Virtual machines are mainstream in cloud computing. The newest development in this arena is fast and lightweight process virtualization. Linux-based container infrastructure is an emerging cloud technology that provides its users with an environment as close as possible to a standard Linux distribution.
The Linux Containers and the Future Cloud article explains that, as opposed to para-virtualization solutions (Xen) and hardware virtualization solutions (KVM), which provide virtual machines (VMs), containers do not create other instances of the operating system kernel. The advantage this gives containers over VMs is that starting and shutting down a container is much faster than starting and shutting down a VM. The idea of process-level virtualization in itself is not new (remember Solaris Zones and BSD jails).
All containers under a host run under the same kernel. Basically, a container is a Linux process (or several processes) that has special features and that runs in an isolated environment configured on the host. Containerization is a way of packaging up applications so that they share the same underlying OS but are otherwise fully isolated from one another, each with its own CPU, memory, disk and network allocations to work within – going a few steps further than the usual process separation in Unix-y OSes, but not completely down the per-app virtual machine route. The underlying infrastructure of modern Linux-based containers consists mainly of two kernel features: namespaces (what a process can see) and cgroups (what a process can consume). Well-known Linux container technologies are Docker, OpenVZ, Google containers, Linux-VServer and LXC (LinuX Containers).
Docker is an open-source project that automates the creation and deployment of containers. It is an open platform for developers and sysadmins to build, ship, and run distributed applications, consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service for sharing applications and automating workflows.
Docker started as an internal project by a Platform-as-a-Service (PaaS) company called dotCloud at the time, and now called Docker Inc. Docker is currently available only for Linux (Linux kernel 3.8 or above). It utilizes the LXC toolkit. It runs on distributions like Ubuntu 12.04, 13.04; Fedora 19 and 20; RHEL 6.5 and above; and on cloud platforms like Amazon EC2, Google Compute Engine and Rackspace.
Linux containers are turning into a way of packaging up applications and related software for movement over the network or Internet. You can create images by running commands manually and committing the resulting container, but you can also describe them with a Dockerfile. Docker images can be stored in a public repository. Docker is able to create a snapshot. Docker, the company that sponsors the Docker.org open source project, is gaining allies in making its commercially supported Linux container format a de facto standard. Red Hat has woken up to the growth of Linux containers and has begun certifying applications running in the sandboxing tech.
Docker was in the IT news a lot last week because Docker 1.0 was released. Here are links to several articles on Docker:
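Because a Dockerfile is the usual way to describe an image, it is also the natural place to look for build-time weaknesses before an image is pushed to a public repository. The following Python audit is an added example for this post, not code from the original article or from the Docker project: it parses two constructed Dockerfiles, a quick one with the usual shortcuts and a hardened description of the same image, and reports the differences a reviewer would care about. The check names, the `example.invalid` host and both sample Dockerfiles are constructed for illustration; the checks cover a small subset of what a full image linter flags.

```python
"""Audit a Dockerfile for a few common security weaknesses.

Added example; not from the original post or the Docker project.
The two Dockerfiles below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Constructed sample: unpinned base image, build-time downloads over plain HTTP,
# a download piped into a shell, an SSH port, and no USER (so it runs as root).
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
ADD http://example.invalid/app.tar.gz /opt/
RUN curl -sSL http://example.invalid/install.sh | sh
EXPOSE 22 8080
CMD ["/opt/app/run"]
"""

# Constructed sample: same application, described defensively.
HARDENED_DOCKERFILE = """\
# Pin the base image to a tag; pinning to a digest (image@sha256:...) is stricter still.
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
# Ship the artifact with the build context instead of fetching it at build time.
COPY app.tar.gz /opt/
RUN groupadd -r app && useradd -r -g app app \\
    && tar -xzf /opt/app.tar.gz -C /opt && chown -R app:app /opt/app
USER app
EXPOSE 8080
CMD ["/opt/app/run"]
"""


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs.

    Honours backslash line continuations and drops comment and blank lines,
    as the Dockerfile syntax does. Parser directives and heredocs are not handled.
    """
    instructions = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        keyword, _, args = buf.partition(" ")
        instructions.append((keyword.upper(), args.strip()))
        buf = ""
    if buf:  # dangling continuation at end of file
        keyword, _, args = buf.partition(" ")
        instructions.append((keyword.upper(), args.strip()))
    return instructions


def audit_dockerfile(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no check fired."""
    findings = []
    last_user = "root"  # builds start as root unless the base image or a USER line says otherwise
    for keyword, args in parse_dockerfile(text):
        if keyword == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform=...
            image = tokens[0] if tokens else ""
            unpinned = image.endswith(":latest") or (":" not in image and "@" not in image)
            if image != "scratch" and unpinned:
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif keyword == "ADD" and re.match(r"https?://", args):
            findings.append("ADD from URL: fetched at build time without integrity check; prefer COPY")
        elif keyword == "RUN":
            if re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", args):
                findings.append("RUN pipes a download straight into a shell")
            if re.search(r"\bhttp://", args):
                findings.append("RUN fetches over plain HTTP")
        elif keyword == "USER":
            last_user = args.split()[0].split(":")[0] if args.split() else last_user
        elif keyword == "EXPOSE":
            for port in args.split():
                if port.split("/")[0] == "22":
                    findings.append("EXPOSE 22: an SSH daemon in the image widens the attack surface")
    if last_user in ("root", "0"):
        findings.append("final USER is root: the process runs as uid 0 inside the container")
    return findings


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{name}: {len(audit_dockerfile(df))} finding(s)")
        for f in audit_dockerfile(df):
            print("  -", f)
```

Running the script prints six findings for the weak Dockerfile and none for the hardened one. The parser is deliberately small; the point is that each instruction is inspectable text, so the same policy can be enforced in CI before an image is ever built or committed.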
Docker opens online port for packaging and shipping Linux containers
Docker, Open Source Application Container Platform, Has 1.0 Coming Out Party At Dockercon14
Google Embraces Docker, the Next Big Thing in Cloud Computing
Docker blasts into 1.0, throwing dust onto traditional hypervisors
Automated Testing of Hardware Appliances with Docker
Continuous Integration Using Docker, Maven and Jenkins
The best way to understand Docker is to try it!
This Docker thing looks interesting. Maybe I should spend some time testing it.
Tomi Engdahl says:
Ten layers of container security
https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper
Tomi Engdahl says:
Principles of container-based application design
https://www.redhat.com/en/resources/cloud-native-container-design-whitepaper
PRINCIPLES OF SOFTWARE DESIGN:
Keep it simple, stupid (KISS)
Don’t repeat yourself (DRY)
You aren’t gonna need it (YAGNI)
Separation of concerns (SoC)
RED HAT APPROACH TO CLOUD-NATIVE CONTAINERS:
Single concern principle (SCP)
High observability principle (HOP)
Life-cycle conformance principle (LCP)
Image immutability principle (IIP)
Process disposability principle (PDP)
Self-containment principle (S-CP)
Runtime confinement principle (RCP)
Tomi Engdahl says:
5 instrumentation strategies for architecting containerized apps
https://www.redhat.com/en/resources/5-instrumentation-strategies-architecting-containerized-apps-whitepaper
Tomi Engdahl says:
How to SSH into a running container
https://opensource.com/article/19/6/how-ssh-running-container
SSH is probably not the best way to run commands in a container; try this instead
Tomi Engdahl says:
Getting started with software-defined networking
https://www.redhat.com/sysadmin/getting-started-sdn
Configure and isolate Linux containers with SDN and Container Network Interface plugins
Tomi Engdahl says:
Ten layers of container security
https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper
The 10 key elements of container security are:
Container host multitenancy
Container content
Container registries
Building containers
Deploying containers
Container orchestration
Network isolation
Storage
Application programming interface (API) management
Federated clusters
Tomi Engdahl says:
Docker for Pentesters
https://blog.ropnop.com/docker-for-pentesters/
Tomi Engdahl says:
Docker is in deep trouble
In a leaked internal memo, Docker CEO reveals the troubled company is looking for more money.
https://www.zdnet.com/article/docker-is-in-deep-trouble/
Tomi Engdahl says:
How To Quickly Run a Basic Security Audit Against Docker & Secure the Docker Daemon
https://pentestmag.com/how-to-quickly-run-a-basic-security-audit-against-docker-secure-the-docker-daemon/
#pentest #magazine #pentestmag #pentestblog #PTblog #docker #security #audit #basic #daemon #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
How to prepare and use Docker for web pentest by Júnior Carreiro
https://pentestmag.com/prepare-use-docker-web-pentest-junior-carreiro/
Tomi Engdahl says:
https://pentestmag.com/how-to-quickly-run-a-basic-security-audit-against-docker-secure-the-docker-daemon/
Tomi Engdahl says:
https://bash.cyberciti.biz/virtualization/shell-script-to-setup-an-lxd-linux-containers-vm-lab-for-testing-purpose/
Tomi Engdahl says:
LXD (Linux containers) allows you to bind-mount directory from the host machine onto a container. Useful for moving LXD from one host to another or build a container without losing data. Learn how to add or mount a shared directory between one or more LXD. https://www.cyberciti.biz/faq/how-to-add-or-mount-directory-in-lxd-linux-container/ #sysadmin #Linux #devops
Tomi Engdahl says:
How to prepare and use Docker for web pentest by Júnior Carreiro
https://pentestmag.com/prepare-use-docker-web-pentest-junior-carreiro/
Tomi Engdahl says:
http://www.commitstrip.com/en/2020/03/06/do-you-like-containers/
Tomi Engdahl says:
Docker regroups as cloud-native developer tool company
https://tcrn.ch/2vetsMu
Docker had an existential crisis last year when, in a matter of months, CEO Steve Singh stepped down, the company sold its enterprise business to Mirantis and long-time executive Scott Johnston took over as CEO. It was a lot to process.
The organization that remained decided to regroup as a developer tools company, and today the new entity officially begins its journey.
Tomi Engdahl says:
BECOME CERTIFIED KUBERNETES ADMINISTRATOR
OUR BEST TIPS ON HOW TO PASS THE CKA TEST
https://www.montel.fi/blog/become-certified-kubernetes-administrator
Tomi Engdahl says:
https://www.smarthomebeginner.com/run-pihole-in-docker-on-ubuntu-with-reverse-proxy/
Tomi Engdahl says:
How to backup and restore LXD containers
https://www.cyberciti.biz/faq/how-to-backup-and-restore-lxd-containers/
Now that I set up an LXD container, how do I backup and restore LXD containers running on Ubuntu/Debian or Fedora/CentOS Linux server?
Backing up your LXD server is an essential task in case your server crashed, or the database got corrupted. Let us see how to backup and restore LXD containers using the Linux command-line options.
Tomi Engdahl says:
Kubernetes–the open source platform that automates Linux® container operations–eliminates many of the manual processes involved in deploying and scaling containerized applications.
Tomi Engdahl says:
Docker partners with AWS to improve container workflows
https://techcrunch.com/2020/07/09/docker-partners-with-aws-to-improve-container-workflows/?tpcc=ECFB2020
Docker and AWS today announced a new collaboration that introduces a deep integration between Docker’s Compose and Desktop developer tools and AWS’s Elastic Container Service (ECS) and ECS on AWS Fargate. Previously, the two companies note, the workflow to take Compose files and run them on ECS was often challenging for developers. Now, the two companies simplified this process to make switching between running containers locally and on ECS far easier.
“With a large number of containers being built using Docker, we’re very excited to work with Docker to simplify the developer’s experience of building and deploying containerized applications to AWS,” said Deepak Singh, the VP for compute services at AWS. “Now customers can easily deploy their containerized applications from their local Docker environment straight to Amazon ECS. This accelerated path to modern application development and deployment allows customers to focus more effort on the unique value of their applications, and less time on figuring out how to deploy to the cloud.”
Tomi Engdahl says:
A Security Reminder: Containers Talk to Each Other and Other Endpoints
https://pentestmag.com/a-security-reminder-containers-talk-to-each-other-and-other-endpoints/
#pentest #magazine #pentestmag #pentestblog #PTblog #containers #endpoints #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
Scaling Docker to Serve Millions More Developers: Network Egress
https://www.docker.com/blog/scaling-docker-to-serve-millions-more-developers-network-egress/
Tomi Engdahl says:
https://www.facebook.com/126000117413375/posts/3962878887058793/
Here is a quick and dirty shell script I put together to check LXD container size and how much space they are taking on the Linux BTRFS subvolume. https://bash.cyberciti.biz/diskadmin/how-to-check-lxd-container-btrfs-disk-usage-on-linux/
Tomi Engdahl says:
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Tomi Engdahl says:
Grype is a Go-based tool to assist you with container and package security. It supports Docker and OCI image formats and also packages from major OS distributions (Alpine, BusyBox, Debian, CentOS, Ubuntu) and certain programming language-specific packages (Ruby, Java, Python). https://www.darknet.org.uk/2021/04/grype-vulnerability-scanner-for-container-images-filesystems/
Tomi Engdahl says:
Tim Anderson / The Register:
Docker restricts use of its free desktop tool to individuals and small businesses, says companies with 250+ staff or $10M+ annual revenue must use paid version — Search for sustainable business model continues, but most usage will still be free — Docker will restrict use of the free version …
Docker Desktop no longer free for large companies: New ‘Business’ subscription is here
Search for sustainable business model continues, but most usage will still be free
https://www.theregister.com/2021/08/31/docker_desktop_no_longer_free/
Tomi Engdahl says:
Learn how to install Docker and docker-compose on Amazon Linux 2 (AMI) and build your sample applications running on EC2/Lightsail VM. https://www.cyberciti.biz/faq/how-to-install-docker-on-amazon-linux-2/ #docker #Linux #SysAdmin
Tomi Engdahl says:
RHEL 8.5 delivers key container improvements
The latest version of Red Hat Enterprise Linux is ready to run on Windows, Linux, and macOS.
https://www.zdnet.com/article/rhel-8-5-arrives/
Tomi Engdahl says:
RHEL 8.5 delivers key container improvements | ZDNet
https://www.zdnet.com/article/rhel-8-5-arrives/
RHEL 8.5, the newest version of Red Hat Enterprise Linux (RHEL), is out. As Joe Brockmeier, Red Hat Blogs’ Editorial Director, said, “Whether you’re deploying RHEL on-prem, in the public cloud, at the edge — or all of the above — RHEL 8.5 has improvements that users will be eager to dig into.”
In particular, as we continue to move to a container and Kubernetes-based world, RHEL 8.5 comes with significant container improvements. These include:
• Containerized Podman: The RHEL 8 Podman container image is now generally available and can help unlock the usage of Podman in cloud continuous integration/delivery (CI/CD) systems, on Windows Subsystem for Linux (WSL) 2, under Docker Desktop on macOS, and (of course) on RHEL 6, 7 and 8. You can use the Podman container image to help develop and run other container images.
• Verify container image signatures by default: In RHEL 8.5, users can pull container images with confidence. Out of the box, RHEL 8.5 will check container image signatures to verify that they are, in fact, from Red Hat and haven’t been tampered with or manipulated.
• Native OverlayFS as a Rootless container user: RHEL 8.5 offers better performance when building and running rootless containers, with native support for OverlayFS.
Returning to RHEL basics, its web console, which is based on the open-source Cockpit project, now enables you to live patch the kernel from it. Previously, you could only keep your Linux running while updating the kernel in real-time by using the shell.
The updated web console also includes an enhanced-performance metrics page. With this, you can more easily identify high CPU, memory, disk, and network resource usage spikes and their causes. In addition, you can also more easily export metrics to a Grafana server for a deeper look at what’s going on in your servers.
Red Hat is also continuing to integrate its Ansible DevOps program into RHEL. RHEL’s system roles now use Ansible roles and modules to configure, automate, and manage RHEL services.
AlmaLinux OS 8.5 Stable Now Available
https://almalinux.org/blog/almalinux-os-85-stable-now-available/
Hi, Community! The AlmaLinux OS Foundation is thrilled to announce that AlmaLinux OS 8.5 Stable is now available. This stable release for x86_64 and ARM architectures is ready for production installations and to power all your computing needs and workloads.
You can read more about this stable release by checking out the Release Notes. AlmaLinux OS 8.5 includes features and improvements to container tools to reduce friction and make the build and deploy processes more flexible, support for OpenJDK 17, additional OpenSCAP profiles for hardening and security compliance, new system roles, and Network Time Security (NTS) for NTP, amongst other additions and enhancement.
https://wiki.almalinux.org/release-notes/8.5.html
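The "verify container image signatures by default" item above comes down to the contents of the containers policy file (`/etc/containers/policy.json`, consulted by Podman, skopeo and CRI-O when an image is pulled). As an added example, not code from Red Hat or the containers project, the Python below holds two constructed policies, one that accepts anything and one that rejects by default and requires a GPG signature for the Red Hat registries, and evaluates which requirement applies to a given image reference. The key path is the one RHEL ships its release key under and is an assumption about the host; the scope matching is simplified (no tag or digest stripping, no wildcard scopes).

```python
"""Evaluate a containers policy.json for whether it actually requires image signatures.

Added example; not code from Red Hat or the containers project.
Both policies are constructed. Assumed key path: where RHEL ships its release key.
"""
import json
from typing import List

# Constructed: the permissive shape; signatures are never checked for any image.
PERMISSIVE_POLICY = json.dumps({
    "default": [{"type": "insecureAcceptAnything"}],
})

# Constructed: reject anything not explicitly allowed, require a GPG signature from
# the Red Hat registries, and trust only images already in local storage unsigned.
SIGNED_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}  # assumed host path
            ],
            "registry.redhat.io": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
            ],
        },
        "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    },
})


def requirements_for(policy: dict, transport: str, reference: str) -> list:
    """Return the requirement list that applies to a reference.

    policy.json picks the most specific matching scope under the transport
    (repository, then namespace, then registry host), then the transport's ""
    entry, then the top-level "default".
    """
    scopes = policy.get("transports", {}).get(transport, {})
    candidate = reference
    while candidate:
        if candidate in scopes:
            return scopes[candidate]
        candidate = candidate.rsplit("/", 1)[0] if "/" in candidate else ""
    if "" in scopes:
        return scopes[""]
    return policy.get("default", [])


def verdict(policy_json: str, transport: str, reference: str) -> str:
    """Summarise what the policy does with one image: reject, signature-required, or unverified.

    All requirements in a list must hold; an empty list rejects the image.
    """
    reqs = requirements_for(json.loads(policy_json), transport, reference)
    types = [r.get("type") for r in reqs]
    if not reqs or "reject" in types:
        return "reject"
    if any(t in ("signedBy", "sigstoreSigned") for t in types):
        return "signature-required"
    return "unverified"


def audit_policy(policy_json: str) -> List[str]:
    """Flag places where the policy lets unsigned images in from a remote registry."""
    policy = json.loads(policy_json)
    findings = []
    default_types = {r.get("type") for r in policy.get("default", [])}
    if "insecureAcceptAnything" in default_types:
        findings.append('"default" accepts unsigned images from any registry')
    for scope, reqs in policy.get("transports", {}).get("docker", {}).items():
        if reqs and all(r.get("type") == "insecureAcceptAnything" for r in reqs):
            findings.append(f'docker scope "{scope or "(any registry)"}" accepts unsigned images')
    return findings


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("signed", SIGNED_POLICY)):
        print(name, "->", verdict(pol, "docker", "registry.redhat.io/ubi8/ubi"),
              "| findings:", audit_policy(pol))
```

The useful habit this encodes is to read the policy the way the pull path does: find the requirement list that actually applies to the reference being pulled, not just the top-level default, since a single permissive registry scope quietly overrides a strict default.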
Tomi Engdahl says:
Exploring Container Security: A Storage Vulnerability Deep Dive
https://security.googleblog.com/2021/12/exploring-container-security-storage.html
Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.
Tomi Engdahl says:
After January 31, 2022, Docker Desktop will require a paid subscription. Here you can find instructions for running Docker on WSL2 under Windows without Docker Desktop (target distributions being Debian & Ubuntu).
Docker on WSL2 without Docker Desktop
https://dev.solita.fi/2021/12/21/docker-on-wsl2-without-docker-desktop.html?utm_medium=paidsocial&utm_source=facebook&utm_campaign=fi-dev-dev-blogs-1-2022&hsa_acc=1021896911210910&hsa_cam=6244509309508&hsa_grp=6270950579508&hsa_ad=6270950580308&hsa_src=fb&hsa_net=facebook&hsa_ver=3&fbclid=IwAR3Ue7il-G1pdv_42rcPofnQMr1TR4Z4MlXiCHe8abR4ldu9M4OZ4JhCCQ8
Tomi Engdahl says:
https://hackaday.com/2022/11/01/linux-fu-easy-vms/
Tomi Engdahl says:
Manage containers at the edge with Linux
Using systemd, Podman, Linux, and Ansible delivers the lightweight container management capabilities required in edge environments.
https://red.ht/3qY8DxR #linux
Tomi Engdahl says:
Containers, Security, and Risks within Containerized Environments https://securityintelligence.com/posts/containers-security-risks-containerized-environments/
Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would tailor it to fit within the confines of the targeted system, like the store in the mall.
Tomi Engdahl says:
Quick IOC Scan With Docker
https://isc.sans.edu/diary/rss/29788
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I’m using to quickly scan for interesting IOCs (“Indicators of Compromise”). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities.
Tomi Engdahl says:
https://www.phoronix.com/news/Ubuntu-Snaps-Docker-Comparison
Tomi Engdahl says:
How OpenTelemetry Works with Kubernetes
Installing an OTEL operator for Kubernetes is a straightforward process. Here’s how to do it and how it simplifies the process of monitoring your Kubernetes cluster.
https://thenewstack.io/how-opentelemetry-works-with-kubernetes/
Tomi Engdahl says:
Build DOCKER multi-platform image using buildx REMOTE builder NODE
https://dev.to/aboozar/build-docker-multi-platform-image-using-buildx-remote-builder-node-5631
Tomi Engdahl says:
https://hackaday.com/2023/08/07/linux-containers-the-hard-way/