People love Docker's ability to let them run more applications on a single server than any virtualization program can. But many of them are wary of Docker's security. In this latest release, Docker 1.3 starts assuring companies that Docker application images can be deployed safely.
In a blog posting, Docker, the popular open-source container company, announced that it is finally adding digital signature verification to Docker images. This will assure you when you download a containerized application from an official Docker repository that you're getting the real thing rather than a version that's been pre-hacked.
According to Docker:
First up, in this release, the Docker Engine will now automatically verify the provenance and integrity of all Official Repos using digital signatures. Official Repos are Docker images curated and optimized by the Docker community to be the best building blocks for assembling distributed applications. A valid signature provides an added level of trust by indicating that the Official Repo image has not been tampered with.
Oddly enough, only one out of five downloaded Docker application images comes from Official Repos that are being tracked in the Docker Hub Registry. Even without this new digital signature feature I would assume security-minded system administrators would only download and use "official" containers.
Unfortunately, this feature, with its new cryptographically verified signatures, "is still work in progress: for now, if an official image is corrupted or tampered with, Docker will issue a warning but will not prevent it from running." And, of course, non-official images are not verified. Docker will improve this in future versions as they "harden the code and iron out the inevitable usability quirks. Until then, please don’t rely on this feature for serious security, just yet."
Docker 1.3's other new features include a new debugging tool, docker exec. This enables developers to spawn a process inside their Docker container via the Docker application programming interface (API) and command line interface (CLI).
So, for example…
$ docker exec -it ubuntu_bash bash
will create a new Bash session inside the container ubuntu_bash.
Docker asserts that this does not represent a fundamental change in its approach of one application per container. Instead, they're "responding to users who’ve told us they sometimes need helper processes around the app."
Another new addition for the shell is the command: "docker create." The older "docker run <image name>" would both create a container and spawn the process to run it. With docker create you can make a container but not run it.
The program also now has a new CLI flag: --security-opt. With this you can apply custom SELinux or AppArmor security settings to specific containers. This is a major step forward in locking down containers for better security.
Finally, Docker has improved how the program runs on Mac OS X by incorporating boot2docker and fixing how it works with directories.
All in all, this release is a major step forward both for Docker users, with its improved, albeit still not perfect, security, and for developers, with its new tools.