Docker 1.10 Highlights – Updated

Docker 1.10

This video demonstrates some of the highlights of the latest Docker version:

  • User namespacing setup and demo
  • In-memory filesystem creation
  • In-flight resource constraining of a CPU-intensive container
  • Internal-facing Docker network provisioning
  • Seccomp profile enforcement (updated!)

In-memory filesystems seem particularly apposite for ephemeral and I/O-intensive containers.

The user namespacing feature is neat, but be aware that you need a compatible kernel.

And from an operational perspective, the ability to dynamically constrain resources for a container is a powerful feature.

 

Secure?

There’s some confusion around whether these changes ‘makes Docker secure’. While user namespacing reduces the risk in one attack vector, and seccomp enforcement policies can reduce them in the other, security is not a binary attribute of any software platform.

For example, you still need to consider the content you are downloading and running, and where those components came from (and who is responsible for them!). Also, if someone has access to the docker command, they still (effectively) are a privileged user.

Code

The code is here.

 

Currently co-authoring a book on Docker:

Get 39% off with the code 39miell

dip

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s