What do you envision as the future of Docker in terms of not only enhancing container security, but also the short- and long-term innovation and adoption of the technology?
I don’t believe that container technology is the really interesting part of Docker. I believe that Docker will become a new standard for shipping software, and this is the game-changer. If a developer, quality engineer or end user can all build, test and run the exact same bits, it is less likely that a modification to a host will cause an application to break. I believe this is what will make Docker take off in the enterprise. But there are pitfalls in this, which companies like Red Hat have to solve.
If I am running lots of applications with their own userspaces, and we have a major vulnerability in something like OpenSSL, how do I check if any of my containers are vulnerable?
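One way to answer that inventory question, as an added example that is not from the interview or from Red Hat or Docker: a script that asks every running container for its installed openssl package (assuming RPM-based images, queried with `docker exec` and `rpm -q`) and compares it against a placeholder fixed version with a simplified rpmvercmp, so containers still carrying the vulnerable build can be listed.

```python
"""Flag running containers whose openssl package is older than a fixed version.
Constructed example; assumes RPM-based container images and a local docker CLI."""
import re
import subprocess

# PLACEHOLDER: substitute the first fixed version-release named in the advisory.
FIXED_OPENSSL = "1.0.1e-34.el7"


def _segments(s):
    """Split a version string into numeric and alphabetic segments, as rpm does."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: numbers compare numerically, letters lexically,
    a numeric segment is newer than an alphabetic one, and more segments win."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def classify(rpm_output, fixed=FIXED_OPENSSL):
    """Map one container's 'rpm -q' output to 'vulnerable', 'fixed' or 'absent'."""
    installed = rpm_output.strip()
    if not installed or installed.startswith("package "):
        return "absent"
    return "fixed" if evr_cmp(installed, fixed) >= 0 else "vulnerable"


def query_container(cid):
    """Ask a container for its openssl version-release (empty if not installed)."""
    cmd = ["docker", "exec", cid, "rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "openssl"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def audit(containers=None, query=query_container):
    """Return {container_id: status} over the given (or all running) containers."""
    if containers is None:
        containers = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                                    text=True, check=True).stdout.split()
    return {cid: classify(query(cid)) for cid in containers}


if __name__ == "__main__":
    for cid, status in audit().items():
        print(f"{cid}\t{status}")
```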
Docker security features on the horizon
Walsh gave us a preview of new features Red Hat is currently testing and developing to further bolster the security of container technology.
• User Namespace: Could allow the Linux kernel to treat root within a container as a non-root user outside of the container.
• Customizable SELinux Types: This could allow users to tighten or loosen the security of processes within the container.
• Libseccomp: Can be used to minimize the syscalls available to a container. This could potentially lower the attack surface on the container.
• Audit: Allows Red Hat to work with Common Criteria to ease adoption of container technology in government.
• Proper Signing of Images: Affords the capability to cryptographically sign images and start to build trust into Docker pull and Docker push.