CoreOS Acquires Quay.io For Docker Container Security

Acquisition positions CoreOS as a more secure, enterprise-oriented offering for the Docker form of Linux containers.

Charles Babcock, Editor at Large, Cloud

August 15, 2014

4 Min Read
(Source: Quay.io)

 NYC Vs. Vegas: 10 Fun Interop Differences

NYC Vs. Vegas: 10 Fun Interop Differences


NYC Vs. Vegas: 10 Fun Interop Differences (Click image for larger view and slideshow.)

CoreOS, supplier of a Linux distribution geared for servers running Docker containers, has acquired Quay.io, a firm that offers secure hosting of Docker image IDs.

"Your Docker image IDs are secrets and it's time you treated them that way!" says the headline on a Quay.io blog post.

In that blog, Quay.io points out that a Docker image ID is a lot like a password or cryptography's SSH key. It's a proprietary company secret with valuable intellectual property -- the configuration of proprietary systems -- behind it. If you don't safeguard your ID, anyone with it can access the software images on a Docker registry. Quay.io bills itself as being the registry that is an exception to that rule.

Docker software images are a specialized Linux container file that's built up in layers. The layers ensure that an application and its dependencies will be fired up in the correct order and work together as expected. Images are valuable not only for the configurations they contain, but also in their ability to be moved around and used in different environments, as long as they recognize and work with the Docker format.

Consequently, using the image IDs carelessly, not an uncommon practice among developers working with unfinished code, is an invitation to outsiders into company secrets. "Do not post them in support tickets. No more screencasts where you run docker inspect. Do not post screenshots of your repository pages on index.docker.io. Just don't do it," Quay.io urged in the blog post.

Want to learn more about CoreOS Managed Linux? See CoreOS Unveils Linux Containers As A Service.]

To illustrate the point, they ran a docker inspect command against an application running as a Docker image and, oops, "there's the entire 256 bit key."

A screenshot from Ubuntu Linux's index.docker.io showed the image ID at the top of the screenshot. "Ouch," said the Quay.io authors.

"It is also easy to imagine these IDs being thoughtlessly appended to support tickets, Internet Relay Chat channels, forums, etc. As usual, it's the social aspect to security that proves to be the weakest," they wrote.

In acquiring Quay.io, a New York City firm founded and run by Jacob Moshenko and Joseph Schorr, for an undisclosed amount, CoreOS is positioning itself as more of a secure, enterprise-oriented company for those interested in running the Docker form of Linux containers. Containers are stirring interest, primarily among developers, because of their efficient use of compute resources, with many containers running on a single host. Each container's application is isolated from the others, but the limits of that isolation are still being tested in labs and security firms. The close proximity of different users' applications and data make some hard-boiled security experts nervous.

Disregarding the security of the containers themselves, an immediately addressable problem is use of the container IDs. With the acquisition, announced Wednesday, CoreOS has incorporated Quay.io into its product line and offers the CoreOS Enterprise Registry with Quay.io container ID protections. CoreOS customers who sign up for the Premium version of CoreOS Managed Linux get access to the registry, said Alex Polvi, founder and CEO of CoreOS, in the announcement.

"We are freeing our customers to use Docker containers in a secure and fast way and providing more control over who has access to their source code or applications," he said.

CoreOS is a Linux kernel with related utilities but many components left out. Under the Docker scheme, application-specific modules of Linux are packaged in the Docker format. The only thing that needs to be added to allow it to run is the correct Linux kernel. Polvi once quipped that CoreOS is the equivalent of "25 pictures on your cellphone," compared to the hundreds of megabytes of a normal Linux distro.

Cloud Connect (Sept. 29 to Oct. 2, 2014) brings its "cloud-as–business–enabler" programming to Interop New York for the first time in 2014. The two-day Cloud Connect Summit will give Interop attendees an intensive immersion in how to leverage the cloud to drive innovation and growth for their business. In addition to the Summit, Interop will feature five cloud workshops programmed by Cloud Connect. The Interop Expo will also feature a Cloud Connect Zone showcasing cloud companies' technology solutions. Register with Discount Code MPIWK or $200 off Total Access or Cloud Connect Summit Passes.

About the Author

Charles Babcock

Editor at Large, Cloud

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse University where he obtained a bachelor's degree in journalism. He joined the publication in 2003.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights