API-driven analysis service inspects container images for known security flaws.

As container technologies grow in popularity, security is becoming a critical issue. In February, Docker addressed one of the major security concerns by adding support for user namespaces in the Docker 1.10 release. Now the CoreOS team has launched an open source project called Clair, an API-driven analysis service that inspects container images for known security flaws. Developers can use it to build services that scan containers for security threats and vulnerabilities.

Quentin Machu, a software engineer at CoreOS, explained on a company blog that “Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures database (CVE) and similar databases from Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.”

This enables Clair to know about new vulnerabilities, and DevOps are notified immediately. CoreOS’ hosted private container registry, Quay, will incorporate Clair as a feature. Joey Schorr, a software engineer on the Quay team, wrote in a blog post, “In practice, every time an image is pushed into Quay, the analysis system will check for vulnerabilities, flag it in the interface, and send a notification. It will include a level of the vulnerability – high, medium or low – with a description and packages that are installed. A link is included to the vulnerability’s source information, which generally includes steps required to patch the vulnerability.”

In a test, Quay Security Scanning (QSS) discovered that more than 80% of vulnerabilities rated High and Critical have known fixes that can be applied with a simple update to packages in these images. One such example is Heartbleed, which according to QSS is still a potential threat to 80 percent of the Docker images users have stored on Quay. Though CoreOS Linux comes with an auto-update tool that patches vulnerabilities like Heartbleed at the OS layer, containers still lack such measures.

CoreOS product manager Jake Moshenko told me via email that “Clair is responsible for finding vulnerabilities in deployable container images before they get distributed and run as containers. This leverages the hard work that OS vendors have been doing to track and patch exploits.”

Clair is, however, not the only solution on the market. So when I asked how Clair distinguishes itself from the rest, Moshenko told me that “one key way that Clair is unique is that through being open source and being built on top of open source technologies, Clair can be deployed on premises. Another key differentiator between Clair and other solutions is that we index everything up front, and only reference those images when identifying vulnerabilities. This means that we can continue to find and notify users about problems without re-running or re-analyzing images.”

For more background on the history of CoreOS, containers and Docker, read “CoreOS CTO: Containers Are the Next Linux Package Manager.”
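The index-then-match design Machu and Moshenko describe (inventory each layer once, then match new CVE feed entries against the stored index without re-analyzing images) can be illustrated with a small model. This is an added example, not Clair's own code; the layer digests, image names, package versions and the CVE id are constructed placeholders, and versions are simplified to dotted integers.

```python
# Toy model of the index-then-match design described in the article (added example,
# not Clair's code): layers are inventoried once, feed entries are matched later.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    package: str
    fixed_in: str   # first version carrying the fix (dotted integers only, a simplification)
    severity: str   # "High", "Medium" or "Low", as surfaced in the notification

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

class LayerIndex:
    def __init__(self):
        self.layers = {}   # layer digest -> {package name: version} introduced by that layer
        self.images = {}   # image name -> ordered list of layer digests

    def index_layer(self, digest, packages):
        # A layer shared by many images is indexed once; repeat pushes are no-ops.
        self.layers.setdefault(digest, dict(packages))

    def register_image(self, image, digests):
        self.images[image] = list(digests)

    def inventory(self, image):
        # Later layers override earlier ones, so a package upgraded in a child layer wins.
        merged = {}
        for digest in self.images[image]:
            merged.update(self.layers[digest])
        return merged

    def notifications(self, vuln):
        # Answered from the stored index only: nothing is pulled or rescanned.
        hits = []
        for image in self.images:
            ver = self.inventory(image).get(vuln.package)
            if ver is not None and version_tuple(ver) < version_tuple(vuln.fixed_in):
                hits.append((image, vuln.cve_id, vuln.severity))
        return sorted(hits)

def demo():  # constructed sample data: digests, image names and the CVE id are placeholders
    idx = LayerIndex()
    idx.index_layer("sha256:base", {"openssl": "1.0.1", "bash": "4.3"})
    idx.index_layer("sha256:web", {"nginx": "1.9"})
    idx.index_layer("sha256:fix", {"openssl": "1.0.2"})
    idx.register_image("quay.io/example/web", ["sha256:base", "sha256:web"])
    idx.register_image("quay.io/example/patched", ["sha256:base", "sha256:fix"])
    # A feed entry arriving after indexing is matched without touching the images again.
    return idx.notifications(Vulnerability("CVE-0000-0001", "openssl", "1.0.2", "High"))
```

Only the image whose effective package set still carries the vulnerable OpenSSL is reported; the image that upgraded it in a later layer is not.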