Docker's security gets a largely clean bill of health in a new Gartner study, despite some reservations about the maturity of the security controls in the open-source container technology.
Depending on the use case and the controls required, Linux containers are mature enough to serve as a private or public platform-as-a-service, according to Gartner, though mixed environments involving multiple trust levels, security zones or potentially hostile tenants will need additional safeguards such as SELinux.
Containers managed by Docker are also effective at isolating resources, and in secure operations management and configuration governance they come close to the controls offered by hypervisors and the Linux OS itself.
"[However] they disappoint when it comes to secure administration and management, and to support for common controls for confidentiality, integrity, and availability," report author and Gartner research director Joerg Fritsch said.
Balancing that criticism, Fritsch points out that containers can provide an additional layer of virtualisation and security when they run on top of already virtualised systems, such as hypervisors or cloud infrastructure.
By automating the creation and deployment of apps in containers - a lighter-weight form of virtualisation - Docker is designed to free developers from software and infrastructure dependencies, cutting costs and creating efficiencies in the process.
Last month Docker CEO Ben Golub said the container technology is moving from something used primarily at web companies to software used by banks, pharma, manufacturing, and governments.
"So there's a big premium on stability and security and enterprise-grade tools. That's a priority for us to deliver," Golub said.
Gartner's Fritsch recommends that firms adopting Docker technology should recognise its inherent complexity and newness.
"Start with simple deployments until the de facto standards for container management and SDNs in containerised environments become clear," he wrote.
He also proposes standardising on the nsenter tool in situations where firms do not need to emulate the experience of a virtual private system. "Protect nsenter by limiting the input set. For example, using a special shell emulation or web GUI. Nsenter limits the ways tenants can interact with containers," Fritsch said.
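One way to "limit the input set" around nsenter, as an added example that is not from the Gartner report or the Docker project: a wrapper that tenants run instead of nsenter itself. The container name is checked against Docker's own name charset and the command must be one token from a fixed allowlist, so shell metacharacters and arbitrary binaries never reach nsenter. The allowlist, container names and the NSENTER_DRY_RUN switch are assumptions made for this example; the docker inspect template and the nsenter flags are the real ones.

```shell
#!/bin/sh
# Added example, not from the Gartner report or the Docker project: a restricted nsenter
# front end. The container name is validated and the command must be in a fixed
# allowlist, so shell metacharacters and arbitrary binaries never reach nsenter.
# The allowlist and container names are illustrative. NSENTER_DRY_RUN=1 prints the
# command that would run instead of executing it (lets this run without Docker).

ALLOWED_CMDS="ps df uptime"   # hypothetical read-only diagnostics a tenant may run

container_init_pid() {
    # PID of the container's init process on the host, as reported by Docker.
    docker inspect --format '{{.State.Pid}}' "$1"
}

restricted_nsenter() {
    name="$1"; cmd="$2"

    # 1. Reject anything outside Docker's container-name charset
    #    (letters, digits, '_', '.', '-'); this also excludes ';', '$', spaces, etc.
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "refused: invalid container name" >&2; return 2 ;;
    esac

    # 2. The command is a single token and must match an allowlist entry exactly,
    #    so "ps aux" or "sh" are refused even though "ps" is allowed.
    ok=0
    for allowed in $ALLOWED_CMDS; do
        [ "$allowed" = "$cmd" ] && ok=1
    done
    [ "$ok" -eq 1 ] || { echo "refused: command not in allowlist" >&2; return 3; }

    if [ "${NSENTER_DRY_RUN:-0}" = 1 ]; then
        echo "nsenter --target <pid of $name> --mount --uts --ipc --net --pid -- $cmd"
        return 0
    fi

    # 3. Join the container's mount, UTS, IPC, network and PID namespaces and run only
    #    the vetted command. No user namespace is joined, so the command runs as the
    #    wrapper's own user; run the wrapper with the least privilege nsenter needs.
    pid=$(container_init_pid "$name") || return 4
    nsenter --target "$pid" --mount --uts --ipc --net --pid -- "$cmd"
}
```

Expose only `restricted_nsenter` to tenants (for example as the forced command of a web GUI or an SSH account), never a shell in which they could call nsenter directly; the wrapper is only as strong as the path that leads to it.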
Where companies are operating at scale, they should select a framework for managing resources, such as Apache Mesos.
"SSL/TLS wrappers for the Docker/Swarm API should be implemented to ensure integrity and confidentiality of PaaS management," the report adds.
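What that recommendation looks like on the daemon side, as an added example that is not from the Gartner report or the Docker project: a launcher that starts dockerd with mutual TLS on its TCP API and refuses to start if the key material is missing or the private key is readable by others. The certificate directory, hostname, port and the DOCKERD_DRY_RUN switch are assumptions made for this example; the dockerd flags and the DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH client variables are Docker's own.

```shell
#!/bin/sh
# Added example, not from the Gartner report or the Docker project: start dockerd with
# mutual TLS on its TCP API and refuse to start if the key material is missing or the
# private key is readable by others. Paths, hostname and port are illustrative.
# DOCKERD_DRY_RUN=1 prints the command instead of executing it.
#
# Weak: an unauthenticated TCP socket gives root on the host to anyone who can reach it.
#     dockerd -H tcp://0.0.0.0:2375
# Hardened: every client must present a certificate signed by ca.pem.
#     dockerd --tlsverify --tlscacert=... --tlscert=... --tlskey=... -H tcp://0.0.0.0:2376
# Matching client side (docker CLI, Swarm agents), hypothetical values:
#     export DOCKER_HOST=tcp://docker.example.internal:2376 DOCKER_TLS_VERIFY=1 \
#            DOCKER_CERT_PATH="$HOME/.docker"   # holds ca.pem, cert.pem, key.pem

key_is_private() {
    # Owner-only permissions (rw------- or r--------); ls rather than stat -c for portability.
    perms=$(ls -ld "$1" | cut -c2-10) || return 1
    [ "$perms" = "rw-------" ] || [ "$perms" = "r--------" ]
}

dockerd_tls_cmd() {
    dir="$1"; port="${2:-2376}"
    for f in ca.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || { echo "refused: missing $dir/$f" >&2; return 2; }
    done
    key_is_private "$dir/server-key.pem" \
        || { echo "refused: $dir/server-key.pem must be mode 0600 or 0400" >&2; return 3; }
    # Keep the local Unix socket for on-host tooling; only the TCP listener is exposed,
    # and only with client-certificate verification.
    echo "dockerd --tlsverify --tlscacert=$dir/ca.pem --tlscert=$dir/server-cert.pem" \
         "--tlskey=$dir/server-key.pem -H tcp://0.0.0.0:$port -H unix:///var/run/docker.sock"
}

start_dockerd_tls() {
    cmd=$(dockerd_tls_cmd "$@") || return $?
    if [ "${DOCKERD_DRY_RUN:-0}" = 1 ]; then echo "$cmd"; return 0; fi
    # shellcheck disable=SC2086  # intentional word splitting of the assembled flags
    exec $cmd
}
```

Invoke it as `start_dockerd_tls /etc/docker/tls 2376`. Because `--tlsverify` makes the daemon reject any client without a certificate chained to `ca.pem`, the CA key used to issue client certificates is effectively a root credential for every host in the cluster and should be kept offline.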
Gartner also suggests compensating for the lack of traditional endpoint protection platform (EPP) tooling inside containers with application whitelisting or SELinux. Alternatively, it proposes making containers self-assessing entities using the DevOps tool chain.
The Docker container management framework has soared in popularity in the past 12 months. It originally relied on LXC (Linux Containers) as the underlying OS container mechanism but later introduced its own libcontainer library for the same purpose.
Although Docker deployments have so far been based on the Linux OS, the container framework has recently been ported to OpenSolaris, and Microsoft has announced plans to add OS virtualisation and Docker support to Windows Server.
The comparisons in Gartner's research paper, Security Properties of Containers Managed by Docker, are based on the security properties of containers built on libcontainer and the Linux OS.