michelangelus - Fotolia

Simple Docker image acquisition the key to IBM's container strategy

By making it easier for clients to acquire a Docker image, IBM hopes to see more enterprises adopting a container-based development strategy.

Acquire, build, delivery, deployment, production runtime and ongoing maintenance are the six key stages in development in which containers can play an important role. None of these steps can happen if the first step, Docker image acquisition, isn't accomplished, and making that happen can be challenging, said IBM fellow and IBM Cloud Platform vice president and CTO Jason McGee at DockerCon 2016 in Seattle this week. McGee introduced IBM's new approaches at the conference to helping developers tackle those challenges. As part of the IBM Bluemix Container Service, new services include providing Docker images in private registries and creating container images for their own software products.

Acquisition is a funny thing in the world of Docker. DockerHub is the container world's equivalent of the Apple store or Google Play. Fully-configured big data processing, microservices hosting, document store tooling and relational database storage systems are a single click and a high-speed download away. But not every Docker image comes from a reliable builder, and often certain features need to be customized. That's where security risks enter the picture, McGee said. Big banks and government agencies are often reluctant to sanction the Docker images that are obtained through a DockerHub download. 

Security is a roadblock that must be overcome in order for widespread adoption to become a reality. To address this major hurdle, DockerHub indicates which images were produced by those who are considered reliable contributors. The problem is that there are no guarantees or assurances. In fact, an old bash shell vulnerability still exists on many DockerHub images that have the Bourne Again Shell installed, creating a great deal of consternation about the sanctity of DockerHub systems.

Of course, McGee said at DockerCon, the alternative to downloading a Docker image is to build one from scratch, a task that can be difficult, daunting, and time-consuming, especially for people who are new to the containerization game.

IBM is addressing these concerns by building Docker images of their own and making them available not only on DockerHub, but also through their own private registries to which clients have access. With IBM standing behind and supporting the containers that clients are targeting for their production machines, potential adopters have more confidence, given that Big Blue has provided their seal of approval.

Containerizing commercial software

And not only is IBM building and making available containers for popular open source products, but they're also creating container images for their own software products, ones that are not chartered under the Apache license. Already, the IBM MobileFirst Platform, IBM Node with StrongLoop and the IBM WebSphere Application Server Liberty profile are already being delivered as Docker images, and more IBM products are soon to follow.

We're building images not only around open source, but also around commercial software.

Jason McGee;
IBM fellow, vice president and CTO; IBM Cloud Platform

"We're building images not only around open source, but also around commercial software," McGee said.

With the IBM Bluemix Container Service catalog comes the ability for organizations to create private registries for their Docker images, giving organizations a bit more control over their enterprise software. The appeal of this approach is twofold. The first benefit to this approach is that a large organization can create standard Docker images for various software products that quickly become both visible and available across the board. The other benefit is the knowledge that the container has no external exposure, and no software vulnerabilities are going to be found by someone acquiring the image and working to exploit it.

Enforcing software security policies

A key part of the container tool set is the IBM Bluemix Vulnerability Advisor (VA) tool, which was introduced at last year's DockerCon. VA examines all of the packages that went into building the Docker image and subsequently report back any potential problems in the containers it examines, McGee said. It also has the ability to enforce best practices and recognize security anti-patterns that might be of concern. For example, the policy adviser can examine various user rights assignments and passwords, and generate an alert when a weak password that might compromise the integrity of the image is identified. These types of tools, which address security while enforcing software governance rules, are essential if widespread adoption of Docker images, from inception to deployment, is to become a reality.

Of course, the IBM Bluemix Container Service continues to provide tools that will guide organizations through all of the container-based software development lifecycle stages. But providing helpful tools and important features that make Docker acquisition and container adoption more palatable is certainly the first step, and it's a step that IBM has clearly done right.

What is the biggest barrier to Docker image adoption at your organizations? Let us know.

Next Steps:

Dockers simplify DevOps, from staging to deployment
DevOps containers move beyond virtualization
How Docker might improve application development

Dig Deeper on DevOps-driven, cloud-native app development

App Architecture
Software Quality
Cloud Computing