
Open Container Project: Does it improve container security?

The Open Container Project is creating a standard container image format and runtime engine. Expert Dan Sullivan explains how it can improve container security.

I read about how Docker and CoreOS recently teamed up on a new Linux Foundation effort called the Open Container Project. What is the Open Container Project, and how will open standards improve the security of software containers?

The Open Container Project, also known as the Open Container Initiative, is a tightly focused effort to create a standard container image format and runtime engine, organized under the auspices of the Linux Foundation. Although Docker's format had become practically a de facto standard, an alternative runtime from Linux software provider CoreOS, called rkt, differed enough from Docker to raise the prospect of fragmentation in the container industry.

It is hard to envision software developers gaining a competitive advantage from fragmentation at a key layer of the software stack; it is more likely to stunt development and introduce unnecessary cross-platform issues. Major software and services vendors -- including Google, Red Hat, Oracle, SUSE and VMware -- joined Docker, CoreOS and the Linux Foundation to establish the Open Container Project.

One of the project's driving goals is a secure container standard. That means preserving the isolation of each container's processes and resources from the host and from other containers. The standard is also meant to support strong cryptographic primitives, application identity services and image auditing features, so that an image can be identified and verified by its content rather than by a mutable name.
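The cryptographic primitive that underpins image auditing in the OCI image format, as it was later specified, is content addressing: the manifest, the config and every layer are referenced by their sha256 digest and size, so a verifier can walk the manifest and detect a blob swapped after the image was built. The following Python sketch is an added example, not code from this article or from the OCI project; the in-memory blob store and the layer contents are constructed sample data, and the media-type strings follow the OCI image specification.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    """OCI-style digest string: algorithm prefix plus lowercase hex of sha256."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_descriptor(media_type: str, data: bytes) -> dict:
    """An OCI content descriptor: what a manifest says about one blob."""
    return {"mediaType": media_type, "digest": digest(data), "size": len(data)}


# Constructed sample image: one config blob and two layer blobs. In a real
# OCI image layout these would live under blobs/sha256/<hex>; here a dict
# keyed by digest stands in for that directory.
CONFIG = json.dumps({"architecture": "amd64", "os": "linux",
                     "rootfs": {"type": "layers"}}).encode()
LAYER1 = b"tar+gzip bytes of layer one (constructed)"
LAYER2 = b"tar+gzip bytes of layer two (constructed)"

BLOBS = {digest(b): b for b in (CONFIG, LAYER1, LAYER2)}

MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": make_descriptor("application/vnd.oci.image.config.v1+json", CONFIG),
    "layers": [
        make_descriptor("application/vnd.oci.image.layer.v1.tar+gzip", LAYER1),
        make_descriptor("application/vnd.oci.image.layer.v1.tar+gzip", LAYER2),
    ],
}
MANIFEST_BYTES = json.dumps(MANIFEST, sort_keys=True).encode()
BLOBS[digest(MANIFEST_BYTES)] = MANIFEST_BYTES
MANIFEST_DIGEST = digest(MANIFEST_BYTES)  # what an index entry or a tag resolves to


def verify_descriptor(desc: dict, blobs: dict) -> list:
    """Problems found for one descriptor; an empty list means the blob checks out."""
    data = blobs.get(desc["digest"])
    if data is None:
        return [f"{desc['digest']}: blob missing"]
    problems = []
    if len(data) != desc["size"]:
        problems.append(f"{desc['digest']}: size {len(data)} != declared {desc['size']}")
    if digest(data) != desc["digest"]:  # the actual integrity check
        problems.append(f"{desc['digest']}: content does not match digest")
    return problems


def verify_image(manifest_digest: str, blobs: dict) -> list:
    """Walk manifest -> config -> layers, checking each blob against its digest and size."""
    manifest_bytes = blobs.get(manifest_digest)
    if manifest_bytes is None or digest(manifest_bytes) != manifest_digest:
        return [f"{manifest_digest}: manifest missing or tampered"]
    manifest = json.loads(manifest_bytes)
    problems = verify_descriptor(manifest["config"], blobs)
    for layer in manifest["layers"]:
        problems += verify_descriptor(layer, blobs)
    return problems


def tampered_blobs() -> dict:
    """Copy of the store where layer two was replaced but kept under its original digest."""
    bad = dict(BLOBS)
    bad[digest(LAYER2)] = b"tar+gzip bytes of a backdoored layer (constructed)"
    return bad


if __name__ == "__main__":
    print("clean image:", verify_image(MANIFEST_DIGEST, BLOBS) or "OK")
    print("tampered image:", verify_image(MANIFEST_DIGEST, tampered_blobs()))
```

Because the manifest is itself addressed by its digest, trusting a single manifest digest (for example, one pinned in a deployment manifest or delivered through a signed index) is enough to transitively pin every byte of the image; the size field is only a cheap pre-check and never a substitute for recomputing the digest.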

The members of the project plan to create a minimalist standard that covers the image format and runtime only, leaving supporting tools, such as launching cloud servers or running clusters, out of scope. CoreOS built rkt in part because the scope of the Docker project had expanded well beyond that initial focus, and in part out of concern that the Docker daemon runs as root, which means a compromise of the daemon, or access to its control socket, amounts to root on the host.

A standard way to build container images improves security indirectly as well. A team can justify a significant investment in hardening an application image if that image will be reused many times. Containers lend themselves to automated deployment, which reduces the mistakes that creep into manual deployments, and the automation scripts themselves can be reviewed to confirm that the intended security controls ship alongside the containers. These benefits would still exist with multiple competing container standards, but maintaining them would take additional effort and resources.
