Docker and other Linux containers

Virtual machines are mainstream in cloud computing. The newest development on the this arena are fast and lightweight process virtualization.  Linux-based container infrastructure is an emerging cloud technology that provides its users an environment as close as possible to a standard Linux distribution.

Linux Containers and the Future Cloud article tells that as opposed to para-virtualization solutions (Xen) and hardware virtualization solutions (KVM), which provide virtual machines (VMs), containers do not create other instances of the operating system kernel. This brings advantage of containers over VMs is that starting and shutting down a container is much faster than starting and shutting down a VM. The idea of process-level virtualization in itself is not new (remember Solaris Zones and BSD jails).

All containers under a host are running under the same kernel. Basically, a container is a Linux process (or several processes) that has special features and that runs in an isolated environment, configured on the host.  Containerization is a way of packaging up applications so that they share the same underlying OS but are otherwise fully isolated from one another with their own CPU, memory, disk and network allocations to work within – going a few steps further than the usual process separation in Unix-y OSes, but not completely down the per-app virtual machine route. The underlying infrastructure of modern Linux-based containers consists mainly of two kernel features: namespaces and cgroups. Well known Linux container technologies are Docker, OpenVZ, Google containers, Linux-VServer and LXC (LinuX Containers).

Docker is an open-source project that automates the creation and deployment of containers. Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications. Consisting of Docker Engine, a portable, lightweight runtime and packaging tool, and Docker Hub, a cloud service for sharing applications and automating workflows.
Docker started as an internal project by a Platform-as-a-Service (PaaS) company called dotCloud at the time, and now called Docker Inc. Docker is currently available only for Linux (Linux kernel 3.8 or above). It utilizes the LXC toolkit. It runs on distributions like Ubuntu 12.04, 13.04; Fedora 19 and 20; RHEL 6.5 and above; and on cloud platforms like Amazon EC2, Google Compute Engine and Rackspace.

Linux containers are turning to a way of packaging up applications and related software for movement over the network or Internet. You can create images by running commands manually and committing the resulting container, but you also can describe them with a Dockerfile. Docker images can be stored on a public repository. Docker is able to create a snapshot. Docker, the company that sponsors the Docker.org open source project, is gaining allies in making its commercially supported Linux container format a de facto standard. Red Hat has woken up to the growth of Linux containers and has begun certifying applications running in the sandboxing tech.

Docker was last week a lot in IT news because Docker 1.0 has been released. Here are links to several articles on Docker:

Docker opens online port for packaging and shipping Linux containers

Docker, Open Source Application Container Platform, Has 1.0 Coming Out Party At Dockercon14

Google Embraces Docker, the Next Big Thing in Cloud Computing

Docker blasts into 1.0, throwing dust onto traditional hypervisors

Automated Testing of Hardware Appliances with Docker

Continuous Integration Using Docker, Maven and Jenkins

Getting Started with Docker

The best way to understand Docker is to try it!

This Docker thing looks interesting. Maybe I should spend some time testing it.

 

340 Comments

  1. Tomi Engdahl says:

    Principles of container-based application design
    https://www.redhat.com/en/resources/cloud-native-container-design-whitepaper

    PRINCIPLES OF SOFTWARE DESIGN:
    Keep it simple, stupid (KISS)
    Don’t repeat yourself (DRY)
    You aren’t gonna need it (YAGNI)
    Separation of concerns (SoC)
    RED HAT APPROACH TO CLOUD-NATIVE CONTAINERS:
    Single concern principle (SCP)
    High observability principle (HOP)
    Life-cycle conformance principle (LCP)
    Image immutability principle (IIP)
    Process disposability principle (PDP)
    Self-containment principle (S-CP)
    Runtime confinement principle (RCP)

    Reply
  2. Tomi Engdahl says:

    How to SSH into a running container
    https://opensource.com/article/19/6/how-ssh-running-container

    SSH is probably not the best way to run commands in a container; try this instead

    Reply
  3. Tomi Engdahl says:

    Getting started with software-defined networking
    https://www.redhat.com/sysadmin/getting-started-sdn

    Configure and isolate Linux containers with SDN and Container Network Interface plugins

    Reply
  4. Tomi Engdahl says:

    Ten layers of container security
    https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper

    The 10 key elements of container security are:

    Container host multitenancy
    Container content
    Container registries
    Building containers
    Deploying containers
    Container orchestration
    Network isolation
    Storage
    Application programming interface (API) management
    Federated clusters

    Reply
  5. Tomi Engdahl says:

    Docker is in deep trouble
    In a leaked internal memo, Docker CEO reveals the troubled company is looking for more money.
    https://www.zdnet.com/article/docker-is-in-deep-trouble/

    Reply
  6. Tomi Engdahl says:

    How To Quickly Run a Basic Security Audit Against Docker & Secure the Docker Daemon

    https://pentestmag.com/how-to-quickly-run-a-basic-security-audit-against-docker-secure-the-docker-daemon/

    #pentest #magazine #pentestmag #pentestblog #PTblog #docker #security #audit #basic #daemon #cybersecurity #infosecurity #infosec

    Reply
  7. Tomi Engdahl says:

    How to prepare and use Docker for web pentest by Júnior Carreiro

    https://pentestmag.com/prepare-use-docker-web-pentest-junior-carreiro/

    Reply
  8. Tomi Engdahl says:

    LXD (Linux containers) allows you to bind-mount directory from the host machine onto a container. Useful for moving LXD from one host to another or build a container without losing data. Learn how to add or mount a shared directory between one or more LXD. https://www.cyberciti.biz/faq/how-to-add-or-mount-directory-in-lxd-linux-container/ #sysadmin #Linux #devops

    Reply
  9. Tomi Engdahl says:

    How to prepare and use Docker for web pentest by Júnior Carreiro
    https://pentestmag.com/prepare-use-docker-web-pentest-junior-carreiro/

    Reply
  10. Tomi Engdahl says:

    Docker regroups as cloud-native developer tool company
    https://tcrn.ch/2vetsMu

    Docker had an existential crisis last year when,in a matter of months, CEO Steve Singhstepped down, the companysold its enterprise business to Mirantis and long-time executive Scott Johnston took over as CEO. It was a lot to process.

    The organization that remained decided to regroup as a developer tools company, and today the new entity officially begins its journey.

    Reply
  11. Tomi Engdahl says:

    BECOME CERTIFIED KUBERNETES ADMINISTRATOR
    OUR BEST TIPS ON HOW TO PASS THE CKA TEST
    https://www.montel.fi/blog/become-certified-kubernetes-administrator

    Reply
  12. Tomi Engdahl says:

    How to backup and restore LXD containers
    https://www.cyberciti.biz/faq/how-to-backup-and-restore-lxd-containers/

    Now that I set up an LXD container, how do I backup and restore LXD containers running on Ubuntu/Debian or Fedora/CentOS Linux server?

    Backing up your LXD server is an essential task in case your server crashed, or the database got corrupted. Let us see how to backup and restore LXD containers using the Linux command-line options.

    Reply
  13. Tomi Engdahl says:

    Kubernetes–the open source platform that automates Linux® container operations–eliminates many of the manual processes involved in deploying and scaling containerized applications.

    Reply
  14. Tomi Engdahl says:

    Docker partners with AWS to improve container workflows
    https://techcrunch.com/2020/07/09/docker-partners-with-aws-to-improve-container-workflows/?tpcc=ECFB2020

    Docker and AWS today announced a new collaboration that introduces a deep integration between Docker’s Compose and Desktop developer tools and AWS’s Elastic Container Service (ECS) and ECS on AWS Fargate. Previously, the two companies note, the workflow to take Compose files and run them on ECS was often challenging for developers. Now, the two companies simplified this process to make switching between running containers locally and on ECS far easier.

    “With a large number of containers being built using Docker, we’re very excited to work with Docker to simplify the developer’s experience of building and deploying containerized applications to AWS,” said Deepak Singh, the VP for compute services at AWS. “Now customers can easily deploy their containerized applications from their local Docker environment straight to Amazon ECS. This accelerated path to modern application development and deployment allows customers to focus more effort on the unique value of their applications, and less time on figuring out how to deploy to the cloud.”

    Reply
  15. Tomi Engdahl says:

    A Security Reminder: Containers Talk to Each Other and Other Endpoints

    https://pentestmag.com/a-security-reminder-containers-talk-to-each-other-and-other-endpoints/

    #pentest #magazine #pentestmag #pentestblog #PTblog #containers #endpoints #cybersecurity #infosecurity #infosec

    Reply
  16. Tomi Engdahl says:

    https://www.facebook.com/126000117413375/posts/3962878887058793/
    //Here is a quick and dirty shell script I put to check LXD container size and how much space they are taking on the Linux BTRFS subvolume. https://bash.cyberciti.biz/diskadmin/how-to-check-lxd-container-btrfs-disk-usage-on-linux/

    Reply
  17. Tomi Engdahl says:

    Grype is a Go-based tool to assist you with container and package security, it supports Docker and OCI image formats and also packages from major OS distributions (Alpine, BusyBox, Debian CentOS, Ubuntu) and certain programming language-specific packages (Ruby, Java, Python). https://www.darknet.org.uk/2021/04/grype-vulnerability-scanner-for-container-images-filesystems/

    Reply
  18. Tomi Engdahl says:

    Tim Anderson / The Register:
    Docker restricts use of its free desktop tool to individuals and small businesses, says companies with 250+ staff or $10M+ annual revenue must use paid version — Search for sustainable business model continues, but most usage will still be free — Docker will restrict use of the free version …

    Docker Desktop no longer free for large companies: New ‘Business’ subscription is here
    Search for sustainable business model continues, but most usage will still be free
    https://www.theregister.com/2021/08/31/docker_desktop_no_longer_free/

    Reply
  19. Tomi Engdahl says:

    Learn how to install Docker and docker-compose on Amazon Linux 2 (AMI) and build your sample applications running on EC2/Lightsail VM. https://www.cyberciti.biz/faq/how-to-install-docker-on-amazon-linux-2/ #docker #Linux #SysAdmin

    Reply
  20. Tomi Engdahl says:

    RHEL 8.5 delivers key container improvements
    The latest version of Red Hat Enterprise Linux is ready to run on Windows, Linux, and macOS.
    https://www.zdnet.com/article/rhel-8-5-arrives/

    Reply
  21. Tomi Engdahl says:

    RHEL 8.5 delivers key container improvements | ZDNet
    https://www.zdnet.com/article/rhel-8-5-arrives/
    RHEL 8.5, the newest version of Red Hat Enterprise Linux (RHEL), is out. As Joe Brockmeier, Red Hat Blogs’ Editorial Director, said, “Whether you’re deploying RHEL on-prem, in the public cloud, at the edge — or all of the above — RHEL 8.5 has improvements that users will be eager to dig into.”
    In particular, as we continue to move to a container and Kubernetes-based world, RHEL 8.5 comes with significant container improvements. These include:
    • Containerized Podman: The RHEL 8 Podman container image is now generally available and can help unlock the usage of Podman in cloud continuous integration/delivery (CI/CD) systems, on Windows Subsystem for Linux (WSL) 2, under Docker Desktop on macOS, and (of course) on RHEL 6, 7 and 8. You can use the Podman container image to help develop and run other container images.
    • Verify container image signatures by default: In RHEL 8.5, users can pull container images with confidence. Out of the box, RHEL 8.5 will check container image signatures to verify that they are, in fact, from Red Hat and haven’t been tampered with or manipulated.
    • Native OverlayFS as a Rootless container user: RHEL 8.5 offers better performance when building and running rootless containers, with native support for OverlayFS.
    Returning to RHEL basics, its web console, which is based on the open-source Cockpit project, now enables you to live patch the kernel from it. Previously, you could only keep your Linux running while updating the kernel in real-time by using the shell.
    The updated web console also includes an enhanced-performance metrics page. With this, you can more easily identify high CPU, memory, disk, and network resource usage spikes and their causes. In addition, you can also more easily export metrics to a Grafana server for a deeper look at what’s going on in your servers.
    Red Hat is also continuing to integrate its Ansible DevOps program into RHEL. RHEL’s system roles now use Ansible roles and modules to configure, automate, and manage RHEL services.

    AlmaLinux OS 8.5 Stable Now Available
    https://almalinux.org/blog/almalinux-os-85-stable-now-available/
    Hi, Community! The AlmaLinux OS Foundation is thrilled to announce that AlmaLinux OS 8.5 Stable is now available. This stable release for x86_64 and ARM architectures is ready for production installations and to power all your computing needs and workloads.
    You can read more about this stable release by checking out the Release Notes. AlmaLinux OS 8.5 includes features and improvements to container tools to reduce friction and make the build and deploy processes more flexible, support for OpenJDK 17, additional OpenSCAP profiles for hardening and security compliance, new system roles, and Network Time Security (NTS) for NTP, amongst other additions and enhancement.
    https://wiki.almalinux.org/release-notes/8.5.html

    Reply
  22. Tomi Engdahl says:

    Exploring Container Security: A Storage Vulnerability Deep Dive
    https://security.googleblog.com/2021/12/exploring-container-security-storage.html
    Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.

    Reply
  23. Tomi Engdahl says:

    Manage containers at the edge with Linux
    Using systemd, Podman, Linux, and Ansible delivers the lightweight container management capabilities required in edge environments.
    https://red.ht/3qY8DxR #linux

    Reply
  24. Tomi Engdahl says:

    Containers, Security, and Risks within Containerized Environments https://securityintelligence.com/posts/containers-security-risks-containerized-environments/
    Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would tailor it to fit within the confines of the targeted system, like the store in the mall.

    Reply
  25. Tomi Engdahl says:

    Quick IOC Scan With Docker
    https://isc.sans.edu/diary/rss/29788
    When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I’m using to quickly scan for interesting IOCs (“Indicators of Compromise”). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities

    Reply
  26. Tomi Engdahl says:

    How OpenTelemetry Works with Kubernetes
    Installing an OTEL operator for Kubernetes is a straightforward process. Here’s how to do it and how it simplifies the process of monitoring your Kubernetes cluster.
    https://thenewstack.io/how-opentelemetry-works-with-kubernetes/

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*