Docker 1.10 Highlights – Updated
source link: https://zwischenzugs.com/2016/02/06/docker-1-10-highlights/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Docker 1.10
This video demonstrates some of the highlights of the latest Docker version:
- User namespacing setup and demo
- In-memory filesystem creation
- In-flight resource constraining of a CPU-intensive container
- Internal-facing Docker network provisioning
- Seccomp profile enforcement (updated!)
In-memory filesystems seem particularly apposite for ephemeral and I/O-intensive containers.
The user namespacing feature is neat, but be aware that you need a compatible kernel.
And from an operational perspective, the ability to dynamically constrain resources for a container is a powerful feature.
Secure?
There’s some confusion around whether these changes ‘makes Docker secure’. While user namespacing reduces the risk in one attack vector, and seccomp enforcement policies can reduce them in the other, security is not a binary attribute of any software platform.
For example, you still need to consider the content you are downloading and running, and where those components came from (and who is responsible for them!). Also, if someone has access to the docker command, they still (effectively) are a privileged user.
The code is here.
Currently co-authoring a book on Docker:
Get 39% off with the code 39miell
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK