“Docker now is building tools for launching cloud servers, systems for clustering, and a wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server. The standard container manifesto was removed. We should stop talking about Docker containers, and start talking about the Docker Platform. It is not becoming the simple composable building block we had envisioned.”
One of Rocket’s core design principles is security, and Docker’s approach to security has been the other main controversy facing the young company.
Security: What’s in that image?
No one denies there are risks associated with using images downloaded from the public Docker registry, as noted in a May 15, 2015 blog by the container startup Banyan Ops. The report, by Jayanth Gummaraju, Tarun Desikan and Yoshio Turner, was titled “Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities.” Known vulnerabilities such as Shellshock, Heartbleed and POODLE were found in images the company pulled from Docker Hub. But is the claim as damning as it seems?
“It’s inaccurate. The official repositories are the 70-plus repos that we work very specifically with the ISVs to create,” said Docker’s Messina. “There is parity with what they have and what the ISVs have.
“We go through a very rigorous process ourselves. Before they make the official repo, we go through the vulnerabilities ourselves. What that [report] did was take a set of raw numbers that don’t reflect how developers use the images. We don’t remove images from Hub. Also, what they scanned for was inaccurate: They just looked for the release level, just the numbers, as opposed to scanning for vulnerabilities. Debian has a much deeper level of code numbering scheme… So basically, their counting is wrong.”
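The disagreement above comes down to how an image scanner decides whether an installed package is fixed. Distributions such as Debian routinely backport a security fix into the existing upstream release and bump only the Debian revision (the part after the hyphen), so a scanner that compares upstream release numbers alone will flag a package that the distribution has already patched. The following script is an added illustration, not code from the article, from Banyan Ops or from Docker: it implements the dpkg version-ordering rules in Python and runs a constructed package inventory (modelled on `dpkg -l` output of an image) through both a naive upstream-only check and a distribution-aware check. The package versions and the "fixed in" values are constructed for the demonstration; a real scanner would take them from the distribution's security advisories.

```python
"""Debian-aware package version checks for container image scanning (added example)."""

def _order(ch: str) -> int:
    """Weight of one character in a non-digit run, mirroring dpkg: '~' sorts before
    end-of-string, letters sort before everything else, digits and end count as 0."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _cmp_part(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) using dpkg's algorithm:
    alternate runs of non-digits and runs of digits, digits compared numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit or the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b (dpkg ordering)."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)


def naive_upstream_check(installed: str, upstream_fixed: str) -> bool:
    """'Release level' check: ignore epoch and revision, compare upstream only.
    Returns True when the package would be flagged as vulnerable."""
    _, upstream, _ = parse_debian_version(installed)
    return compare_debian_versions(upstream, upstream_fixed) < 0


def distro_aware_check(installed: str, distro_fixed: str) -> bool:
    """Check against the version the distribution's advisory names as fixed."""
    return compare_debian_versions(installed, distro_fixed) < 0


# Constructed inventory of an image, and constructed advisory data for one issue:
# the upstream project fixed it in 1.0.1g, Debian backported the fix into 1.0.1e-2+deb7u5.
IMAGE_INVENTORY = {"openssl-patched": "1.0.1e-2+deb7u5", "openssl-stale": "1.0.1e-2+deb7u4"}
ADVISORY = {"upstream_fixed": "1.0.1g", "distro_fixed": "1.0.1e-2+deb7u5"}


def scan(inventory=IMAGE_INVENTORY, advisory=ADVISORY):
    """Run both checks over every package; returns {name: (naive_flag, distro_aware_flag)}."""
    return {
        name: (naive_upstream_check(ver, advisory["upstream_fixed"]),
               distro_aware_check(ver, advisory["distro_fixed"]))
        for name, ver in inventory.items()
    }


if __name__ == "__main__":
    for name, (naive, aware) in scan().items():
        print(f"{name}: naive={'VULN' if naive else 'ok'} distro-aware={'VULN' if aware else 'ok'}")
```

Running it shows the patched package flagged by the naive check but cleared by the distribution-aware one, while the stale package is flagged by both. For a defender, the practical consequence is that image-scan results should be read against distribution advisories (and scanners configured to use them), or the count of "vulnerable" images will include packages that are already fixed.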
Cockroft added: “The container provides some isolation, but not as much as a VM. When VMs came out, people weren’t happy about VM security. People were saying you could break out and control the host machine. In fact that’s happened very rarely. The isolation that Docker gives you is improving over time.”
Docker’s layered image model makes it easier to roll out patches and updates across a codebase than a non-containerized model does, according to a Docker white paper on security best practices. Further, the paper concludes that “The simple deployment of Docker increases the overall system security levels by default, through isolation, confinement, and by implicitly implementing a number of best practice, that would otherwise require explicit configuration in every OS used within the organization.”
That facility has a downside, however. “If there is a container that has a flaw or security issue, people will get it automatically, so the pipeline needs to be secure,” said Fred Simon, cofounder and chief architect for JFrog, maker of the Artifactory binary repository. “You can’t secure one container at a time; it’s going to be too painful.”
Docker’s security best practices white paper also notes a limit that applies especially to bare-metal deployments without x86 virtualization: “Containers do not provide ring-1 hardware isolation, given that it cannot take full advantage of Intel’s VT-d and VT-x technologies. In this scenario, containerization is not a complete replacement of virtualization for host isolation levels.”