Docker 1.10 Foregrounds Container Security

On February 4, Docker announced the release of version 1.10, marked by enhanced orchestration and application-composition functionality, improved security, and better networking capabilities. Docker Compose now lets developers define an application in a single file that enumerates its requirements and the relationships between its constituent components. The Compose enhancements in Docker 1.10 simplify the management of distributed applications by letting developers define “application services, network topologies, volumes and their relationships” in one file. Moreover, this version of Docker lets developers define network attributes independently of a physical network and subsequently integrate with Docker Networking.

With respect to security, Docker 1.10 brings User namespaces to general availability, separating the privileges of individual containers from those of the daemon. As a result, individual containers no longer have root access on the host. Moreover, customers can now restrict host access to a designated group of sysadmins instead of granting global sysadmin access. Additional security functionality in version 1.10 includes Seccomp profiles, which deliver granular policy control over individual containers so that a container can perform only the executable processes assigned to it. Docker 1.10 also features content-addressable IDs, which provide reference IDs for tracking downloaded content, and authorization controls that allow granular access to the Docker daemon to be configured. The combination of the GA of User namespacing, seccomp profiles, content-addressable image IDs and authorization profiles means that security takes center stage in Docker 1.10, giving users a portfolio of tools for configuring granular access control and container-based privileges and functionality. Read more about the release here.
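The four controls named above are easier to reason about when you can see the policy objects each one consumes. The following is an added, self-contained Python walk-through written for this page; it is not Docker's code and does not talk to a Docker daemon. It builds a seccomp profile in Docker's JSON layout and evaluates a syscall against it, computes the host UID that a user-namespace remapping (`dockremap` subordinate range, as in `/etc/subuid`) assigns to a container UID, derives a content-addressable image ID as a SHA-256 digest of the image configuration (simplified: Docker hashes the stored config bytes, here the JSON is canonicalised first), and assembles a `daemon.json` fragment with `userns-remap` and `authorization-plugins`. The plugin name `authz-example` and the allowed-syscall set are constructed for the example.

```python
"""Offline model of the Docker 1.10 security controls: seccomp profiles,
user-namespace remapping, content-addressable image IDs and daemon
authorization plugins.  Added example, not Docker's own code."""
import hashlib
import json


# --- Seccomp -----------------------------------------------------------------
def make_seccomp_profile(allowed_syscalls):
    """Build a deny-by-default profile in Docker's seccomp JSON layout.
    Unlisted syscalls get defaultAction (EPERM); listed ones are allowed.
    Newer Docker accepts a "names" list per rule, as used here."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [
            {"names": sorted(allowed_syscalls), "action": "SCMP_ACT_ALLOW"}
        ],
    }


def seccomp_action(profile, syscall):
    """Return the action the profile applies to one syscall name."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


# --- User namespaces -----------------------------------------------------------
def host_uid(container_uid, subuid_line="dockremap:100000:65536"):
    """Map a UID inside the container to the host UID it really runs as.
    subuid_line mirrors the /etc/subuid entry dockerd creates for the
    default remapping user (constructed sample range)."""
    _user, start, count = subuid_line.split(":")
    start, count = int(start), int(count)
    if not 0 <= container_uid < count:
        raise ValueError("container uid %d outside mapped range" % container_uid)
    return start + container_uid


# --- Content-addressable image IDs --------------------------------------------
def image_id(image_config):
    """Derive an ID from the image configuration content, so any change to
    the config (and therefore to the layers it references) changes the ID.
    Simplification: canonical JSON is hashed instead of the raw stored bytes."""
    canonical = json.dumps(image_config, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()


# --- Daemon configuration --------------------------------------------------------
def daemon_config(authz_plugin="authz-example"):
    """daemon.json fragment enabling userns remapping and an authorization
    plugin; the plugin name is a placeholder."""
    return {"userns-remap": "default", "authorization-plugins": [authz_plugin]}


if __name__ == "__main__":
    profile = make_seccomp_profile({"read", "write", "exit_group", "futex"})
    # Equivalent CLI usage: docker run --security-opt seccomp=profile.json ...
    print(json.dumps(profile, indent=2))
    print("mount ->", seccomp_action(profile, "mount"))          # SCMP_ACT_ERRNO
    print("container root -> host uid", host_uid(0))             # 100000
    cfg = {"architecture": "amd64", "rootfs": {"diff_ids": ["sha256:aa"]}}
    print(image_id(cfg))
    # Equivalent daemon start: dockerd --userns-remap=default --authorization-plugin=...
    print(json.dumps(daemon_config(), indent=2))
```

The seccomp evaluator shows why an allowlist profile is the safer shape: anything not named falls through to `defaultAction`. The UID mapping makes the user-namespace claim concrete: UID 0 in the container is an unprivileged UID on the host, and a UID past the subordinate range cannot be mapped at all.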
