The market acceptance of container-based virtualization is nothing short of spectacular. A recent Docker survey...
of 500 IT professionals reported that over 50% had at least one container application running in production, suggesting that the container adoption rate is much faster than even the cloud and that this rate is accelerating. The same report indicated that 90% of respondents use Docker for application development, citing agility, flexibility and increased release frequency as benefits.
Efforts to improve Docker container security
It's easy to understand why container-based virtualization is on the rise. Containers are easy to deploy, fast to start and can increase instance count -- compared to VMs -- more than three times. They also offer decent code stability and come at a reasonable price. Furthermore, the effort to judiciously use hypervisors with hardware support for multi-tenant security has helped put many of the security concerns surrounding containers to rest. Infrastructure support for containers is also booming, with Microsoft, VMware, OpenStack, all Linux distributions and major public cloud providers offering comprehensive support.
Management tools, on the other hand, are still playing catch-up, but it's interesting to note that when it comes to orchestration tools, Docker Swarm has made significant strides. Despite increased efforts to address security, it's still perceived as a potential issue, though many organizations are actively working to provide products that alleviate this concern. Intel developed a thin hypervisor aimed squarely at containers with the potential to lead to bare-metal container solutions down the road. The Intel approach utilizes hardware support for memory separation to protect against cross-tenancy violations.
Docker has just released Docker Security Scanning (DSS) as an optional service to check the security level of a container image by scanning its binary code. In effect, it creates an image signature. This allows both the original code and updates to be validated prior to deployment. In fact, software vendors can create a security profile of their code that should exactly match what a customer is deploying. DSS automates what would otherwise be a patchy, manual process, saving a lot of time and enhancing security.
DSS is applied to Docker Hub repository images and the general release means private repositories have the same capability. Another security enhancement on the way is the ability for the next Docker Engine release to separate user privileges. Docker's main competitor, CoreOS, has a similar tool called Clair, which was recently updated to v1.0.
The Docker Bench for Security -- a script that checks for adherence to security best practices -- is currently in the process of being updated to enhance validation of users' hardware configurations. Bench identifies potential problems or security concerns, allowing admins to spot deficiencies and plan for action to upgrade systems.
Third-party tools for container-based virtualization
Docker is better at security than traditional apps on enterprise servers and infrastructure, so perhaps the sense of an unfinished job is a direct result of the clarity of structure and the new agility that containers bring to the picture. Security can still be compromised by breaches in the underlying hypervisor structure or in the loaded app image or data just as in hypervisor-based clouds, so there is still room for improvement.
Third-party tools can help here. Nessus 6.6, for example, checks for kernel host vulnerabilities and runs a scan against Center for Internet Security benchmarks to identify holes in security. Twistlock announced a new tool that can analyze container behaviors and compare them against a profile of expected results.
Work on unikernels is also underway. These are stripped back OS kernels, which boot faster than standard kernels and offer the security benefit of a reduced attack surface. They can run on a hypervisor or be ported to bare metal, which points to a long-term threat that containers will displace the hypervisor completely. Critics of the unikernel approach suggest too many tools would be lost, making debug difficult, but this may be less of an issue in large scale deployments, as the debug process will need to change considerably.
The automated container management field is also making great progress. Google Cloud's Container Engine, which is based on Kubernetes, orchestrates containers. You can apply this same tool to private or hybrid clouds, introducing a way to easily bridge the various clouds in your IT sky.
Docker Swarm handles orchestration tasks for OpenStack, while other tools can be deployed. The RightScale Universal Cloud Management Platform now supports containers, with a control and statistics gathering agent that can be launched in existing containers by a script.
The Open Container Initiative is broadening its horizons, creating a project to standardize image formats. This fits well with the direction of the containers movement in IT with simpler, more standard and more secure approaches for everything.
Docker isn't alone in the world. CoreOS is busy with its rkt container runtime, which addresses some of the security issues from which Docker suffers. Rkt -- pronounced rocket -- claims to have fully implemented signing and validating images, though Docker's recent announcements close that gap significantly. Rkt also is daemon-less, which allows it to operate outside of root.
CoreOS is pushing the standard image format hard. They can convert existing Docker images on the fly, but a standard approach would avoid that rebuilding. In the meantime, CoreOS offers support for Docker container images.
With new security, management and orchestration tools being released regularly, it's likely that container-based virtualization will continue to thrive in the coming future.
Docker security a major talking point at DockerCon 2016
Will Docker's ambition be its downfall?
OpenStack updates boost container support
CoreOS' new approach to container security