This video demonstrates some of the highlights of the latest Docker version:
- User namespacing setup and demo
- In-memory filesystem creation
- In-flight resource constraining of a CPU-intensive container
- Internal-facing Docker network provisioning
- Seccomp profile enforcement (updated!)
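The seccomp item above is easiest to understand from a profile file. As an added example (not code from the original post, and not Docker's own default profile), the Python below builds a profile in the JSON shape that `docker run --security-opt seccomp=<file>` accepts, sanity-checks it before use, and emulates the decision the resulting filter will make for a given syscall: an explicit rule wins, everything else falls back to `defaultAction`. The syscall lists are constructed for illustration and are deliberately short; the `build_profile`, `check_profile`, and `decide` helpers are this example's own names.

```python
"""Build, check, and dry-run a Docker seccomp profile (added example)."""
import json

# Constructed example lists: a tiny allow-list and a tiny deny-list.
# Neither is a complete or recommended policy; they exist to show the shape.
BASELINE_ALLOW = ["read", "write", "close", "brk", "mmap", "futex", "exit_group"]
DANGEROUS = ["ptrace", "mount", "umount2", "reboot", "kexec_load", "keyctl", "unshare"]

# Actions understood by Docker's seccomp profile loader.
KNOWN_ACTIONS = {"SCMP_ACT_KILL", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO",
                 "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW"}


def build_profile(mode="denylist", allow=BASELINE_ALLOW, deny=DANGEROUS):
    """Return a profile dict in Docker's seccomp JSON format.

    mode="denylist": allow by default, kill on the named syscalls.  Weaker:
                     any dangerous syscall you forgot stays reachable.
    mode="allowlist": deny by default (SCMP_ACT_ERRNO, i.e. EPERM), allow only
                      the named syscalls.  Stronger, but needs per-app tuning.
    """
    if mode == "denylist":
        default, names, action = "SCMP_ACT_ALLOW", deny, "SCMP_ACT_KILL"
    elif mode == "allowlist":
        default, names, action = "SCMP_ACT_ERRNO", allow, "SCMP_ACT_ALLOW"
    else:
        raise ValueError("mode must be 'denylist' or 'allowlist'")
    return {
        "defaultAction": default,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        # One entry per syscall; "args" is empty because these rules do not
        # filter on argument values.
        "syscalls": [{"name": n, "action": action, "args": []} for n in sorted(names)],
    }


def check_profile(profile):
    """Return a list of problems (empty if the profile looks usable).

    Catches the mistakes that otherwise only surface when the container
    fails to start: unknown actions, duplicate syscall rules, and rules that
    merely restate the default action (harmless, but a sign of confusion).
    """
    problems = []
    if profile.get("defaultAction") not in KNOWN_ACTIONS:
        problems.append("unknown defaultAction %r" % profile.get("defaultAction"))
    seen = set()
    for rule in profile.get("syscalls", []):
        name = rule.get("name")
        if name in seen:
            problems.append("duplicate rule for %s" % name)
        seen.add(name)
        if rule.get("action") not in KNOWN_ACTIONS:
            problems.append("unknown action %r for %s" % (rule.get("action"), name))
        elif rule["action"] == profile.get("defaultAction"):
            problems.append("rule for %s just repeats the default action" % name)
    return problems


def decide(profile, syscall):
    """Emulate the filter's decision for one syscall name under the profile."""
    for rule in profile["syscalls"]:
        if rule["name"] == syscall:
            return rule["action"]
    return profile["defaultAction"]


def write_profile(profile, path):
    """Serialise the profile to disk for docker run --security-opt seccomp=PATH."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    for mode in ("denylist", "allowlist"):
        prof = build_profile(mode)
        print(mode, "problems:", check_profile(prof) or "none")
        for call in ("read", "ptrace", "mount"):
            print("  %-8s -> %s" % (call, decide(prof, call)))
    # Then: docker run --security-opt seccomp=allowlist.json <image>
    write_profile(build_profile("allowlist"), "allowlist.json")
```

The two modes make the trade-off in the post concrete: a deny-list profile leaves every syscall you did not think of reachable, while an allow-list profile fails closed and has to be tuned until the application's real syscall set is covered.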
In-memory filesystems seem particularly apposite for ephemeral and I/O-intensive containers. Bear in mind that a tmpfs mount is backed by host RAM and disappears with the container, so give it an explicit size limit rather than letting it grow unbounded.
The user namespacing feature is neat, but be aware that you need a kernel with user namespace support enabled; some distributions ship with it compiled out or switched off by default.
And from an operational perspective, the ability to constrain the resources of an already-running container, without restarting it, is a powerful feature.
There’s some confusion around whether these changes ‘make Docker secure’. User namespacing reduces the risk from one attack vector (root inside the container now maps to an unprivileged user on the host), and seccomp profiles reduce it in another (the set of syscalls a container can reach), but security is not a binary attribute of any software platform.
For example, you still need to consider the content you are downloading and running, and where those components came from (and who is responsible for them!). Also, anyone who can run the docker command, that is, anyone who can talk to the daemon, is effectively a privileged user on the host, because they can start a container that mounts the host filesystem.
The code is here.