Docker Founder Details His Plan to Secure Virtualization
CHICAGO--Solomon Hykes started the open-source Docker project in March of 2013, and over the last year and half watched it grow into one of the most talked about new virtualization efforts in the industry.
In an interview with eWEEK at the LinuxCon conference here, Hykes discussed what's next for Docker and specifically how the security posture is set to get some significant enhancements.
Docker 1.0 was released on June 9, and new updates have come out every month since then. Hykes explained that new releases of Docker debut every month in a rolling release cycle.
The next set of releases will include new security features for access and identity control.
"The goal is to offer primitives that are simple and solid enough to build all these different complex scenarios," Hykes said. "The basic idea is that if you install a Docker runtime somewhere, that runtime has a keypair associated with it and then you, the end-user, can manage which runtime is authorized to do what."
Hykes explained that the keypair is public key cryptography technology and on top of that is an authorization model for the keys. Going a step further, there could potentially be a validation mechanism that would only trust digitally signed keys issued by an authorized Certificate Authority (CA).
"The goal is to have a default chain of trust that you can rely on," Hykes said.
Docker runs on Linux, which also has a role to play in helping to ensure the isolation of Docker containers. The Linux kernel includes cgroups and namespaces, which are features that provide levels of control and sandboxing within an operating system.
"As for sandboxing, mostly we're tracking the progress in the [Linux] kernel, and we participate in that effort," Hykes said. "With cgroups and namespaces, security at the kernel level is on the right track. It just needs time to be hardened and vetted by the security community."
Another idea that is being worked on in the Docker community is that of container provenance.
"In production you want to be able to ask, 'Who built this and from which source and when, and has it been signed by keys that I trust?'" Hykes said. "Collectively, we call that provenance, and that's a big topic."
Watch the full video interview with Solomon Hykes below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Read more on "Open Source Software Spotlight" »