
Container security: Is CoreOS Rocket better than Docker?

Expert Dan Sullivan takes a look at how CoreOS Rocket and Docker differ security-wise, and how to decide which to deploy in your enterprise.

How does CoreOS' Rocket container technology differ from Docker security-wise? Are there scenarios where it would be preferable to use Rocket over Docker and vice-versa?

CoreOS Rocket -- commonly referred to as rkt -- and Docker are container runtimes that execute images in isolation without requiring a virtualization hypervisor. Compared to virtualization platforms, both Rocket and Docker are relatively lightweight options; Rocket strives to be a minimalist implementation of a container builder and manager, while Docker has expanded the scope of the features it supports.

Docker and CoreOS have joined with other industry vendors under the auspices of the Linux Foundation to define a common container standard known as the Open Container Initiative. Differences between Docker and Rocket are likely to become less important as the Open Container Initiative moves ahead.

From a technology perspective, CoreOS Rocket takes a more microservice-oriented, minimalist approach to design. Rocket is a container format and runtime that relies on other applications, such as Kubernetes, for cluster management. Docker has a more monolithic design and incorporates multiple services in a single binary.

Splitting functions into separate applications has a number of advantages. A minimalist approach reduces the attack surface of the application and potentially decreases the chance of introducing vulnerabilities in complex, difficult-to-model code.

One bigger difference between the two is that the Docker runtime uses a daemon that requires root privileges. This has implications for how it is used. For example, if an API is used to issue commands to the Docker daemon, then the API may be exploited for malicious activities, such as running unauthorized containers. The Docker development team has been actively changing code to reduce potential risks, such as malicious image loading.

Docker images can be configured to run with restricted privileges. Web servers, for example, can be configured with limited capabilities, such as privileges to bind ports below 1024.
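As an added example (not from the article), here is a small audit that reads `docker inspect` output and flags containers that carry more privilege than the restricted web-server pattern just described: it expects all capabilities dropped except the one needed to bind ports below 1024 (CAP_NET_BIND_SERVICE) and also reports a mounted daemon socket, which hands the root-level API to the container. The inspect records are constructed for the example.

```python
import json

# Least-privilege pattern from the text: drop everything, add back only the
# capability for binding low ports.
ALLOWED_ADD = {"NET_BIND_SERVICE"}
DOCKER_SOCKET = "/var/run/docker.sock"

def audit_container(record):
    """Return a list of findings for one `docker inspect` record (a dict)."""
    host = record.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: full host access, capability limits ignored")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities: default set retained (expected --cap-drop ALL)")
    extra = set(host.get("CapAdd") or []) - ALLOWED_ADD
    if extra:
        findings.append("capabilities: unexpected --cap-add " + ",".join(sorted(extra)))
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == DOCKER_SOCKET:
            findings.append("docker socket mounted: container can drive the root daemon API")
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in opts):
        findings.append("security-opt: no-new-privileges not set")
    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs writable (consider --read-only)")
    return findings

def audit_all(records):
    """Map container name -> findings for a whole `docker inspect` array."""
    return {r["Name"]: audit_container(r) for r in records}

# Constructed sample: one container run with the restricted pattern, one with defaults.
SAMPLE = json.loads("""[
 {"Name": "/web-hardened", "HostConfig": {"Privileged": false, "CapDrop": ["ALL"],
   "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": ["no-new-privileges"],
   "ReadonlyRootfs": true, "Binds": []}},
 {"Name": "/web-default", "HostConfig": {"Privileged": false, "CapDrop": null,
   "CapAdd": ["SYS_ADMIN"], "SecurityOpt": null, "ReadonlyRootfs": false,
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Against a live host, pipe `docker inspect $(docker ps -q)` into `json.load` in place of the constructed sample.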

Before choosing a platform and evaluating container security, it is important to recognize the rapid pace of change in this area. Developers have joined to form a common standard. Containers exist as part of a larger ecosystem that includes other services, such as cluster managers, so they should not be considered in isolation from your larger environment.

Also keep in mind that hardware vendor Intel is developing hardware-embedded virtualization technologies that will likely include container security features in the future. Other vendors will probably follow suit.
