Docker 1.3 tightens container security with digital signatures

The newest revision of Docker verifies digital signatures on containers, for deeper authentication and security features

security big data

Everyone's heads are still spinning from news of Docker's collaborations with Microsoft to bring its container technology to Windows.

But any Windows-side code delivered from the partnership is a long way off. In the meantime Docker has whipped back the drapes on a new point revision of Docker outfitted with security features that nod toward Docker's growing overall ambitions. Chief among the additions is a feature that still qualifies as a technical preview, but has big implications for running Docker in secure contexts: digital signature verification.

According to Docker's blog post for the 1.3 release, "The Docker Engine will now automatically verify the provenance and integrity of all Official Repos using digital signatures." That is, any Docker images submitted for redistribution by Docker through its repository will be digitally signed and verified, certifying it hasn't been changed by unknown parties.

Right now, any changes to a signed container won't do more than throw a warning. This keeps the signature-verification process from inadvertently breaking normal Docker functionality, but it reflects Docker's growing interest in setting up containers as trustable commodities. Docker claims that "one out of every five" downloads from the Docker Hub Registry are certified as official by Docker, and this is a way for the certification to carry a little more weight.

Even more tantalizing, this represents the first of many features in this vein that involve "publisher authentication, image integrity and authorization, PKI management, and more."

Another security-related feature in this release, the --security-opt flag, allows custom SELinux and AppArmor labels and profiles to be applied to a container. One useful side effect, Docker notes, is the ability to run Docker-in-Docker (yes, that's possible) without containers in privileged mode and thus expose them to security hazards.

The other changes in 1.3 are more general but still handy. The docker exec command, for instance, allows users to launch a new process within a running container as part of the gamut of tools used in debugging Docker containers. Those running Docker on Mac OS X can more easily share folder between the host machine and any running containers.


Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform