We love containers. They let us run many more server applications on the same hardware than virtual machines do. There's only one not-so-little problem with containers: security. CoreOS's Clair addresses this concern by checking for software vulnerabilities in your containers.
CoreOS, the maker of Linux for massive server deployments and a container power in its own right, launched an early version of Clair, an open source container image security analyzer, late last year. Today, CoreOS released Clair version 1.0, and it's ready for production workloads.
Matthew Garrett, CoreOS's principal security software engineer, explained in an e-mail that "Vulnerabilities in software are an unfortunate fact of life, and it's vital that admins know about them as soon as possible and be able to apply fixes. Containers add additional security by strengthening the boundaries between applications, but existing ops tooling is frequently unaware of containers and unable to notify admins of potential issues."
Clair does this, Quentin Machu, a CoreOS software engineer, explained, by providing "an API-driven analysis service [Quay Security Scanning] that provides insight into the current vulnerabilities in your containers." It checks every container image "and provides a notification of vulnerabilities that may be a threat, based on the vulnerability databases Common Vulnerabilities and Exposures (CVE) maintained by Red Hat, Ubuntu, and Debian."
For DevOps teams, Clair delivers. Machu said it offers "useful and actionable information about the vulnerabilities that threaten containers. Community feedback guided many of the latest Clair features, including the ability not only to reveal whether a vulnerability is present, but also offer the available patch or update to correct it. Additionally, the 1.0 release improves performance and extensibility, empowering developers and operations professionals to implement their own services around the Clair analyzer."
With this version, users can also add fixes and vulnerabilities. This is important because a Clair-based analysis of the container images indexed by CoreOS's Quay container registry determined that:
- More than 70% of detected vulnerabilities could be fixed simply by updating the installed packages in these container images.
- More than 80% of vulnerabilities rated High and Critical have known fixes that can be applied with a simple update to packages in these images.
Patching. It's that simple.
As Machu observed, "Updating to the latest versions of installed software improves overall infrastructure security, which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues that Clair uncovers. Container images are often infrequently updated, but with Clair security scanning, users can identify and update problematic images more easily."
Clair 1.0 includes both better performance and more features.
- Improved speed: By leveraging recursive queries, Clair emulates a graph-like database structure while maintaining the performance characteristics of a traditional SQL database. This has improved API responses in production by 3 orders of magnitude, from 30 seconds to 30 milliseconds.
- Better usability: The new RESTful JSON API has been generalized and is more useful to developers. The previous API was tightly coupled to integration with container registries, so the new API should help the community integrate Clair with other workflows and systems. For each vulnerability, Clair now reports:
- The name and version of the source package affected by the vulnerability.
- The feature version(s) that fix the vulnerability, if they exist.
- Metadata such as the Common Vulnerability Scoring System (CVSS) score. When available, CVSS metadata provides the fundamental characteristics of the vulnerability, such as the means of access, whether authentication is required, and the impact on confidentiality, integrity, or availability.
- The specific layer in the image that introduces the vulnerability, to make applying patches even easier.
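As an added illustration (not CoreOS's code, and not Clair's real schema or API), the following Python script shows the idea behind the speed-up and the per-layer reporting described above: a recursive SQL query over plain layer, feature and vulnerability tables in SQLite walks an image's layer chain, tags each finding with the layer that introduced it, and computes the share of findings that a simple package update would fix. The tables, the sample image and the CVE identifiers are constructed placeholders.

```python
import sqlite3

# Constructed schema, not Clair's actual one: each layer points at its parent,
# features (installed packages) hang off the layer that introduced them, and
# vulnerabilities are keyed by package name.
SCHEMA = """
CREATE TABLE layer(name TEXT PRIMARY KEY, parent TEXT);
CREATE TABLE feature(layer TEXT, pkg TEXT, version TEXT);
CREATE TABLE vuln(pkg TEXT, cve TEXT, severity TEXT, fixed_in TEXT);
"""

# Constructed sample image: app -> runtime -> base. CVE ids are placeholders.
LAYERS = [("base", None), ("runtime", "base"), ("app", "runtime")]
FEATURES = [("base", "openssl", "1.0.1"), ("runtime", "libxml2", "2.9.1"),
            ("app", "curl", "7.40")]
VULNS = [("openssl", "CVE-EXAMPLE-0001", "Critical", "1.0.2"),
         ("libxml2", "CVE-EXAMPLE-0002", "Medium", None),  # no fix available
         ("curl", "CVE-EXAMPLE-0003", "High", "7.41")]

# The recursive CTE walks from the requested layer up to the root layer, then
# joins each ancestor's features to known vulnerabilities: a layer graph held in
# ordinary SQL tables. Matching is by package name only; a real scanner also
# compares versions with distribution-aware semantics.
QUERY = """
WITH RECURSIVE ancestry(name, depth) AS (
    SELECT name, 0 FROM layer WHERE name = ?
    UNION ALL
    SELECT l.parent, a.depth + 1 FROM layer l JOIN ancestry a ON l.name = a.name
    WHERE l.parent IS NOT NULL
)
SELECT a.name, f.pkg, f.version, v.cve, v.severity, v.fixed_in
FROM ancestry a JOIN feature f ON f.layer = a.name JOIN vuln v ON v.pkg = f.pkg
ORDER BY a.depth DESC
"""

def scan(image_top_layer):
    """Return one finding per vulnerable package, tagged with the introducing layer."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO layer VALUES (?, ?)", LAYERS)
    db.executemany("INSERT INTO feature VALUES (?, ?, ?)", FEATURES)
    db.executemany("INSERT INTO vuln VALUES (?, ?, ?, ?)", VULNS)
    keys = ("layer", "pkg", "version", "cve", "severity", "fixed_in")
    rows = [dict(zip(keys, r)) for r in db.execute(QUERY, (image_top_layer,))]
    db.close()
    return rows

def triage(findings):
    """Fraction of findings with a known fix, and the same for High/Critical only."""
    fixable = [f for f in findings if f["fixed_in"] is not None]
    severe = [f for f in findings if f["severity"] in ("High", "Critical")]
    severe_fixable = [f for f in severe if f["fixed_in"] is not None]
    return (len(fixable) / len(findings) if findings else 0.0,
            len(severe_fixable) / len(severe) if severe else 0.0)
```

Running `scan("app")` lists all three findings with the layer that introduced each, and `triage` on that result reports that two of three findings, and every High/Critical one, have a fix available.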
CoreOS is intent on making Clair a true open-source project. While the company welcomes contributions to the core Clair repository, its extensible components mean any company can maintain its own Clair extensions. Huawei, for example, has already contributed an extension to support the ACI container image format.
If you're serious about container security, you seriously need to give Clair a try.