clouds, containers, networks and their management
Industry’s First Hardware Signing of Container Images
User Namespaces Provide Enhanced Access Control
Built-in container security analysis in Docker Hub
(launched at DockerCon SF)
Survivable key compromise
Proof of origin
Protection against untrusted transports
Docker Content Trust integrates the guarantees of The Update Framework (TUF) into Docker through Notary, an open source tool that provides trust over any content.
Hardware signing of container images reinforces Docker Content Trust
Yubico released the YubiKey 4 at DockerCon with the goal of increasing the security of Docker images.
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.
http://blog.docker.com/2015/11/docker-content-trust-yubikey/
Docker Experimental only. Signing workflow with the YubiKey inserted:
notary key generate           # with a YubiKey present, the root key is created on the device
notary key list
notary key backup
export DOCKER_CONTENT_TRUST=1 # every push and pull in this shell now signs or verifies
docker push                   # push signs the tag being pushed
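To make the three guarantees above concrete, here is an added example (my own Go code, not Notary's or Docker's) of a minimal TUF-style verifier: a root that names the keys and threshold for the targets role, signed targets metadata with an expiry, and a Verify step that refuses content that lacks enough distinct authorised signatures, has expired, or does not hash to the signed digest. The role name "targets", the threshold of 2, the canonical encoding, the key-ID scheme, the tag name and the sample manifest are all assumptions of this example; Notary's real metadata is JSON and carries further roles (snapshot, timestamp) not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Root is the trust anchor: which keys may sign a role and how many must agree (assumed layout).
type Root struct {
	Keys      map[string]ed25519.PublicKey // key ID -> public key
	Roles     map[string]map[string]bool   // role -> set of authorised key IDs
	Threshold map[string]int               // role -> signatures required
}

// Targets is the signed statement "tag X has manifest digest Y", with an expiry.
type Targets struct {
	Expires time.Time
	Hashes  map[string]string // image tag -> sha256 hex of its manifest
}

type Signature struct{ KeyID string; Sig []byte }

// encodeTargets gives the canonical bytes both signer and verifier use: expiry, then sorted tag=digest pairs.
func encodeTargets(tg Targets) []byte {
	tags := make([]string, 0, len(tg.Hashes))
	for tag := range tg.Hashes {
		tags = append(tags, tag)
	}
	sort.Strings(tags)
	out := fmt.Sprintf("expires=%d\n", tg.Expires.Unix())
	for _, tag := range tags {
		out += fmt.Sprintf("%s=%s\n", tag, tg.Hashes[tag])
	}
	return []byte(out)
}

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func sign(priv ed25519.PrivateKey, tg Targets) Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: keyID(pub), Sig: ed25519.Sign(priv, encodeTargets(tg))}
}

// Verify enforces the slide's guarantees: enough distinct authorised keys (proof of origin; one
// stolen key below the threshold cannot publish), an unexpired statement (stale metadata cannot
// be replayed), and a digest match on the bytes actually fetched (the transport is not trusted).
func Verify(root Root, tg Targets, sigs []Signature, now time.Time, tag string, manifest []byte) error {
	payload := encodeTargets(tg)
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, known := root.Keys[s.KeyID]
		if known && root.Roles["targets"][s.KeyID] && ed25519.Verify(pub, payload, s.Sig) {
			seen[s.KeyID] = true // the same key presented twice counts once
		}
	}
	if len(seen) < root.Threshold["targets"] {
		return fmt.Errorf("targets: %d valid signatures, need %d", len(seen), root.Threshold["targets"])
	}
	if !now.Before(tg.Expires) {
		return errors.New("targets metadata expired: refusing stale content")
	}
	want, ok := tg.Hashes[tag]
	if !ok {
		return fmt.Errorf("tag %q is not in the signed targets", tag)
	}
	if sum := sha256.Sum256(manifest); hex.EncodeToString(sum[:]) != want {
		return errors.New("manifest digest mismatch: content altered in transit")
	}
	return nil
}

// NewScenario is a constructed setup: two targets keys with threshold 2 and a
// made-up manifest for one tag (sample data, not a real image).
func NewScenario(now time.Time) (Root, []ed25519.PrivateKey, Targets, []byte) {
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:example"]}`)
	sum := sha256.Sum256(manifest)
	root := Root{Keys: map[string]ed25519.PublicKey{}, Roles: map[string]map[string]bool{"targets": {}}, Threshold: map[string]int{"targets": 2}}
	var keys []ed25519.PrivateKey
	for i := 0; i < 2; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keys = append(keys, priv)
		root.Keys[keyID(pub)] = pub
		root.Roles["targets"][keyID(pub)] = true
	}
	tg := Targets{Expires: now.Add(24 * time.Hour), Hashes: map[string]string{"library/alpine:3.2": hex.EncodeToString(sum[:])}}
	return root, keys, tg, manifest
}
```

Call NewScenario, sign the targets with both keys and run Verify with one signature dropped, with the clock moved past the expiry, or with a byte appended to the manifest: each variant is refused with a distinct error. This is why a root key held on a YubiKey matters: the verifier accepts only what the authorised quorum produced, so a single stolen online key, or an attacker sitting on the transport, cannot publish.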
Built-in container security analysis in Docker Hub
Project Goals
An image-scanning service that makes it easier to build and consume high-integrity content
Steps through a sequence of tests, including:
Image security
Component inventory/license management
Image optimization
Basic functional testing
Containers themselves do not have root on the host; only the Docker daemon does.
User namespaces give IT operations a way to separate container privileges from Docker daemon privileges, assigning each container its own privilege mapping by user group.
IT operations can then lock hosts down to a restricted group of sysadmins, per security best practice.
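As an added example (my own Go code, not Docker's) of what that separation looks like at the kernel level: with the daemon's --userns-remap option, each container starts in a user namespace whose /proc/<pid>/uid_map line re-bases the container's UIDs onto an unprivileged host range taken from /etc/subuid. The parser and the two translation functions below show that container root lands on an ordinary host UID and that host root has no representation inside the container at all. The sample mapping "0 100000 65536" and the 65534 overflow UID are assumed defaults for the example; read the real uid_map of a running container to check your host.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// OverflowUID is what the kernel shows for an ID that has no mapping in the
// current user namespace (the "nobody" UID; see /proc/sys/kernel/overflowuid).
const OverflowUID uint32 = 65534

// Mapping is one line of /proc/<pid>/uid_map: IDs [Inside, Inside+Count) in the
// namespace correspond to [Outside, Outside+Count) in the parent (host) namespace.
type Mapping struct{ Inside, Outside, Count uint32 }

// ParseIDMap reads the kernel's "inside outside count" format (uid_map or gid_map).
func ParseIDMap(text string) ([]Mapping, error) {
	var maps []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("bad map line %q", sc.Text())
		}
		var v [3]uint32
		for i, f := range fields {
			n, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad map line %q: %v", sc.Text(), err)
			}
			v[i] = uint32(n)
		}
		// The kernel rejects empty ranges and ranges that wrap past 2^32; do the same.
		if v[2] == 0 || uint64(v[0])+uint64(v[2]) > 1<<32 || uint64(v[1])+uint64(v[2]) > 1<<32 {
			return nil, fmt.Errorf("map line %q out of range", sc.Text())
		}
		maps = append(maps, Mapping{v[0], v[1], v[2]})
	}
	return maps, sc.Err()
}

// ToHost translates a UID as seen inside the container to the host UID it
// really is; ok is false when the container UID is unmapped.
func ToHost(maps []Mapping, inside uint32) (host uint32, ok bool) {
	for _, m := range maps {
		if inside >= m.Inside && inside-m.Inside < m.Count {
			return m.Outside + (inside - m.Inside), true
		}
	}
	return OverflowUID, false
}

// ToContainer is the reverse view: what a host-owned file's UID looks like from
// inside. Under a remap, host UID 0 has no mapping, so it shows as OverflowUID.
func ToContainer(maps []Mapping, host uint32) (inside uint32, ok bool) {
	for _, m := range maps {
		if host >= m.Outside && host-m.Outside < m.Count {
			return m.Inside + (host - m.Outside), true
		}
	}
	return OverflowUID, false
}

// DockerDefaultMap is a constructed sample of the uid_map a remapped container
// gets when /etc/subuid allots the remap user the range 100000-165535
// (assumed values; the real file on your host may differ).
const DockerDefaultMap = "         0     100000      65536\n"

func main() {
	maps, err := ParseIDMap(DockerDefaultMap)
	if err != nil {
		panic(err)
	}
	for _, uid := range []uint32{0, 1000, 65535, 65536} {
		host, ok := ToHost(maps, uid)
		fmt.Printf("container uid %5d -> host uid %6d (mapped=%v)\n", uid, host, ok)
	}
	inside, ok := ToContainer(maps, 0)
	fmt.Printf("host root (0) appears inside as uid %d (mapped=%v)\n", inside, ok)
}
```

The practical consequence for IT operations: a process that escapes a remapped container as "root" arrives on the host as UID 100000 with no special privilege, and host-root-owned files bind-mounted into the container appear as owned by nobody and are not writable from inside.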
"an on-premises solution for deploying and managing Dockerized distributed applications in production on any infrastructure."
Gives IT ops a single Docker-native management interface for all containers, on-premises or in the cloud.
Currently in beta.
UCP is to containers as vCenter is to VMs
•LDAP/AD integration with Trusted Registry
•Role based access control (RBAC) to cluster, apps, containers, images
•Visibility into cluster, apps, containers, images, events with intuitive dashboards
•Manage clusters, images, network and volumes
•Manage apps and containers
•Monitoring and logging
•On-premises deployment
•Out of the box TLS
•LDAP/AD authentication
•User audit logs
•Out of the box HA
• Docker Engine 1.9 features a new networking system, and Swarm integrates fully with it. Any networks you create in Swarm work seamlessly across multiple hosts.
Multi-host networking no longer experimental
Out of the box overlay networking in 1.9
New 'docker network' command provides management of networks as a top-level object
Extensibility through network plugins
Already 6 implementations done or under development
Support for DNS to come later
An IP per container, in contrast to an IP per pod in Kubernetes
Dec 10th: Introduction to Docker Security
Dec 17th: Intro to Docker - Demo and FAQ
Feb 11th: Introduction to the Docker Platform