Docker revs up Engine, hits 1.10
Liberty, security, granularity
Docker pushed the latest version of its eponymous containerization platform out the door late yesterday, with a heavy emphasis on security.
The latest version of Docker Engine finally drops the zero after the decimal point - yes, it's a whole 1.10 release. Companies in this space seem loath to actually commit to anything beyond a 1.x release.*
In a blog post highlighting the release, Docker engineer Jessie Frazelle said the latest version includes Seccomp Profiles, which should give “an extra level of granularity in locking down the processes in your containers to only do what they need.”
The posting went on to say that “What started as a side project for a better way to write custom apparmor profiles, has turned into a proposal for native security profiles in Docker Engine." Details here.
Don’t get too excited. Frazelle said the feature was “still being worked on” but in the meantime she “wanted to give a plug to my awesome tool”. More details here.
Another teaser comes in the shape of the PIDs Control Group. Frazelle wrote: “We decided to make this feature secure by default, meaning we are setting the PIDs Limit for the docker cgroup parent to 512 (actual number may change but something along these lines), more than enough for the average user, but not enough to do great harm. Of course if you need more you can override the default, or even set it as unlimited.” The full feature is due in the next version, 1.11.
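To make the two features above concrete, here is an added example (not code from the article, from Frazelle's post or from Docker itself) that writes a deny-by-default seccomp profile in Docker's JSON format, runs two sanity checks over it, and then applies it together with a per-container PID ceiling at `docker run`. The six-syscall allowlist is constructed for illustration and is far too small for a real service; the `--pids-limit` flag is the per-container override of the cgroup default the article describes and belongs to the 1.11 release it mentions; the `alpine` image and the `docker` binary being on `PATH` are assumptions.

```sh
#!/bin/sh
# Added example: deny-by-default seccomp profile plus a PID ceiling.
# Not from the article or from Docker; the syscall list is constructed.

PROFILE="${PROFILE:-./minimal-seccomp.json}"

# Emit a profile to the path in $1. Any syscall not listed fails with
# EPERM (SCMP_ACT_ERRNO) instead of being blocked outright, so a denied
# call shows up as an error in the application rather than a dead process.
# The allowlist only covers a process that reads/writes already-open
# descriptors and exits; this is the "granularity" the article refers to.
write_seccomp_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    { "name": "read",         "action": "SCMP_ACT_ALLOW" },
    { "name": "write",        "action": "SCMP_ACT_ALLOW" },
    { "name": "close",        "action": "SCMP_ACT_ALLOW" },
    { "name": "exit",         "action": "SCMP_ACT_ALLOW" },
    { "name": "exit_group",   "action": "SCMP_ACT_ALLOW" },
    { "name": "rt_sigreturn", "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# Review checks worth running before trusting a profile: the default must
# be a deny action, and the allowlist should be short enough to read.
profile_default_action() {
  sed -n 's/.*"defaultAction": *"\([A-Z_0-9]*\)".*/\1/p' "$1"
}

profile_allowed_count() {
  grep -c '"action": *"SCMP_ACT_ALLOW"' "$1"
}

# Start a container with the profile and a PID ceiling ($2). Everything
# after the second argument is passed to docker run (image and command).
# Assumes the docker CLI is installed; --pids-limit is the 1.11 flag.
run_locked_down() {
  profile="$1"; pids="$2"; shift 2
  docker run --rm \
    --security-opt "seccomp=${profile}" \
    --pids-limit "$pids" \
    "$@"
}

if [ "${1:-}" = "demo" ]; then
  write_seccomp_profile "$PROFILE"
  echo "default action:   $(profile_default_action "$PROFILE")"
  echo "allowed syscalls: $(profile_allowed_count "$PROFILE")"
  # Under this profile `ls` is denied the calls it needs (openat, getdents)
  # and reports EPERM: the process can only do what the profile permits.
  run_locked_down "$PROFILE" 64 alpine ls /
fi
```

Run it as `sh example.sh demo`. The profile deliberately fails the demo command: seeing `ls` refused is the quickest way to confirm the profile is actually being enforced before widening the allowlist to what the real workload needs. The PID ceiling of 64 (an assumed value) does the same job for fork-heavy misbehaviour that the cgroup default of 512 does at the daemon level.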
Other additions include Authorisation Plugins and user namespaces, which will allow multiple namespaces to reside on the same Docker host.
There are also “incremental improvements” to Docker’s native clustering tech, Swarm 1.1, including rescheduling of containers when a node fails, while a failure to connect to a node will not result in a retry. ®
Bootnote *Just to be clear, this is version 1.10, not 1.1, as in the one after 1.9, and the aforementioned upcoming 1.11. Apologies for any confusion.