
Privilege Isolation in Docker Containers

Hosted By
Jason S. and Toby M.

Details

While still in development, Docker containerization represents what many consider to be the next generation of virtualization. This ambitious program is intended to enable applications to run anywhere seamlessly, by allowing applications (and their configurations) to be packaged as portable light-weight containers that can be run on any system. We believe that Docker containers could represent an enormous step forward in flexibility, performance and economies of scale for anyone operating in a cloud infrastructure, or working with Hadoop/YARN. One of the shortcomings of the current Docker container code is that the root user within these virtualized environments automatically acquires root privileges on the host system. This challenge has been a critical stumbling-block in the release of Docker 1.0 and its deployment in production applications. Altiscale has developed a new feature in Docker called “user namespaces,” which solves this security issue. This feature prevents a containerized application from exercising root privileges on the host system. More technical details on this feature can be found in this blog on our company website: https://www.altiscale.com/making-docker-work-yarn/

Altiscale intends to employ this feature in our purpose-built Hadoop as a Service to securely isolate Hadoop tasks of different tenant customers, as well as contribute this feature to the Docker open source community.

Dinesh Subhraveti Bio

Bio: Raymie Stata CEO/Founder

Raymie comes to Altiscale from Yahoo!, where he was Chief Technical Officer. At Yahoo!, he played an instrumental role in algorithmic search, display advertising, and cloud computing. He also helped set Yahoo!’s Open Source strategy and initiated its participation in the Apache Hadoop project. Prior to joining Yahoo!, Raymie founded Stata Laboratories, maker of the Bloomba search-based e-mail client, which Yahoo! acquired in 2004. He has also worked for Digital Equipment’s Systems Research Center, where he contributed to the AltaVista search engine. Raymie received his PhD in Computer Science from MIT in 1996.

New York Hadoop User group
Tapad
60 Madison Ave, 3rd Floor · New York, NY