It's about time Docker got serious about security, and it's setting out to do that -- at least, on paper.
Earlier this week, Docker released a security benchmark for Docker 1.6, a set of standards for how to secure Docker containers, created in conjunction with the Center for Internet Security along with folks from VMware, Rakuten, Cognitive Scale, and International Securities Exchange.
The benchmark, a 118-page document available as a free download, describes a set of best practices for deploying Docker containers in production. All told, there are 84 best practices, along with a checklist summarizing them all, and they range from the obvious (don't let untrusted users run the Docker daemon) to the less obvious (run a local registry mirror to reduce network traffic).
Not all of the recommendations are ironclad; some are more suggestions for good practice than absolutes. That said, the sheer number of recommendations, both for Docker and for the host running it, speaks to how much attention to detail is still needed to run Docker securely.
Docker is further touting the security benchmark as "unbiased and community-driven," meaning that those interested in becoming part of the process of refining the benchmark can submit feedback through CIS.
At least one of the participants in the creation of the security benchmark seems wise to the idea that Docker users will need all the help they can get tightening things up. VMware, a Docker partner in container tech but not exclusively so, is offering an update to one of its own tools -- the VMware vRealize Configuration Manager -- to "[provide] compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation from [the] CIS benchmark." That tool's not a free product, although it is available in a 60-day free trial version.
An enterprising third party could dive in and offer an open source tool to accomplish the same goals, although the ideal solution would have Docker itself provide that kind of tooling -- maybe even by way of its own client. For now, even setting aside the parts of security that are inherently the user's responsibility, the burden of delivering a more secure Docker experience still falls mostly on those putting Docker to work.
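To make concrete what an automatable check looks like, here is an added example that is not Docker's, CIS's or VMware's tooling: two small POSIX shell checks in the spirit of the two recommendations mentioned above (only trusted users in the docker group, and a registry mirror configured). Both take their inputs as arguments, so no Docker daemon is needed to try them. The trusted-user allowlist, the `daemon.json` config file (the modern location for the setting; Docker 1.6 took it as a `--registry-mirror` daemon flag) and the sample group line and JSON are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Docker's, CIS's or VMware's tooling): two small checks
# in the spirit of the benchmark's automatable recommendations, written to
# run against inputs passed in, so no Docker daemon is needed to try them.

# Check 1: only trusted users belong to the "docker" group (membership there
# amounts to root on the host, since members can control the daemon).
#   $1 = the docker entry from /etc/group, e.g. "docker:x:999:alice,bob"
#   $2 = space-separated allowlist of trusted users (assumed to be kept by the admin)
# Prints the untrusted members on one line and returns 0 only if there are none.
untrusted_docker_members() {
    group_line=$1
    trusted=$2
    members=$(printf '%s\n' "$group_line" | cut -d: -f4 | tr ',' ' ')
    bad=""
    for m in $members; do
        case " $trusted " in
            *" $m "*) ;;           # on the allowlist
            *) bad="$bad $m" ;;    # not on the allowlist: flag it
        esac
    done
    bad=${bad# }
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Check 2: a registry mirror is configured for the daemon.
#   $1 = path to a daemon.json (assumption: the modern config file; Docker 1.6
#        took the same setting as a --registry-mirror daemon flag instead).
# Returns 0 if "registry-mirrors" names at least one mirror, 1 otherwise.
# Whitespace is stripped first so a multi-line JSON layout still matches.
registry_mirror_configured() {
    tr -d ' \n\r\t' < "$1" | grep -qF '"registry-mirrors":["'
}

# Dry run on constructed sample inputs; none of this comes from a real host.
demo() {
    group_line='docker:x:999:alice,bob,ci-runner'
    trusted='alice ci-runner'
    cfg=$(mktemp)
    trap 'rm -f "$cfg"' EXIT
    cat > "$cfg" <<'EOF'
{
  "icc": false,
  "registry-mirrors": [
    "https://mirror.example.internal"
  ]
}
EOF
    if bad=$(untrusted_docker_members "$group_line" "$trusted"); then
        echo "PASS docker group: only trusted members"
    else
        echo "WARN docker group: untrusted members: $bad"   # prints "bob" here
    fi
    if registry_mirror_configured "$cfg"; then
        echo "PASS registry mirror configured"
    else
        echo "WARN no registry mirror configured"
    fi
}

demo
```

On a real host the two inputs would come from `getent group docker` and the daemon's config file; the point of passing them in is that the same functions can be exercised in CI against known-good and known-bad fixtures before they are trusted to grade production hosts.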