SELinux Mitigates container Vulnerability

A new CVE, (CVE-2016-9962), for the docker container runtime and runc were recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you execd into a running container, the processes inside of the container could attack the process that just entered the container.

If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host.

Five Reasons to Switch from vSphere to Red Hat Virtualization

It’s time to upgrade or to renew your VMware vSphere licenses. This decision is not easy for a few reasons such as:

You might be hesitantly considering paying for an upgrade and ELA renewal because you believe there is no (other) choice.

I have good news for you. There is a reliable and enterprise choice and switching has never been easier with the recent release of

Red Hat IT Integrates JBoss Fuse and A-MQ on Red Hat Virtualization

We are continuing our series on how Red Hat Keeps the Lights on with Red Hat Virtualization.  Please read our previous blog post if you missed any of the series. In this blog post, I will highlight how Red Hat IT uses JBoss Fuse and JBoss A-MQ to integrate our internal systems that support Accounting, Consulting, Engineering, Finance, Legal, Marketing, Operations, Sales and Training departments. Our internal Enterprise Service Bus (ESB) flows over 100,000 messages a day between these systems with wildly differing interchange and data formats. Our entire ESB deployment runs on virtual machines backed by Red Hat Virtualization. This deployment enables us to scale on demand to meet the changing needs of our business needs and integrated systems.  

Container Live Migration Using runC and CRIU

In my previous article I wrote about how it was possible to move from checkpoint/restore to container migration with CRIU. This time I want to write about how to actually migrate a running container from one system to another. In this article I will migrate a runC based container using runC’s built-in CRIU support to checkpoint and restore a container on different hosts.

I have two virtual machines (rhel01 and rhel02) which are hosting my container. My container is running Red Hat Enterprise Linux 7 and is located on a shared NFS, which both of my virtual machines have mounted. In addition, I am telling runC to mount the container

Digital Foundations – Challenges CIOs Must Embrace

When building anything substantial, such as a house or bridge, you start by laying down a solid foundation. Nothing changes this aspect of building brick by brick when you move from traditional constructions to application development and architecting your supporting infrastructure. Throw in Cloud terminology and you might think that the principles of a solid foundation are a bit flighty, but nothing is further from the truth.

When looking to manage an organization’s journey into their digital future, CIOs are dealing with a lot of challenges. Challenges that they face on the road to digital transformation can be daunting as first glance, but must be embraced to properly navigate the road to success.

Digital Foundations

Let’s take a look in this first article at the challenges CIOs must embrace before diving into how to

PCI Series: Requirement 8 – Identify and Authenticate Access to System Components

This post continues my series dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS).  This specific post is related to requirement eight (i.e. the requirement to identify and authenticate access to system components). The outline and mapping of individual articles to requirements can be found in the overarching post that started the series.

Requirement eight is directly related to IdM. IdM can be used to address most of the requirements in this section. IdM stores user accounts, provides user account life-cycle management

Container Tidbits: Adding Capabilities to a Container

A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?

While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.

One example is when you have a app that needs a single capability, like an Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an ntp daemon, you would need to do a --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.

PCI Series: Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know

This is my sixth post dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS).  This specific post is related to requirement seven (i.e. the requirement to restrict access to cardholder data by business need to know).  The outline and mapping of individual articles to the requirements can be found in the overarching post that started the series.

Section 7 of the PCI DSS standard talks about access control and limiting the privileges of administrative accounts.  IdM can play a big role in addressing these requirements.  IdM provides several key features that are related to access control and privileged account management.  The first one is

Red Hat IT runs OpenShift Container Platform on Red Hat Virtualization and Ansible

Red Hat IT makes extensive use of our own product offerings to effectively manage and to scale our large IT infrastructure. Red Hat Virtualization plays a key role in Red Hat’s overall IT infrastructure, as mentioned in a recent blog by the head of our IT Platform Operations team, Anderson Silva: Red Hat Keeps the Lights on with Red Hat Virtualization