Author Archives: Banjot Chanana

Docker Security Update: CVE-2019-5736 and Container Security Best Practices

On Monday, February 11, Docker released an update to fix a privilege escalation vulnerability (CVE-2019-5736) in runC, the Open Container Initiative (OCI) container runtime used by Docker Engine and containerd. This vulnerability makes it possible for a malicious actor who has created a specially crafted container image to gain administrative privileges on the host. Docker engineering worked with the runC maintainers at the OCI to issue a patch for this vulnerability.

Docker recommends applying the update immediately to avoid any potential security threats. For Docker Engine - Community, this means updating to 18.09.2 or 18.06.2. For Docker Engine - Enterprise, this means updating to 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19. Read the release notes before applying the update, since they contain specific instructions for the Ubuntu and RHEL operating systems.

Summary of the Docker Engine versions that address the vulnerability:

  • Docker Engine Community: 18.09.2, 18.06.2
  • Docker Engine Enterprise: 18.09.2, 18.03.1-ee-6, 17.06.2-ee-19

To better protect the container images run by Docker Engine, here are some additional recommendations and best practices:

Use Docker Official Images

Official Images are a curated set of Docker repositories hosted on Docker Hub that are designed to:

5 Ways to Beat the Clock on Windows Server 2008 End of Support

In just over one year, Microsoft support for Windows Server 2008 will come to an end. Without the proper planning in place, the ripple effects may impact your business. The cost of maintenance will skyrocket, while security and compliance risks will increase without regular patches.

So, how can companies beat the clock? The short answer is that enterprise container platforms can provide a fast and simple way to transform expensive and difficult-to-maintain applications into efficient, secure and portable applications ready for modern infrastructure, whether that is a current Windows Server release (such as WS 2016 or later) and/or the cloud. Taking this approach saves a significant amount of money and improves security and performance across the application lifecycle.

We are already seeing immediate demand from customers in modernizing their existing Windows Server applications in preparation for the end of support in January 2020 – here are five key takeaways we have learned in the process.


1. Existing applications power businesses today

The fact is that most data in the largest businesses in the world runs on legacy applications. And these applications can continue to provide value if enterprises containerize and migrate them to modern environments to make them more Continue reading

Introducing Docker’s Windows Server Application Migration Program


Last week, we announced the Docker Windows Server Application Migration Program, designed to help companies quickly and easily migrate and modernize legacy Windows Server 2008 applications while driving continuous innovation across any application, anywhere.

We recognize that Windows Server 2008 is one of the most widely used operating systems today and the coming end-of-support in January 2020 leaves IT organizations with few viable options to cost-effectively secure their legacy applications and data. The Docker Windows Server Application Migration Program represents the best and only way to containerize and secure legacy Windows Server applications while enabling software-driven business transformation. With this new program, customers get:

  • Docker Enterprise: the leading container platform, and the only one for Windows Server applications.
    Docker Enterprise is the leading container platform in the industry, familiar to millions of developers and IT professionals. It’s also the only one that runs Windows Server applications, with support for Windows Server 2016, 1709, 1803 and soon 2019 (in addition to multiple Linux distributions). Organizations routinely save 50% or more through higher server consolidation and reduced hardware and licensing costs when they containerize their existing applications with Docker Enterprise.
  • Industry-proven tools & services: Easily discover, containerize, and migrate with immediate Continue reading

Simplifying the Management of Kubernetes with Docker Enterprise Edition

Back in October at DockerCon Europe, we announced that Docker will be delivering a seamless and simplified integration of Kubernetes into the Docker platform. By integrating Kubernetes with Docker EE, we provide the choice to use Kubernetes and/or Docker Swarm for orchestration while maintaining the consistent developer-to-operator workflow users have come to expect from Docker. For users, this means they get an unmodified, conformant version of Kubernetes with the added value of the Docker platform, including security, management, a familiar developer workflow and tooling, broad ecosystem compatibility and adherence to industry standards including containerd and the OCI.

Kubernetes and Docker

One of the biggest questions we’ve been asked since we announced support for Kubernetes at DockerCon EU is: what does this mean for an operations team that is already using Kubernetes to orchestrate containers within their enterprise? The answer is fairly straightforward. Kubernetes teams using Docker EE will have the following:

  • Full access to the Kubernetes API and all Kubernetes constructs
  • Native use of kubectl
  • Seamless deployment if you are developing in Kubernetes YAML
  • Ability to develop in Docker with Compose and leverage your best practices around Kubernetes services

Docker Enterprise Edition with support for Kubernetes Continue reading

Extending Docker Enterprise Edition to Support Kubernetes

At DockerCon Europe, we announced that Docker will be delivering seamless integration of Kubernetes into the Docker platform. Bringing Kubernetes to Docker Enterprise Edition (EE) will simplify and advance the management of Kubernetes for enterprise IT and deliver the advanced capabilities of Docker EE to a broader set of applications.

Swarm and Kubernetes Side-by-Side

Docker EE is an enterprise-grade container platform that includes a private image registry, advanced security features and centralized management for the entire container lifecycle. By including Kubernetes for container orchestration, customers will have the ability to run both Swarm and Kubernetes in the same Docker EE cluster while still leveraging the same secure software supply chain for building and deploying applications.

Figure 1. Docker EE Architecture with Multiple Orchestrators

This is possible because Docker EE has a modular architecture that is designed to support multiple orchestrators. The Linux nodes are both Swarm and Kubernetes-ready and application teams can decide which orchestrator to use at app deployment time.

When creating a new Stack in Docker EE, you are given the choice of deploying it as Swarm Services or as Kubernetes Workloads:

Figure 2. Selectable modes at app deployment time

Upon deployment, the Docker EE dashboard has a “Shared Resources” area Continue reading

Introducing Docker Datacenter on 1.13 with Secrets, Security Scanning, Content Cache and more

It’s another exciting day with a new release of Docker Datacenter (DDC) on 1.13. This release includes loads of new features around app services, security, image distribution and usability.

Check out the upcoming webinar on Feb 16th for a demo of all the latest features.

Let’s dig into some of the new features:

Integrated Secrets Management

This release of Docker Datacenter includes integrated support for secrets management from development all the way to production.

This feature allows users to store confidential data (e.g. passwords, certificates) securely on the cluster and inject these secrets into a service. Developers can reference the secrets needed by different services in the familiar Compose file format and hand off to IT for deployment in production. Check out the blog post on Docker secrets management for more details on implementation. DDC integrates secrets and adds several enterprise-grade enhancements, including lifecycle management and deployment of secrets in the UI, label-based granular access control for enhanced security, and auditing of users’ access to secrets via syslog.

Image Security Scanning and Vulnerability Monitoring

Another element of delivering safer apps is around the ability to ensure trusted delivery of the code that makes up that app. In addition to Continue reading

Docker Datacenter adds enterprise orchestration, security policy and refreshed UI

Today we are excited to introduce new additions to Docker Datacenter, our Container as a Service (CaaS) platform for enterprise IT and application teams. Docker Datacenter provides an integrated platform for developers and IT operations teams to collaborate securely on the application lifecycle. Built on the foundation of Docker Engine, Docker Datacenter (DDC) also provides integrated orchestration, management and security around managing resources like access, images, applications, networks and more across the cluster.

This latest release of Docker Datacenter includes a number of new features and improvements focused in the following areas:

  • Enterprise orchestration and operations to make running and operating multi-container applications simple, secure and scalable
  • Integrated end-to-end security to cover all of the components and people that interact with the application pipeline
  • User experience and performance improvements to ensure that even the most complex operations are handled efficiently

Let’s dig into some of the new features.

Enterprise orchestration with backward compatibility

This release of Docker Datacenter not only integrates the built-in orchestration capabilities of Docker Engine 1.12, utilizing swarm mode and services, but also provides backward compatibility for standalone containers started with the docker run command. To help enterprise application teams migrate, it is important Continue reading