The announcements kick off DockerCon EU, taking place this week in Barcelona. This particular set of features isn’t exactly revolutionary, but it does indicate how Docker containers are being gussied up for enterprise IT use.
For all the publicity Docker has been getting, it’s worth remembering that deployments of Linux containers tend to be in test-and-development environments. Some large IT departments would like to use containers more widely in production but are skittish about issues such as security and scaling.
Docker Content Trust is a new hardware-based feature that lets a developer “sign” a container, verifying that she did, indeed, create that container. It’s by no means a mandatory step, but it’s a way to provide an additional level of assurance to a container’s users.
The signature can be placed during development of a container and during code upgrades. It’s handled using a USB device called a YubiKey, which can plug into the laptop the developer is using.
Separately, Docker Inc. is launching a service to run security checks of the containers that are available for free through Docker Hub. Docker will scan the container images for vulnerabilities and notify software vendors when there’s a problem.
Both features aim to curb the unknown factors that can come with containers, especially if they’re grabbed from an official repository. Docker’s official repositories constitute 20 percent of all container downloads, says Scott Johnston, senior vice president of product management at Docker.
Finally, Docker is introducing user namespaces, which can be used to limit the privileges a container has. This is important because a single host can be running many containers, and someone who breaks out of one container can get root access to the host OS.
With user namespaces, Docker lets IT operators block this problem by denying root access to a container. “You might be running as root inside the container, but when you break out, you’re no longer root,” Johnston says.
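As an added illustration (not from the article and not Docker's own code): a small POSIX shell function that reads a uid_map in the format the kernel exposes at /proc/&lt;pid&gt;/uid_map and shows why a process that is root inside a remapped container is an unprivileged uid on the host. The mapping values below are constructed.

```shell
#!/bin/sh
# Added example: resolve an in-container uid to the host uid through a
# user-namespace uid_map. Each uid_map line has three fields:
#   <first uid inside the namespace> <first uid outside> <count>
# On a live host you would read the real map from /proc/<container-pid>/uid_map.

# Constructed sample: a container whose root (uid 0) is remapped to a
# subordinate range starting at host uid 100000, as a userns remap would do.
REMAPPED_UID_MAP="0 100000 65536"

# Constructed sample: the identity map of a container WITHOUT user namespaces.
# Root inside is root outside, which is the problem user namespaces address.
IDENTITY_UID_MAP="0 0 4294967295"

# map_uid MAP INSIDE_UID
# Prints the host uid the kernel would use for INSIDE_UID, or 65534
# (the kernel's overflow uid, usually "nobody") when no range covers it.
map_uid() {
    map="$1"
    inside="$2"
    printf '%s\n' "$map" | awk -v id="$inside" '
        {
            # fields: $1 = inside start, $2 = outside start, $3 = count
            if (id >= $1 && id < $1 + $3) {
                print $2 + (id - $1)
                found = 1
                exit
            }
        }
        END { if (!found) print 65534 }'
}

# Demonstration: the same "root" process seen from the host in both setups.
printf 'no userns:  container uid 0 -> host uid %s\n' "$(map_uid "$IDENTITY_UID_MAP" 0)"
printf 'with userns: container uid 0 -> host uid %s\n' "$(map_uid "$REMAPPED_UID_MAP" 0)"
printf 'with userns: container uid 70000 (outside the range) -> host uid %s\n' \
    "$(map_uid "$REMAPPED_UID_MAP" 70000)"
```

Under the remapped map, a breakout that lands on the host as uid 100000 has none of the host's root privileges, which is the point Johnston makes above.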
Docker Content Trust and user namespaces are available in the experimental release of Docker 1.9. Docker Content Trust is also available in the 0.1 version of the Notary project.
The image scanning service is available for all official repositories on Docker Hub.