E-guide

Virtual container technology options for management, security

In this e-guide

Introduction
Container Choices
Virtual container management
Virtual container security
Glossary

Introduction

Containers are not just for development and testing. Companies such as Docker, Amazon, Google and Microsoft offer some compelling and full-featured virtual container products aimed specifically at enterprise IT production environments. But are these offerings a sign that containers are ready for enterprise deployments, or are businesses not ready to make the necessary changes to switch to containers?

Use this guide to learn about the current virtual container choices and technologies, proper tools for management, and the level of security achievable for different container options. Not sure what some of the lingo means? Head down to the glossary section to brush up on key container terms.

Container Choices

A number of companies provide container services: Amazon Web Services (AWS), Microsoft's Azure Container Service, Google Container Engine and Kubernetes, Docker -- the list goes on. The stories below will give you a better idea about the choice between bare metal and VMs for Docker deployment, migration technologies, a way to try out Linux containers and more.
Docker portability shows promise with new cloud integrations

Beth Pariseau, Senior News Writer

SEATTLE -- Docker portability between private and public clouds is demonstrably possible today.

The seeds for this Holy Grail of server virtualization were planted here at DockerCon with the unveiling of a new Microsoft Azure integration with Docker's Datacenter product. On the keynote stage, Microsoft Azure CTO Mark Russinovich demonstrated a new integration between the Azure cloud platform (including Azure Stack, which remains in technical preview) and Docker Datacenter, showing an app operating across public and private Azure clouds.
To this week's IT pro audience, containers appear set to keep the promise VMs couldn't: move apps smoothly between operating environments.

"If you stay with Docker containers as the minimal unit of infrastructure, it was demonstrated today that you can get this portability," said Nirmal Mehta, senior lead technologist for the strategic innovation group at Booz Allen Hamilton Inc., a consulting firm based in McLean, Va., who works with government organizations to establish a DevOps culture.

While Docker portability creates less friction for cloud partners to move customer workloads onto their infrastructure, it also makes it easier to leave. Still, a rising tide of moving workloads will raise all boats in the market, Mehta said, and he predicted most cloud players will jump on the portability bandwagon in time.

"The real race is for features other than infrastructure, things like API gateways, security, CDNs, DDoS protection, and serverless computing," Mehta said. "A whole other world is fast approaching."

On premises-to-cloud vs. inter-cloud portability

Other new Docker products released into beta this week, Docker for AWS and Docker for Azure, hold the potential for simultaneous multi-cloud app deployments, though it remains to be seen how these products will assist migration of workloads between different public cloud providers in practice.
Nevertheless, that's the goal being pursued by some of the largest and most advanced enterprises in the world.

"We want to operate a multi-cloud environment according to security risk," said Andy Lim, senior developer at General Electric (GE), in a presentation here this week.

GE wants to move applications between clouds depending on whether the apps are processing sensitive data. Right now the company is operating only in the AWS cloud, though it has engaged with Azure and Rackspace, according to Lim. It wasn't clear from his presentation which vendors would handle which level of risk for the company.

Meanwhile, an experimental feature released into private beta by Docker this week could be the final missing piece of the inter-cloud container portability puzzle.

Docker Application Bundles, bundles of containers comprising apps, could prove an easier construct for moving workloads between cloud providers. It's an upgrade of Docker Compose, in Mehta's eyes, and "could be the definitive version of how applications can be connected in a declarative way," he said.

While some of the technology is still being sorted out, one thing is clear: Enterprise organizations want this kind of Docker portability in their data centers yesterday.

In a recent survey by 451 Research of more than 400 IT decision makers, two-thirds of respondents said that they care about PaaS and IaaS integration specifically because they want app portability between services, according to Donnie Berkholz, an analyst with the firm.

"That's PaaS rather than containers, but it shows people are interested," Berkholz said.

But interest has yet to translate into action, according to Berkholz.

"What we see right now is a lot of interest in portability, but not a lot of people doing portability yet," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
Containers vs. VMs: Which should you use for cloud?

Tom Nolle, President

The majority of cloud deployments today are based on virtual machines, but it's become clear that containers offer significant benefits to cloud users. However, before choosing one technology over the other, it's important to understand the key differences between containers and VMs. The big question is whether VMs or containers are best suited for public, private or hybrid cloud strategies. And the answer depends on three primary factors: the functional differences between VMs and containers, the level of interdependence between private and public cloud components, and users' willingness to customize their own cloud platform.

Containers vs. VMs: Understanding the difference

VMs and containers represent two different ways to create virtual resources that run applications. With VMs, a special software system -- a hypervisor -- partitions a server below the operating system (OS) level, creating true "virtual machines" that share only hardware. With containers, virtualization takes place at the operating system level, so the OS kernel and possibly some middleware are shared.
Functionally, VMs are more flexible, because the "guest" environment where applications run is similar to a bare-metal server. You can pick your own operating system and middleware, independent of what other VMs on the same server might use. With containers, however, you need to accommodate a common OS and middleware elements when you choose applications, since each container uses the core server platform and shares it with other containers.

For enterprises with a variety of software platforms for their applications, containers may be more difficult to use because of the need to standardize on a single hosting platform. Even when everything runs on a single OS, you may need to harmonize everything to use a single version of some or all middleware tools -- which can be difficult to do if software is dependent on a specific version.

On the other hand, containers have less overhead because they don't duplicate the platform software for every application or component that's deployed. This lower overhead makes it possible to run more components per server with container technology. In addition, the deployment and redeployment of applications or components is faster with containers.

Because containers are usually deployed through management platforms like Docker, it's also generally easier to operationalize container-based clouds than VM-based clouds, where management tools are more varied.
Choosing containers vs. VMs for public, private or hybrid cloud

Users can gain all the benefits of containers in private cloud deployments. And for businesses with standardized operating systems and middleware, container-based private clouds are likely the best strategy. However, for public and hybrid clouds, containers are often more problematic and VMs may be the better approach.

For example, one challenge for enterprises adopting containers is that container hosting services in the public cloud are more difficult to find than VM services. While some infrastructure as a service (IaaS) providers, such as Amazon Web Services, offer container services, these services are normally an overlay to the IaaS service, and, in many cases, are only available for customers using a dedicated server or cluster hosting. While any user can deploy VMs via a public IaaS service, it is more complicated with containers, in terms of setup and operations -- particularly because container networking may be difficult to accommodate inside a public cloud.

The difficulty of deploying and managing containers in a public cloud can also make container deployments more complicated in hybrid clouds. First, best practices for container deployment of an application suggest co-hosting all its components for easy network connection. This, however, makes it more difficult to manage cloud bursting or to fail over to public cloud resources -- which are two of the most common hybrid cloud use cases.
Second, any differences in middleware or OS at the application level will limit container deployment in the cloud if the cloud container platform isn't compatible. That means hybridization might not work the same across all applications.

Hybrid clouds based on containers are easier to build and maintain if the component distribution in the cloud versus the data center is fairly constant, or if an organization cloudsources those components in a very structured way -- for example, from a specific set of data center servers to a specific set of cloud servers. This makes the networking and integration of the hybrid environment easier to manage and less prone to configuration errors. With VMs, however, it's generally easier to deploy applications and components into the cloud from the data center using standardized tools and integration practices.

Easing into container technology

It's best to gain familiarity with container technology in private deployments before moving to the public cloud. Knowledge of how containers work, and what's needed to maintain them in operations, will help you select the right approach, tools and providers. Container management tools like Docker or Cloud Foundry are essential to make containers work, so try them out in house and decide what's best for you.

In the long term, it's likely that management tools will deploy both VM- and container-based clouds. As these tools evolve, the operational differences between container- and VM-based clouds will shrink, and the primary difference will be related to security and compliance. If you're making a choice now, make sure containers offer enough isolation for your cloud applications, since the security and compliance differences between containers and VMs are unlikely to shrink over time. The root of that difference is structural: every container on a host shares that host's kernel, so a kernel vulnerability or an over-privileged container puts every workload on the host at risk, whereas a VM escape must also cross the hypervisor boundary.
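"Enough isolation" is something you can measure rather than assume. Below, added here as a worked example and not part of Tom Nolle's article, is a small shell probe to run inside a container under review. It goes beyond the article in checking three concrete things that decide how far an escape can get: which Linux capabilities the container keeps (CAP_SYS_ADMIN in particular), whether a seccomp filter is active, and whether root inside the container is really root on the host. The capability bit numbers come from the kernel's capability.h; everything else is read from the container's own /proc.

```shell
#!/bin/sh
# Added example, not part of the e-guide: probe how much isolation the
# container you are running in actually has. It reads the Linux process
# interface (/proc/self/status, /proc/self/uid_map), so run it inside the
# container under review:  sh isolation-probe.sh probe

# Capability bit numbers from <linux/capability.h>.
CAP_NET_RAW=13
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# status_field NAME: print the value of one "Name:<tab>value" line of a
# /proc/<pid>/status file supplied on stdin.
status_field() {
  awk -v f="$1:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT: is capability number BIT set in a capability mask
# (CapEff, CapBnd, ...) given as the hex string printed in status?
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# privileged_like HEXMASK: CAP_SYS_ADMIN in the bounding set lets the
# container mount, enter namespaces and more; treat it as near-privileged
# whatever the runtime calls it.
privileged_like() {
  has_cap "$1" "$CAP_SYS_ADMIN"
}

# userns_remapped "inside outside count": given the first line of
# /proc/self/uid_map, is uid 0 in the container mapped to a non-root uid
# on the host? The identity map "0 0 4294967295" means it is not.
userns_remapped() {
  set -- $1
  if [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]; then
    return 1
  fi
  return 0
}

probe() {
  eff=$(status_field CapEff < /proc/self/status)
  bnd=$(status_field CapBnd < /proc/self/status)
  sec=$(status_field Seccomp < /proc/self/status)
  echo "kernel       : $(uname -r) (shared with the host and every other container)"
  echo "CapEff/CapBnd: $eff / $bnd"
  for pair in "SYS_ADMIN $CAP_SYS_ADMIN" "SYS_PTRACE $CAP_SYS_PTRACE" "NET_RAW $CAP_NET_RAW"; do
    set -- $pair
    if has_cap "$bnd" "$2"; then
      echo "CAP_$1: in bounding set (drop it unless the workload needs it)"
    fi
  done
  if privileged_like "$bnd"; then
    echo "verdict      : near-privileged; a kernel bug or misconfiguration here reaches the host"
  fi
  case "$sec" in
    2) echo "seccomp      : filter active" ;;
    *) echo "seccomp      : no filter (mode ${sec:-unknown}); the full syscall surface is exposed" ;;
  esac
  if userns_remapped "$(head -n 1 /proc/self/uid_map)"; then
    echo "user ns      : remapped; root in here is not root on the host"
  else
    echo "user ns      : not remapped; root in here is uid 0 on the host"
  fi
}

case "${1:-}" in
  probe) probe ;;
esac
```

As a reference point, a container started by a stock Docker daemon of that era typically shows a bounding set of 00000000a80425fb (no CAP_SYS_ADMIN, but CAP_NET_RAW kept), while a --privileged container shows the full mask and no seccomp filter; those are observed values, not figures from the article. If the verdict line appears for a workload that does not need it, the isolation the article warns about is largely gone, and a VM or a user-namespaced runtime is the safer choice.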

Containers conflict: IT pros debate Docker bare metal vs. VM

Beth Pariseau, Senior News Writer

SEATTLE -- To VM or not to VM? As enterprise IT contemplates containers, that is the question.

For many IT pros deploying containers into existing infrastructure, VMs offer compatibility with the rest of the environment and flexible deployment between hosts. Others argue a Docker bare-metal deployment best matches containers' kernel-sharing efficiencies for better performance. Each side argues theirs is the more frugal option.

"For VMs, you buy a chassis with an ungodly amount of CPUs and a huge memory partition," which tends to be more expensive than groups of smaller commodity bare-metal servers, said Gary Davidson, senior solution architect for Vitacost.com Inc., a division of Kroger Inc. that sells vitamins and supplements through an e-commerce site.

Vitacost is preparing to put containers into production later this year, and, for now, runs them on a VM infrastructure, but Davidson said bare-metal servers are his ideal deployment choice.

However, a consultant working with Vitacost and other enterprise clients said most of his customers prefer VMs over containers on bare metal.

"With VMs, you can quickly spin up images, and they can offer better resilience," with features like high-availability (HA) failover and dynamic resource scheduling, said Vijay Ramanan, principal consultant with Lister Technologies, a multinational consultancy with U.S. offices in Fremont, Calif.

Docker on bare metal might be the theoretical ideal, but it's not the existing infrastructure at most companies -- most of which are also not fully containerized yet, Ramanan said.

"It is different if you're talking about a 100% Docker infrastructure," Davidson said.

Still, other attendees at DockerCon 2016 here countered that running bare-metal containers is a no-brainer.

"Why would you run it on a VM?" said a software engineer for a customer experience management software maker on the West Coast who requested anonymity. "Docker does the bin packing for you and makes better use of the hardware."

For companies that want to use containers in hybrid or public cloud environments, VMs are unavoidable, said Pauly Comtois, vice president of DevOps for a multinational media company, whose business runs both Docker on bare metal and Docker VM deployments. Still, VMs' scalability speeds and processes are somewhat antiquated today, Comtois said, making bare metal the better option for some apps.
Have it your way

Docker itself isn't picking sides, according to a presentation here.

"When I came to Docker, everything in my life was VMs," said Mike Coleman, a Docker technical evangelist with a focus on IT operations. Many enterprises approaching containers for the first time will be in that same boat, he said.

However, "It's hard to scale out 1,000 containers in a web service if they all take too long to boot," which is an argument for bare metal, he added.

Conversely, commercial software licensing costs are now tailored to virtualized environments and tend to charge by CPU core or socket, meaning VMs might be the more frugal way to go. VMs can also offer resource pools and quotas, an area where Docker isn't quite there yet, Coleman said.

Moreover, VMware resiliency features in particular, such as HA, Distributed Resource Scheduler and Fault Tolerance, "can be hard to live without -- that might be a deciding factor for you," he said.

Additionally, enterprises with mixed environments, whether running multiple Linux distributions or both Windows Server and Linux OSes, can best mix workloads today using Docker on VMs.

Then again, hypervisors do introduce latency for some applications, Coleman said. And while some applications are better consolidated using virtual servers, Coleman cited the example of Swisscom, which he said moved a MongoDB database deployment from a pool of over 400 VMs to a set of 20 hosts, each of which runs 20 containers.

Ultimately, Coleman stopped short of offering any direct guidance for those evaluating the Docker bare-metal or VM choice.

"In the real world ... microservices and monoliths are a continuum," he said. "And I don't expect the way people get started [with containers] to be the way they'll necessarily end up -- we're all in the early days here."
How ECS containers stack up to Google and Azure platforms

Dan Sullivan, Contributor

Containers are lightweight virtualization mechanisms built on features of the Linux operating system. While they enable enterprise teams to exploit even greater efficiencies of virtualization, management can be tricky.

Managing clusters of machines that host containers can be difficult. IT teams have a few options: run cluster management tools, such as Docker Swarm or Kubernetes, or use container services from providers, such as Amazon, Google and Microsoft, that offer container management services in addition to VM instances. Amazon EC2 Container Service (ECS) enables customers to run containerized applications in an AWS-managed cluster of EC2 instances. By running ECS containers, IT teams can take the guesswork out of installing and managing cluster management infrastructure.

Like other AWS products, customers use API calls to create clusters, launch Docker containers and monitor the state of the cluster. The service is built on EC2 instances, so developers and application administrators can take advantage of other AWS features, such as AWS Identity and Access Management, Elastic Block Store, security groups and Elastic Load Balancing. AWS does not impose a separate charge for using AWS container services; customers are billed for the underlying compute, storage and other metered services the container applications use.
ECS containers are well-suited to applications that may not require the full resources of an EC2 instance. Microservices, for example, are good candidates to use in conjunction with ECS containers. IT teams can run any application without time limits on when an operation completes, and they can deploy applications developed on any platform or in any language. The service manages availability and scalability, so IT teams can adjust the number of ECS containers running at any time, according to demand.

ECS containers are configured using an abstraction called tasks. Tasks specify a Docker image, the processor and memory resources, data volumes, port mappings, links to additional containers and other parameters. Tasks enable developers to divide services down to the microservices level while still coordinating a number of services to complete a processing operation.

Diving into Google's container engine

Google Cloud Platform also offers a container service for Docker called Google Container Engine (GKE). GKE uses Kubernetes as a cluster management platform. Kubernetes is an open source platform, which gives customers the option to run the same cluster management platform on premises and in the cloud. Other vendors, such as Red Hat, VMware, Microsoft and IBM, support Kubernetes integration; OpenStack is also working to support Kubernetes.
GKE allows admins to specify containers and resource parameters. The service then manages the scheduling of those jobs. A welcome feature of GKE is the ability to specify containers in a declarative format (JSON or YAML).

GKE includes a private Docker registry, giving IT teams the option to use public repositories, such as Docker Hub, as well as their choice of an image repository. Administrators can easily integrate Google's logging service with deployed containers. And the ability to reserve a range of IP addresses means clusters can be integrated over virtual private networks with private, on-premises networks.

Unlike AWS, Google charges for its container service, depending on the size of the cluster. Container management is free for up to five nodes in a cluster. A cluster of six or more nodes is billed at $0.15 per hour per cluster.

A peek at Azure Container Service

Microsoft is currently offering Azure Container Service in preview mode. Microsoft Azure allows IT teams to choose between Docker Swarm and Apache Mesos for cluster management. Apache Mesos abstracts features of OSes and applies them across clusters.

With Mesos, applications use resources that are running across clusters or across data centers. Customers can also use Marathon for service orchestration on Mesos. Chronos is a distributed job scheduler that is used with Mesos; it is often described as a cron job scheduler for clusters.
Mesos is known to scale to the order of 10,000 nodes and uses ZooKeeper -- part of the Hadoop ecosystem -- to ensure fault tolerance.

Like AWS, Microsoft does not charge for container services. Customers are billed only for the metered resources used within the cluster.
Evaluating Azure Container Service vs. Google and AWS

David Linthicum, Cloud analyst

As more organizations use container technology to deploy cloud applications, it seems containers and cloud will become joined at the hip. So it's no surprise that the three big cloud providers -- Amazon Web Services, Microsoft Azure and Google -- have their own container services on the market. However, these services are not created equal.

For the purposes of this article, Cloud Technology Partners, a cloud consulting firm based in Boston, performed an internal review of the Amazon Web Services (AWS), Google and Azure container services, polling consultants around the technology and examining use cases. The firm looked at several features that are important when evaluating or using cloud-based container services, including data management, scalability, performance, security, DevOps and integration with management and operations (results shown in Table 1). The uses cover development and operations -- in short, what you should experience if you build and deploy applications using each of these three technologies.

For the 1-5 scale, 1 is the lowest score and 5 is the highest. A designation of 1 means the technology does not provide support for the category at all, whereas 5 conveys that the technology meets most of the feature and function requirements for that category. One of the requirements we looked at for the DevOps category is the ability for the container subsystem to support DevOps operations, or provide an integrated repository.
For enterprises evaluating Google, AWS or Azure container services, this article provides some of the basics. Individual application requirements should ultimately drive your final product decision.

Integration and data considerations

Azure Container Service (ACS) is based on Apache Mesos, an open source container orchestration system. That means you can make some good assumptions about the features and functions of ACS, considering the features and functions of Mesos, which pre-dates ACS. ACS, which is not generally available yet, is the newest of the three container services previously mentioned. Much will change as we obtain more data points around the Microsoft container offering going forward.

With the AWS EC2 Container Service (ECS), we're seeing a number of operational issues, such as the inability to monitor containers at a fine-grained level. When looking at ECS integration with management and ops, which should be as strong as any AWS offering, we had to knock it down to 4 points, relative to Google Container Engine (GKE)'s 5 points. ECS does, however, include CloudWatch integration, which could give it a leg up compared to ACS. Also, at this time, ACS supports Linux containers only. While Windows support is coming soon, as Microsoft ports Mesos over, .NET developers are left behind the curve for now.

On the data side of things, all of these services offer native data connections, without forcing the use of external APIs -- but there's room for improvement. One concern is that they will bind containers to native data services and not provide open data access, which would enhance portability. It's difficult to create portable containers if the data is tightly coupled to the containers. This is an emerging area that we're keeping an eye on for now.
AWS, Google and Azure container security

When considering security, we found Google's service, through its Kubernetes container orchestration system, has a "Secrets" functionality and some additional resource limitations that the other two services lack. As a result, GKE was given a higher ranking for security. Keep in mind that Microsoft also uses Kubernetes, but does so in different ways. Much of the technology itself is abstracted from the users.

However, when looking at the host platform -- or the public cloud platform where the container service resides -- it's interesting to note that the Google platform, when it comes to security, is less advanced in some ways than AWS or Azure. While Google can work with third-party identity and access management (IAM) tools, it lacks native IAM support. Although this did not impact the rankings indicated in the table, it's something to consider as you move forward with any of these platforms.

DevOps and scalability

When it comes to DevOps, GKE and Amazon ECS have their own registries now, but Azure Container Service does not. Google and AWS provide better DevOps integration, when considering container services in their respective clouds.

Scalability is relative to the needs of your applications, so we made assumptions based upon the mechanisms they provide, such as Mesos, and some use cases that we see on projects. You can use the same approach when you look to these technologies to host and execute your containers. For instance, ACS, which uses Mesos, should provide fair scalability, but not as good as GKE, which provides better clustering capabilities.

Amazon ECS is known to provide quality scalability, driven largely by the highly scalable platform features that AWS brings to its container engine.

In summary, the Google offering is more advanced overall due largely to Google's tight integration with its own Kubernetes container cluster, and Google's development and operational support. However, Google is not so far ahead that AWS and Microsoft can't quickly catch up. Considering the hold that AWS has on the market, it will likely provide some better container tricks in the near future.

Note: Cloud Technology Partners' principal architects Mike Kavis, Sibu Kutty and Jonathan Baier contributed to this article.
Get started with systemd Linux containers in five minutes

Sander van Vugt, Independent Trainer and Consultant

Systemd Linux containers offer great new possibilities and flexibility for specific workloads. Different solutions do exist, but none are as readily available or as fast to deploy as systemd containers, created with systemd-nspawn. If you've got five minutes, this article shows how to get started.

The best environment to get started with systemd-nspawn is a test system that runs CentOS 7.1 or later. Make sure that you're using a recent enough distribution to ensure optimal working of systemd-nspawn.

Create a directory for systemd-nspawn

To start with, you'll need a directory that systemd-nspawn can use for the container system root. In this example, I'll use the /var/lib/container directory for this purpose. Type mkdir /var/lib/container to create this directory.

Before moving on, it's a good idea to switch off SELinux on the test host, or at least set it to permissive mode with setenforce Permissive, before you continue. It will be easier to change the password from within the systemd environment, and this article is about systemd-nspawn, not about SELinux. Do this only on a lab system: permissive mode removes one layer of separation between the container and the host, so run setenforce Enforcing again when you're done.
Next, you'll need to install a minimal operating system in this root directory. The command yum -y --releasever=7Server --installroot=/var/lib/container/centos7 install systemd passwd yum redhat-release vim-minimal will do this for you. This command ensures that the required packages are copied to the container root you've specified. Notice that the number of packages installed here really is a minimum to get a proof-of-concept up and running. After the install part of the yum command, you can add any additional packages that you might need.

After installing the required packages to this directory, you can start the container. At first try, it's a good idea to use just the command systemd-nspawn -D /var/lib/container/centos7 -b. This will boot the container and present you with a login prompt asking for a root password. The problem is that you haven't set a root password yet.

Get out of chroot jail

That is because the booted container reads its own /etc/shadow, and root has no password there. The container root is a chroot-like environment: from inside it, there's no way to use the password of the root user on the container host operating system. So, the only thing that you can do now is open another shell on the host and terminate the systemd-nspawn process.

To get yourself into a complete environment where you can actually log in, you'll need to run the passwd command through systemd-nspawn, without booting the container. While you're at it, it's a good idea to disable some unnecessary services in the same way. Note that each command must be its own systemd-nspawn invocation; joining them with a semicolon on one line would run systemctl on the host rather than in the container. The complete commands to do all of this are as follows:
systemd-nspawn -D /var/lib/container/centos7 passwd;


In this e-guide systemctl disable kdump postfix firewalld tuned

You can now set the root password in the chroot environment. After doing
Introduction so, you'll get back to the prompt on your host operating system. From there,
you can now use the systemd nspawn -D
Container Choices /var/lib/container/centos7 -b command.

Within a second you'll see a running container, which you can start using immediately. You can use the systemd-analyze command to find out how long it took the container to boot. From this container environment, you can now start offering any services you want. To shut down the container, you can treat it like any other virtual machine. Just use the "shutdown" or "poweroff" commands to shut it down.

In this article you've read how to use systemd-nspawn to create a Linux systemd container. To do this, you don't need anything complicated: everything required is installed by default on modern systemd-based Linux distributions. Being so simple, systemd-nspawn has everything it needs to become a serious player in the market of Linux container solutions.
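The walkthrough above, gathered into one script, as an added example that is not part of the original article. It assumes a CentOS 7 host with yum and systemd-nspawn installed and container roots kept under /var/lib/container; the function names and the validate_root check are mine, not the article's. Run without arguments it only defines the functions, so the generated commands can be inspected before anything privileged is executed; pass --run as root to carry out the three steps.

```sh
#!/bin/sh
# Added example (not from the original article): the systemd-nspawn walkthrough
# as one script, with the checks you want before running privileged commands
# against a container root. Assumptions (mine): a CentOS 7 host with yum and
# systemd-nspawn installed, and container roots kept under /var/lib/container.

CONTAINER_ROOT="${CONTAINER_ROOT:-/var/lib/container/centos7}"
RELEASEVER="${RELEASEVER:-7Server}"
# The minimal package set from the article; append anything else you need.
BASE_PACKAGES="systemd passwd yum redhat-release vim-minimal"
# Services the article disables inside the container before its first boot.
DISABLED_SERVICES="kdump postfix firewalld tuned"

# Refuse roots that would make yum or systemd-nspawn act on the host itself:
# relative paths, "/", paths containing ".." or whitespace, or anything
# outside the directory reserved for container roots.
validate_root() {
    case "$1" in
        *..*|*[[:space:]]*) return 1 ;;
        /var/lib/container/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: populate the container root with a minimal CentOS 7 installation.
install_cmd() {
    printf 'yum -y --releasever=%s --installroot=%s install %s' \
        "$RELEASEVER" "$1" "$BASE_PACKAGES"
}

# Step 2: set root's password and disable unneeded services, both *inside*
# the container. The sh -c wrapper keeps the host shell from splitting the
# line at ';' and running systemctl disable against the host.
prepare_cmd() {
    printf "systemd-nspawn -D %s sh -c 'passwd; systemctl disable %s'" \
        "$1" "$DISABLED_SERVICES"
}

# Step 3: boot the container (shut it down from inside with poweroff).
boot_cmd() {
    printf 'systemd-nspawn -D %s -b' "$1"
}

# Run the three steps in order, echoing each command first. Needs root.
run_all() {
    root="$1"
    validate_root "$root" || { echo "refusing to use container root: $root" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 3; }
    for tool in yum systemd-nspawn; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 4; }
    done
    mkdir -p "$root" || return 5
    for step in install_cmd prepare_cmd boot_cmd; do
        cmd=$("$step" "$root")
        echo "+ $cmd"
        eval "$cmd" || return $?
    done
}

# Only act when explicitly asked; plain execution or sourcing just defines
# the functions so the generated commands can be reviewed first.
if [ "${1:-}" = "--run" ]; then
    run_all "$CONTAINER_ROOT"
fi
```

The command builders are kept separate from run_all so that the exact yum and systemd-nspawn invocations can be read or compared before they touch the system; validate_root exists because a typo in the -D path is the difference between preparing a container and running passwd or systemctl disable on the host.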


Virtual container management

Managing virtual containers requires automation and orchestration, especially as we look to make applications scalable. Google, Amazon and Docker offer tools and are tying management features together. Meanwhile, Microsoft shops are getting creative as they wait for Azure containers.

Bug fixes polish Docker container management
Beth Pariseau, Senior News Writer

Just as into every life some rain must fall, into every software some bugs
must creep -- and Docker is no exception.

Docker container management received some incremental, but important, improvements this month, with fixes to security and domain name system (DNS) bugs. The updates underscore why security in depth is critical in container environments.

Docker responded in mid-January 2017 to a security vulnerability in runC, called CVE-2016-9962, which was reported earlier in the month. The vulnerability could have allowed for privilege escalation from containers to hosts, as well as potentially help a hacker access the wider corporate network. Docker rated the bug as minor and patched it with Docker 1.12.6.

Docker container management adherents said they weren't affected by the bug, but it's a good reminder of the necessity of defense in depth as container technology matures.

"For us, other security systems not based in Docker were available to help negate any ill effect here," said Alex Witherspoon, vice president of platform engineering at FlightStats Inc., a Portland, Ore., company that provides real-time aviation data services.

For many, defense in depth starts with things as simple as a firewall to prevent unauthorized control over a Docker container in the first place, Witherspoon said.

"We also use New Relic and APM [application performance monitoring] as a way to detect bad behavior in the environment, so we can automatically block or deny a bad actor," he added.

In order to exploit CVE-2016-9962 in an attack, one must first compromise the code and the means by which the code is placed within the container, said Edward Haletky, CEO and principal analyst at TVP Strategy, based in Austin, Texas.

Containers, therefore, require code evaluation before they are put into an environment, and code security testing to ensure the possibility of this attack is not allowed, Haletky said.

"Just patching or using SELinux is not enough of an answer," Haletky said. "We need control and security testing of every aspect of container deployment."

As the technology evolves, to track and deploy Docker containers and the Docker daemon itself, FlightStats has had to get comfortable with numerous deployments to keep up to date.

"Docker is still very young and changing rapidly," Witherspoon said.

Docker 1.13 incremental, but important

Speaking of updates, Docker 1.13, released by the company last week, introduces a number of subtle, but essential, updates for Docker container management.

One update that will make frequent upgrades easier to deal with is backward compatibility for the command-line interface (CLI), according to a Docker blog.

"We stick with newer versions, but this will probably be very helpful for
admins who are not constantly updating Docker," said Chris Riley, director of
solutions architecture at cPrime, an Agile software development consulting
firm in San Francisco.

The CLI also has been cleaned up with simplified commands and
restructured, which will also greatly contribute to better ease of use for
containers, Riley said.

"I have had a lot of clients complain about disk usage when using Docker, and [some of the new] commands are meant to help this issue and will be helpful," Riley said. "This is a nice refactor as they expand their API, and [it] helps keep things organized and focused."

Upgrades that simplify how Docker container logs are accessed will improve container monitoring, and Riley said he's excited to see Docker for Amazon Web Services (AWS) and for Microsoft Azure come out of beta with this release.

"The fact that [Docker is] targeting the ops side and the two largest cloud providers is smart," Riley said. "We have been waiting for this to compete with Kubernetes on AWS and Amazon ECS [EC2 Container Service]."

Another update to Docker 1.13 that wasn't mentioned in the company's blog post is a bug fix for an irksome DNS issue in previous versions, according to Witherspoon.

"Some containers would rarely, but very painfully, fail to resolve certain DNS
lookups for no apparent reason," he said. "It seems better now -- time and
testing will tell."

Docker declined to comment on whether CVE-2016-9962 is fully resolved, how it resolved the DNS lookups bugs, or whether there are any significant changes or new features in the generally available versions of Docker for AWS and Azure.

Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.

Docker management gaps smoothed over with new tool
Beth Pariseau, Senior News Writer

IT operations pros faced with container management have a new tool to evaluate this week.

Docker Inc. looks to catch IT operations up with developers with a new product, called Docker Datacenter, which stitches together various Docker management utilities to ease container deployment in production.

Docker Datacenter brings together five previously separate products under one Docker management interface: the Universal Control Plane for management; Content Trust for security; Swarm for orchestration; Engine for container runtime; and Trusted Registry. The goal is to bridge the gaps where Docker is used to port apps between dev, test, quality assurance and production environments, and traditional IT operations, where container management isn't yet straightforward.

"We're looking at microservices, and we've stood up Docker with Mono in our testing environment in the last year," said Jeff Lockwood, director of infrastructure and operations for HealthStream Inc., a healthcare assessment and education company based in Nashville, Tenn.

The company tests Docker with Mono because it's a Microsoft .NET shop for software development, and Mono is a workaround that allows .NET code to be used in a Linux environment.

The concept of containers as a service makes sense, according to Lockwood. "You don't want to have to build that capability," he said.

However, that doesn't mean enterprises are ready to put Docker into production.

"I wouldn't rush into it," Lockwood said. "I am not as concerned on the technology's maturity -- although that is a concern -- as much as the skill sets in the market available to deploy and support it."

Lockwood said he's also waiting for Microsoft's next version of .NET, which will natively support Docker, and is currently in preview.

Even when it is released, however, Lockwood isn't keen on being a guinea pig to do .NET on Docker at scale.

"We openly deploy things in the lab for testing, but I don't feel comfortable
putting it out in production, because it doesn't have the footprint yet," he
said.

A 'one-stop shop' for Docker management

Consultants to large enterprises said, for those on the bleeding edge, Docker can be a "one-stop shop" for containers, as well as their management.

"Companies that are moving forward building loosely coupled microservices-type architectures, they're going to be all over this stuff," said Mike Kavis, vice president and principal architect for Cloud Technology Partners Inc., a cloud consultancy based in Boston.

A vast ecosystem of startups has sprung up since Docker debuted three years ago to fill operational gaps in the deployment of containers. Public cloud providers, such as Amazon Web Services and Google Cloud Platform, also have tried to make hay with services that abstract away many aspects of container management.

But with Docker Datacenter, the container registry lives on premises, and
Docker orchestration is controlled from there, which fits the hybrid cloud
deployment pattern of more large enterprises than pure public clouds or
even private platform as a service, Kavis explained.

"Every vendor I've talked to in this space, they all started in public cloud and
they've all ... had to come up with an on-premises solution, because that's
just where everyone is today," he said.

There are still ways Docker Datacenter needs to develop this base product, such as adding native live database migration capabilities -- though customers can plug in software from partners to accomplish this -- finer-grained role-based access controls and compliance best practices baked in, according to IT pros.

People will need some time to evaluate what Docker has put out and whether it meets their needs, said Fintan Ryan, an analyst with RedMonk, based in Seattle.

"There are quite a lot of people [who] are doing a combination of taking some sets of tools and rolling their own solution -- from a technical point of view, people are quite comfortable doing that," Ryan said. "But from an enterprise and CIO point of view, they'd prefer to have something that they can have clarity and control over."

The Docker product will probably meet the needs of most IT pros, so they
could be less likely to turn to third parties for such tools -- unless they have
specific needs, such as live database migration with ClusterHQ, that are
better addressed by startups that have popped up to fill various Docker
management niches, Ryan said.

Beth Pariseau is senior news writer for SearchAWS. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.

Managing containers requires right mix of tools, IT skills
David Linthicum, Cloud analyst

Those who build and migrate applications using containers, such as Docker, quickly realize the need for container management tools. These tools help users manage container operations and scale, as well as monitor container performance and security.

And while managing containers can require a lot of work, one of the first steps is to choose a management tool. There are two types of management tools for container-enabled applications: container cluster managers and container operations managers.

Container cluster managers

Container cluster managers, such as Docker Swarm, CoreOS Tectonic and Google Kubernetes, form a shared computing environment made up of servers, or nodes, where resources are combined to support workloads and processes running within the cluster. Users combine processes within the cluster to create a task, and then order those tasks to meet a specific business or IT need. This also involves combining tasks to create a job.

To pull this off, users need to manage the cluster, or clusters, using a cluster management framework, which typically includes a resource manager to track resources such as memory, CPU and storage. When an executing task needs a resource, it must go through the resource manager to obtain those resources. Users also have access to resources, which means they can manage the cluster's performance, response time and other components. This allows the cluster to scale, either virtually or physically.

Other components of a container cluster manager include a task manager, which is responsible for task execution and state management. Cluster managers also contain schedulers to manage dependencies between the tasks that make up jobs, and to assign tasks to nodes. The scheduler is a core component of the cluster manager; without it, the manager would not be able to start or stop jobs and tasks.

Container operations managers

For IT pros managing containers, tools known as operations managers perform tasks such as starting and stopping container-based applications, monitoring, managing resources, logging and taking automated action based on predefined policies.

Tutum, which Docker acquired in October, is a container management tool that has built-in logging capabilities, allowing users to access their containers' output logs and aggregate them for easy viewing. Tutum also provides monitoring capabilities to help users check on container status, an updater to make sure they have the latest versions of Tutum and Docker features, an API and a dashboard.

Best practices for managing containers

Besides picking the right tools, here are some general tips for managing containers:

Understand your core container usage patterns. Some container-based applications are complex and require a good deal of monitoring and management. Others are simpler, and may not need to be scaled or monitored. Container management tools can be costly to run and maintain, so only implement them when you need them; the number and type of containers you have will drive your requirements.

Don't get too focused on the tools. Many organizations managing containers focus too much on the available tools, and not the capabilities they really need. Chances are, you'll have a mix of container management tools that will change over time.

Practice continuous correction. Always keep an eye on your containers, management tools and processes. Continuously ask how you can do things better, or more efficiently use the technology. Correct or update processes and tools as needed.

Configuration management tools seek foothold in containers
Beth Pariseau, Senior News Writer

If you deploy containers, you may be less likely to deploy configuration management tools alongside them.

With the popularization of containers comes a new debate about the role of configuration management tools in environments with highly automated container clusters. Early adopters of container cluster automation, such as Google's Kubernetes or Apache Mesos, said those tools can supplant the likes of Puppet, Chef, Ansible and SaltStack, which are widely used to automate data center configuration management.

Users can very easily circumvent Puppet, Chef and similar competitive
products when container cluster management is offered as a cloud service,
such as Google's Container Engine, which is based on Kubernetes,
according to IT pros who have used the product.

"When you move to container orchestration, the need for automation tools
becomes somewhat different, and tools like Puppet, Chef and Ansible have a
little bit less applicability," said Mark Betz, a software engineer with 20 years'
experience in the industry. Betz recently worked for a startup called icitizen
in Nashville, Tenn., where he used Google Container Engine.

Kubernetes can spin up a fully configured server cluster using relatively few API calls. Docker itself is responsible for the state of the file system each time a container is deployed. Betz's company was able to achieve a completely automated build process on Google Cloud Platform. When a developer pushed a change to a branch, CircleCI would pick up that change, rebuild the containers, push the images to Google Cloud Registry, contact Google Cloud and tell it to restart the services to pull the new container images down onto the infrastructure.

"We just essentially worked with makefiles and we didn't find ourselves having to use [configuration management] tools," Betz said.

Some on-premises adopters of containers also said they have forgone configuration management tools in favor of container cluster automation tools.

Mesosphere's Datacenter Operating System (DCOS) was a "cleaner" option for deployment of containers at massive scale than Chef, according to Stephen Voorhees, director of engineering for cloud platforms at Autodesk Inc., a maker of 3D design software based in San Rafael, Calif.

"One of the key reasons we chose DCOS is that everything is getting more
and more complicated in terms of how you deploy and how infrastructure
works," Voorhees said. "At the same time, it's really important to build the
tooling and the capabilities around the infrastructure to make it really easy
for developers and teams to move fast."

Even when it's not the big automation suites such as Kubernetes or DCOS in
play, container management tools have gained momentum at some other
companies as well.

"Cloud 66 lets us remove virtual machines from the load balancer and spin up a new Docker container, start the Docker container and add it back into the stack, and that would typically be done in Chef or something like that," said Scott Hasbrouck, CTO and co-founder of Convoy Inc., a consumer tech support service company based in San Francisco.

Cloud 66 Ltd., based in San Francisco, provides cluster automation for Docker environments meant to automate app deployment.

Very rarely do software engineers have to muck around with configuration of the underlying infrastructure with Cloud 66 in place, Hasbrouck said.

Not so fast

This shift in the market isn't lost on configuration management tool company Red Hat.

There is still room for configuration management to make sure application images within containers are consistent, but in container orchestration tools, "there's a composing aspect that ... does a better job than we have seen in these prior frameworks," according to Lars Herrmann, general manager of the integrated solutions business unit at Red Hat.

Red Hat owns Ansible and has also integrated Kubernetes into its OpenShift
platform as a service product.

Traditional, infrastructure-based automation approaches to configuration management will diminish over time, according to a Chef product manager. Value, he said, is moving into the application space, but as long as applications exist, there will be configurations to manage, and containers do not obviate this.

But while Red Hat and Chef see change afoot in how apps are managed, Puppet's CEO Luke Kanies said he strongly disagrees with this viewpoint when it comes to the applicability of configuration management tools in container environments.

"It's a lot like server virtualization -- in some ways, virtualization makes configuration less necessary," Kanies said.

But while virtualization made each individual machine less necessary and eliminated many of the difficult problems involving managing physical machines, it also increased the number of machines under management about tenfold, Kanies said. Meanwhile, Docker is going to make everybody's infrastructure at least another 10 times bigger. Some people argue IT will have as much as 100 times as many containers as it has VMs to manage -- and potentially even more.

"So, every application you have just got more complex, more critical, more
confusing and more complicated," Kanies said. "You need way more
management, not way less management."

In container automation environments, particularly on premises, Kanies argued users will still need Puppet to automate the setup of the Kubernetes environment and the underlying infrastructure layer, as well as to trigger Kubernetes' container builds.

Some bleeding-edge container users side with this viewpoint as well.

"Nothing is as easy as it seems, and even though you get a lot of bang for your buck with containers, there still is a need to do automation tasks, and you do want something to manage all that automation," said Noah Gift, CTO of Sqor Inc., a sports social network startup based in San Francisco. The company will soon deploy SaltStack for this purpose, Gift said.

Leaving configuration management behind when implementing container management would be a return "to the Dark Ages of terrible custom-written bash scripts to configure your systems on an ad hoc basis," said David Danzilio, Puppet evangelist at Constant Contact Inc., an email marketing company in Waltham, Mass.

If anything, the move to containerization will probably make configuration tools more relevant, not less, Danzilio said.

"Your containers have to get built somehow," he said. "That's sort of where
configuration management tools can save us, by having a robust build-time
language."

Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.

Microsoft shops prefer a DIY approach to Azure containers
Beth Pariseau, Senior News Writer

Windows shops assessing Microsoft's emerging container products are sticking with the axiom that if you want something done right, you should do it yourself.

Microsoft shops that have kicked the tires on the company's container products so far favor running Windows Server 2016 containers on internal or self-managed cloud infrastructure, as opposed to using a more abstracted offering, such as the Azure Container Service -- even though Azure containers are generally available and Windows Server Containers are still months away.

"We want a solution which will work for different kinds of platforms, not just
Linux-based systems," said Bala Subra, a .NET architect for a large
publishing company in the Northeast, who has done proof-of-concept
testing on Windows Server Containers, which are due out with Windows
Server 2016 in the fall.

While the company uses Linux containers already, they're not in production
yet, and Subra said he's content to wait until Windows Server 2016 becomes
generally available to deploy Windows containers.

This is largely because Microsoft shops want a native product developed and supported by Microsoft, which isn't unusual in the Microsoft customer base. But it's also because some shops want to tinker with running Windows Server Containers on bare metal on internal infrastructures before committing to virtual machines in the public cloud.

"To get a monetary advantage to moving over to containers, we'd have to look at restructuring our server infrastructure," said Marc Priolo, configuration manager for Urban Science, a Detroit-based data analysis company specializing in the automotive industry. "When you're doing containers, virtualized OSes are a lot of overhead that containers can get rid of."

While VMs can consistently run dozens of containers, bare-metal servers can pack in hundreds, if not thousands, of containers, and bare metal is where web-scale companies are going, said Jay Lyman, an analyst with 451 Research.

"The difference in the number of containers you can host on a VM versus a physical server is pretty dramatic," he said. "I'm watching to see when the needle starts moving on that trend."

Azure Container Service available now, but still incomplete

In the cloud, the Azure Container Service (ACS), built on Hyper-V Containers, became available April 19, currently offering adopters an array of choices for cluster management and orchestration.

But choice here is a two-edged sword, as it also means users still need to bring their own integrations for continuous integration and delivery tools, as well as logging and monitoring. Azure containers don't have a native Docker registry, and Microsoft has no opinion on Docker's version of the registry, according to Boris Scholl, principal product manager for Azure Compute, who presented at a recent Meetup put on by the Boston Azure Cloud User Group.

"We would absolutely run Docker ourselves, leveraging what's going to be built into [Windows] Server 2016, if we were going to do it," said Chris Riley, DevOps analyst for Fixate IO, based in Livermore, Calif., as well as a TechTarget contributor and an Azure Web Sites customer who is considering a move to containers. "ACS doesn't really remove enough complexity to deal with tying that in with our existing application -- it would be much easier for us to deploy to containers running in Windows Server 2016."

Partners polish their Windows container wares

Microsoft is fleshing out multiple tools to ride the wave of Docker hype, but no moss is growing on its partners as all grasp for the Windows container brass ring.

For example, a company called ContainerX, with leadership composed of VMware alumni, came out of stealth this week with support for Windows Server 2016 containers, infrastructure pooling and multi-tenancy features that it hopes will set it apart from the Windows container pack.

Companies like WinDocks, which makes a container-based virtualization platform for SQL Server, and DH2i both have beaten Microsoft to the Windows Server container punch.

Ding, a Dublin, Ireland-based mobile airtime payment company, is evaluating WinDocks' product for use in its software development pipelines to test code against replica SQL Server instances running in containers.

"Creating a test [and] dev SQL Server can be quite a lengthy process, otherwise," said Andrew Pruski, Ding's database administrator. "It can take anywhere from 10 minutes to two hours, depending on the size of the VM."

Tests of WinDocks have spun up SQL Server replicas in as little as 90 seconds, Pruski said.

Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.

IT automation tools tame microservices 'nightmare'
Beth Pariseau, Senior News Writer

Supporting cutting-edge applications means working smarter, not harder.

The complexity of modern app development patterns goes well beyond even the management of containers. These are stitched together to form microservices, which, in turn, are combined into highly complex modern application architectures.

This complexity means the infrastructure must be managed programmatically and automatically through emerging IT automation tools. No human can keep up with provisioning and managing thousands of containers, their various dependencies and their composition into microservices by hand.

Breaking down a monolithic application into smaller constituent parts results in lots of little applications deployed throughout an IT infrastructure, which creates "a management nightmare," said Juan Garcia, CTO of nextSource Inc., a staffing management firm based in New York.

All these small pieces must communicate with one another over the network,
and securing that communication can be a bear, as well.

Enter a new generation of cluster abstraction tools born to manage containers, but which can automate the underlying server, networking and storage infrastructures according to policies, rather than by individual components.

For Garcia's firm, that tool is Apcera, a next-generation platform as a service offering developed by the architect behind Cloud Foundry. Apcera allows for resources to be tagged, and then for those tags to be managed according to policy, including for security and governance.

"The policy-driven configuration of security was something that we really liked," Garcia said. Apcera has also been "an on-ramp to the cloud," capable of managing and dispersing workloads between a private VMware-based infrastructure and the Amazon Web Services public cloud for nextSource.

Microservices give traditional IT a makeover

The proliferation of containers -- catalyzed by the rise of Docker -- has prompted the change to IT automation, but they're only one part of the cluster-wide abstraction layers that have emerged from academia into the data center.

Longtime industry watchers compare the arrival of container orchestration and microservices to previous seismic shifts in the data center landscape, such as operating system-level server virtualization and cloud computing.

"One of the amazing things that we're seeing is how sophisticated and almost academic computer science ideas are now being integrated into the enterprise," said Heroku CEO/COO Adam Gross, now a senior vice president with Salesforce, which acquired Heroku in 2010. "The primitives that we're building off of are becoming much more powerful through containers."

Containers force application developers to build their applications in a way that's not as rigid or long-running as individual container services -- hence, the transition to microservices and other architectural principles, according to Nirmal Mehta, senior lead technologist for the strategic innovation group at Booz Allen Hamilton Inc., a consulting firm in McLean, Va., who works with government organizations to establish a DevOps culture.

"It's also forcing operators to understand that you're not going to log into a system and have a three-tiered app and let it be -- you're going to have to manage it in a more fluid way," he said.

Microservices orchestration easier said than done

There is complexity that comes with setting up such cluster-wide abstractions, and it's still early days for platforms such as Kubernetes, which is developing its APIs and features, like multiregion deployment or rolling software upgrades.

"Schedulers require a different approach to how [IT] ops maintains and keeps the infrastructure reliable," said Mitchell Hashimoto, founder of HashiCorp in San Francisco, which makes the Nomad infrastructure orchestration platform. "Developing a scheduler-based infrastructure makes things easier, but doing that development is not an incremental step for most enterprise companies."

Still, those on the journey to implement new IT automation paradigms expect new peace of mind when these architectures ultimately arrive.

Kubernetes container orchestration has been somewhat challenging to achieve, as the software goes through growing pains evolving beyond version 1.0, according to Dietmar Fauser, vice president of architecture, quality and governance for Amadeus IT Group SA, a travel technology company headquartered in Madrid, Spain.

But once implemented, the simplicity of global configuration and software upgrades will be second to none.

Under Kubernetes, each object in the global distributed infrastructure carries tags, which are key-value pairs. A user can have a query language that says, 'I want to shut down all of those tags associated with a given release number,' and manage the infrastructure that way, according to Fauser.

"It makes software upgrades extremely elegant and automated," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and
Virtualization Media Group. Write to her at bpariseau@techtarget.com or
follow @PariseauTT on Twitter.

Readers sound off on Docker containment strategies
Modern Infrastructure Staff

Docker had a big year in 2015, and from the looks of it, 2016 is only going to be bigger. IT pros around the world are excited about the possibilities, but also issued a warning for those nagging sparse files. Here's a look at what the Twitterverse has to say.

Ok ... let's try to build something with Docker for our new dev server #Docker

- Tom Riat (@riattom) December 28, 2015

With #docker you can run #CLUSTERS of #VPC's as honeypots, imagine the
#infosec possibilities :) @illusivenw

- mike grimshaw (@mikegrimshaw2) December 27, 2015

Note to self: If you want to install #docker (the container runtime) on a debian based system then docker.io is the right package not docker

- Petros Gasteratos (@ptrgast) December 27, 2015

Being able to launch a new site with #docker #nginx #cloudflare and #azure in a few minutes feels good

- Derek Bekoe (@derekbekoe) December 27, 2015

Docker pro tip: beware of sparse files when doing a `docker commit`.
#Docker #linux

- Brandon Williams (@williamsbdev) December 26, 2015

A process manager in a #docker container means you're prob thinking of it as a VM still. Break it up & create smaller containers per role

- Mike Metral (@mikemetral) December 26, 2015

Universal Control Plane looks too cool and easy to setup. Docker swarm integration is just awesome!! #docker #docker-machine

- Ajeet Singh Raina (@ajeetsraina) December 26, 2015

Virtual container security

Container security levels vary, depending on the type of virtual container and how the IT team implements containerization. Some experts say that Docker is less secure than CoreOS, while others tout its security options.

When working with container technology, proceed with caution
Bob Plankers, Contributor

Have you heard the news? Container technology is here and will be the savior of IT! If you aren't familiar with containers, they encapsulate applications in a way that hides operating systems and other pesky infrastructure layers. Application developers can check out a container image, install their application, and then deploy it repeatedly. With these techniques, developers can build, ship, and run any app, anywhere, according to Docker, arguably the largest container software vendor.

I'm being sarcastic about containers being our savior, though. I see a lot of
parallels between Docker and Java. Java promised the ability to write an
application once and run it anywhere. That was a bold promise, and Sun
Microsystems (and now Oracle) almost completely failed to deliver on it. We
are forever mired in Java version problems, forward and backward version
incompatibility, platform incompatibilities, performance issues between
platforms, security problems, and so on.

We see some of these same problems with containers. Despite the promise of abstraction from the underlying operating system, there still is an underlying operating system that needs care and feeding. In particular, it needs updates and patching, which developers rarely do. A majority of container images contain serious unremediated security issues, studies show. Furthermore, there are big trust issues in the container technology world. Is it okay that your developers are building applications on container images built by unknown people on the Internet? How do you know that those images are safe, and don't contain back doors or malware?

There are versioning problems, too, just like Java. There is different container software out there, such as Docker, Rocket, LXC, VMware ThinApp, Solaris Zones, etc., and it isn't uncommon for two different development teams to have chosen two different technologies. Each container technology has compatibility issues with underlying infrastructure, too. Developers need version X of their container technology, but the operating systems my organization supports and secures aren't compatible, or require heavy retrofitting, which increases staff time commitments.

On top of this, there are very few management interfaces for containers. Chargeback/showback is unheard of. Security tools are nonexistent. Backup and restore isn't possible in the normal frameworks, either, which is a big problem not only for daily operations but also for disaster recovery and business continuity. Change management is laughed at. Given all the holes in the process, the pessimist in me starts thinking that containers are an elaborate way for developers to shirk the responsibilities of traditional IT, especially around risk management. And while it's clear that developers are eating the free lunch that containers promise, I often wonder who is paying for the meal, because it's a very expensive one.

So what do we do about it? For starters, we start asking all the same hard questions we've always asked. How are these things secured, and how do we prove it? How do we handle an incident with a container? Where is application data stored and how is it protected? Can we standardize all teams around one container platform? Who is building and maintaining "gold master" container images, and if it isn't our organization, how do we know we can trust them? How do our applications get security updates? How do containers mesh with our change management process, and how do we do capacity planning?

Because when all is said and done, there really is no such thing as a free lunch.

Ensure virtualization containers' security in an app world
Clive Longbottom, Co-founder, Service Director

The rapid rise of virtualization containers in the application world cements their growing relevance to production IT managers. Although similar in approach to virtual machines, containers have a few core differences that prompt IT departments to review their security approaches.

Increasingly, IT is being forced to change its ways from implementing constraining full-stack VM models. An organization runs on processes, and these processes need to be flexible. With a VM, if the process changes, then the whole VM has to change.

Whereas VMs typically underpin historical monolithic application models, containers can provide better support for composite applications.

A VM contains absolutely everything required for a working application. This includes the application, its database, analytics, as well as a virtualized version of the hardware, BIOS and every service needed for the application to function. Therefore, each VM is a complete system, and the approach to security is essentially the same as if the VM were a physical system. The downside is that, since it is a complete stack, starting up a VM means that the BIOS has to be started, followed by the OS, followed by all the rest of the software stack. While running it against a virtualized set of resources is fast, it is not instantaneous, unless hot -- preprovisioned and implemented -- VM images are used, which wastes resources. Virtualization containers strip a lot of these issues away.

A container has greater dependencies on the outside world, not from within the container itself. Although it still creates abstraction from the physical level, virtualization containers share most of their resources in a dynamic manner, and a container accesses the majority of its devices via the base platform. Containerization is more of an application approach that presumes that the BIOS and OS are already running, unlike VMs. It creates a loose sandbox environment of the shared resources on which each container then layers the function, service or application.
Virtual container security
In virtualization containers, an application can be broken down into sets of containerized functions that are pulled together practically on the fly, creating a system that supports a process in a far more flexible manner. A composite application can pull together a container that is set up and optimized just to run analytics, a specific database or application logic. Containers are better at managing this service chaining than VMs, since they are designed to work against a shared platform and use shared functions and devices far more effectively than VMs.

More flexibility means more security considerations

Although this use of containers increases overall flexibility, it introduces extra management requirements -- and extra security issues. With a VM, everything is in one place -- the VM can be managed and secured as a single entity; with a composite, container-based application, there are a series of functions that are more loosely strung together that each need management and securing.

If the security of the base platform is compromised, so too is the security of all the containers on it. This can work in both directions. Let's assume that a container image has full super-user privileges. As the container has to talk back to the underlying platform on a continuous basis, an intruder who has accessed the container could, theoretically, break through from the containerized environment to the underlying platform and retain those privileges.

Although this sounds like a pretty bad design flaw, it is the only way that containers can work, and is how they provide the density improvements over VMs that have garnered a great deal of interest. The key for production IT's adoption of containers is to ensure that not only are containers secure within themselves, but also that the approach to creating the containerized environments is secure.

Securing virtualization containers must rank high on the priority list for any
group using them. Where possible, isolate them through the use of their own
namespace. Provide virtualized containers with their own network stack,
avoiding any privileged access across different containers to physical ports.
Use control groups to manage resource allocation and usage -- this
enhances external security, as it helps in managing distributed denial of
service attacks.

Tend to the contents of virtualization containers

Only use enhanced privileges where absolutely necessary with virtualized containers, and drop those privileges back to standard as soon as possible. Never leave privileges set as enhanced, just in case; the slight increase in internal latency required to set and reset enhanced privileges is worth it for the sake of greater overall security on the IT platform.

Try to run services as non-root: If root must be used, be as careful here as you would be in the physical IT infrastructure. The container is not a sandbox -- it has holes all over it. Developers are not coding in an airlocked space; whatever is coded badly in one container can have major security effects on all other containers run on the same physical platform. The vast majority of containers do not need root privileges. Most services that require root privileges should already be running outside of the container as part of the underlying platform. Running with reduced privileges enables the container to deny any mount requests, deny file creation or attribute change activities, prevent module loading and otherwise protect the system.
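
As an added illustration of the checks above (not code from the article or from Docker), the Python script below audits a `docker inspect` record for the points Longbottom raises: a root user, a shared host network stack or namespace, added capabilities that permit mounts or module loading, missing control-group limits, and a mounted daemon socket. The two inspect records in it are constructed by hand to follow the real field names.

```python
"""Audit a `docker inspect` record against the hardening points in the article.

Added example, not Docker's or the author's code. The two records below are
constructed by hand to follow the field layout of `docker inspect` output;
they were not captured from a live host.
"""

# Capabilities whose presence undoes a "drop privileges" posture: between them
# they allow mounting filesystems, loading kernel modules, tracing other
# processes and reconfiguring the host network.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN"}

# A container that can reach the daemon socket has the same freedom as anyone
# with access to the daemon, which the article singles out as the key control.
DAEMON_SOCKET = "/var/run/docker.sock"


def _caps(values):
    """Normalise a CapAdd/CapDrop list: None -> empty set, 'CAP_X' or 'x' -> 'X'."""
    out = set()
    for cap in values or []:
        cap = cap.upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out


def audit_container(inspect_doc):
    """Return a list of (code, message) findings; an empty list means no issue."""
    host = inspect_doc.get("HostConfig") or {}
    config = inspect_doc.get("Config") or {}
    findings = []

    privileged = bool(host.get("Privileged"))
    if privileged:
        findings.append(("privileged", "--privileged grants every capability and host device"))

    # Config.User is "" when the image never set USER, else "user[:group]".
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("root-user", "processes run as root inside the container"))

    if host.get("NetworkMode") == "host":
        findings.append(("host-network", "shares the host network stack instead of its own"))
    for key, ns in (("PidMode", "pid"), ("IpcMode", "ipc")):
        if host.get(key) == "host":
            findings.append((f"host-{ns}", f"shares the host {ns} namespace"))

    for cap in sorted(_caps(host.get("CapAdd")) & RISKY_CAPS):
        findings.append(("cap-add", f"adds capability {cap}"))
    if not privileged and "ALL" not in _caps(host.get("CapDrop")):
        findings.append(("default-caps", "keeps the default capability set; prefer --cap-drop ALL"))

    # Control groups: 0 or null in the inspect output means unlimited.
    if not host.get("Memory"):
        findings.append(("no-memory-limit", "no cgroup memory limit (--memory)"))
    pids = host.get("PidsLimit")
    if not pids or pids < 0:
        findings.append(("no-pids-limit", "no cgroup pids limit (--pids-limit)"))

    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == DAEMON_SOCKET:
            findings.append(("daemon-socket", "mounts the daemon socket; equivalent to root on the host"))

    return findings


# Constructed: a container started the VM-like way the article warns against.
WEAK_INSPECT = {
    "Name": "/legacy-app",
    "Config": {"Image": "example/legacy-app:1.0", "User": ""},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "host",
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "Memory": 0,
        "PidsLimit": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}

# Constructed: the same workload with the article's recommendations applied.
HARDENED_INSPECT = {
    "Name": "/legacy-app-hardened",
    "Config": {"Image": "example/legacy-app:1.0", "User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "app-net",
        "CapAdd": ["NET_BIND_SERVICE"],
        "CapDrop": ["ALL"],
        "Memory": 256 * 1024 * 1024,
        "PidsLimit": 200,
        "Binds": ["/srv/app/static:/usr/share/app/static:ro"],
    },
}

if __name__ == "__main__":
    for doc in (WEAK_INSPECT, HARDENED_INSPECT):
        print(doc["Name"])
        for code, message in audit_container(doc) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```

Each element of real `docker inspect` output has the same shape as the two constructed records, so `audit_container` can be applied to it directly.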

The one major area in the underlying platform to treat differently than conventional virtualization when it comes to security is the core functional part of virtualization containers. With Docker, the Docker daemon runs with full privileges in a physical root environment to create a virtualized container environment. Anyone with access to the daemon has complete freedom to do what they want. Therefore, control access to the daemon through dedicated sys admin controls.

Virtualized container security also means watching how the containers use application programming interfaces (APIs). It only takes small errors in how an API call is made to allow a malicious attack to load a new container or change the contents of an existing one to access the root environment with high privileges. When running containers on enterprise systems, invest in API monitoring and management tools, such as those from Akana, Apigee or CA Technologies.

CoreOS brings different approach to container security
Trevor Jones, News Writer

The container market continues to heat up, as the security-centric rkt reached its first production-ready release last week.

A little over a year after the open source project was first made available, version 1.0 of the rkt container application runtime focuses on security and a stripped-down role in application deployments, marking yet another option for users to deploy Linux containers.

CoreOS is positioning rkt as a much more modular component in the overall application framework than Docker, which has expanded its push beyond just formatting and packaging containers to constructing an entire platform for building and running containerized applications.

Rkt will still work with the Docker image, and other ecosystem partners have
put out add-on features for the 1.0 release around monitoring, networking,
and a container registry for its runtime images and to convert Docker
images to rkt images. Through a partnership with Intel, users also can launch
rkt as a virtual machine for additional security overhead.

CoreOS plans to integrate rkt into Tectonic, its commercial Kubernetes platform. Kubernetes and other orchestration tools also compete with services such as Docker Swarm.

Deis, a division of Engine Yard and an open source platform as a service provider, has Docker containers in production for large enterprises, but it runs into problems after prolonged usage at scale. The Docker team has been supportive in fixing the problems, but as Docker keeps adding surface areas to the Docker client, it gets further away from the simple rock-solid container engine Deis wants, said Gabriel Monroy, CTO at Engine Yard, based in San Francisco.

"We just want something that [does] one thing and does it well," he said.

Deis has done scale testing and prototyping with rkt, and plans to eventually swap out Docker for rkt for runtime, while maintaining the Docker image format, Monroy added.

Project Calico, an open source networking stack sponsored by Metaswitch, supports Docker and rkt, although it sees the latter as better suited to production at scale, said Christopher Liljenstolpe, director of solutions architecture at Metaswitch Networks, based in London. Docker, he explained, has more mechanisms wrapped around it, while rkt requires fewer running components.

"Docker very much wants to provide a fully integrated vertical stack, and that's the way they've built things," he said. "CoreOS [is] much more about modular. You can take what you want and leave the rest."

Containers have been one of the most talked-about technologies in IT since Docker burst onto the scene in 2013 and released its first commercial version a little over a year later. CoreOS garnered attention in late 2015 when it released rkt, while criticizing the security of Docker as a container engine.

CoreOS CEO Alex Polvi has raised concerns about the Docker model that requires a majority of operations to run through the Docker daemon -- a view he maintains with the 1.0 release.

"Without a rewrite of Docker, that will forever be a major area of security
issues," he said. "We built rkt to address an architectural issue that can't be
Virtual container managment addressed with a light patch to Docker."

Rkt follows the Unix philosophy of privilege separation, according to Polvi. Users have the option of eliminating the need to run an API server as root, or talk to the Internet to upload and download images.

On the same day rkt 1.0 was released, Docker 1.1 was made available, with a
heavy focus on container security and more fine-grained access control.

Docker declined to comment specifically on the CoreOS claims. Both companies take security very seriously, despite coming at it from different perspectives, explained Fintan Ryan, an analyst with RedMonk, based in Portland, Maine. Customers will pick the option that best fits their needs, but a fairer comparison -- and more intense competition -- will come with the software that sits on top of containers.

"The market is going to be absolutely huge for all this stuff, so there'll
definitely be a couple different ways to do it," Ryan said.

Docker and CoreOS are fighting for the same IT dollars, but they're also working together alongside some of the biggest tech vendors in the world to establish a standard around container formats and runtimes through the Open Container Initiative.

Analyst firm 451 Research asked 198 senior IT pros who their primary container supplier is, with 64% saying Docker, compared with only 10% for rkt, according to the New York-based company's third quarter of 2015 edition of its Voice of the Enterprise survey on cloud computing.

When new technology as popular as Docker comes along, the door opens for alternatives in the marketplace, said Jay Lyman, research manager at 451. Rkt has helped keep Docker honest in its progression and promoted a greater focus on container security.

"This is the classic open source software competitor disciplining the other
projects," Lyman said. "It helps Docker and helps rkt when there is more
than one viable alternative."

Trevor Jones is a news writer with TechTarget's Data Center and Virtualization media group. Contact him at tjones@techtarget.com.

Securing Docker containers should top IT's to-do list
David Linthicum, Cloud analyst

Container technology, especially Docker, continues to make its way into the enterprise. Just as they would be for any other technology, IT pros are tasked with building a strategy for securing Docker containers.

There are a few Docker security vulnerabilities to note. First, running containers and applications with Docker means running the Docker daemon, which requires root privileges. But, this means you're giving those processes the keys to the kingdom -- and this is just one example of how containers can alarm an IT security professional.

Other concerns include container flexibility, which makes it simple to execute multiple instances of containers. Many of these containers can be at different security patch levels. Moreover, while often compared to virtualization, Docker is not as good at segregation; the containers are largely isolated. IT pros new to containers don't always have a good understanding of container development and production. As a result, those who manage and secure containerized applications need to learn those skills quickly.

Container security models are similar to those of other distributed systems, but the best practices and tools are new. For example, encryption, identity management and role-based security work fine with containers, but there are new tools and systems that play an important role in securing Docker.

Tools and best practices for securing Docker containers

Docker Content Trust (DCT), a new feature from Docker, can help IT pros ensure Docker security. DCT uses a public key infrastructure (PKI) approach, and has two distinct keys: an offline (root) key and a tagging (per-repository) key that are created and stored client-side the first time a publisher pushes an image.

This takes care of the biggest vulnerability, which is using malicious containers. DCT also generates a timestamp key that protects against replay attacks, which means running signed, but expired, content. This solves the problem mentioned above about containers having different security patch levels.
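
The signing-plus-timestamp mechanism described above, as an added example that is not Docker's or Notary's code: a tagging key signs the tag-to-digest map, a short-lived timestamp key vouches that the map is current, and a signed but expired timestamp is refused, which is what stops a replayed, stale image list from being accepted. The keys, digests and times are constructed, and HMAC stands in for the asymmetric signatures DCT actually uses.

```python
"""Freshness check of the kind Docker Content Trust inherits from Notary/TUF.

Added example, not Docker's or Notary's code. A tagging key signs the
tag -> digest map; a separate, short-lived timestamp key signs a statement of
which version of that map is current. Correctly signed but expired metadata is
refused, so replaying an old image list cannot pin clients to a stale build.
Simplification: HMAC-SHA256 stands in for the asymmetric signatures, and the
metadata is reduced to the two documents the article describes.
"""
import hashlib
import hmac
import json

# Constructed keys. In DCT the root key stays offline and the tagging key is
# held client-side by the publisher; the timestamp key lives on the server.
TAGGING_KEY = b"constructed-tagging-key"
TIMESTAMP_KEY = b"constructed-timestamp-key"
TIMESTAMP_TTL = 24 * 3600  # seconds for which a timestamp statement is valid


class TrustError(Exception):
    """Raised when signed metadata must not be trusted."""


def canonical(obj):
    """Stable encoding so publisher and client hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, signed):
    return hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()


def publish_targets(targets, version):
    """Publisher: sign the tag -> digest map with the tagging key."""
    signed = {"version": version, "targets": targets}
    return {"signed": signed, "sig": sign(TAGGING_KEY, signed)}


def publish_timestamp(targets_doc, now, ttl=TIMESTAMP_TTL):
    """Server: vouch that this exact targets document is current until now + ttl."""
    signed = {
        "targets_sha256": hashlib.sha256(canonical(targets_doc["signed"])).hexdigest(),
        "expires": now + ttl,
    }
    return {"signed": signed, "sig": sign(TIMESTAMP_KEY, signed)}


def resolve_tag(tag, targets_doc, timestamp_doc, now, last_seen_version=0):
    """Client: return the digest for `tag`, or raise TrustError."""
    if not hmac.compare_digest(sign(TAGGING_KEY, targets_doc["signed"]), targets_doc["sig"]):
        raise TrustError("targets signature invalid")
    if not hmac.compare_digest(sign(TIMESTAMP_KEY, timestamp_doc["signed"]), timestamp_doc["sig"]):
        raise TrustError("timestamp signature invalid")
    ts = timestamp_doc["signed"]
    if now >= ts["expires"]:
        raise TrustError("timestamp expired: content is stale or replayed")
    if ts["targets_sha256"] != hashlib.sha256(canonical(targets_doc["signed"])).hexdigest():
        raise TrustError("timestamp does not vouch for this targets document")
    if targets_doc["signed"]["version"] < last_seen_version:
        raise TrustError("rollback: targets version older than one already seen")
    if tag not in targets_doc["signed"]["targets"]:
        raise TrustError(f"tag {tag!r} is not signed")
    return targets_doc["signed"]["targets"][tag]


def rejection_reason(*args, **kwargs):
    """The TrustError message for a resolve_tag call, or None if it was accepted."""
    try:
        resolve_tag(*args, **kwargs)
    except TrustError as exc:
        return str(exc)
    return None


# Constructed scenario: an image is published, then replaced by a patched build.
T0 = 1_700_000_000
OLD_DIGEST = "sha256:" + "11" * 32
NEW_DIGEST = "sha256:" + "22" * 32
OLD_TARGETS = publish_targets({"latest": OLD_DIGEST}, version=1)
OLD_TIMESTAMP = publish_timestamp(OLD_TARGETS, T0)
T1 = T0 + 2 * TIMESTAMP_TTL  # two days later; the first timestamp has lapsed
NEW_TARGETS = publish_targets({"latest": NEW_DIGEST}, version=2)
NEW_TIMESTAMP = publish_timestamp(NEW_TARGETS, T1)

if __name__ == "__main__":
    print("pull at T0:", resolve_tag("latest", OLD_TARGETS, OLD_TIMESTAMP, T0 + 60))
    print("pull at T1:", resolve_tag("latest", NEW_TARGETS, NEW_TIMESTAMP, T1 + 60))
    # A replayed copy of the old, validly signed pair is refused once it has lapsed.
    print("replayed old metadata:", rejection_reason("latest", OLD_TARGETS, OLD_TIMESTAMP, T1 + 60))
    print("old targets, new timestamp:", rejection_reason("latest", OLD_TARGETS, NEW_TIMESTAMP, T1 + 60))
```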

To address concerns around container security, many companies, including Docker, have released security benchmarks for Docker. This set of standards offers guidelines for securing Docker containers. The 118-page document includes 84 best practices for deploying Docker containers, along with a checklist that summarizes them all.

So, what if you're charged with securing Docker containers and don't know
where to start? Here are a few suggestions:

Read the Docker security benchmark documentation mentioned above. Focus on how the suggestions and best practices relate to how you've deployed your container-based applications. This is really the best bang for your buck, considering most Docker security issues come from bad design.

Consider your specific security requirements. This will drive your selection of tools and approaches. Many enterprises that move to containers either under- or over-secure their container-based applications.

Test as much as you can. Containers are new, so we need to figure out what works and what doesn't, and the only way to do that is through security-related tests, such as penetration testing.

Container security will likely evolve as virtualization security did. While security was a concern with the first VM deployments, years of good security practices, architectures and tools have proven effective. The same should go for securing Docker containers.

Shore up vulnerabilities to secure ECS, Docker containers
George Lawton, Contributor

The Amazon EC2 Container Service takes advantage of Docker infrastructure to run and manage containers across a cluster of Elastic Compute Cloud instances. Docker and AWS have made strong commitments to improve container security, but new practices must be adopted to secure ECS against weaknesses that leave an enterprise's software infrastructure vulnerable.

Containerized applications are developed and released in a fast-paced software development lifecycle. They are frequently constructed from existing code libraries and deployed through automated processes. Consequently, organizations need to adopt practices that address the novel characteristics of container development, testing and deployment models. Enterprises carefully craft security policies, but they don't always translate to a container-based software development pipeline.

Containers provide a different abstraction than VMs when it comes to managing software building blocks. They have different capabilities and levels of control than traditional applications. Amazon Elastic Compute Cloud (EC2) Container Service, or ECS, operates at a level above containers that is analogous but not identical to a traditional VM hypervisor.

ECS is based on a model of containers, tasks, container instances and clusters. The containers are essentially stored software code blocks that can be provisioned. Tasks enable developers to logically group and perform operations on a collection of containers. Container definitions specify the images and the required CPU, memory and port infrastructure. Task definitions describe individual container definitions and versions, which can be addressed by a name and version for the aggregate.

Container instances are VM instances against which tasks are scheduled. This whole process is managed by ECS agents. A cluster is a collection of container instances that provides the required resources for a collection of containers.

Use VPCs to secure ECS

Docker processes have root access to the file system, which could
compromise other containers running on the same server. One strategy is to
use an Amazon Virtual Private Cloud (VPC), which can isolate computer and
network resources. ECS includes the ability to automate the deployments of
containers into VPCs to isolate them from other containers, protecting
Docker instances from each other.

Another good practice is to set up security groups on machines in a particular cloud to provide further protection against unforeseen security vulnerabilities. Security groups can also restrict inbound and outbound traffic to a group of machines or a single machine based on rules.

Automate access security

It's important to implement a strategy for automating access control to the ECS infrastructure. Amazon simplifies this process through its Identity and Access Management (IAM) service, which makes it easier to set up, manage and update roles to help secure ECS and other services.

Rotating access keys is a best practice because it limits the amount of time that a compromised key can be used by hackers. When some applications are running outside of EC2, this must be performed programmatically and can sometimes cause applications to break.

It is also important not to use root access keys to make these changes. If this key is compromised, a hacker could essentially gain access to an enterprise's entire AWS infrastructure. Amazon has published some best practices for programmatically managing keys. IAM can do this automatically for EC2 applications and with fewer chances of an application going offline.

Audit container libraries

Containerized applications are generally constructed from existing software libraries to reduce coding time and enable business agility. While the majority of software libraries are secure, vulnerabilities are constantly being detected in many libraries, sometimes many years after the library has been published. For example, the Heartbleed, Poodle and Shellshock vulnerabilities were found after the underlying code was already in wide use.

As a result, the enterprise needs to develop a security policy around detecting these vulnerabilities and updating containers that contain them. This is not a trivial task, as new software libraries are not always compatible with other components used by the containers. Information on new vulnerabilities is published in Common Vulnerabilities and Exposures (CVE) databases, such as the National Vulnerability Database published by the National Institute of Standards and Technology (NIST).

Some tools can help automate the auditing process and make it easier to notify security personnel and developers when problems are detected. For example, Amazon has announced a partnership with Twistlock to automate auditing of container images in the Amazon registry; this makes it easier to incorporate auditing into an organization's continuous integration process. Twistlock also offers the ability to monitor containers in operation to detect malicious activity.

Consider other approaches to secure ECS

CoreOS and Docker have also released scanners that compare the code in container instances against a database of known vulnerabilities. CoreOS released the Clair service, which compares container content against various CVE databases maintained by NIST, Red Hat, Ubuntu and Debian. Docker Content Trust is an implementation of the Notary open source software for certifying the validity of Docker images retrieved from public archives. The use of digital signing infrastructure prevents enterprises from downloading container images that hackers have compromised.
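
To make concrete what a scanner such as Clair does with the CVE feeds named above, here is an added example (not CoreOS's or Docker's code) that checks a constructed package listing from an image against a constructed advisory feed and reports every package installed at a version older than the fix. The advisory identifiers are placeholders, not real CVE numbers, and the version ordering is a simplified dpkg-style comparison.

```python
"""Check the packages installed in a container image against a vulnerability
feed, which is the core of what scanners such as Clair do.

Added example, not CoreOS's or Docker's code. Both inputs are constructed: the
package listing mimics `dpkg-query -W` output from inside an image, and the
feed mimics a distribution advisory list (package, version carrying the fix).
Advisory ids are placeholders, not real CVE numbers. Version ordering is a
simplified dpkg-style comparison (numeric runs compare as integers, letters
lexically, and a longer version with the same prefix is newer); it covers the
cases below but is not the full Debian algorithm.
"""
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Map '1.0.1f' to a tuple that sorts in release order under the simplified rule."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok) for tok in _TOKEN.findall(version))


def is_older(installed, fixed_in):
    """True when `installed` sorts before the version that carries the fix."""
    return version_key(installed) < version_key(fixed_in)


def parse_dpkg_listing(text):
    """Parse 'name<TAB>version' lines (dpkg-query -W format) into a dict."""
    packages = {}
    for line in text.strip().splitlines():
        name, _, version = line.partition("\t")
        if name and version:
            packages[name.strip()] = version.strip()
    return packages


def scan_image(installed, feed):
    """One finding per installed package whose version predates an advisory's fix."""
    findings = []
    for advisory in feed:
        version = installed.get(advisory["package"])
        if version is not None and is_older(version, advisory["fixed_in"]):
            findings.append({
                "package": advisory["package"],
                "installed": version,
                "fixed_in": advisory["fixed_in"],
                "advisory": advisory["id"],
            })
    return sorted(findings, key=lambda f: (f["package"], f["advisory"]))


# Constructed package listing for an image built from a stale base layer.
IMAGE_PACKAGES = parse_dpkg_listing(
    "bash\t4.3-7\n"
    "libssl1.0.0\t1.0.1e-2\n"
    "curl\t7.38.0-4\n"
    "zlib1g\t1.2.8.dfsg-2\n"
)

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORY_FEED = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "libssl1.0.0", "fixed_in": "1.0.1g-1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "bash", "fixed_in": "4.3-7.1"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "curl", "fixed_in": "7.38.0-4"},
    {"id": "ADVISORY-PLACEHOLDER-4", "package": "openssh-server", "fixed_in": "6.7p1-5"},
]

if __name__ == "__main__":
    for finding in scan_image(IMAGE_PACKAGES, ADVISORY_FEED):
        print(f"{finding['advisory']}: {finding['package']} {finding['installed']} "
              f"installed, fixed in {finding['fixed_in']}")
```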

One practice is to regularly rebuild container images with the latest updates. But this can also create new problems with side effects and instabilities that could go unnoticed. Another practice is to analyze new images in real time on a regular basis using vulnerability scanners. But this requires implementing security into the development process. However, this is an important step if the developers modify libraries to improve application performance or implement new features.

Virtual container security One of the biggest challenges with cloud security is that it only takes one
open door to compromise an enterprise. Automating the management of
security keys, auditing containers and testing new code can all help close
Glossary these doors. But organizations need to consider integrating security reviews
into the development, operations and testing processes to mitigate the risk
of security breaches.


Linux container security is on the evolutionary fast track

Jim O'Reilly, Cloud consultant

It's been a well-known fact for many years that the standard hypervisor
approach to virtualizing a server has a basic flaw in its architectural
premise: it requires each virtual machine to run a separate operating system
instance. Hypervisors are designed to enable any operating system to run in
a VM, allowing for a greater degree of flexibility. This also means that
Windows instances can exist alongside Linux instances on the same machine.

Glossary Once we reach scale levels found in cloud providers, it becomes apparent
that there is no real need to mix OSes on any given server, as there are so
many instances, segregating them doesn't impact flexibility. With this
realization comes the understanding that the hypervisor method wastes a
great deal of memory and I/O cycles, since as many as hundreds of copies
of the OS could exist on any given server.

The container approach

The idea that we can live with a single shared copy took a while to reach
market. This is the container approach: every instance on the host runs on
one shared OS kernel, and instances built from the same image share its
read-only layers as well. The resulting savings in DRAM enable many more
instances to exist on any given server, often reaching three to five times the
instance count for hypervisors.

With containers running on that single shared kernel, we lose one of the
protections Intel built into the hardware. Multi-tenancy requires barriers to
keep instances out of the memory space of other instances. On a hypervisor
that separation is enforced in hardware, ensuring that if one VM is
compromised, other VMs on the same host are not also at risk. If this feature
weren't available in hypervisor-based systems, the cloud would never have
grown to its current size.

Intel provides hardware assists to solidify multi-tenancy in its processors.
Unfortunately, containers cannot use them: every container runs on the same
kernel, so isolation rests on kernel namespaces and cgroups, and a kernel
bug can become a boundary-crossing exploit.

The Docker daemon runs as root, and running it any other way requires major
modifications to Docker. The practical mitigations are to run the containers
inside VMs, to place control of the Docker daemon in the hands of trusted
users only, and to expose the daemon only over a UNIX socket rather than a
network port. This is assisted by the recent addition of user namespace
support, which maps root inside a container to an unprivileged UID on the
host, so a process that escapes the container does not hold host root.
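Whether user namespace remapping is actually in effect is visible from inside the container: the kernel publishes the mapping in /proc/self/uid_map, and the entry covering UID 0 says which host UID a container's root really is. The Go program below is an added example for this guide, not part of Docker. The two sample mappings are constructed (the remap base of 100000 is an assumption, since the daemon picks it from its subuid range), and the main function reads the real file for whatever process it runs in.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// HostUID translates a UID as seen inside a user namespace into the UID the
// host kernel enforces, using the text of /proc/<pid>/uid_map. Each line is
// "<first inside UID> <first outside UID> <count>". ok is false when the UID
// falls outside every mapping (the kernel then shows it as the overflow UID).
func HostUID(uidMap string, insideUID uint64) (hostUID uint64, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(uidMap))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		first, e1 := strconv.ParseUint(f[0], 10, 64)
		outside, e2 := strconv.ParseUint(f[1], 10, 64)
		count, e3 := strconv.ParseUint(f[2], 10, 64)
		if e1 != nil || e2 != nil || e3 != nil {
			continue
		}
		if insideUID >= first && insideUID-first < count {
			return outside + (insideUID - first), true
		}
	}
	return 0, false
}

// RootIsHostRoot answers the question a container escape turns on: does UID
// 0 in this namespace carry genuine host root privileges?
func RootIsHostRoot(uidMap string) bool {
	host, ok := HostUID(uidMap, 0)
	return ok && host == 0
}

// Constructed samples. IdentityMap is what a default Docker container shows
// (the whole UID range mapped 1:1, so root is host root). RemappedMap is the
// shape a daemon started with --userns-remap produces; the base of 100000
// comes from the daemon's subuid range and is an assumption of this example.
const (
	IdentityMap = "         0          0 4294967295\n"
	RemappedMap = "         0     100000      65536\n"
)

func main() {
	data, err := os.ReadFile("/proc/self/uid_map") // the namespace we run in
	if err != nil {
		fmt.Println("cannot read uid_map:", err)
		return
	}
	if RootIsHostRoot(string(data)) {
		fmt.Println("UID 0 here is host root: no user namespace remapping in effect")
	} else {
		fmt.Println("UID 0 here is not host root: user namespace remapping is in effect")
	}
}
```

Run it inside a container started with and without --userns-remap on the daemon and compare the two verdicts. A defensive entrypoint can use the same check to refuse privileged setup steps when it finds itself holding genuine host root.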


Putting containers and hypervisors together

In May of 2015, Intel brought Clear Containers to the market. These provide
a very streamlined hypervisor designed to host the containers. With an
overhead of just 10 to 20 MB per instance, we get back the protection that
hypervisors provide without the space burden of running multiple copies of
the OS stack. At the same time, Linux DAX zero-copy sharing between the
host and guest and kernel samepage merging let the guests share a single
copy of the OS image in DRAM.

Docker images are also a point of attack. These are build templates for the
container, which are interpreted by the Docker daemon running as root.
Again, there is an opportunity for exploitation, so Docker has recently
released Docker Content Trust, which uses tools to guarantee the validity of
an image. This involves cryptographic signing of the image using Notary, an
open source tool, and The Update Framework to validate the content and
verify who published it.

Docker also has an official repository through which independent software
vendors present vetted images to users. These images can be accessed via
the Docker Hub site, allowing organizations to check them against their
Linux container security policies before use. This significantly increases
the protection that Docker users enjoy, since these images are from known
sources, fully validated, characterized from a security viewpoint and tested
as an entity.


What does this mean for Linux container security?

Taken together, these improvements should ideally make containers as safe
as hypervisors. However, the container approach is very new and still
evolving. Only time will tell, but there's hope because containers have some
advantages.

First and foremost, containers are much easier to update than traditional
approaches, meaning software gets updated properly and quickly. Testing the
result is also easier, so attacks exploiting old, unpatched code become far
less likely. Stale code is a critical weakness in many large clusters today,
since updating involves different teams and can be disjointed and often late.

Another major protection comes from containers being isolated from each
other and from physical devices. This reduces the attack surface
considerably. It's also good practice to use read-only file systems for images
and other data wherever possible. Though that's true in all computing, the
container approach shares image data more often, allowing for tighter
control over fewer images.

Linux container security in Docker continues to evolve, as does the
underlying containers approach. Compared to the hypervisor evolution, the
Docker roadmap appears very focused and crisp. Also, provided that
containers are built on a hypervisor such as Clear Containers, they look to
be as robust as standard hypervisor virtualization and enjoy superior
security control.


Glossary

Choosing a virtual container option and management tools is great, but it's
hard if you don't know the right terms.

Containers as a Service (CaaS)

Margaret Rouse, WhatIs.com

Containers as a service (CaaS) is a form of container-based virtualization in
which container engines, orchestration and the underlying compute
resources are delivered to users as a service from a cloud provider. In some
cases, CaaS is also used to describe a cloud provider's container support
services.

With CaaS, users can upload, organize, run, scale, manage and stop
containers using a provider's API calls or web portal interface. As is the case
with most cloud services, users pay only for the CaaS resources that they
use, such as compute instances, load balancing and scheduling capabilities.

Within the spectrum of cloud computing services, CaaS falls somewhere
between Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
However, CaaS is most commonly positioned as a subset of IaaS. The basic
resource for CaaS is a container, rather than the virtual machine (VM) or
bare metal host system that underpins IaaS environments. However, the
container itself can run within a VM or on a bare metal system.


Public cloud providers including Google, Amazon Web Services (AWS), IBM,
Rackspace and Joyent all have some type of CaaS offering. For example,
AWS has its Amazon EC2 Container Service (ECS), a high-performance
container management service for Docker containers on managed Amazon
EC2 instances. Amazon ECS eliminates the need for users to have in-house
container or cluster management resources. Google's Container Engine
service offers similar cluster management and orchestration capabilities for
Docker containers.

The key difference between providers' CaaS offerings is typically the
container orchestration platform, which handles key tasks such as
container deployment, cluster management, scaling, reporting and lifecycle
management. CaaS providers can build on a variety of orchestration and
provisioning tools, including Google Kubernetes, Docker Machine, Docker
Swarm, Apache Mesos, fleet from CoreOS, and nova-docker for OpenStack
users.

CaaS offerings are usually used by application developers deploying new
applications.


Open Container Initiative

Margaret Rouse, WhatIs.com

The Open Container Initiative (OCI) is a collaborative project hosted under
the Linux Foundation designed to establish common standards for
containers. The initiative, which has a lightweight, open governance
structure, was first unveiled as the Open Container Project at DockerCon on
June 22, 2015, and was later renamed the Open Container Initiative.

The Open Container Initiative has support from a long list of prominent
companies; however, the project remains independent from any particular
commercial organization. Founders include Amazon Web Services, Docker,
CoreOS, Microsoft, VMware, EMC, Nutanix, Red Hat, IBM, Goldman Sachs
and Google. Docker was pivotal in founding the initiative, donating draft
specifications and much of its existing code for its image format and
container runtime. The formation of OCI was driven by the rapidly rising
interest in container-based virtualization, particularly as a way to increase
application portability across multiple environments.

The core goals for the project are to ensure standards for containers and
future container platforms that preserve the flexible and open nature of
containers. Specifically, the OCI says containers should not be bound to a
specific client or orchestration stack, should not be tightly associated with
any particular vendor, and should be portable across a wide variety of
operating systems, hardware and architectures.


Google Container Engine (GKE)

Margaret Rouse, WhatIs.com

Google Container Engine (GKE) is a management and orchestration system
for Docker containers and container clusters that run within Google's public
cloud services. Google Container Engine is based on Kubernetes, Google's
open source container management system.

Organizations typically use Google Container Engine to:

Create or resize Docker container clusters
Create container pods, replication controllers, jobs, services or load
balancers
Resize replication controllers
Update and upgrade container clusters
Debug container clusters

Users can interact with Google Container Engine using the gcloud command
line interface or the Google Cloud Platform Console.

Google Container Engine is frequently used by software developers creating
and testing new enterprise applications. Containers are also used by
administrators to better meet the scalability and performance demands of
enterprise applications, such as web servers.

Google Container Engine is comprised of a group of Google Compute
Engine instances, which run Kubernetes. A master node manages a cluster


of Docker containers. It also runs a Kubernetes API server to interact with
the cluster and perform tasks, such as servicing API requests and
scheduling containers. Beyond the master node, a cluster can also include
one or more nodes, each running the Docker runtime and kubelet agent that
are needed to manage Docker containers.

Google Container Engine users organize one or more containers into pods
that represent logical groups of related containers. For example, these
groups could include logfile system containers, checkpoint or snapshot
system containers or data compression containers. Similarly, network
proxies, bridges and adapters might be organized into the same pod.
Generally, identical containers are not organized into the same pod. Users
create and manage these pods through jobs.

If a pod of related containers becomes unavailable, access to those
containers may be disrupted. Most applications in containers require
redundancy to ensure that pods are always available. Google Container
Engine includes a replication controller that allows users to run their desired
number of pod duplicates at any given time.

Groups of pods can be organized into services, allowing non-container-aware
applications to access other containers without needing additional
code. For example, if a business has three pods that are used to process
data from a client system, setting up the pods as a service allows the client
system to use any of the pods at any time regardless of which pod is
actually doing the work.


Google currently charges a flat fee for Container Engine services depending
on the number of nodes in a cluster. A cluster of five nodes or less is
currently free, and a cluster of six nodes or more is currently priced at $0.15
per hour per cluster. However, cloud pricing is extremely competitive and
changes frequently, so it's important for prospective users to investigate
current pricing and discount opportunities before implementing containers.
Container Choices

Amazon EC2 Container Registry

Margaret Rouse, WhatIs.com

Amazon EC2 Container Registry (Amazon ECR) is an AWS product that
stores, manages and deploys private Docker container images. Amazon
ECR allows a developer to save configurations and quickly move them into a
production environment.

Amazon ECR provides a command-line interface and APIs to manage
repositories and integrated services, such as Amazon EC2 Container
Service, which installs and manages the infrastructure for these containers
as managed clusters of Elastic Compute Cloud (EC2) instances. A
developer can use the Docker command line interface to push or pull
container images to or from an AWS region. Amazon ECR can be used
wherever a Docker container service is running, including on-premises
environments. AWS Elastic Beanstalk also supports Amazon ECR for
multi-container environments.

Amazon ECR automatically encrypts container images at rest with Amazon
Simple Storage Service (S3) server-side encryption and allows
administrators to place restrictions on Amazon Identity and Access
Management users or roles to limit access to each repository. The container
registry stores container images in S3 for high availability. Amazon ECR also
transfers container images over HTTPS for additional protection.


VMware vSphere Integrated Containers (VIC)

Margaret Rouse, WhatIs.com

VMware vSphere Integrated Containers (VIC) is a platform that enables
administrators to deploy and manage containers within virtual machines
(VMs) from within VMware's vSphere virtual machine management software.
vSphere Integrated Containers can also be used to describe the individual
isolated container instances hosted within the platform.

VMware first introduced the concept behind vSphere Integrated Containers
as a technology preview called Project Bonneville. The technology uses a
set of daemons and drivers to speed the deployment of containers within
VMs. Project Bonneville coupled a light-weight Linux operating system
(called Project Photon) with a VMware technology called Instant Clone,
which allows for the rapid duplication of VM images. Administrators can
monitor and manage vSphere Integrated Containers through their existing
vSphere Web Client using a plug-in that enables control of the virtual
container hosts.

VMware vSphere Integrated Containers introduces a new concept known as
a virtual container host (VCH). The VCH is a logical construct that
represents a collection of tools and hardware resources (CPU, RAM and
storage) that enable the creation and control of container services. Virtual
container hosts also provide access to the Docker API and can hold
container images downloaded from the Docker Hub. Docker components


run from within the container host, and are not duplicated per container
instance.

When an administrator creates a new container, it runs on a light-weight VM
created within the logical virtual container host. Virtual container hosts can
contain several of these light-weight VMs, and therefore many individual
container instances. Administrators can create multiple VCHs to logically
separate groups of containers (for testing, development or production),
similar to the way that vSphere can logically separate pools of hardware
resources and services into multiple virtual data centers.


LXD (Linux container hypervisor)

Margaret Rouse, WhatIs.com

LXD is an open source project designed to provide a set of Linux container
management tools. LXD is an Apache 2 licensed open source project
founded by Canonical.

The aim of the open source project is to provide administrators with a set of
tools that allows them to deploy, manage and secure containers in much the
same way that a hypervisor enables administrators to manage virtual
machines. Unlike some other container projects, LXD supports live
migration, snapshots, configuration profiles and Peripheral Component
Interconnect (PCI) pass-through devices.

LXD is currently comprised of three pieces: a daemon, a command-line
client and an OpenStack Nova plug-in. The daemon exports a REST API
locally, and also allows administrators to manage containers over a network.
The command-line client builds on the existing LXC (Linux container)
project, providing lower-level management capabilities for all of one's
containers. It can also connect to multiple container hosts to provide an
overview of all the containers residing on a network. The OpenStack plug-in
enables higher level management functions by allowing administrators to
manage containers as they would VMs within an OpenStack environment.

LXD is not a variant of LXC (Linux Containers), an operating system-level
virtualization environment. Instead, it builds on top of LXC, using LXC through
liblxc and its Go binding to create and manage containers. LXD is different


from Docker and some other popular container platforms in that it provides
operating system containers, as opposed to application containers.


Docker Swarm

Margaret Rouse, WhatIs.com

Docker Swarm is a clustering and scheduling tool for Docker containers.
With Swarm, IT administrators and developers can establish and manage
a cluster of Docker nodes as a single virtual system.

Swarm mode also exists natively for Docker Engine, the layer between the
OS and container images. Swarm mode integrates the orchestration
capabilities of Docker Swarm into Docker Engine 1.12 and newer releases.

Clustering is an important feature for container technology, because it
creates a cooperative group of systems that can provide redundancy,
enabling Docker Swarm failover if one or more nodes experience an outage.
A Docker Swarm cluster also provides administrators and developers with
the ability to add or subtract container instances as computing demands
change.

An IT administrator controls Swarm through a swarm manager, which
orchestrates and schedules containers. The swarm manager allows a user
to create a primary manager instance and multiple replica instances in case
the primary instance fails. In Docker Engine's swarm mode, the user can
deploy manager and worker nodes at runtime.

Docker Swarm uses the standard Docker application programming
interface to interface with other tools, such as Docker Machine.

Docker Swarm load balancing


Swarm uses scheduling capabilities to ensure there are sufficient resources
for distributed containers. Swarm assigns containers to underlying nodes
and optimizes resources by automatically scheduling container workloads to
run on the most appropriate host. This Docker orchestration balances
containerized application workloads, ensuring containers are launched on
systems with adequate resources, while maintaining necessary performance
levels.

Swarm uses three different strategies to determine on which nodes each
container should run:

Spread -- Acts as the default setting and balances containers across
the nodes in a cluster based on the nodes' available CPU and RAM, as
well as the number of containers each is currently running. The benefit of
the Spread strategy is that if a node fails, only a few containers are lost.

BinPack -- Schedules containers to fully use each node. Once a node
is full, it moves on to the next in the cluster. The benefit of BinPack is
that it uses a smaller amount of infrastructure and leaves more space for
larger containers on unused machines.

Random -- Chooses a node at random.

Docker Swarm filters

Swarm has five filters for scheduling containers:

Constraint -- Also known as node tags, constraints are key/value
pairs associated with particular nodes. A user can select a subset of
nodes when building a container by specifying one or more key/value
pairs.

Affinity -- To ensure containers run on the same network node, the
Affinity filter tells one container to run next to another based on an
identifier, image or label.

Port -- With this filter, ports represent a unique resource. When a
container tries to run on a port that's already occupied, it will move to
the next node in the cluster.

Dependency -- When containers depend on each other, this filter
schedules them on the same node.

Health -- In the event that a node is not functioning properly, this filter
will prevent scheduling containers on it.
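Filters and strategies compose: the filters pr the candidate list first, then the strategy ranks what is left. The Go program below is an added example written for this guide rather than Swarm's own scheduler. It models the Constraint and Port filters plus an implicit resource-fit check in front of the Spread, BinPack and Random strategies, over a constructed three-node cluster; the node capacities, labels and requests are invented sample data, and the load score (mean of CPU and memory utilization) is an assumption, not Swarm's exact formula.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// Node models a Swarm node: capacity, current usage, bound host ports and
// the key/value node tags that the Constraint filter matches against.
type Node struct {
	Name                                   string
	CPU, Mem, UsedCPU, UsedMem, Containers int
	Ports                                  map[int]bool
	Labels                                 map[string]string
}

// Request is the container to place; Port 0 means no published host port.
type Request struct {
	CPU, Mem, Port int
	Constraints    map[string]string // node tags that must match exactly
}

// Rng drives the random strategy; seeded so that runs are reproducible.
var Rng = rand.New(rand.NewSource(1))

// filter keeps nodes that pass resource fit, the Port filter and the
// Constraint filter; Affinity, Dependency and Health would be further
// predicates in this same step.
func filter(nodes []*Node, r Request) []*Node {
	var ok []*Node
	for _, n := range nodes {
		if n.UsedCPU+r.CPU > n.CPU || n.UsedMem+r.Mem > n.Mem || (r.Port != 0 && n.Ports[r.Port]) {
			continue
		}
		match := true
		for k, v := range r.Constraints {
			match = match && n.Labels[k] == v
		}
		if match {
			ok = append(ok, n)
		}
	}
	return ok
}

// load is the mean of CPU and memory utilization (an assumption of this
// example, not Swarm's formula).
func load(n *Node) float64 {
	return (float64(n.UsedCPU)/float64(n.CPU) + float64(n.UsedMem)/float64(n.Mem)) / 2
}

// Schedule filters, ranks with the named strategy and commits the placement
// so later calls see the new load: spread takes the least loaded node (fewest
// containers on ties), binpack the most loaded node that still fits, random any.
func Schedule(nodes []*Node, r Request, strategy string) (*Node, error) {
	cands := filter(nodes, r)
	if len(cands) == 0 {
		return nil, errors.New("no node satisfies the request")
	}
	best := cands[0]
	switch strategy {
	case "spread":
		for _, n := range cands[1:] {
			if load(n) < load(best) || (load(n) == load(best) && n.Containers < best.Containers) {
				best = n
			}
		}
	case "binpack":
		for _, n := range cands[1:] {
			if load(n) > load(best) {
				best = n
			}
		}
	case "random":
		best = cands[Rng.Intn(len(cands))]
	default:
		return nil, fmt.Errorf("unknown strategy %q", strategy)
	}
	best.UsedCPU, best.UsedMem, best.Containers = best.UsedCPU+r.CPU, best.UsedMem+r.Mem, best.Containers+1
	if r.Port != 0 {
		best.Ports[r.Port] = true
	}
	return best, nil
}

// NewCluster returns a fresh copy of the constructed three-node cluster.
func NewCluster() []*Node {
	return []*Node{
		{Name: "node1", CPU: 8, Mem: 16, UsedCPU: 4, UsedMem: 8, Containers: 2, Ports: map[int]bool{80: true}, Labels: map[string]string{"storage": "ssd"}},
		{Name: "node2", CPU: 8, Mem: 16, UsedCPU: 1, UsedMem: 2, Containers: 1, Ports: map[int]bool{}, Labels: map[string]string{"storage": "disk"}},
		{Name: "node3", CPU: 8, Mem: 16, UsedCPU: 6, UsedMem: 12, Containers: 3, Ports: map[int]bool{}, Labels: map[string]string{"storage": "ssd"}},
	}
}

func main() {
	web := Request{CPU: 1, Mem: 2, Port: 80}
	db := Request{CPU: 2, Mem: 4, Constraints: map[string]string{"storage": "ssd"}}
	for _, s := range []string{"spread", "binpack", "random"} {
		c := NewCluster()
		n1, _ := Schedule(c, web, s)
		n2, _ := Schedule(c, db, s)
		fmt.Printf("%-8s web -> %s, db -> %s\n", s, n1.Name, n2.Name)
	}
}
```

Running it shows the two ranking strategies disagreeing on identical input: Spread sends the web container to the emptiest node, BinPack packs it onto the fullest node that still fits, and the database request lands on node1 either way because the storage=ssd constraint and the remaining capacity leave no other choice. Port 80 being bound on node1 is what keeps the web container off it under every strategy.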


Amazon EC2 Container Service

Margaret Rouse, WhatIs.com

Amazon EC2 Container Service (ECS) is a cloud computing service in
Amazon Web Services (AWS) that manages containers. It allows users to
run and alter applications or microservices on groups of servers called
clusters through API calls and task definitions. Amazon ECS is a scalable
service that is accessible through the AWS Management Console and
through software development kits (SDKs).

Amazon developed ECS in response to the rising popularity of
containerization, which packages an application and its dependencies into
isolated units that run on top of a shared host operating system to increase
portability and computing performance. ECS supports Docker, an open
source container platform.

ECS enables users to create and run Docker containers for distributed
applications using a set of APIs. ECS evaluates and monitors CPU and
memory usage to determine the optimal deployment for a container. AWS
customers can also use the service to update containers or scale them up or
down. Elastic Load Balancing, Elastic Block Store volumes and Identity and
Access Management roles are also supported for further customization.

EC2 Container Service includes two schedulers, which allow users to deploy
containers based on computing needs or availability requirements.
Long-running applications and batch jobs benefit from the use of schedulers
for their responsiveness; ECS also supports third-party scheduling options.


Any third-party or private Docker registry can be used with ECS; the user
needs only to specify the repository in the task definition for ECS to retrieve
the images.

There is no additional cost to AWS customers for using ECS, though users
still pay for EC2 instances in the cluster, plus any other billable AWS
resources used. ECS limits users to 1,000 tasks per service and 10
containers per task definition.

Containerization (container-based virtualization)

Margaret Rouse, WhatIs.com

Containerization -- also called container-based virtualization and application
containerization -- is an OS-level virtualization method for deploying and
running distributed applications without launching an entire VM for each
application. Instead, multiple isolated systems, called containers, are run on
a single control host and access a single kernel.

Because containers share the same OS kernel as the host, containers can
be more efficient than VMs, which require separate OS instances.
Containers hold the components necessary to run the desired software,
such as files, environment variables and libraries. The host OS also
constrains the container's access to physical resources -- such as CPU and
memory -- so a single container cannot consume all of a host's physical
resources.

Advantages of containerization

Containerization gained prominence with the open source Docker, which
developed a method to give containers better portability -- allowing them to
be moved among any system that shares the host OS type without requiring


code changes. With Docker containers, there are no guest OS environment
variables or library dependencies to manage.

Proponents of containerization point to gains in efficiency for memory, CPU
and storage as key benefits of this approach, compared with traditional
virtualization. Because containers do not have the overhead required by VMs
-- separate OS instances -- it is possible to support many more containers
on the same infrastructure. As such, containerization improves performance
because there is just one OS taking care of hardware calls.

A major factor in the interest in containers is they can be created much
faster than hypervisor-based instances. This makes for a much more agile
environment and facilitates new approaches, such as microservices and
continuous integration and delivery.

Disadvantages of containerization

A potential drawback of containerization is lack of isolation from the host
OS. Because containers share the host's kernel, a flaw in that kernel or in
the container runtime gives an attacker easier access to the entire system
than with hypervisor-based virtualization. One approach to addressing this
security concern has been to create containers from within an OS running
on a VM. This approach ensures that if a security breach occurs at the
container level, the attacker can only gain access to that VM's OS, not
other VMs or the physical host.

Another minor disadvantage of containerization is each container must use
the same OS as the base OS, whereas hypervisor instances can each run


unique OSes. For example, a container created on a Linux-based host could
not run an instance of the Windows Server operating system or applications
designed to run on Windows Server.

Implementation

In addition to Docker, CoreOS released a streamlined alternative,
called Rocket (later renamed rkt). And Canonical, developer of the Ubuntu
Linux-based OS, announced the LXD containerization engine for Ubuntu,
which will also be integrated with OpenStack. Microsoft also partnered with
Docker to create Windows Server containers and Hyper-V containers.


VMware Photon Platform

Margaret Rouse, WhatIs.com

VMware Photon Platform is a container runtime and management
platform. VMware's Photon Platform is made up of two components: Photon
Machine and Photon Controller.

Photon Machine essentially couples a slimmed down version of VMware's
ESX hypervisor (called a microvisor) and VMware's Photon Linux operating
system to create a lightweight container runtime. The Photon Controller
serves as a distributed multi-tenant control plane that provides security and
authentication (in the form of VMware's Project Lightwave) as well as
integration with other container management frameworks and an API.

Unlike vSphere Integrated Containers, which can help administrators quickly
and easily integrate containers into an existing vSphere virtualization
deployment, Photon Platform is designed for large scale deployments of
application containers, running workloads such as microservices, that
are specifically developed for the platform. VMware released the Photon
Controller as an open source project in November 2015. Company
executives have said they intend to keep the Photon Machine portion of the
Photon Platform as a proprietary technology and plan to offer it as a
commercially supported product.


Docker Content Trust

Margaret Rouse, WhatIs.com

Docker Content Trust is a security feature for Docker containers. Content
Trust, which uses cryptographic keys to ensure that container images and
their publisher are not compromised, became available with the release of
Docker Engine 1.8 in August 2015.

To verify Docker images and their publisher, Docker Content Trust uses
public-key cryptography: a publisher signs with a private key that only the
publisher holds, and anyone holding the matching public key can check the
signature without being able to forge one. With Content Trust, Docker
images -- the container files that hold application components and content
-- are signed with their creator's, or publisher's, private key before that
image is sent to the Docker repository.

When another IT team member goes to use that image, Content Trust uses
its publisher's public key to verify that the image is the latest version and
hasn't been tampered with. As software developers update or change an
image, the cryptographic signature continues to ensure that the content is
original and from a trusted source.

Docker Content Trust uses up to four different kinds of keys to secure
content:

Target and Snapshot Keys: These two keys combined are known as the
"repository key," which is made for each new repository the publisher owns


and can be shared with any user who needs to be able to digitally sign off on
content.

Offline Key: This key serves as the root of trust for the repository and the
same key can be used for multiple repositories. This key should be kept
offline to protect it from compromise.

Timestamp Key: This key is used when content is added to or removed from
the repository and is meant to prevent replay attacks, in which users are
served signed, but expired, content.

Docker Content Trust is based on the open source tool Notary, along with
The Update Framework (TUF), a design framework for securing software
update systems.

Content Trust is one of several container features from Docker, whose
headquarters are in San Francisco, Calif. Content Trust is used primarily by
developers and IT system administrators.
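The division of labour among those keys is easiest to see in code. The Go program below is an added example written for this guide; it is not Notary's or TUF's implementation, it collapses TUF's snapshot role into the timestamp metadata, and it uses freshly generated in-memory Ed25519 keys and a constructed byte string in place of a real image layer. It illustrates both the description of Content Trust in the Linux container security article above and this glossary entry: the offline root key vouches for the online targets and timestamp keys, the targets key signs the tag-to-digest mapping, the short-lived timestamp pins the current targets metadata, and the client, which trusts nothing but the pinned root public key, rejects a tampered image, a replayed (expired) timestamp and an unsigned tag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Signed is serialized metadata plus an Ed25519 signature over those bytes.
type Signed struct{ Body, Sig []byte }

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v)
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

func verify(pub []byte, s Signed, v interface{}) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, s.Body, s.Sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(s.Body, v)
}

// Root metadata is signed by the offline key and names the online keys;
// Targets maps tags to digests; Timestamp pins the current Targets bytes and
// expires soon, which is what defeats replay of old but validly signed content.
type Root struct{ TargetsKey, TimestampKey []byte }
type Targets struct{ Digests map[string]string }
type Timestamp struct{ TargetsHash string; Expires int64 }
type Repository struct{ Root, Targets, Timestamp Signed }

// Publisher holds the keys; in Content Trust only targets/timestamp stay online.
type Publisher struct{ root, targets, timestamp ed25519.PrivateKey }

func newKey() ed25519.PrivateKey           { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func NewPublisher() *Publisher             { return &Publisher{newKey(), newKey(), newKey()} }
func (p *Publisher) RootPublicKey() []byte { return p.root.Public().(ed25519.PublicKey) }
func digest(b []byte) string               { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// Publish signs the tag-to-image mapping and a timestamp valid for ttl.
func (p *Publisher) Publish(images map[string][]byte, now time.Time, ttl time.Duration) Repository {
	t := Targets{Digests: map[string]string{}}
	for tag, img := range images {
		t.Digests[tag] = digest(img)
	}
	root := sign(p.root, Root{
		TargetsKey:   p.targets.Public().(ed25519.PublicKey),
		TimestampKey: p.timestamp.Public().(ed25519.PublicKey),
	})
	targets := sign(p.targets, t)
	ts := sign(p.timestamp, Timestamp{TargetsHash: digest(targets.Body), Expires: now.Add(ttl).Unix()})
	return Repository{Root: root, Targets: targets, Timestamp: ts}
}

// Pull is the client side. Trusting only the pinned root public key, it walks
// root -> timestamp -> targets and checks the downloaded image bytes against
// the signed digest for the requested tag.
func Pull(rootPub []byte, repo Repository, tag string, image []byte, now time.Time) error {
	var root Root
	if err := verify(rootPub, repo.Root, &root); err != nil {
		return fmt.Errorf("root: %w", err)
	}
	var ts Timestamp
	if err := verify(root.TimestampKey, repo.Timestamp, &ts); err != nil {
		return fmt.Errorf("timestamp: %w", err)
	}
	if now.Unix() > ts.Expires {
		return errors.New("timestamp expired: possible replay of stale metadata")
	}
	if digest(repo.Targets.Body) != ts.TargetsHash {
		return errors.New("targets metadata is not the one the timestamp pins")
	}
	var t Targets
	if err := verify(root.TargetsKey, repo.Targets, &t); err != nil {
		return fmt.Errorf("targets: %w", err)
	}
	want, ok := t.Digests[tag]
	if !ok {
		return errors.New("tag is not signed")
	}
	if digest(image) != want {
		return errors.New("image digest mismatch: content was tampered with")
	}
	return nil
}

func main() {
	p := NewPublisher()
	now := time.Now()
	img := []byte("constructed bytes standing in for an image layer")
	repo := p.Publish(map[string][]byte{"app:1.0": img}, now, time.Hour)
	fmt.Println("good pull:", Pull(p.RootPublicKey(), repo, "app:1.0", img, now))
	fmt.Println("tampered: ", Pull(p.RootPublicKey(), repo, "app:1.0", []byte("evil"), now))
	fmt.Println("replayed: ", Pull(p.RootPublicKey(), repo, "app:1.0", img, now.Add(2*time.Hour)))
}
```

The design point worth noticing is that the client never trusts the registry: the only key it pins is the root public key, every other key is learned from signed root metadata, and the timestamp's short expiry means an attacker who captures a complete, validly signed set of metadata cannot keep serving it once the publisher has moved on.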
