So, for fun, let’s begin this article with a little Docker Inception. Let’s run the following commands and see what happens?
docker pull fatherlinux/myfinger
docker run fatherlinux/myfinger
So, what happened? Well, if you ran it, you are now reading the rest of this article in a terminal, with a text based browser called Links. Why is this cool? Because, that is how easy Docker makes it to do certain things. In fact, I built this image by simply committing a Dockerfile to https://github.com/fatherlinux/myfinger and triggering a DockerHub automatic build. Strangely, nobody else in the entire world had a repository called myfinger, and I have the screenshot to prove it.
I was and still am an advocate of Docker. I think this tooling changed the world and laid the groundwork to make packaging and deployment a whole lot easier, but I also think there is a lot more work to be done. I also see some challenges with the project being beholden to Docker Inc.
Well, that brings me to the section of this article where I highlight some really strange things that the Docker project does because Docker Inc essentially controls all pull requests with an iron fist.
- https://github.com/docker/docker/pull/5001: True, this can easily be implemented with external tools, but as AskB rightly mentions, many companies prohibit running random code off the Internet. In fact, I just finished my company’s yearly security training and it warned of this exact problem.
- https://github.com/docker/docker/pull/11991: Why not allow people using the open source tool to select which registry servers they want to connect to? Because you want to drive ALL users who download the Docker tool to DockerHub. I get it, configure this by default, but why not let people block registry servers? Why not let them add registry servers? Red Hat carries this patch and allows Fedora, CentOS, and Red Hat users to configure which servers to connect to. By default all Red Hat Enterprise Linux systems connect to registry.access.redhat.com, but an end user can easily remove that from the /etc/sysconfig/docker configuration file…
- https://github.com/docker/docker-bench-security/pull/55: So, I really liked the Docker CIS benchmark as soon as I saw it. I would prefer that it used OpenSCAP, but I thought it was noble to put a baseline list of sane configurations together. Interestingly, Alpine Linux was chosen as the base image in the container. I immediately created a CentOS and RHEL Dockerfile, first because Alpine Linux didn’t work with CentOS/RHEL (What’s in the Container Does Matterâ„¢), but second because I immediately knew that as a security person, I don’t want to run some other distribution of Linux. I want to build tools like this from scratch on MY version of Linux because that’s what I trust.
The list goes on and on and on, and that’s why Fedora and Red Hat Enterprise Linux carry a set of patches that the Docker project just won’t merge:
So, long story short – I love the Docker project and I really wish it could operate more freely from Docker Inc. I think it would be wonderful if they would listen to the community of users more. It’s not just Red Hat users complaining. This is a secret that is hidden in plain sight. I have chatted with people at conferences, meet ups and I even on an airplane once with a complete stranger who said, “Docker isn’t open source, it’s run by a single company.”
Everyone knows there are challenges, and I totally understand that Docker Inc. is being pulled in a million directions, but I really hope they can keep the community satisfied because CoreOS already decided to create RKT (which essentially amounts to a fork) and I would hate to see more….
I believe the Open Container Initiative (OCI) is a step in the right direction, but I still think Docker Inc. needs to nurture and allow the community to innovate….
As always, please leave comments below, I would love to discuss: