BITS IN A BOX
Containers, a UNIX one-trick pony, make a comeback

Sponsored by CloudPassage

Containers make a comeback

Containers bring age-old advantages to new technologies by displacing the inefficiencies of virtualization and bringing speed and scalability to cloud-centric applications. Frank J. Ohlhorst reports.

Containers might seem like a recent development in the world of enterprise IT, and they are being touted as the cure for a multitude of modern IT ills; however, they are anything but new. The basic concept of the container has been around since the UNIX operating system days of the 1970s, where containerization was the path to a new way of handling application development. Yet those early iterations of containers proved to be problematic, hard to manage and hardly portable. Simply put, containers were little more than a one-trick pony that was able to do its one trick very well, but little else.

Times change and containers evolve, bringing forth software abstraction capabilities that are now being used to solve a multitude of problems that virtualization and other technologies cannot, leading towards rapid adoption of containers and the associated orchestration tools. After all, what’s not to like? Containers allow applications to spin up effortlessly, respond well to scalability needs, bring forth application portability and offer several other advantages.

But what exactly are containers? To better understand what containers mean to modern IT requires understanding the origins of containers and how the technology evolved over the decades. Containers are on the cusp of becoming a viable replacement for the hardware abstraction and virtualization tools that have become popular in data centers worldwide. Containers were developed to create a level of abstraction between the host operating system and applications, with the intention of increasing efficiency and bringing enhanced security to workloads.

In essence, containers create an isolated environment where services and applications can run, without interfering with other processes, creating something akin to a sandbox to test applications, services and other processes. The original idea was to isolate completely the container’s workload, preventing it from impacting production systems. In other words, developers were able to test their applications and processes on production hardware without risking disruption to actual services.

Eventually, containerization evolved, adding the ability to isolate users, files, networking and much more, allowing a container to have its own IP address and be logically isolated on the network, as well as from other processes on a production system. Fast forward to today and many of the issues that plagued containers, such as orchestration and management, have been addressed by new technologies. Those technologies include orchestration products such as Docker, Mesos, Kubernetes, Platform9 and others, which have helped to bring containers into the spotlight for modern data center operations. However, it takes much more than orchestration and management tools to carry containers into the enterprise.

Containers in Practice

Raj Mehta, CEO and president of InfoSys International, an enterprise services firm, adds to the narrative on containers, noting: “One major concern with containers comes down to security. The ease at which containers can now be added to production systems creates a dynamic where IT can go crazy with containers. Without the proper management and provisioning tracking, there is a risk for container sprawl and shadow IT rearing its ugly head.”

5X: Of companies currently running containers, the average company quintuples its Docker usage within 9 months of launching their programs. – Datadog

www.scmagazine.com | © 2017 Haymarket Media, Inc.

OUR EXPERTS: Containers
Brad Bishop, systems administrator, Lamar University
Sagi Brody, CTO, WebAir
William Brown, information security officer, Engaging Solutions
Christian Lind, IT director, Nebraska Cancer Specialists
Raj Mehta, CEO and president, InfoSys International

Mehta might very well be onto something. When virtualization became popular, many IT departments strove to virtualize multiple operating systems, creating numerous virtual machines that were forgotten or fell out of purview of IT management. That in turn created a situation where unmanaged machines were left running, unpatched and ultimately creating security issues.

Brad Bishop, systems administrator at Lamar University, says that “containers have allowed us to add services and applications to our existing systems, and in many cases we have been able to consolidate virtual machines. However, without effective management, containers can be created and forgotten, creating problems.”

It is those management and security concerns perhaps that have hampered the adoption of containers, creating an opportunity for those that have to master the intricacies of keeping containers under control. Says Christian Lind, IT director at Nebraska Cancer Specialists, “We cannot afford to take security risks of any type; our organization has to adhere to compliance regulations and privacy rules. That means we need to rely on experts that are willing to mitigate the risks that containers may present.

“However, containers offer great potential, one that can enhance security by isolating processes and allowing us to more effectively secure and monitor those processes,” Lind adds. “With containers, we can get a better feel for expected application behavior, including what interacts with that container, what loads are placed upon it, and how active it is. That data provides baselines, which can be used to identify anomalous behaviors, indicating a potential security threat.”

Mehta expands on Lind’s thoughts. “The trick here is to effectively manage containers and institute automation along with policies to control containers, which should prevent sprawl, as well as ensure patches are applied and security is maintained,” he says. “If we do not orchestrate containers properly, businesses will experience the same types of problems that virtual machines introduced.”

It is not just a business environment that needs to scale. “In a college environment, we have to constantly scale up and down based upon the demand put on our IT systems from student population changes,” Bishop adds. “The ability to spin up containers instantly gives us the needed elasticity to deal with constantly changing loads, however more loads mean more traffic and looking for security anomalies becomes more complex.”

The consensus here ties container orchestration to successfully securing systems that scale up or down. Or more simply put, once containers move from the sandbox into production, they have to be secured, monitored and managed. Security aside, there are other practical concerns that surround choosing whether or not to use containers.

8B: The number of Docker container downloads has surpassed 8 billion. – Expanded Ramblings

$2.7B: Estimated size of the container market by 2020; most of it running Docker technology. – 451 Group

“One of the misconceptions around adopting containers is that someone must choose between containers or virtual machines, but that is not the case,” Lind says. “The choice should be based on how workloads are deployed. In other words, the real question to ask is should I deploy workloads traditionally, or should I use containers?” The focus, Lind says, should be on the workload and not infrastructure.

Sagi Brody, chief technology officer at WebAir, a technology services firm, says “Deciding on containers is only one part of the transformation process. IT managers also need to decide if they will deploy those containers on bare metal or on a virtual machine or even into the cloud. Luckily, the portability of containers means that none of the above are poor choices and the flexibility offered means you can move workloads from one infrastructure type to another.”

The Docker Approach

While containers bring forth numerous options and offer varying levels of flexibility, containers alone cannot meet the needs of IT systems today; they are only one part of the abstracted infrastructure, experts agree. For containers to be used properly, they must be managed and orchestrated, as well as integrated into the appropriate infrastructure, to function successfully. Containers depend on an underlying operating system, whether that operating system runs directly on bare metal or inside a virtual machine that itself runs on bare metal.

Currently, Docker is one of the leading methodologies to orchestrate containers, using the ideology of a platform to make it much easier and safer to deploy containers. Developers can use Docker to pack, ship and run any application as a lightweight, portable, self-sufficient container that can run on many different systems. “Docker containers give you instant application portability,” Brody adds.

Perhaps calling Docker a platform is a misnomer. Docker actually refers to several different things. The word “Docker” can be attributed to the open source community project called Docker, or it can refer to the tools developed by that project, or it can refer to the company, Docker Inc., the company behind the Docker Project. Red Hat defines it best with this explanation:

• The IT software “Docker” is containerization technology that enables the creation and use of Linux containers.

• The open source Docker community works, freely, to improve these technologies to benefit all users.

• The company Docker Inc. builds on the work of the Docker community, makes it more secure and shares those advancements back to the greater community. It then supports the improved and hardened technologies for enterprise customers.

9.25 hrs: The average lifespan of a container decreased from 13 hours to 9.25 hours in 2016. – New Relic

What Docker is and what Docker does are the key points here, Bishop summarizes, noting “Docker containers can be deployed in the cloud, on virtual machines or even on bare metal systems, as long as the appropriate OS is installed. That is what makes Docker so powerful; it removes the legacy roadblocks that containers have suffered from in the past.”

Truth be told, Docker has undergone its own evolution, with new features and capabilities being added, as well as support for more systems. Mehta adds: “The latest iterations of Docker make it a natural fit for DevOps. Docker brings a level of simplicity to the process that enhances DevOps applications such as Chef, Vagrant, Puppet, and Ansible.”

With that in mind, Docker, the technology as opposed to the company of the same name, brings many advantages to the world of containers, especially when paired with DevOps:

• Continuous Deployment and Testing: Docker offers consistency across varied environments. Normally, there are some differences between development, testing, and production environments. Docker addresses those differences by offering a consistent environment through the full development process, since all configurations and dependencies are internalized to the container.

• Multi-cloud Support: Docker brings portability to containers, and all major cloud computing platforms have embraced support for Docker, making it easier to move workloads and applications across cloud services.

• Version Control and Standardization: Docker containers work like Git repositories, which in turn means that changes are committed when ready and trigger basic version control across the images created. That means minor changes can be quickly rolled back if problems are encountered. What’s more, those rollbacks can be accomplished in a matter of minutes, reducing any downtime due to a faulty application change. (Git is a version control system.)

• Isolation and Segregation: Docker isolates and segregates applications and resources, meaning that an ill-behaved containerized process or application will not harm other applications or the underlying infrastructure. Docker containers will only use the resources that are assigned to them, preventing leakage into other processes and applications.

• Security: Isolation means added security; no Docker container can look into processes running in other containers. Docker keeps containers segregated and isolated, while giving the administrator full control over traffic flow and management within that container. Every container gets its own set of resources, including processing, networking, storage and memory.

William Brown, information security officer from IT consulting firm Engaging Solutions, echoes some of the security advantages offered by Docker. Brown says, “The ability to isolate processes and applications from one another leads to a more secure system. Also, the ability to quickly roll back updates and changes makes it easier to resolve security issues that may have been introduced by an application change.”

Docker Security Best Practices

As with any enterprise technology, there are best practices that should be adhered to for ensuring reliability, availability and security. Docker is no exception, and over its meteoric rise to fame, many that make up the brain trust of the Docker Project have come to offer best practices that will help to ease adoption and smooth over any bumps that might appear on the path to container nirvana. Yet security remains a major concern, with some claiming that containers will never achieve the same level of security as virtual machines.

Mehta recommends to users: “Make sure you only use trusted images. Some developers take short cuts and assemble images instead of creating them from scratch. Developers should rely on a trusted registry of base images and have controls in place to make sure nothing untoward is introduced into those images.”

Brody adds, “You should always secure your runtime environment, which means you should apply namespace and groups permissions to isolate access and make sure controls are in place to manage what each process can modify.”

“Vulnerability scanning offers one of the best preemptive steps to prevent vulnerabilities from being introduced into deployed applications,” Brown says. “Taking a proactive approach proves worthwhile, especially if security policies, such as vulnerability scans, are well defined and implemented throughout the complete development cycle.”

Lind notes that “Docker, as well as some of your containers, may need root access to a system, which potentially creates a massive security issue. Here, secrets management becomes an issue. Since containers can spread across multiple systems, there comes a time when you must embed credentials for logins, API access, and so forth. Those credentials can be tokens, passwords or other authentication elements. So it proves critical to make sure those secrets are appropriately managed, meaning that only privileged users can access those containers. Accomplishing that may require the use of secrets management tools and also ensuring that TLS encryption is used.”

Expanding on the issue of container security, Brown notes that “an often overlooked security practice comes in the form of network segmentation. More simply put, developers need to create security layers between containers and within containers — something that can be accomplished by enforcing namespace permissions to isolate access to filesystems, resources and processes, as well as restricting paths of inbound and outbound network connections. Ultimately, the isolation offered by containers can be leveraged to enhance security.”

No container can be secure if security is not thought of as a holistic process, the experts agree. With that in mind, those adopting containers should take a long, hard look at what it takes to harden the host operating system. While containers can isolate processes, and segregate interactions with the host OS, that same host OS can be susceptible to security issues.

Hardening the host OS goes a long way towards creating a secure system and also addresses many of the vulnerabilities that can creep into containers, VMs and other processes. Patching and monitoring of the host OS are critical steps for building a secure enterprise and without those considerations there can be no hope for a secure container running on that host.
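To make the advice from Mehta (trusted images only) and Lind (root access and embedded credentials) concrete, here is an added example that is not part of the ebook and is not CloudPassage's or Docker Inc.'s tooling: a POSIX shell audit that reads a Dockerfile and reports a base image that is not pinned by digest, a final USER of root, and credentials baked into ENV or ARG. Both Dockerfiles it checks are constructed samples, and the sha256 digest in the hardened one is a placeholder rather than a real image digest.

```shell
#!/bin/sh
# Added example (not from the ebook, CloudPassage or Docker Inc.): a pre-build
# audit that checks a Dockerfile against three of the practices quoted above.
# Both Dockerfiles below are constructed samples; the sha256 digest is a
# placeholder, not a real image digest.

# Constructed "careless" Dockerfile: floating tag, no USER, credential baked in.
BAD_DOCKERFILE='FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y curl
COPY app /app
CMD ["/app/run"]'

# Constructed hardened version: base image pinned by digest (the exact bits
# reviewed in the trusted registry), a dedicated non-root user, and the
# credential left to be injected at runtime by a secrets manager.
GOOD_DOCKERFILE='FROM ubuntu:22.04@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y curl && useradd -r app
COPY app /app
USER app
CMD ["/app/run"]'

audit_dockerfile() {
    # Usage: audit_dockerfile "$dockerfile_text"
    # Prints one finding per line; the return code is the number of findings
    # (0 means clean), so the function can gate a CI build step.
    body=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' || true)
    findings=""
    n=0

    # Trusted images (Mehta): a FROM on a tag such as :latest can resolve to
    # different content on every build; a digest pins exactly what was vetted.
    unpinned=$(printf '%s\n' "$body" | grep -Ei '^FROM ' \
        | grep -Ev '@sha256:[0-9a-f]{64}([[:space:]]|$)' || true)
    if [ -n "$unpinned" ]; then
        findings="${findings}base image not pinned by digest: ${unpinned}
"
        n=$((n + 1))
    fi

    # Root access (Lind): with no USER, or USER root, the workload runs as
    # uid 0 inside the container, so any breakout starts with root on the host.
    last_user=$(printf '%s\n' "$body" | grep -Ei '^USER ' | tail -n 1 \
        | awk '{print $2}' || true)
    case "$last_user" in
        ""|root|0|root:*|0:*)
            findings="${findings}final USER is root (value: ${last_user:-unset})
"
            n=$((n + 1))
            ;;
    esac

    # Secrets management (Lind): ENV/ARG values are written into image layers
    # and readable by anyone who can pull the image or inspect its history.
    baked=$(printf '%s\n' "$body" | grep -Ei '^(ENV|ARG) ' \
        | grep -Ei '(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)[A-Z0-9_]*=.+' || true)
    if [ -n "$baked" ]; then
        findings="${findings}credential baked into image: ${baked}
"
        n=$((n + 1))
    fi

    printf '%s' "$findings"
    return "$n"
}

# Stand-alone demonstration: the careless file yields 3 findings, the hardened one 0.
echo "== careless Dockerfile =="
audit_dockerfile "$BAD_DOCKERFILE" || echo "findings: $?"
echo "== hardened Dockerfile =="
audit_dockerfile "$GOOD_DOCKERFILE" && echo "clean"
```

Because the return code equals the number of findings, `audit_dockerfile "$(cat Dockerfile)"` can fail a CI stage before an image is ever built. The checks are deliberately pattern-based: they catch the common cases the experts describe, not every way a secret or a root user can reach an image, so they complement rather than replace the vulnerability scanning Brown recommends.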

Docker: Not the Only Game in Town

While the Docker trinity (project, product, community) can take the most credit for bringing the concept of containers to the mainstream, there are certainly others playing the container game, many of which may prove to be acceptable alternatives. That said, many of the best practices and concepts surrounding Docker still apply.

10%: Estimated number of large enterprises that currently use containers in production. – Forrester

Alternatives to Docker include:

• Open Container Initiative (OCI): OCI promotes open standards for containerization and counts many major supporters in its membership, including Docker, as well as Google, Amazon, Facebook, IBM, and Red Hat.

• Kubernetes: As an open source project, Kubernetes has quickly become a leading contender for container management. The Kubernetes orchestration platform builds on years of internal experience with Omega and the earlier Borg, which is arguably the largest container management system in the world.

• CoreOS and rkt: CoreOS is a commercial organization that grew from successful open source projects. Its CoreOS Linux distribution is a minimalist operating system tailored for running development containers. Its etcd distributed key value store provides the centralized store of cluster state for Kubernetes clusters. It also runs quay.io, a hosted suite of image repository and container build automation tools. Most recently, the company has been making news with rkt, a container format and runtime alternative to Docker that embodies a different architectural philosophy.

• Apache Mesos and Mesosphere: Mesos is a cluster management system and control plane for efficient allocation of computing resources between application delivery platforms. Mesosphere is an enterprise software OEM that sells a “data center operating system” also built on Mesos and providing cluster management, container orchestration, service discovery and build automation for elastic computing.

• Canonical and LXD: Canonical, the maintainer of the Ubuntu Linux distribution, recently announced LXD, a “container hypervisor” for Linux. LXD builds on the capabilities of LXC by adding to it a systemwide daemon with an API for LXC container management and an OpenStack Nova plug-in for managing virtual LXD hosts in the cloud.

Regardless of the alternative chosen, adopters will still need to consider issues such as security, management, orchestration, and support. Containers appear to be here to stay and there is probably no stopping the rapid rate of adoption. Even so, it is still important to perform due diligence and make sure that selected container products meet all the needs of the business processes targeted.

Proactivity is only one part of the security process; there are times when security personnel must be reactive as well, but reacting to an emerging threat takes monitoring, reporting and real-time data analysis. Brown recommends that system managers make sure that they monitor container operations, actively analyzing traffic for anomalies and creating baselines for container behaviors. That ongoing monitoring proves to be a team effort that ties together developers, operations staff and, of course, security practitioners.
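Lind's earlier point about baselines (what a container normally talks to and runs) and Brown's recommendation here to monitor operations, analyze traffic for anomalies and baseline behavior can be turned into a small detection pipeline. The following is an added example, not from the ebook and not any vendor's product: a POSIX shell script that learns a per-image baseline from a learning window of events and flags later events that fall outside it. The key=value event format and every event line are constructed for the example; a real deployment would feed events from its container runtime or a host agent.

```shell
#!/bin/sh
# Added example (not from the ebook or any vendor): build a per-image
# behavioural baseline from a learning window and flag events outside it.
# The key=value event format and every line below are constructed for this
# example; a real deployment would feed runtime events from a host agent.

build_baseline() {
    # Usage: build_baseline LEARN_LOG
    # Emits "IMAGE dst=..." / "IMAGE exe=..." for every network destination
    # and executable launch seen in the learning window. Keying on the image
    # rather than the container name means a freshly scaled-up replica is
    # judged against what its image normally does, not treated as unknown.
    awk '{
        img = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "image") img = kv[2]
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "dst" || kv[1] == "exe") print img, $i
        }
    }' "$1" | sort -u
}

find_anomalies() {
    # Usage: find_anomalies BASELINE_FILE LIVE_LOG
    # Prints one ANOMALY line per event whose (image, dst/exe) pair never
    # appeared in the baseline. Always exits 0 so it can run on a schedule.
    awk -v basefile="$1" '
        BEGIN { while ((getline line < basefile) > 0) base[line] = 1 }
        {
            img = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "image") img = kv[2]
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "dst" || kv[1] == "exe") && !((img " " $i) in base))
                    print "ANOMALY image=" img " " $i " :: " $0
            }
        }' "$2"
}

# Constructed learning-window events (one event per line).
LEARN_LOG=$(mktemp)
cat > "$LEARN_LOG" <<'EOF'
2017-03-01T10:00:01Z container=web-1 image=shop/web:1.4 dst=10.0.2.15:5432
2017-03-01T10:00:02Z container=web-1 image=shop/web:1.4 exe=/usr/sbin/nginx
2017-03-01T10:00:03Z container=web-2 image=shop/web:1.4 dst=10.0.2.15:5432
2017-03-01T10:00:04Z container=web-2 image=shop/web:1.4 dst=10.0.2.20:6379
2017-03-01T10:00:05Z container=worker-1 image=shop/worker:2.0 exe=/usr/bin/python3
2017-03-01T10:00:06Z container=worker-1 image=shop/worker:2.0 dst=10.0.2.20:6379
EOF

# Constructed live events: a new web replica (web-3) talks to the usual
# database (expected), then launches a shell and connects to an address
# the image has never contacted (both flagged).
LIVE_LOG=$(mktemp)
cat > "$LIVE_LOG" <<'EOF'
2017-03-02T08:15:01Z container=web-3 image=shop/web:1.4 dst=10.0.2.15:5432
2017-03-02T08:15:07Z container=web-3 image=shop/web:1.4 exe=/bin/sh
2017-03-02T08:15:09Z container=web-3 image=shop/web:1.4 dst=203.0.113.9:4444
2017-03-02T08:16:00Z container=worker-2 image=shop/worker:2.0 dst=10.0.2.20:6379
EOF

BASELINE=$(mktemp)
build_baseline "$LEARN_LOG" > "$BASELINE"
echo "baseline entries: $(grep -c . "$BASELINE")"   # 5
find_anomalies "$BASELINE" "$LIVE_LOG"              # 2 ANOMALY lines, both for web-3
```

Keying the baseline on the image rather than the container name is the design choice that makes this usable under the constant scaling Bishop describes: web-3 never appeared in the learning window, yet its database connection is accepted because shop/web:1.4 always makes it, while the shell launch and the connection to an address outside the baseline are both reported for the security team to triage.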

For more information about ebooks from SC Media, please contact Stephen Lawton, special projects editor, at [email protected]. If your company is interested in sponsoring an ebook, please contact David Steifman, VP, publisher, at 646-638-6008, or via email at [email protected].

#1 App: Docker is most widely used by companies running PHP applications (33%), followed by Java (31%).

Sponsor

Masthead

EDITORIAL
VP, EDITORIAL: Illena Armstrong, [email protected]
SPECIAL PROJECTS EDITOR: Stephen Lawton, [email protected]
CUSTOM PROJECTS COORDINATOR: Samantha Lubey, [email protected]

DESIGN AND PRODUCTION
ART DIRECTOR: Michael Strong, [email protected]

SALES
VP, PUBLISHER: David Steifman, (646) 638-6008, [email protected]
VP, SALES: Matthew Allington, (707) 651-9367, [email protected]

Founded in 2011, CloudPassage® was the first company to obtain a U.S. patent for universal cloud infrastructure security and has been a leading innovator in cloud security automation and compliance monitoring for high-performance application development and deployment environments. CloudPassage Halo® is an award-winning workload security automation platform that provides universal visibility and continuous protection for servers in any combination of data centers, private/public clouds and containers. The Halo platform is delivered as a service, so it deploys in minutes and scales effortlessly. Fully integrated with popular infrastructure automation and orchestration tools such as Puppet and Chef, as well as leading CI/CD tools such as Jenkins, Halo secures the enterprise where it’s most vulnerable—application development and workload deployment. Today, CloudPassage Halo secures the critical infrastructure of many of the leading global finance, insurance, media, ecommerce, high-tech service providers, transportation and hospitality companies.

For more information, visit us at www.cloudpassage.com.