying the update to avoid any potential security threats. For Docker Engine-Community, this means updating to 18.09.2 or 18.06.3. For Docker Engine-Enterprise, this means updating to 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19. Read the release notes before applying the update due to specific instructions for Ubuntu and RHEL operating systems. For Docker Desktop, users should download the update for Mac or Windows. Summary of the Docker Engine versions that address the vulnerability: Continue reading…

Michael Crosby

What is containerd?

We have done a few talks in the past on different features of containerd, how it was designed, and some of the problems that we have fixed along the way. Containerd is used by Docker, Kubernetes CRI, and a few other projects, but this is a post for people who may not know what containerd actually does within these platforms. I would like to do more posts on the feature set and design of containerd in the future, but for now, we will start with the basics. I think the container ecosystem can be confusing at times, especially with the terminology that we use. What's this? A runtime. And this? A runtime… containerd, as the name implies (not "contain nerd", as some would like to troll me with), is a container daemon. It was originally built as an integration point for OCI Continue reading…

Victor Coisne

Moby Summit LA alongside Open Source Summit North America

Since the Moby Project introduction at DockerCon 2017 in Austin last April, the Moby community has been hard at work to further define the Moby project, improve its components (runC, containerd, LinuxKit, InfraKit, SwarmKit, Libnetwork and Notary) and refine processes and establish clear communication channels. All project maintainers are developing these aspects in the open with the support of the community. Contributors are getting involved on GitHub, giving feedback on the Moby Project Discourse forum and asking questions on Slack. Special Interest Groups (SIGs) for the Moby Project components have been formed based on the Kubernetes model for open source collaboration. These SIGs ensure a high level of transparency and synchronization between project maintainers and a community of heterogeneous contributors. In addition to these online channels and meetings, the Moby community hosts regular meetups and summits. Check out the videos and slides from the last Continue reading…

Patrick Chanezon

Moby Summit June 2017 Recap

On June 19, 2017, 90 members of the Moby community gathered at Docker headquarters in San Francisco for the second Moby Summit. This was an opportunity for the community to discuss the progress and future of the Moby project, two months after it was announced. We started the day with an introduction by Solomon Hykes and a look at the website redesign: the Moby project website now has a blog, an event calendar, a list of projects, and a community page with links to various community resources. The website code is open source; issues and PRs to make it better are welcome. Then each team gave an update on their progress: LinuxKit, containerd, InfraKit, SwarmKit and Libnetwork, as well as the three new Moby Special Interest Groups: LinuxKit Security, Security Scanning & Notary, and Orchestration Security. All these talks have been Continue reading…

Victor Coisne

containerd livestream recap

In case you missed it last month, we announced that Docker is extracting a key component of its container platform, a part of the engine plumbing called containerd (a core container runtime) and committed to donating it to an open foundation. You can find the up-to-date roadmap, architecture and API definitions in the GitHub repository, and more details about the project in our engineering team's blog post. You can also watch the following video recording of the containerd online meetup, for a summary and Q&A with Arnaud Porterie, Michael Crosby, Stephen Day, Patrick Chanezon and Solomon Hykes from the Docker team. Here is the list of top questions we got following this announcement: Q. Are you planning to run Docker without runC? A. Although runC is the default runtime, as of Docker 1.12 it can be replaced by any other OCI-compliant implementation. Docker will be Continue reading…

Solomon Hykes

containerd – a core container runtime project for the industry

Today Docker is spinning out its core container runtime functionality into a standalone component, incorporating it into a separate project called containerd, and will be donating it to a neutral foundation early next year. This is the latest chapter in a multi-year effort to break up the Docker platform into a more modular architecture of loosely coupled components. Over the past 3 years, as Docker adoption skyrocketed, it grew into a complete platform to build, ship and run distributed applications, covering many functional areas from infrastructure to orchestration, the core container runtime being just a piece of it. For millions of developers and IT pros, a complete platform is exactly what they need. But many platform builders and operators are looking for “boring infrastructure”: a basic component that provides the robust primitives for running containers on their system, bundled in Continue reading…

Arnaud Porterie

Docker 1.11: The first runtime built on containerd and based on OCI technology

We are excited to introduce Docker Engine 1.11, our first release built on runC™ and containerd™. With this release, Docker is the first to ship a runtime based on OCI technology, demonstrating the progress the team has made since donating our industry-standard container format and runtime to the Linux Foundation in June of 2015. Over the last year, Docker has helped advance the work of the OCI to make it more readily available to more users. It started in December 2015, when we introduced containerd™, a daemon to control runC. This was part of our effort to break Docker out into small reusable components. With this release, Docker Engine is now built on containerd, so everyone who is using Docker is now using OCI. We're proud of the progress we've made on the OCI with the 40+ members to continue the work to standardize container Continue reading…

Michael Crosby

Progress Report: Open Container Initiative

Last June, we launched the Open Container Initiative under the auspices of the Linux Foundation. The OCI was designed to collaborate on an open, standard container format and runtime in order to preserve portability and interoperability for users. We're very happy with the progress the OCI has made, and we wanted to share that with you.