Docker security sound but ‘immature’ says Gartner
The analyst outfit’s most recent assessment of the containerisation tool found the software to be reliable overall but ‘immature’ in admin and management standards.
In Gartner’s latest written assessment of Docker, Security Properties of Containers Managed by Docker, analyst Joerg Fritsch contrasts the security properties of containers with the controls offered by the Linux operating system and by hypervisors. For such a new technology, the report isn’t entirely damning, with Fritsch giving the software an overall decent assessment.
Docker lacking in administration and management
Fritsch highlighted that Docker has left room for improvement in administration and management, which do not yet satisfactorily provide “support for common controls for confidentiality, integrity and availability.” That might sound a little scary; however, it’s important to note that 2015 will likely see the introduction of additions to Docker that harden the software by improving its manageability, bringing the kind of functions businesses expect.
The suggestion of running Docker inside a hypervisor isn’t helpful according to Fritsch, even with the advances VMware has made. At last year’s VMworld 2014, Chris Wolf of VMware and Docker’s Ben Golub spoke about the integration points between Docker and VMware that provide leading flexibility, performance, security, scalability, and management capabilities. However, Fritsch explains:
…except for a further fortification of resource isolation, there is little to be gained from the underlying hypervisor. Docker and containers cannot inherit from the hypervisor what they lack most: secure administration and management features, and support for common controls for confidentiality, integrity and availability. But the hypervisor adds a level of complexity that will need to be managed separately and may cause friction with, for example, evolving SDNs for containerized environments.
For those keen to run Docker, Fritsch insists that SELinux and AppArmor are essential tools for your arsenal. Docker also lacks live migration tools, which makes a hypervisor a good place to run it, albeit one that still trails Parallels’ Virtuozzo in this respect.
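Fritsch’s advice to treat SELinux and AppArmor as essential can be turned into a routine check. The script below is an added example, not code from the Gartner report or the Docker project: it reads the JSON that `docker inspect` emits and flags containers that run without an AppArmor profile or SELinux label, with the profile explicitly set to unconfined, or with `--privileged`. It relies on the `AppArmorProfile`, `ProcessLabel`, `HostConfig.SecurityOpt` and `HostConfig.Privileged` fields of the inspect output; the three container records embedded in it are constructed for the example rather than captured from a real host.

```python
"""Audit `docker inspect` output for missing mandatory access control confinement.

Added example (not from the Gartner report or the Docker project). Feed it the
JSON from `docker inspect $(docker ps -q)`; the SAMPLE_INSPECT records below are
constructed stand-ins in the same shape so the script runs offline.
"""
import json
import sys

# Constructed sample in the (abridged) shape of `docker inspect` output.
# Names, ids and the SELinux label are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {   # AppArmor host, default profile applied: nothing to report
        "Id": "aaa111", "Name": "/web",
        "AppArmorProfile": "docker-default", "ProcessLabel": "",
        "HostConfig": {"Privileged": False, "SecurityOpt": None},
    },
    {   # privileged and explicitly unconfined: three findings
        "Id": "bbb222", "Name": "/batch",
        "AppArmorProfile": "unconfined", "ProcessLabel": "",
        "HostConfig": {"Privileged": True, "SecurityOpt": ["apparmor=unconfined"]},
    },
    {   # SELinux host, container labelled with a type: nothing to report
        "Id": "ccc333", "Name": "/db",
        "AppArmorProfile": "", "ProcessLabel": "system_u:system_r:container_t:s0:c1,c2",
        "HostConfig": {"Privileged": False, "SecurityOpt": ["label=type:container_t"]},
    },
])


def audit_container(record):
    """Return the list of findings for one inspect record; empty means confined."""
    findings = []
    host = record.get("HostConfig") or {}
    opts = host.get("SecurityOpt") or []
    apparmor = record.get("AppArmorProfile") or ""

    # An AppArmor profile is effective unless it is absent or 'unconfined'.
    has_apparmor = apparmor not in ("", "unconfined")
    # SELinux confinement shows up either as an explicit label= option or as
    # the process label dockerd assigned; 'label=disable' switches it off.
    has_selinux = bool(record.get("ProcessLabel")) or any(
        o.startswith("label=") and o != "label=disable" for o in opts
    )

    if host.get("Privileged"):
        findings.append("privileged: all capabilities granted, MAC confinement bypassed")
    if apparmor == "unconfined" or "apparmor=unconfined" in opts:
        findings.append("AppArmor explicitly unconfined")
    if not has_apparmor and not has_selinux:
        findings.append("no AppArmor profile and no SELinux label applied")
    if "label=disable" in opts:
        findings.append("SELinux labelling disabled for this container")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every record in `docker inspect` JSON."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


def report(text):
    """Print one line per container and return the number of unconfined ones."""
    results = audit_inspect_json(text)
    bad = 0
    for name, findings in results.items():
        if findings:
            bad += 1
            print(f"[!] {name}: " + "; ".join(findings))
        else:
            print(f"[ok] {name}")
    return bad


if __name__ == "__main__":
    # Pipe real output in (`docker inspect $(docker ps -q) | python audit.py`)
    # or run with no stdin to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    sys.exit(1 if report(data) else 0)
```

The exit status makes the script usable as a gate in a deployment pipeline: any container that is privileged or running without a MAC profile fails the check, which is the kind of “common control” the report finds missing from Docker’s own management tooling.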
While Docker’s dedicated backup weakness has been addressed by Asigra, the report underlines the fact that, being so new, Docker hasn’t yet amassed the network of tools that would make it fully mature at a production level. However, with the improvements coming in 2015, Docker will be easier to operate and somewhat less worrisome for new adopters.
Fritsch’s report follows the announcement of Docker’s new enterprise solution last year, which was somewhat overshadowed at the European Docker Conference by the news of competition from CoreOS.