At last month’s KubeCon North America, Dirk Hohndel, VP and chief open source officer at VMware, sat down for an episode of TFiR’s “Let’s Talk” series for an insightful discussion on container compliance and how non-compliant containers pose a huge risk to the open source field. Dirk is no stranger to discussing the compliance and security of container images, having recently delivered his “Don’t Ship That Container” presentation at Open Compliance Summit in December. The presentation highlights the challenges around packaging containers, how the format works and the struggle that comes with knowing what’s inside a container image.
During his appearance on “Let’s Talk,” Dirk chatted with Swapnil Bhartiya about how established industry practices for containers aren’t necessarily the best practices. “One of the key concerns is if you look at the Dockerfiles for a lot of the containers that you can get from Docker Hub, you will see in these Dockerfiles things that are allegedly best practices but in my mind are actually worst practices,” Dirk said. For example, Dirk mentioned that the prevalence of downloading a random binary from a user’s GitHub account, making it executable and running it in a container represents a security and compliance nightmare.
Conceptually, container compliance isn’t a new problem, but most people look at containers like it’s something completely new and the rules just changed. In reality, containers are package informant. Most in the industry are overlooking many of the crucial components that come with packaging and shipping containers. The way in which the tooling around container compliance works and the established practices in the industry have created an environment where the right thing isn’t always done, according to Dirk.
Because of that, “this whole topic is something that has grown in attention, relevance and participation over the last year,” Dirk said. In fact, the upcoming Open Source Leadership Summit in Half Moon Bay this spring will feature an automated compliance tool track. On top of that, the Linux Foundation just recently launched their Automated Compliance Tooling (ACT) project. The ACT initiative, which VMware donated its Tern project to, is meant to help people better understand what’s inside their containers and manage compliance obligations.
This hammers home the overlooked aspect of container compliance. This isn’t a criticism on containers—the underlying technologies are solid and strong. It’s a comment on how the industry is changing and how we’re putting these solutions together and thinking about innovation in this space. Containers have been around for years; what’s different now is the context in which they’re used, how they’re used and the open source communities around them.
“The thing that to me is so interesting about open source is that it allows us to work together in a way we didn’t have two decades ago, where the large companies are working together to improve the core technologies that we all work on,” Dirk said. “It’s really rewarding to see these teams of stout competitors sit together and have great conversations on the next version, the next release, the next feature and how to move the community forward. To me that’s a great sign of something that we didn’t have in the past and where the open source community has kind of changed the rules on the playground.”
Container compliance is a challenging endeavor, make no mistake about it. As VMware’s Nisha Kumar writes in her comprehensive blog on the subject, “the challenge with automating OSS compliance for containers stems from the fact that containers are built in an imperative way, despite there being build scripts and Dockerfiles for individual containers and configuration management for container orchestrator.” That’s why she created Tern, which inspects a container image and finds the metadata of the packages that are installed in it.
With more member of the open source community beginning to talk about it container compliance, Dirk hopes that the importance of compliant containers in open source will become a normal, more streamlined practice. Watch Dirk’s full interview here and be sure to stay tuned to the Open Source Blog and follow us on Twitter (@vmwopensource) for more around container compliance and open source.