VMware Adopts Docker Container Security Guidelines
Though Docker Inc. containers are garnering a lot of publicity, the backing technology is still young. For example, security measures are still evolving, such as VMware Inc.'s management tool that has been updated to meet emerging security standards.
The CIS Docker 1.6 Benchmark is an early major standard, just recently released for Docker Engine 1.6. It's a joint effort of the Center for Internet Security (CIS), VMware, Rakuten, Cognitive Scale and International Securities Exchange.
Docker blogged that the benchmark "… provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security."
VMware's Sajai Krishnan, vice president of product marketing, Cloud Management Business Unit, noted that the benchmark includes 84 best practices and recommendations for locking down Docker-containerized environments. Those guidelines have been built into a compliance toolkit and added to VMware's vRealize Configuration Manager .
VMware's Pravin Goyal, who authored the CIS benchmark, blogged that vRealize Configuration Manager "… covers 100% of the automatable recommendations in the benchmark," and said the toolkit is the first of its kind for assessing workload security based on the benchmark.
The list of recommended practices is long, and includes items such as:
- Creating a separate partition for containers
- Removing all non-essential services from the host
- Restricting network traffic between containers
- Allowing Docker to make changes to iptables
- Not binding Docker to another IP/Port or Unix socket
- Not running SSH within containers
- Rebuilding container base images to include security patches
- Verifying that Docker server certificate key file permissions are set to 400
The vast majority of these processes can be automated via vRealize Configuration Manager.
Krishnan said the toolkit is available now and can be downloaded as a free, 60-day trial. Additionally, Docker has produced its first-ever white paper about container security, which is now available for download.
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.