Bug fixes polish Docker container management
Just as into every life some rain must fall, into every software some bugs must creep — and Docker is no exception.
Docker container management received some incremental, but important, improvements this month, with fixes to security and domain name system (DNS) bugs. The updates underscore why security in depth is critical in container environments.
Docker responded in mid-January 2017 to a security vulnerability in runC, called CVE-2016-9962, which was reported earlier in the month. The vulnerability could have allowed for privilege escalation from containers to hosts, as well as potentially help a hacker access the wider corporate network. Docker rated the bug as minor and patched it with Docker 1.12.6.
Docker container management adherents said they weren’t affected by the bug, but it’s a good reminder of the necessity of defense in depth as container technology matures.
“For us, other security systems not based in Docker were available to help negate any ill effect here,” said Alex Witherspoon, vice president of platform engineering at FlightStats Inc., a Portland, Ore., company that provides real-time aviation data services.
For many, defense in depth starts with things as simple as a firewall to prevent unauthorized control over a Docker container in the first place, Witherspoon said.
“We also use New Relic and APM [application performance monitoring] as a way to detect bad behavior in the environment, so we can automatically block or deny a bad actor,” he added.
In order to exploit CVE-2016-9962 in an attack, one must first compromise the code and the means by which the code is placed within the container, said Edward Haletky, CEO and principal analyst at TVP Strategy, based in Austin, Texas.
Containers, therefore, require code evaluation before they are put into an environment, and code security testing to ensure the possibility of this attack is not allowed, Haletky said.
“Just patching or using SELinux is not enough of an answer,” Haletky said. “We need control and security testing of every aspect of container deployment.”
As the technology evolves, to track and deploy Docker containers and the Docker daemon itself, FlightStats has had to get comfortable with numerous deployments to keep up to date.
“Docker is still very young and changing rapidly,” Witherspoon said.
Docker 1.13 incremental, but important
Speaking of updates, Docker 1.13, released by the company last week, introduces a number of subtle, but essential, updates for Docker container management.
One update that will make frequent upgrades easier to deal with is backward compatibility for the command-line interface (CLI), according to a Docker blog.
“We stick with newer versions, but this will probably be very helpful for admins who are not constantly updating Docker,” said Chris Riley, director of solutions architecture at cPrime, an Agile software development consulting firm in San Francisco.
The CLI also has been cleaned up with simplified commands and restructured, which will also greatly contribute to better ease of use for containers, Riley said.
“I have had a lot of clients complain about disk usage when using Docker, and [some of the new] commands are meant to help this issue and will be helpful,” Riley said. “This is a nice refactor as they expand their API, and [it] helps keep things organized and focused.”
Upgrades that simplify how Docker container logs are accessed will improve container monitoring, and Riley said he’s excited to see Docker for Amazon Web Services (AWS) and for Microsoft Azure come out of beta with this release.
“The fact that [Docker is] targeting the ops side and the two largest cloud providers is smart,” Riley said. “We have been waiting for this to compete with Kubernetes on AWS and Amazon ECS [EC2 Container Service].”
Another update to Docker 1.13 that wasn’t mentioned in the company’s blog post is a bug fix for an irksome DNS issue in previous versions, according to Witherspoon.
“Some containers would rarely, but very painfully, fail to resolve certain DNS lookups for no apparent reason,” he said. “It seems better now — time and testing will tell.”
Docker declined to comment on whether CVE-2016-9962 is fully resolved, how it resolved the DNS lookups bugs, or whether there are any significant changes or new features in the generally available versions of Docker for AWS and Azure.