It’s probably fair to say that, until recently, CoreOS didn’t like Docker. Why? One of CoreOS’s biggest gripes with Docker was that the container platform’s security infrastructure was half baked.
Specifically, there was no way for Docker images to be signed so that anyone using an image could know for sure who had created it and that it hadn’t been tampered with or altered since it was created.
“I think users want signing, the way Apple signs apps in the AppStore,” Kelsey Hightower, CoreOS’s product manager and chief advocate, said earlier this year. “People have been asking for signing with Docker images, and it has never happened. For us that is a security problem.”
But that’s all changed now with the release of Docker 1.8 and the introduction of a new feature called Docker Content Trust (DCT). This integrates The Update Framework (TUF), a secure general design for the problem of software distribution and updates, into Docker using Notary, an open source tool that provides trust over any content.
How Docker DCT Works
How does it work? Essentially, it uses some clever PKI-foo. Once activated, when a publisher creates an image and sends it to a remote registry, Docker Engine automatically signs it with the publisher’s private key. This is done at the publisher’s end.
Then when you or I attempt to pull this image from the registry, our Docker Engine checks the publisher’s public key to verify that the image in the repository is identical to the one that the publisher originally created. If it is, then that proves it has not been tampered with.
It also verifies that the image is the most recent and up to date version available. This “up to date” bit is actually quite important from a security perspective, That’s because without it, a signed image that contains a security vulnerability could be pushed to an end user long after the image had been updated to remove the vulnerability.
How exactly does it check for uptodateness? DCT uses a Timestamp key when publishing the image, and the Timestamp key is stored on a remote server managed by Docker where it can be checked.
The cool thing about Docker Content Trust is that it is designed to be transparent — the experience should be nothing at all like the hassle of downloading an application and then comparing the security hash provided by the author with one you have to compute manually.
That means the only time you’ll ever really encounter DCT is when a Docker command hard-fails with a message that says it was not able to verify the content. That indicates the image’s integrity has been compromised.
So far Docker has signed all its official repository images in Docker Hub so that anyone can get a base set of trusted images from which to start building applications.
Of course, signing is not the only thing that’s new in Docker 1.8. Other enhancements include:
- Docker Toolbox: This is a new installer from Windows and Mac OS X that installs the Docker client, Machine, Compose (Mac only) and VirtualBox.
- Full support for Docker volume plugins: It’s now possible to use third-party storage systems like Blockbridge, Ceph, ClusterHQ, EMC and Portworx using plugins that have already been written. More will doubtless follow in short order.
All in all, Docker 1.8 is a very nice update and one that shows Docker in particular, and the container landscape in general, are getting more and more mature every month.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.