How does CoreOS' Rocket container technology differ from Docker security-wise? Are there scenarios where it would be preferable to use Rocket over Docker and vice-versa?
CoreOS Rocket -- commonly referred to as rkt -- and Docker are containers for executing images in isolation without requiring a virtualization hypervisor. Compared to virtualization platforms, both CoreOS and Docker are relatively lightweight options; CoreOS strives to be a minimalist implementation of a container builder and manager, while Docker has expanded the scope of the features it supports.
Docker and CoreOS have joined together with other industry vendors under the auspices of the Linux Foundation to define a common container standard known as the Open Container Initiative. Differences in Docker and CoreOS are likely to become less important as the Open Container Initiative moves ahead.
From a technology perspective, CoreOS Rocket uses more of a microservice, minimalist approach to design. Rocket is a container format and relies on other applications, such as Kubernetes for cluster management. Docker has a more monolithic design and incorporates multiple services in a single binary.
Splitting functions into separate applications has a number of advantages. Minimalist approaches reduce the attack surface of the application and potentially decrease the chances of introducing vulnerabilities related to complex, difficult-to-model code.
One bigger difference between the two is that the Docker runtime uses a daemon that requires root privileges. This has implications for how it is used. For example, if an API is used to issue commands to the Docker daemon, then the API may be exploited for malicious activities, such as running unauthorized containers. The Docker development team has been actively changing code to reduce potential risks, such as malicious image loading.
Docker images can be configured to run with restricted privileges. Web servers, for example, can be configured with limited capabilities, such as privileges to bind ports below 1024.
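The two concerns above, a root daemon whose API must not be reachable from inside a container and a capability set trimmed down to what a web server needs, can be checked from `docker inspect` output. The audit below is an added example, not code from the original answer or from Docker; it reads the standard `HostConfig` and `Config` fields of `docker inspect` and runs against two constructed records (one weak, one hardened) so it works offline.

```python
"""Audit `docker inspect` records for the weak settings discussed above.

Constructed example runs that would produce the two sample records:
  weak:      docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock nginx
  hardened:  docker run -d --user 101 --cap-drop ALL --cap-add NET_BIND_SERVICE \
                 --read-only -p 80:80 nginx
"""
import json

# Constructed, trimmed `docker inspect` records; real output carries many more fields.
WEAK = json.dumps([{"Name": "/web-weak",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "ReadonlyRootfs": False}}])
HARDENED = json.dumps([{"Name": "/web-hardened",
    "Config": {"User": "101"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                   "CapDrop": ["ALL"], "Binds": None, "ReadonlyRootfs": True}}])

# The only capability a web server needs to bind a port below 1024.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}


def audit(inspect_json):
    """Return {container_name: [findings]} for every container in the inspect output."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        findings = []
        if hc.get("Privileged"):
            findings.append("privileged: container holds every capability and raw device access")
        if not c.get("Config", {}).get("User"):
            findings.append("process runs as root inside the container (no --user)")
        if "ALL" not in (hc.get("CapDrop") or []):
            findings.append("default capability set kept (no --cap-drop ALL)")
        extra = set(hc.get("CapAdd") or []) - ALLOWED_CAPS
        if extra:
            findings.append("capabilities added beyond NET_BIND_SERVICE: " + ", ".join(sorted(extra)))
        for bind in hc.get("Binds") or []:
            # Mounting the daemon socket hands the container the root daemon's API.
            if bind.split(":")[0].endswith("docker.sock"):
                findings.append("Docker daemon socket mounted into the container")
        if not hc.get("ReadonlyRootfs"):
            findings.append("writable root filesystem (no --read-only)")
        report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in {**audit(WEAK), **audit(HARDENED)}.items():
        print(name, "->", findings or "no findings")
```

On a live host the same function can be fed `docker inspect $(docker ps -q)` output.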
Before choosing a platform and evaluating container security, it is important to recognize the rapid pace of change in this area. Developers have joined to form a common standard. Containers exist as part of a larger ecosystem that includes other services, such as cluster managers, so they should not be evaluated in isolation from your larger environment.
Also keep in mind that hardware vendor Intel is developing hardware-embedded virtualization technologies that will likely improve container security in the future. Other vendors will probably follow suit.
Related Q&A from Dan Sullivan