Cloud // Infrastructure as a Service
News
8/15/2014
10:26 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CoreOS Acquires Quay.io For Docker Container Security

Acquisition positions CoreOS as a more secure, enterprise-oriented offering for the Docker form of Linux containers.

 NYC Vs. Vegas: 10 Fun Interop Differences
NYC Vs. Vegas: 10 Fun Interop Differences
(Click image for larger view and slideshow.)

CoreOS, supplier of a Linux distribution geared for servers running Docker containers, has acquired Quay.io, a firm that offers secure hosting of Docker image IDs.

"Your Docker image IDs are secrets and it's time you treated them that way!" says the headline on a Quay.io blog post.

In that blog, Quay.io points out that a Docker image ID is a lot like a password or cryptography's SSH key. It's a proprietary company secret with valuable intellectual property -- the configuration of proprietary systems -- behind it. If you don't safeguard your ID, anyone with it can access the software images on a Docker registry. Quay.io bills itself as being the registry that is an exception to that rule.

Docker software images are a specialized Linux container file that's built up in layers. The layers ensure that an application and its dependencies will be fired up in the correct order and work together as expected. Images are valuable not only for the configurations they contain, but also in their ability to be moved around and used in different environments, as long as they recognize and work with the Docker format.

Consequently, using the image IDs carelessly, not an uncommon practice among developers working with unfinished code, is an invitation to outsiders into company secrets. "Do not post them in support tickets. No more screencasts where you run docker inspect. Do not post screenshots of your repository pages on index.docker.io. Just don't do it," Quay.io urged in the blog post.

Want to learn more about CoreOS Managed Linux? See CoreOS Unveils Linux Containers As A Service.]

To illustrate the point, they ran a docker inspect command against an application running as a Docker image and, oops, "there's the entire 256 bit key."

(Source: Quay.io)
(Source: Quay.io)

A screenshot from Ubuntu Linux's index.docker.io showed the image ID at the top of the screenshot. "Ouch," said the Quay.io authors.

"It is also easy to imagine these IDs being thoughtlessly appended to support tickets, Internet Relay Chat channels, forums, etc. As usual, it's the social aspect to security that proves to be the weakest," they wrote.

In acquiring Quay.io, a New York City firm founded and run by Jacob Moshenko and Joseph Schorr, for an undisclosed amount, CoreOS is positioning itself as more of a secure, enterprise-oriented company for those interested in running the Docker form of Linux containers. Containers are stirring interest, primarily among developers, because of their efficient use of compute resources, with many containers running on a single host. Each container's application is isolated from the others, but the limits of that isolation are still being tested in labs and security firms. The close proximity of different users' applications and data make some hard-boiled security experts nervous.

Disregarding the security of the containers themselves, an immediately addressable problem is use of the container IDs. With the acquisition, announced Wednesday, CoreOS has incorporated Quay.io into its product line and offers the CoreOS Enterprise Registry with Quay.io container ID protections. CoreOS customers who sign up for the Premium version of CoreOS Managed Linux get access to the registry, said Alex Polvi, founder and CEO of CoreOS, in the announcement.

"We are freeing our customers to use Docker containers in a secure and fast way and providing more control over who has access to their source code or applications," he said.

CoreOS is a Linux kernel with related utilities but many components left out. Under the Docker scheme, application-specific modules of Linux are packaged in the Docker format. The only thing that needs to be added to allow it to run is the correct Linux kernel. Polvi once quipped that CoreOS is the equivalent of "25 pictures on your cellphone," compared to the hundreds of megabytes of a normal Linux distro.

Cloud Connect (Sept. 29 to Oct. 2, 2014) brings its "cloud-as–business–enabler" programming to Interop New York for the first time in 2014. The two-day Cloud Connect Summit will give Interop attendees an intensive immersion in how to leverage the cloud to drive innovation and growth for their business. In addition to the Summit, Interop will feature five cloud workshops programmed by Cloud Connect. The Interop Expo will also feature a Cloud Connect Zone showcasing cloud companies' technology solutions. Register with Discount Code MPIWK or $200 off Total Access or Cloud Connect Summit Passes.

Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
8/15/2014 | 6:31:00 PM
CoreOS expands its function
This supplier of a lightweight Linux container host system wants to become the premier host system for Docker containers, hence this acquisition. It's got a foot in the door at Rackspace, Amazon, etc.
Multicloud Infrastructure & Application Management
Multicloud Infrastructure & Application Management
Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Oct. 20, 2014
Energy and weather agencies are busting long-held barriers to analyzing big data. Can the feds now get other government agencies into the movement?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.