App Containers Get a Needed Security Boost
Application container rivals CoreOS and Docker each released "production ready" versions of their platforms this week as the expanding container ecosystem moves to button down secure distribution of enterprise applications at scale.
Industry leader Docker released the latest version of its application container platform on Thursday (Feb. 4) focusing on across-the-board container orchestration and improved networking capabilities along with a package of new security features. The security upgrades primarily focus on managing access control so that application containers remain isolated from one another.
On the same day, CoreOS unveiled the "stable" 1.0 version of its container runtime known as rkt, emphasizing new security features that make it ready for production workloads. Among the runtime's security features are improved container isolation via kernel-based virtual machines along with integration of a "trusted platform module."
CoreOS also disclosed technology collaboration with Intel Corp. (NASDAQ: INTC).
With Docker emerging as a de facto industry standard for application containers, open source advocate CoreOS also stressed that its container runtime can handle existing Docker images along with Linux and other standard container images. "This means developers can build with Docker [and] run with rkt," the San Francisco-based company asserted.
Emphasizing production requirements, Docker said its latest released aids developers by allowing them to specify access policies based on the "behavior of their containers" while ensuring the "integrity" of content used to build and distribute applications. Once in production, the new release "enables more fine-grained access control to mitigate risk and reduce the attack surface of [the] application-operating environment," noted the Bay Area company.
The goal for Docker, CoreOS and a growing list of application container specialists is improving security and orchestration tools, along with networking and monitoring so developers can build more complex cloud-native applications that will run at scale.
To that end, CoreOS said the latest release of its rkt runtime features stable interfaces and an on-disk format. It also said rkt would soon be integrated with its Tectonic container platform. The startup unveiled the enterprise version of Tectonic with "distributed trusted computing" in December. The combination, CoreOS asserted, would provide a "secure platform from the application layer down to the hardware…."
Along with container monitoring and networking improvements, the production version of the rkt runtime includes a container registry to host runtime images. The host also can convert Docker images to the rkt runtime.
CoreOS also has been working with Intel Corp. to provide additional security features like the ability to launch its runtime as a virtual machine. The partners said rkt has been optimized "to take full advantage of Intel platform technologies to deliver improved workload isolation and hardware-based security capability."
In a blog post, CoreOS CEO Alex Polvi noted that Intel's "Clear Containers" approach allows rkt to deliver applications with "CPU-enforced isolation." That, Polvi added, balances the need for "application-focused packaging and deployment efficiencies, with the explicit hardware-guaranteed isolation of a virtual machine."
Similarly, Docker stressed that its latest release contains new security features like user name spacing, which allows IT managers to separate container and daemon-level privileges to allow assignment by user group. It also has added image IDs that refer specifically to what's inside the image.
Docker 1.10 is available here.