VMware Incorporates New Docker Security Guidelines
A just-released benchmark lists 84 recommendations for securing Docker containers.
Although Docker Inc.'s containers are experiencing skyrocketing popularity, the technology is still relatively immature. One of the ways that immaturity manifests itself is in the area of security. Hardening guidance is beginning to emerge, however, and VMware Inc. has released an updated management product to help assess hosts and workloads against it.
The first major benchmark, covering Docker Engine 1.6, has just been released. It's called the CIS Docker 1.6 Benchmark, and it was a joint effort of the Center for Internet Security (CIS), VMware, Rakuten, Cognitive Scale and International Securities Exchange. Like other CIS benchmarks, it is a consensus hardening guide rather than a formal standard: a numbered list of configuration checks and recommended settings, each with a rationale and an audit procedure.
Docker blogged that the benchmark "… provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security."
VMware's Sajai Krishnan, vice president of product marketing, Cloud Management Business Unit, noted that the benchmark includes 84 best practices and recommendations for locking down Docker-containerized environments. Those guidelines have been built into a compliance toolkit and added to VMware's vRealize Configuration Manager.
VMware's Pravin Goyal, who authored the CIS benchmark, blogged that vRealize Configuration Manager "… covers 100% of the automatable recommendations in the benchmark," and said the toolkit is the first of its kind for assessing workload security based on the benchmark.
The list of recommended practices is long, and includes items such as:
- Creating a separate partition for containers
- Removing all non-essential services from the host
- Restricting network traffic between containers
- Allowing Docker to make changes to iptables
- Not binding Docker to another IP/Port or Unix socket
- Not running SSH within containers
- Rebuilding container base images to include security patches
- Verifying that Docker server certificate key file permissions are set to 400
The vast majority of these checks can be automated via vRealize Configuration Manager. Note that the benchmark is version-specific: its recommendations target Docker Engine 1.6 and the daemon flags of that release, so hosts running later versions need the corresponding later CIS benchmark rather than this one.
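As an added illustration of what the automated checks amount to, here is a small POSIX shell audit covering four of the items listed above: server key file mode 400, inter-container traffic restricted, iptables management not disabled, and no daemon binding beyond the default Unix socket. This is example code written for this page, not VMware's toolkit and not a CIS audit script. It assumes a Docker 1.6-era host where the daemon is started as `docker -d <flags>` and configured entirely through command-line flags, and it takes the daemon command line as a string argument (in practice obtained from `ps -ef`) so that it runs offline against constructed input.

```shell
#!/bin/sh
# Added example (not VMware's toolkit and not a CIS audit script): a minimal
# hand-written audit of four CIS Docker 1.6 Benchmark recommendations.
# Assumption: Docker 1.6-era daemon started as "docker -d <flags>", with the
# daemon command line passed in as a string rather than read from the host.

# Octal permission bits of a file, handling GNU stat (-c) and BSD stat (-f).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Recommendation: Docker server certificate key file permissions set to 400.
# Returns 0 only when the mode is exactly 400.
check_key_perms() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "FAIL: key file $key not found"
        return 1
    fi
    mode=$(file_mode "$key")
    if [ "$mode" = "400" ]; then
        echo "PASS: $key has mode 400"
        return 0
    fi
    echo "FAIL: $key has mode $mode, expected 400"
    return 1
}

# Recommendations on daemon flags:
#   restrict traffic between containers  -> --icc=false must be present
#   allow Docker to manage iptables      -> --iptables=false must be absent
#   do not bind to another IP/port or Unix socket
#                                        -> no tcp:// host, and no unix://
#                                           socket other than the default
# Returns 0 when all three pass, 1 if any fails.
check_daemon_flags() {
    cmdline="$1"
    rc=0
    icc_restricted=0
    iptables_disabled=0
    extra_host=0
    for tok in $cmdline; do
        case "$tok" in
            --icc=false)      icc_restricted=1 ;;
            --iptables=false) iptables_disabled=1 ;;
            tcp://*|-H=tcp://*|--host=tcp://*) extra_host=1 ;;
            unix://*|-H=unix://*|--host=unix://*)
                case "$tok" in
                    *unix:///var/run/docker.sock) ;;   # the default socket
                    *) extra_host=1 ;;
                esac ;;
        esac
    done
    if [ "$icc_restricted" = 1 ]; then
        echo "PASS: inter-container traffic restricted (--icc=false)"
    else
        echo "FAIL: --icc=false not set; containers can reach each other freely"
        rc=1
    fi
    if [ "$iptables_disabled" = 1 ]; then
        echo "FAIL: --iptables=false stops Docker from managing iptables rules"
        rc=1
    else
        echo "PASS: Docker allowed to manage iptables"
    fi
    if [ "$extra_host" = 1 ]; then
        echo "FAIL: daemon bound to an IP/port or a non-default Unix socket"
        rc=1
    else
        echo "PASS: daemon listens only on the default Unix socket"
    fi
    return $rc
}

# Stand-alone demonstration on constructed input (not real host state):
# a temporary file stands in for the server key, and two made-up daemon
# command lines stand in for "ps -ef" output.
run_demo() {
    failures=0
    demo_key=$(mktemp)
    chmod 400 "$demo_key"
    check_key_perms "$demo_key" || failures=$((failures + 1))
    chmod 644 "$demo_key"
    check_key_perms "$demo_key" || failures=$((failures + 1))
    rm -f "$demo_key"
    check_daemon_flags "docker -d --icc=false --iptables=true -H unix:///var/run/docker.sock" \
        || failures=$((failures + 1))
    check_daemon_flags "docker -d --iptables=false -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock" \
        || failures=$((failures + 1))
    echo "$failures of 4 checks failed"
}

run_demo
```

The daemon-flag check deliberately tokenizes the command line rather than grepping for substrings, so that `-H unix:///var/run/docker.sock` (the default socket, restated explicitly) passes while `-H tcp://0.0.0.0:2375` or a different Unix socket path fails. On a real host the command line would come from `ps -ef` and the key path from the daemon's `--tlskey` flag; the check functions are unchanged.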
Krishnan said the toolkit is available now and can be downloaded as a free, 60-day trial. Additionally, Docker has produced its first-ever white paper about container security, which is now available for download.
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.