Category Archives for "Docker Blog"

Disclosure of Authorization-Bypass on the Docker Hub

Following the postmortem of a previous vulnerability announced on June 30th, the Docker team conducted a thorough audit of the platform code base and hired an outside consultancy to investigate the security of the Docker Registry and the Docker Hub. On the morning of 8/22 (all times PST), the security firm contacted our Security Team:

8/22 – Morning: Our Security Team was contacted regarding vulnerabilities that could be exploited to allow an attacker to bypass authorization constraints and modify container image tags stored on the Docker Hub Registry. Even though the reporting firm was unable to immediately provide a working proof of concept, our Security Team began to investigate.

8/22 – Afternoon: Our team confirms the vulnerabilities and begins preparing a fix.

8/22 – Evening: We roll out a hotfix release to production. Additional penetration tests are performed to assure resolution of these new vulnerabilities. Later, it is discovered this release introduced a regression preventing some authorized users from pulling their own private images.

8/23 – Morning: A new hotfix is deployed to production, addressing the regression and all known security issues. Our Security Team runs another set of penetration tests against the platform and confirms all issues have Continue reading

Docker & VMware: 1 + 1 = 3

Today at VMworld we’re excited to announce a broad partnership with VMware. The objective is to provide enterprise IT customers with joint solutions that combine the application lifecycle speed and environment interoperability of the Docker platform with the security, reliability, and management of VMware infrastructure. To deliver this “better together” solution to customers, Docker and VMware are collaborating on a wide range of product, sales, and marketing initiatives.

Why join forces now? In its first 12 months Docker usage rapidly spread among startups and early adopters who valued the platform’s ability to separate the concerns of application development management from those of infrastructure provisioning, configuration, and operations. Docker gave these early users a new, faster way to build distributed apps as well as a “write once, run anywhere” choice of deployment from laptops to bare metal to VMs to private and public clouds. These benefits have been widely welcomed and embraced, as reflected in some of our adoption metrics:

  • 13 million downloads of the Docker Engine
  • 30,000 “Dockerized” applications on Docker Hub
  • 14,000 stars on GitHub
  • 570 contributors

In its second year, Docker usage continues to spread and is now experiencing mass adoption by enterprise IT organizations.  These organizations span Continue reading

Your Docker agenda for VMworld 2014

Next week starts the gigantic VMworld conference at the Moscone Center in San Francisco, California. If you are attending the conference, come visit us at the Docker booth #230 and make sure to attend the following Docker-related talks, demos, discussions and meetups where you can meet and chat with fellow Dockerites:

Monday, August 25th:

3:30 PM – 4:30 PM, Moscone West, Room 2014

VMware NSX for Docker, Containers & Mesos by Aaron Rosen (Staff Engineer, VMware) and Somik Behera (NSX Product Manager, VMware)

This session will provide a recipe for architecting massively elastic applications, be it big data applications or developer environments such as Jenkins on top of VMware SDDC Infrastructure. We will describe the use of app isolation technologies such as LxC & Docker together with Resource Managers such as Apache Mesos & Yarn to deliver an Open Elastic Applications & PaaS for mainstream apps such as Jenkins as well as specialized big data applications. We will cover a customer case study that leverages VMware SDDC to create an Open Elastic PaaS leveraging VMware NSX for Data communication fabric.

 

5:30 PM – 6:30 PM, Moscone West, Room 2006

VMware and Docker – Better Together by Ben Golub (CEO, Continue reading

Orchestrating Docker containers in production using Fig

In the last blog post about Fig we showed how you could define and run a multi-container app locally.

We’re now going to show you how you can deploy this app to production. Here’s a screencast of the whole process:

Let’s continue from where we left off in the last blog post. First, we want to put the code we wrote up onto GitHub. You’ll need to initialize and commit your code into a new Git repository.

$ git init
$ git add .
$ git commit -m "Initial commit"

Then create a new repository on GitHub and follow the instructions for how to set up a remote on your local Git repository. For example, if your repository were called bfirsh/figdemo, you’d run these commands:

$ git remote add origin git@github.com:bfirsh/figdemo.git
$ git push -u origin master

Next, you’ll need to get yourself a server to host your app. Any cloud provider will work, so long as it is running Ubuntu and available on a public IP address.

Log on to your server using SSH and follow the instructions for installing Docker and Fig on Ubuntu.

$ ssh root@[your server’s IP address]
# curl -sSL https://get.docker.io/ubuntu/ |  Continue reading

Announcing Docker 1.2.0

The hardworking folk at Docker, Inc. are proud to announce the release of version 1.2.0 of Docker. We’ve made improvements throughout the Docker platform, including updates to Docker Engine, Docker Hub, and our documentation.

1.2.0

Highlights include these new features:

restart policies

We added a --restart flag to docker run to specify a restart policy for your container. Currently, there are three policies available:

  • no – Do not restart the container if it dies. (default)
  • on-failure – Restart the container if it exits with a non-zero exit code.
    • Can also accept an optional maximum restart count (e.g. on-failure:5).
  • always – Always restart the container no matter what exit code is returned.

This deprecates the --restart flag on the Docker daemon.

A few examples:
  • Redis will endlessly try to restart if the container exits
docker run --restart=always redis
  • If redis exits with a non-zero exit code, it will try to restart 5 times before giving up:
docker run --restart=on-failure:5 redis

--cap-add --cap-drop

Currently, Docker containers can either be given complete capabilities or they can all follow a whitelist of allowed capabilities while dropping all others. Further, previously, using --privileged would grant all capabilities inside a container, rather than applying a whitelist. This was not Continue reading

Announcing DockerCon Europe 2014

Today we are very happy to announce DockerCon Europe 2014, the first official Docker conference organized in Europe, by both Docker, Inc. and members of the community. The conference will take place in Amsterdam, at the NEMO science center, December 4th and 5th.

We will also have a full day of training prior to the conference, led by Jérôme Petazzoni on December 3rd.

The official website is still under construction as we are finalizing the last details, but today we can announce that the Docker team will be present as well as incredible speakers from the Docker community including:

Call for papers opens today, you can submit your talk here. If you are interested in our sponsorship options, please contact us at [email protected].

We also want to give a special thanks to Pini Reznik, Harm Boertien, Mark Coleman, Maarten Dirkse and the Docker Amsterdam community, who are working with us to bring the best of Docker to Europe.

Save the dates and stay tuned for more announcements!

Automagical Deploys from Docker Hub

I want the speed and other advantages of a static site generator, but with the flexibility of a database-backed CMS.

I want performance, flexibility, and ease of maintenance.

From cars to computers, getting both flexibility and performance all too often requires a carefully weighed set of trade-offs. Generating content for your readers and fans on the web is no exception. On the one hand, techies have recently embraced static site generators such as Jekyll, and for good reason, as these systems provide a lot of advantages (e.g., deploying straight to GitHub Pages, high performance, and ease of keeping your content in version control). However, they are not without their own challenges such as steep learning curves and slow, cumbersome workflows.

On the other hand, flexible, database-backed content management systems such as WordPress can be a better choice in some situations. It’s very nice to have the flexibility to allow non-technical people to edit and update content, and for authors to edit online from anywhere without needing a special suite of software and skills. However, CMSs such as WordPress can also be slow, temperamental, and hard to optimize.

Lately, I’ve been trying to find a good balance for my website. Currently, it Continue reading
