Part One of Getting Started with Docker introduced some features of the Docker solution that make it unique from VMs and other comparable technologies. In this follow-up article, we’ll take a look at how UpGuard works with Docker containers—both in how we deliver our product to customers, as well as in its built-in integration capabilities for simplifying tasks like creating Dockerfiles, among others.
Security Benefits of Docker Containers
Using Docker to package up and deploy applications can yield a myriad of benefits, including higher server instance utilization in the cloud and multi-cloud portability. From a security standpoint, Docker containers provide unique benefits through isolation: since containers make it easy to segregate applications that would typically run on the same host, configurations for items like ports and files can be uniquely tied down to each container and application.
For instance, UpGuard’s cloud-hosted single tenant appliance is built on top of a cluster of Docker systems. This effectively isolates our customers from each other: every deployment runs its own database instance, with its own data isolated from everyone else’s. In fact, the entire application stack is run inside of the container—making constituent components like web workers and services also unique to each deployment.
Consider the following scenario—a Ruby-on-Rails (RoR) vulnerability is exploited by an attacker, allowing him access to the Rails server and resident data. In a Docker-packaged deployment of the application stack, only one customer is impacted. Similarly, if one host goes down in the Docker cluster, none of the other customer hosts/deployments are affected. Another common architecture places the database and application stack in separate Docker containers for even more granularity, as depicted in the RoR/PostreSQL configuration below.
A two-container Rails/PostgreSQL configuration. Source: LearningDocker.com
Incidentally, in terms of issues like the previously mentioned RoR vulnerabilities, UpGuard can scan the application stack for such flaws automatically—even inside Docker containers, as we’ll soon see.
UpGuard’s Platform Integration with Docker
The security benefits to isolation—as well as the industry’s shift towards software modularity—have made containers all the rage now. DevOps-enabled organizations in particular have adopted Docker for its portability and multi-cloud interoperability: the ability to package an application together with its libraries and dependencies for deployment across disparate cloud providers and customer deployments. However, keeping these software stacks and systems configured securely and consistently inside their containers can be just as unwieldy as traditional IT systems.
Luckily, UpGuard can scan and monitor environments within Docker containers, just like any other system. Our platform’s agentless architecture uses lightweight SSH-based connection managers for connecting to and scanning/monitoring Docker containers. And once a Docker container’s environmental state has been captured by UpGuard, powerful differencing and variance analysis tools can be used to keep your environment states in alignment. And in the spirit of open integration, UpGuard outputs to popular automation and DevOps tools—including Docker, which makes recreating containers to exact configuration specifications a trivial affair. WIth one click, a Dockerfile snippet is created from the desired node for easy automation.
Generating Dockerfile snippets from UpGuard.
In short, Docker gives organizations the ability package, deploy, and isolate applications for increased security and portability. Of course, native Docker integration is just one of a myriad of powerful features that makes UpGuard the leading platform for configuration integrity. Give UpGuard a test drive to find out for yourself—on us.