Once upon a time in a
galaxy container far, far away … We, a bunch or rebels Haufe-employees, entered the halls of container - wisdom: DockerCon EU 2015 in Barcelona, Spain. Hailing from different departments and locations (Freiburg AND Timisoira, CTO’s, ICT, DevOps, …), the common goal was to learn about the current state of Docker, the technology behind it and its evolving eco-system.
The unexpected high level catering (at least on the first day and the DockerCon Party in the Marine Museum) was asking for more activity than moving from one session to the next, but we had to bear that burden (poor us!).
We met with a couple of companies (Rancher Labs, SysDig, Zanlado and some more) to get a feeling what is already available on the market and how mature do the solutions feel?
Here’s what I found most important (no specific order and might be intermixed with other sessions or presentations, but you know that I’m deeply interested in security and stuff ;-)):
- Docker delivers “Enterprise” Features and is getting more mature:
- Docker Content Trust is getting stronger by hardware signing Since Docker 1.8, strong cryptographic guarantess over the content of an Docker image can be established by using signing procedures. From their Blog here an excerpt: […] Docker Engine uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with and is up to date. […]. At DockerConEU 2015, the support of Hardware Signing via Yubi Key was announced that strengthens the signing process even more. There’s an elaborate article available.
- Security scans for Images: Project Nautilus Trusting an image is good and well, but what if the binaries (or packages) used image are vulnarable? Usually, distribution-maintainers provide information and updates for packages. But what about a Dockerfile that installs its artifacts without using a package-manager? Project Nautilus takes care about this situation but not only checking “all” of the vulnerability databases, but by scanning the files of an image. There’s not much public information (link :-)) available yet, but it’s a promising approach.
No more exception from isolation: User namespaces (available in Docker 1.10 “dev”) Almost everything in Docker is isolated / abstracted from the Host-OS. One crucial exception was still present: Userids were used “as is”. For example, this would allow the root user of a container to modify a readonly mounted file (by “volume” command) that is owned by the root user of the host. In future, this will not be possible anymore, because the userids will be “mapped” and the rootid “0” inside the container will be effectively treated as “xxxx + 0” outside the container.
SecComp Seccomp is a filter technology to restrict the set of systemcalls available for processes. You could imagine a container being corrupted and the docker-engine would simply not allow a process inside a container to execute “unwanted” systemcalls. Setting the system (host) time? Modifying swap params? Such calls (and more) can be “eliminated”.
- Security made easy This is mentioned in the recording of Day 1 General Session. Basically it says: If security is hard to do, nobody will do it … Docker tries to ease the “security pain” and I ask you to look/search for that small mentioning in the session. Maybe you agree to the points mentioned there :-)
- Does it (Docker) scale?
- Live scale testing wasn’t something I was really looking forward to see, but it was impressive anyway.
- Managing containers
- I DO like Rancher, I’d love to have something even more powerfull … and there comes “Docker UCP (Universal Control Plane) Beta”. The UCP and the Docker trusted registry are two of the “commercial” products I’ve seen from Docker. Hopefully, the basic tools are staying on the “Forces light side” of free opensource - at least for developers and private users.
- Using Docker in production
- At Haufe, sometimes we seem to be lagging behind new technologies. Some of the presentations at Dockercon put a pretty strong emphasis on being carefull and preserve successfull processes (esp. dev, ops and security). A quick compilation of presentation links and topics will follow.
In the meantime have a look at the great overview what happened during both days with links to all/most of the presentations, slides or videos to be found a .
… were quite interesting, too. We met with some guys from Zalando (yes, the guys who’re screeming a lot in their adverts), who were explaining how they are using some home-brewn (git-available) facade (or tool if you like) to ease the pain with running a custom PaaS on AWS. The project STUPS uses a plethora of Docker-containers and is to be found on its own web-page and github .
(To be continued :-))