Earlier this summer, Docker held the DockerCon event at which it talked about enhancements to its solutions intended to make them better suited for production environments. Some of these enhancements were in the security realm. This week, however, Docker Cloud experienced a 12-hour outage. Here’s what Docker and a few other sources had to say about it.
“Docker Cloud did experience an outage on July 18 due to two distributed denial of service attacks on our DNS,” the company said. “Service was restored … and things are completely back to normal.
“We provided updates via the forums within an hour after the outage was discovered, which was as soon as we could based on the information we had, and continued doing so throughout the day. We also continuously updated the status at status.docker.com,” the company added. “We've taken corrective measures to ensure this situation does not occur in the future, and, most importantly, are taking steps to ensure that user applications will not be affected in the event that Docker Cloud experiences another outage.”
The Register on July 19 was among the media outlets that reported the news, saying that websites running on Docker Cloud were down and that the company’s customers were complaining, not least about Docker’s limited response to the problem.
Website Magazine earlier today reported that “Docker notified users on its system status page that an ‘unusual’ high load on its DNS servers was causing some lookups to fail and there was a corresponding thread about the issue in its forum. That wasn't enough however for some Docker users and they weren't shy about sharing their discontent with others.”
Avi Freedman, co-founder and CEO of Kentik, and his public relations team were approaching media outlets with commentary on the Docker outage, and provided this quote to me this morning: “DDoS is an equal opportunity disrupter of IT value chains. Today there are plenty of private and public clouds that are hosting Docker and other containers, and as distributed applications and microservices architectures grow in popularity, container deployments will grow as well. Anytime there is a dependence on internet traffic flows to deliver applications or services to internal or external users, there is potential vulnerability.”
He added that “CIOs need to develop a (digital supply-chain) game plan. This requires developing a map of all digital trading dependencies, from end users to API calls.”
Despite this outage, Docker has made a number of enhancements to its security.
At DockerCon, the company introduced Cryptographic Node Identity. With it, each node (machine) in a cluster has a unique identity, allowing for workload segregation. One use case: payment card workloads could be dispatched only to machines that have undergone a rigorous auditing process. Docker, at the Seattle event, also introduced a cluster management system that enables end-to-end encryption by default, mutual TLS authentication (to protect against man-in-the-middle attacks) and certificate rotation (to recover from compromised credentials).
In a recent email interview with me, Docker said that the Docker platform is the most secure container runtime available today. Current versions of Docker (1.11 and later) support AppArmor, cryptographic image signing, end-to-end cryptographic signature validation, granular control through the use of cgroups, SELinux (mandatory access control), seccomp (syscall restrictions) and user namespaces (root in the container without privileges on the host).
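Of the features listed above, seccomp is the one an operator most often tunes by hand, and a custom profile is only as good as what it lets through. The following is an added example, not Docker's own code or documentation: it audits a seccomp profile in the JSON shape Docker accepts with `--security-opt seccomp=<file>`, reporting whether the profile denies by default and which sensitive syscalls it allows. The sample profile is constructed for this example, and the set of syscalls it treats as sensitive is this example's own selection, not an official list. Docker 1.11-era profiles listed one syscall per rule under a singular `name` key, while 1.12 and later use a `names` list; the audit accepts both so that older profiles are not silently under-counted.

```python
"""Audit a Docker seccomp profile for permissive settings.

Added example (not Docker's code). The profile below is constructed to
resemble the JSON Docker accepts via `--security-opt seccomp=<file>`;
the list of syscalls flagged as sensitive is this example's own choice.
"""
import json

# Constructed sample profile. Docker 1.11-era profiles used a singular
# "name" key per rule; 1.12+ uses "names" (a list). Both are handled below.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"name": "ptrace", "action": "SCMP_ACT_ALLOW"},
        {"names": ["mount"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 3, "value": 4096, "op": "SCMP_CMP_MASKED_EQ"}]},
    ],
})

# Actions that reject a syscall not explicitly allowed (example's own set).
DENYING_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_TRAP",
                   "SCMP_ACT_KILL_PROCESS"}

# Syscalls whose availability inside a container usually deserves review
# (example's own selection; not an official Docker list).
SENSITIVE = {"ptrace", "mount", "umount2", "keyctl", "kexec_load",
             "init_module", "finit_module", "reboot", "bpf", "unshare"}


def rule_names(rule):
    """Return the syscall names a rule covers, accepting both schemas."""
    if "names" in rule:
        return list(rule["names"])
    if "name" in rule:
        return [rule["name"]]
    return []


def audit_profile(profile_json):
    """Return a dict of findings about a Docker seccomp profile (JSON text)."""
    profile = json.loads(profile_json)
    findings = {
        # True only when the default action rejects unlisted syscalls.
        "deny_by_default": profile.get("defaultAction") in DENYING_ACTIONS,
        "allowed_sensitive": [],      # sensitive syscalls allowed unconditionally
        "conditionally_allowed": [],  # sensitive syscalls allowed with arg filters
        "allowed_total": 0,           # number of syscall names allowed overall
    }
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names = rule_names(rule)
        findings["allowed_total"] += len(names)
        for name in names:
            if name in SENSITIVE:
                bucket = ("conditionally_allowed" if rule.get("args")
                          else "allowed_sensitive")
                findings[bucket].append(name)
    findings["allowed_sensitive"].sort()
    findings["conditionally_allowed"].sort()
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_profile(SAMPLE_PROFILE), indent=2))
```

Run against the sample, the audit reports a deny-by-default profile that nonetheless allows `ptrace` outright and `mount` under an argument filter; those two entries are what a reviewer would want to justify before shipping the profile. A profile whose `defaultAction` is `SCMP_ACT_ALLOW` is flagged as deny-list style, which is the weaker design because every new kernel syscall is permitted until someone adds it to the list.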
“Criticisms of Docker security typically refer to very old versions of the Docker Engine (1H 2015),” the company added. “Docker has been focused over the last year on addressing the three key areas of container security: secure access, secure content, and secure platform. The isolation and containment features are not only built into the Docker Engine but also enabled out of the box. These features allow you to have trust over the origin of your content, reduce the attack surface area of the Linux kernel, improve the containment capabilities of the Docker Engine, and ultimately help you build, ship and run safer applications.”