Secure Your Containers with this One Weird Trick

Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.

The Day After is Too Late

There’s an unfortunate tendency in IT to think about security too late. People only buy a security system the day after they have been broken into.

Dropping capabilities can be low hanging fruit when it comes to improving container security.

What are Linux Capabilities?

According to the capabilities man page, capabilities are distinct units of privilege that can be independently enabled or disabled.

The way I describe it is that most people think of root as being all powerful. This isn’t the whole picture, the root user with all capabilities is all powerful. Capabilities were added to the kernel around 15 or so years ago to try to divide up the power of root.

Continue reading “Secure Your Containers with this One Weird Trick”

ARMing IoT with Linaro LITE

Linaro has announced a new project focused on IoT – LITE, or Linaro IoT and Embedded. This project will focus on developing core technology to be used in IoT devices and gateways.

Linaro is a consortium focused on the Linux ecosystem for ARM based systems — see www.linaro.org for details. Much of their work to date has been focused on Android phones and tablets. Active development efforts include server and networking as well as Digital Home. The Digital Home project focuses on set-top boxes and home gateways. Linaro’s goal is to avoid fragmentation of the ARM ecosystem by providing a common foundation that can be used to build a wide range of value-added applications.

LITE extends existing Linaro projects by addressing both

Continue reading “ARMing IoT with Linaro LITE”

Notes from the Field – A Summary of the KVM Forum

I attended the KVM Forum in August of this year, and as a new Red Hatter with a lot of VMware experience, it was eye opening. I am seeing a lot of interest in Red Hat Virtualization from my customers, and so I wanted to understand the platform at a much deeper level. KVM is the technology that underpins the Red Hat Virtualization platform. A number of themes emerged for me as I attended sessions and enjoyed the hallway track. This was a forum for developers by developers, so infrastructure types like myself were far and few between but that did not impact my enjoyment of the conference. In fact, as a technical guy coming from a server background, I learned a lot more than I would have learned from a typical infrastructure focused conference. Below, I will highlight some topics that stood out to me.

Continue reading “Notes from the Field – A Summary of the KVM Forum”

Peace in Our Time: Bringing Ops and Dev Together

Frustrated by long delays getting new code into production? Worried that developers are adopting unapproved technologies? In an increasingly automated, containerized world it’s time to adapt your processes and policies so that developers can utilize the latest and most appropriate technology — and operations have full awareness of everything running in their environment.

The Problem and How to Solve It

IT processes, driven by business reliance on Mode 1 applications, have not been designed nor are equipped to handle rapid change. This creates friction between management and operations on one side, and developers on the other. For example, when developer teams want to employ new or different tools than the standards accepted by operations it often creates friction. It doesn’t have to be this way, though.

In this post, we are going to take a deeper look at the collaboration that happens between development and operations when building and working with the “latest and greatest” technology stack.

Continue reading “Peace in Our Time: Bringing Ops and Dev Together”

From Checkpoint/Restore to Container Migration

The concept to save (i.e. checkpoint / dump) the state of a process, at a certain point in time, so that it may later be used to restore / restart the process (to the exact same state) has existed for many years. One of the most prominent motivations to develop and support checkpoint/restore functionality was to provide improved fault tolerance. For example, checkpoint/restore allows for processes to be restored from previously created checkpoints if, for one reason or another, these processes had been aborted.

Over the years there have been several different implementations of checkpoint/restore for Linux. Existing implementations of checkpoint/restore differ in terms of  “what level” (of the operating system) they are operating; the lowest level approaches focus on implementing checkpoint/restore directly in the kernel while other “higher level” approaches implement checkpoint/restore completely in user-space. While it would be difficult to unearth each and every approach /  implementation – it is likely fair to

Continue reading “From Checkpoint/Restore to Container Migration”

PCI Series: Requirement 6 – Develop and Maintain Secure Systems and Applications

This post is the fifth installment in my PCI DSS series – a series dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS). This specific post is related to requirement six (i.e. the requirement to develop and maintain secure systems and applications). The outline and mapping of individual articles to requirements can be found in the overarching post that started the series.

Section six of the PCI DSS standard covers guidelines related to secure application development and testing. IdM and its ecosystem can help in multiple ways to address requirements in this part of the PCI-DSS standard. First of all, IdM includes a set of Apache modules for

Continue reading “PCI Series: Requirement 6 – Develop and Maintain Secure Systems and Applications”

Red Hat Keeps the Lights on with Red Hat Virtualization

Red Hat has been a technology industry leader for many years. We are not just creators of innovative open source technologies, but we are also consumers of our own technologies. At Red Hat, nearly all of our core IT infrastructure runs on Red Hat Virtualization. From our development environment all the way to production. Several of our mission critical applications are powered by Red Hat Virtualization including our email systems, identity management, subscription manager, customer service portal, and many more applications. Since we are a global company, we have deployed thousands of VMs that need to be up and running 24/7, and we chose Red Hat Virtualization to get the job done.

Continue reading “Red Hat Keeps the Lights on with Red Hat Virtualization”

Integrating Red Hat Virtualization and Red Hat OpenStack Platform with Neutron Networking

As applications are designed, redesigned, or even simply thought about at a high level, we frequently think about technical barriers along side business needs. Business needs may dictate that a new architecture move forward, but technical limitations can sometimes counter how far forward – unless there is something to bridge the gap. The new Neutron network integration between Red Hat Virtualization (RHV) and Red Hat OpenStack Platform (RHOSP) provides such a bridge for business and technical solutions.

Continue reading “Integrating Red Hat Virtualization and Red Hat OpenStack Platform with Neutron Networking”