CoreOS's Container Security Scanner, Clair, Reaches Production Quality

CoreOS has announced Clair 1.0, the production release of its container security scanner and vulnerability patching app.

Christopher Tozzi, Contributing Editor

March 18, 2016

One area where CoreOS has been doing important things that Docker has not is security.

CoreOS has taken another step toward distinguishing itself in the container ecosystem with the release of Clair 1.0, the production-quality version of its security scanner. But will this truly be enough for CoreOS to stand out from the likes of Docker?

As container companies go, CoreOS is a distant number two. Its name is well known and its software respected, but the company has followed an awkward trajectory — first trying to distribute Docker containers, then producing its own container offering, Rocket (or rkt). The company has arguably done a poor job of moving outside Docker’s shadow.

But the one area where CoreOS has been doing important things that Docker has not is security. In November, the company announced development of a container scanner called Clair, which is designed to detect security vulnerabilities in containers and help developers patch them automatically.

On Friday, CoreOS announced that Clair is now ready for production use. Since November, Clair has evolved to offer better performance through recursive database queries, which CoreOS says improves response time by as much as three orders of magnitude. Clair 1.0 also features a more extensible RESTful JSON API.

Clair has certainly come far in a short time. Back when CoreOS announced the tool in the fall, it was easy to assume that this would be a simple security scanner, which might make some admins feel better about security but not actually do much to improve cloud performance. It is now clear that this is not the case. By all indications, Clair 1.0 is a sophisticated, robust security tool that is easy to extend and to integrate into different types of environments.

Plus, CoreOS is making good on the biggest selling point of Clair, which is that the scanner is able not only to detect security issues but also to patch them. That’s important, CoreOS says, because the whole point of using containers is to build a flexible, scalable infrastructure. If you have to update software manually whenever security vulnerabilities appear, you lose a lot of nimbleness. But if you can handle security in an automated fashion, you’re getting the most out of your cloud.

Indeed, in a way, Clair is like a cloud orchestration platform, except instead of managing the cloud workload, it handles the security front.

This all said, it remains to be seen whether Clair will prove a compelling enough offering to convince cloud admins to consider CoreOS’s container solution instead of Docker. The latter is much more established in the marketplace. It also has gobs more funding. Plus, you can use Clair to scan Docker containers just as well as you can CoreOS container images — so Clair is not going to force companies to use the entire CoreOS platform just to get a better security and upgrade experience.

But Docker compatibility may be the factor that makes people actually use Clair and, in turn, assures that CoreOS gets its slice of the container space. Docker itself has yet to offer security tools like Clair, or even send a strong message that it takes container security seriously. By filling this gap through Clair, CoreOS is positioning itself to stay relevant — although not to advance adoption of its entire container platform.

About the Author(s)

Christopher Tozzi

Contributing Editor

Christopher Tozzi started covering the channel for The VAR Guy on a freelance basis in 2008, with an emphasis on open source, Linux, virtualization, SDN, containers, data storage and related topics. He also teaches history at a major university in Washington, D.C. He occasionally combines these interests by writing about the history of software. His book on this topic, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” is forthcoming with MIT Press.
