Part One of Getting Started with Docker introduced some features of the Docker solution that set it apart from VMs and other comparable technologies. In this follow-up article, we’ll take a look at how ScriptRock works with Docker containers, both in how we deliver our product to customers and in its built-in integration capabilities for simplifying tasks like creating Dockerfiles.
Security Benefits of Docker Containers
Using Docker to package up and deploy applications can yield a myriad of benefits, including higher server instance utilization in the cloud and multi-cloud portability. From a security standpoint, Docker containers provide unique benefits through isolation: since containers make it easy to segregate applications that would typically run on the same host, configurations for items like ports and files can be uniquely tied down to each container and application.
For instance, ScriptRock’s cloud-hosted single tenant appliance is built on top of a cluster of Docker systems. This effectively isolates our customers from each other: every deployment runs its own database instance, with its own data isolated from everyone else’s. In fact, the entire application stack is run inside of the container—making constituent components like web workers and services also unique to each deployment.
Consider the following scenario: a Ruby-on-Rails (RoR) vulnerability is exploited by an attacker, allowing him access to the Rails server and resident data. In a Docker-packaged deployment of the application stack, only one customer is impacted. Similarly, if one host goes down in the Docker cluster, none of the other customer hosts/deployments are affected. Another common architecture places the database and application stack in separate Docker containers for even more granularity, as depicted in the RoR/PostgreSQL configuration below.
A two-container Rails/PostgreSQL configuration. Source: LearningDocker.com
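The two-container layout described above, sketched as a Docker Compose file. This is an added example, not ScriptRock's or LearningDocker.com's configuration; the application image, its `DATABASE_*` variables, the `/app/tmp` path, the image tags and the secret file location are assumptions.

```yaml
# Added example: one deployment split into an app container and a database container.
services:
  web:
    image: example/rails-app:1.0          # hypothetical application image
    ports:
      - "127.0.0.1:3000:3000"             # the only published port, bound to loopback
    environment:
      DATABASE_HOST: db                   # resolved on the private backend network
      DATABASE_PASSWORD_FILE: /run/secrets/db_password  # assumes the app reads this file
    secrets:
      - db_password
    networks:
      - frontend
      - backend
    read_only: true                       # root filesystem is immutable at runtime
    tmpfs:
      - /tmp
      - /app/tmp                          # assumed Rails tmp/pids location
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    depends_on:
      - db

  db:
    image: postgres:16                    # official image; tag chosen for illustration
    # No "ports:" entry: PostgreSQL is never published on the host.
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - db_data:/var/lib/postgresql/data  # this deployment's data only
    networks:
      - backend
    security_opt:
      - no-new-privileges:true

networks:
  frontend: {}
  backend:
    internal: true                        # no route between this network and the outside

volumes:
  db_data: {}

secrets:
  db_password:
    file: ./secrets/db_password.txt       # assumed path, kept out of the image
```

Starting this file under a separate project name per customer (`docker compose -p <name> up -d`) gives each deployment its own networks and data volume, so a compromised `web` container reaches only its own `db`.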
Incidentally, in terms of issues like the previously mentioned RoR vulnerabilities, ScriptRock can scan the application stack for such flaws automatically—even inside Docker containers, as we’ll soon see.
ScriptRock’s Platform Integration with Docker
The security benefits to isolation—as well as the industry’s shift towards software modularity—have made containers all the rage now. DevOps-enabled organizations in particular have adopted Docker for its portability and multi-cloud interoperability: the ability to package an application together with its libraries and dependencies for deployment across disparate cloud providers and customer deployments. However, keeping these software stacks and systems configured securely and consistently inside their containers can be just as unwieldy as traditional IT systems.
Luckily, ScriptRock can scan and monitor environments within Docker containers, just like any other system. Our platform’s agentless architecture uses lightweight SSH-based connection managers for connecting to and scanning/monitoring Docker containers. Once a Docker container’s environmental state has been captured by ScriptRock, powerful differencing and variance analysis tools can be used to keep your environment states in alignment. In the spirit of open integration, ScriptRock also outputs to popular automation and DevOps tools, including Docker, which makes recreating containers to exact configuration specifications a trivial affair. With one click, a Dockerfile snippet is created from the desired node for easy automation.
Generating Dockerfile snippets from ScriptRock.
In short, Docker gives organizations the ability to package, deploy, and isolate applications for increased security and portability. ScriptRock not only takes advantage of Docker's benefits in the cloud-based single tenant appliance offering, but can also output your Docker container's configurations to Dockerfile snippets automatically. Of course, native Docker integration is just one of a myriad of powerful features that make ScriptRock the leading platform for configuration integrity. Give ScriptRock a test drive to find out for yourself, on us.