
A hybrid upstart trying to sink its fangs into Docker: Apcera

CEO talks to El Reg about peering inside those mystery containers

Interview With Apcera's new chief architect for security, Jim Reno, formerly of CA Technologies, bedded down in his role, the company is taking aim at one of Docker's in-room elephants. The Register talks to CEO Derek Collison about how IT shops can trust what's in Docker containers.

Collison told The Register's networking desk that while Docker – and devops more generally – is driven by speed, that makes IT shops nervous.

“Generally, to build things faster you need to build less, and assemble more. Docker and the notion of common off-the-shelf software is good, in that respect,” he said.

“But both devops and IT operations need the ability to trust what is being deployed.”

Hence, for example, an incoming Docker container needs to be checkable for zero-day vulnerabilities without the devops team having to pore over code, and “without the developer's cooperation”.

“We've been working on strategies around that – [Apcera as] a platform tech that drives and enforces policy decisions,” Collison said.

To get there, he added, “the platform technology or automation piece needs to understand what to look for, and what to enforce.” That means answering questions like “where is this Docker image allowed to run? What does it mean for me to deploy this image?”

Access to services is also important: what services can a Docker image talk to, what can send data back to the Docker image, and who is responsible for enforcement?

Not that Apcera believes it can answer all of those questions. Collison said that as a member of the Open Container Initiative (OCI), the company is also looking to other members of the ecosystem to help.

In developing its ability to look inside Docker, Collison said, “we understand who is trying to run an image, and the policies of who is running it. So we can say an image 'must be blessed by X'.”

That, he said, might include what layers in the image can run, whether a company can use images from a public repository or only from private repositories, and what has to happen to an image (for example, scanning for exploits) before it's run.

“We can put these transparently as part of the injection point,” Collison claimed, adding that this also makes the deployment auditable without getting in the way of the devops team, “right until they bump into the guardrail.”
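The policy dimensions Collison lists (who is trying to run an image, which registry it may come from, which layers it may contain, whether it has been scanned, and whether it is "blessed by X") map naturally onto an admission check evaluated at the deployment injection point. The following is an added example, not Apcera's code or API; every registry name, signer identity, layer digest and requester in it is a constructed placeholder.

```python
"""Admission-policy check for container images (added illustration).

Not Apcera's code: a small evaluator modelling the guardrails described in
the interview. All names, digests and registries below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ImageRequest:
    """What the platform knows about a deployment request at the injection point."""
    requester: str        # user or team asking to run the image
    image_ref: str        # e.g. "registry.internal.example/team-a/web:1.4"
    layer_digests: list   # layer digests of the image (constructed values)
    signers: set          # identities whose signatures verified on the image
    scanned: bool         # whether a vulnerability scan has been recorded
    scan_findings: int    # findings above the policy threshold


@dataclass
class Policy:
    """The guardrails IT operations want enforced transparently."""
    allowed_registries: set
    required_signer: str
    allowed_requesters: set
    denied_layers: set = field(default_factory=set)  # layer digests known bad
    require_scan: bool = True
    max_findings: int = 0


def registry_of(image_ref: str) -> str:
    """Return the registry host of an image reference.

    Docker treats the first path component as a registry only if it contains
    a dot or a colon or is 'localhost'; otherwise the reference resolves to
    the default public registry, named 'docker.io' here.
    """
    first = image_ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def evaluate(req: ImageRequest, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means 'admit'."""
    violations = []
    if req.requester not in policy.allowed_requesters:
        violations.append(f"requester {req.requester!r} is not allowed to run images")
    reg = registry_of(req.image_ref)
    if reg not in policy.allowed_registries:
        violations.append(f"registry {reg!r} is not an approved source")
    if policy.required_signer not in req.signers:
        violations.append(f"image is not blessed by {policy.required_signer!r}")
    bad = sorted(set(req.layer_digests) & policy.denied_layers)
    if bad:
        violations.append(f"image contains denied layers: {bad}")
    if policy.require_scan and not req.scanned:
        violations.append("image has not been scanned")
    elif req.scanned and req.scan_findings > policy.max_findings:
        violations.append(f"scan reported {req.scan_findings} findings "
                          f"(max {policy.max_findings})")
    return violations


def admit(req: ImageRequest, policy: Policy) -> bool:
    """True when the request passes every guardrail."""
    return not evaluate(req, policy)


# Constructed sample policy and requests.
POLICY = Policy(
    allowed_registries={"registry.internal.example"},
    required_signer="security-team",
    allowed_requesters={"team-a", "team-b"},
    denied_layers={"sha256:deadbeef00"},
)

GOOD = ImageRequest(
    requester="team-a",
    image_ref="registry.internal.example/team-a/web:1.4",
    layer_digests=["sha256:1111", "sha256:2222"],
    signers={"security-team", "team-a"},
    scanned=True,
    scan_findings=0,
)

BAD = ImageRequest(
    requester="contractor",
    image_ref="someuser/web:latest",  # resolves to the public registry
    layer_digests=["sha256:1111", "sha256:deadbeef00"],
    signers={"someuser"},
    scanned=False,
    scan_findings=0,
)

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("bad", BAD)):
        print(name, "admit" if admit(req, POLICY) else evaluate(req, POLICY))
```

Returning the full list of violations rather than a single boolean is what makes the decision auditable: the deployment log records exactly which guardrail the request bumped into, which is the transparency Collison describes, without the devops team having to change their workflow for images that pass.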

Turning all of this into something that draws from the rest of the OCI ecosystem means there's another implication of the work Reno is leading: working out what Apcera can open up in the form of APIs for the rest of the community to work with.

The question of APIs is fundamental to “how we drive trust into these platforms, so that devops can innovate at their speed, with tools like Docker and Kubernetes”, while IT operations and the rest of the company are confident they have guardians around the system.

Collison recalled his time at Google by way of example, where experimental workloads are on the same machines that run production workloads.

“Google trust their intermediate platforms to protect search and ads at all costs, and that's what we want with enterprise IT shops.” ®
