Docker 1.13 Prunes Containers, Improves Security

by Sean Michael Kerner

The Docker 1.13 release introduces multiple new commands including prune and squash, which can help containers to use disk space more efficiently.

Docker officially announced its 1.13 release on Jan. 19, with new capabilities to help build, manage and secure containers.

Among the interesting new capabilities in Docker 1.13 are several new commands that enable users to understand and manage container storage space usage. The new 'docker system prune' command will remove unused data, while the 'docker system df' command shows users how much space has been used on a given disk.

Making Docker containers even more efficient in terms of storage utilization is the new squash capability that is an experimental option for the 'docker build' command. With the squash capability, multiple filesystem layers that are the byproduct of a container build process are collapsed or 'squashed' into a single layer.

In the Docker 1.12 release that was first announced in June 2016 at the DockerCon 2016 conference, the big new feature was the integration of swarm container orchestration directly into the Docker engine. In the new Docker 1.13 update, the swarm-mode in Docker is being further enhanced.

With Docker 1.13, a user can now use a standard Docker compose command to deploy and manage a swarm service, and define how many instances (or nodes) are needed for each service. Swarm-mode now also benefits from integration with a new Secret Management API that can be used to safely store and retrieve sensitive data used with Docker services.

"In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application's source code," the GitHub commit file for the secrets capability states. "In Docker 1.13 and higher, you can use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it."

The secrets are encrypted both at rest and in transit, with access only given to those services that are running and that have been granted explicit permission.
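
The explicit-grant model described above, shown as an added example that is not from the article or from Docker's own documentation: a stack file in Compose file format 3.1, which assumes Docker 1.13.1 or later. The service names, the image `example/api:1.0` and the secret name `db_password` are constructed for illustration.

```yaml
# Constructed example stack file. Deploy with:
#   docker stack deploy -c stack.yml demo
# Create the secret first on a swarm manager (value read from stdin):
#   printf '%s' "$DB_PASSWORD" | docker secret create db_password -
version: "3.1"

services:
  db:
    image: postgres:9.6
    # Weak pattern this replaces: the password sits in the stack file and
    # is visible to anyone who can inspect the service or its containers.
    # environment:
    #   POSTGRES_PASSWORD: "plain-text-password"
    environment:
      # The official postgres image reads the password from this file.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password          # explicit grant, mounted at /run/secrets/db_password

  api:
    image: example/api:1.0   # hypothetical application image
    secrets:
      - db_password          # the application reads /run/secrets/db_password

  web:
    image: nginx:1.11
    # No `secrets:` entry, so containers of this service never receive
    # db_password, even when scheduled on the same node as db or api.

secrets:
  db_password:
    external: true           # created out of band with `docker secret create`
```

Running `docker service inspect` on the deployed `db` service then shows only a reference to the secret, not its value.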

Docker 1.13 also benefits from a pair of incremental updates for Linux mandatory access control technologies including SELinux (Security Enhanced Linux) and AppArmor. Additionally, Docker 1.13 will inherit security fixes from the Docker 1.12.6 release that debuted on Jan. 10. The CVE-2016-9962 security issue patched by Docker 1.12.6 was a container escape vulnerability titled 'Insecure opening of file-descriptor allows privilege escalation.'

The Docker 1.13 release comes as the market for container technologies is continuing to grow. A recent report from 451 Research estimates that in 2016 application container technologies generated $762 million in revenue. By 2020, 451 Research is forecasting that container revenues will rise to $2.7 billion.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

This article was originally published on Friday Jan 20th 2017