Docker 1.10 Highlights – Updated

Docker 1.10

This video demonstrates some of the highlights of the latest Docker version:

  • User namespacing setup and demo
  • In-memory filesystem creation
  • In-flight resource constraining of a CPU-intensive container
  • Internal-facing Docker network provisioning
  • Seccomp profile enforcement (updated!)

In-memory filesystems seem particularly apposite for ephemeral and I/O-intensive containers.

The user namespacing feature is neat, but be aware that you need a compatible kernel.

And from an operational perspective, the ability to dynamically constrain resources for a container is a powerful feature.



There’s some confusion around whether these changes ‘make Docker secure’. While user namespacing reduces the risk from one attack vector, and seccomp enforcement policies can reduce it from another, security is not a binary attribute of any software platform.

For example, you still need to consider the content you are downloading and running, and where those components came from (and who is responsible for them!). Also, anyone with access to the docker command is still, effectively, a privileged user.
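To make the highlights in the list above concrete, here is an added example (written for this page, not the post's own code or anything from the Docker project) that wraps each feature in a small shell function: a tmpfs mount for an in-memory filesystem, `docker update` for an in-flight CPU constraint, `docker network create --internal` for an internal-facing network, and a seccomp profile passed via `--security-opt`. The container names, image tag, the `/scratch` mount point and the chmod-denying profile are all constructed for illustration; the `DOCKER` variable defaults to the real client and can be set to `echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): wrappers for the Docker 1.10
# features listed above. Set DOCKER=echo to print the commands instead of
# running them, which is also how the dry-run at the bottom works.
DOCKER="${DOCKER:-docker}"

# Kernel check for user namespaces: /proc/<pid>/uid_map only exists when the
# kernel was built with CONFIG_USER_NS. The daemon-side switch is
# "docker daemon --userns-remap=default" in 1.10 ("dockerd" in later releases).
userns_kernel_check() {
    [ -r /proc/self/uid_map ]
}

# Write a 1.10-format seccomp profile that allows everything except the
# chmod family (a constructed policy for a workload that never changes file
# modes). Later Docker releases accept a "names" array instead of one
# "name" per entry.
write_seccomp_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    { "name": "chmod",    "action": "SCMP_ACT_ERRNO", "args": [] },
    { "name": "fchmod",   "action": "SCMP_ACT_ERRNO", "args": [] },
    { "name": "fchmodat", "action": "SCMP_ACT_ERRNO", "args": [] }
  ]
}
EOF
}

# In-memory filesystem: mount a tmpfs at /scratch, non-executable and capped
# at 64 MiB, so scratch data never touches the disk. Usage: run_with_tmpfs NAME IMAGE
run_with_tmpfs() {
    $DOCKER run -d --name "$1" \
        --tmpfs /scratch:rw,noexec,nosuid,size=64m \
        "$2" sleep 3600
}

# In-flight CPU constraint on a running container (docker update is new in
# 1.10). Usage: throttle_cpu NAME CPU_SHARES
throttle_cpu() {
    $DOCKER update --cpu-shares "$2" "$1"
}

# Internal network: containers attached to it can reach each other but have
# no route out of the host. Usage: create_internal_network NAME
create_internal_network() {
    $DOCKER network create --internal "$1"
}

# Seccomp profile enforcement: with the profile above, chmod inside the
# container fails with EPERM. Docker 1.10 used "seccomp:<path>"; 1.11 and
# later use "seccomp=<path>". Usage: run_with_seccomp NAME PROFILE IMAGE
run_with_seccomp() {
    $DOCKER run --rm --name "$1" --security-opt "seccomp:$2" "$3" chmod 600 /etc/hostname
}

# Dry run: DOCKER=echo sh docker110.sh demo
if [ "$1" = "demo" ]; then
    userns_kernel_check && echo "kernel has CONFIG_USER_NS" || echo "no user namespace support"
    write_seccomp_profile /tmp/nochmod.json
    run_with_tmpfs scratch alpine:3.3
    throttle_cpu scratch 256
    create_internal_network backend
    run_with_seccomp nochmod /tmp/nochmod.json alpine:3.3
fi
```

Each function expands `$DOCKER` at call time, so `DOCKER="sudo docker"` or `DOCKER=echo` works without editing the script; the unquoted expansion is deliberate so that a multi-word value splits into command and argument.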


The code is here.


Currently co-authoring a book on Docker:

Get 39% off with the code 39miell

