We’re pleased to announce that Red Hat Enterprise Linux Atomic Host 7.4 is now generally available. Red Hat Enterprise Linux Atomic Host is a lightweight, container-optimized version of Red Hat Enterprise Linux. Red Hat Enterprise Linux Atomic Host couples the flexible, modular capabilities of Linux containers with the reliability and security of Red Hat Enterprise Linux in a reduced footprint, to decrease the attack surface and provide only the packages needed to light up hardware and run containers. Here’s a look at some of the major changes in 7.4.
Continue reading “What’s New in Red Hat Enterprise Linux Atomic Host 7.4?”
In Part 1, we created a working BIND container with local data storage. We can make changes on the local system that will get picked up in the running container. In this part, we’ll explore how we can manage the service from the host with
Continue reading “Containing System Services in Red Hat Enterprise Linux – Part 2”
At the 2017 Red Hat Summit, several people asked me “We normally use full VMs to separate network services like DNS and DHCP, can we use containers instead?”. The answer is
Continue reading “Containing System Services in Red Hat Enterprise Linux – Part 1”
Recently, I spotted a question on a mailing list asking how to move container images from an internal/build registry to a production one. To put it another way: how would you copy images from registry A to registry B? I’m going to show you a really easy way to do this with skopeo.
Continue reading “Skopeo Copy to the Rescue”
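As an added illustration of the registry-to-registry copy described above (this script is not from the original post), here is a small shell wrapper around `skopeo copy`. The registry hostnames, the `SRC_CREDS`/`DST_CREDS` variables, the `SKOPEO_DRY_RUN` switch and the image names are assumptions made for the example; `skopeo copy`, the `docker://` transport and the `--src-creds`/`--dest-creds` flags are real skopeo features.

```shell
#!/bin/sh
# Added example (not the post's own code): copy images from a build registry
# (registry A) to a production registry (registry B) with skopeo, without
# pulling them through a local docker daemon. All hostnames below are
# placeholders; set SKOPEO_DRY_RUN=1 to print the commands instead of running them.
set -eu

SRC_REGISTRY="${SRC_REGISTRY:-build.example.com:5000}"   # assumption: internal/build registry
DST_REGISTRY="${DST_REGISTRY:-prod.example.com:5000}"    # assumption: production registry

# copy_image SRC_IMAGE[:TAG] [DST_IMAGE[:TAG]]
# Builds the exact `skopeo copy` invocation for one image. Credentials are
# passed only when SRC_CREDS / DST_CREDS ("user:password") are set, and TLS
# verification is left at skopeo's default (on) for both registries.
copy_image() {
    image="$1"
    dst_image="${2:-$image}"          # the target may be retagged on the way
    src="docker://$SRC_REGISTRY/$image"
    dst="docker://$DST_REGISTRY/$dst_image"
    set -- skopeo copy
    if [ -n "${SRC_CREDS:-}" ]; then set -- "$@" --src-creds "$SRC_CREDS"; fi
    if [ -n "${DST_CREDS:-}" ]; then set -- "$@" --dest-creds "$DST_CREDS"; fi
    set -- "$@" "$src" "$dst"
    if [ "${SKOPEO_DRY_RUN:-0}" = 1 ]; then
        # Note: the dry run echoes credentials in clear; use it on a trusted terminal only.
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mirror_images IMAGE[:TAG]...   copy a whole list, keeping names and tags
mirror_images() {
    for img in "$@"; do
        copy_image "$img"
    done
}
```

Run it as `SRC_CREDS=builder:secret DST_CREDS=deployer:secret ./mirror.sh` after adding a `mirror_images myapp/web:1.2 myapp/db:9.5` line at the bottom, or source it and call `copy_image` directly. If the build registry uses a self-signed certificate you can add `--src-tls-verify=false`, but prefer installing the CA on the host so the copy stays authenticated end to end.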
We’re excited to announce our latest step in further optimizing Red Hat Enterprise Linux (RHEL) for containers: the release of the RHEL Atomic base image. This image is much smaller than the current RHEL base image, giving you just enough to get started building your application or service.
We carved out Python and systemd, and yes, even Yum is gone, leaving you with only the bare-bones essentials such as glibc, rpm, bash, and their remaining dependencies. The result is an image that’s just under 30MB compressed and 75MB on disk, composed of 81 packages.
Continue reading “Introducing the Red Hat Enterprise Linux Atomic Base Image”
A new CVE (CVE-2016-9962) for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. The CVE reports that if you exec’d into a running container, the processes inside the container could attack the process that just entered it. If that process had open file descriptors, the processes inside the container could ptrace the new process, gain access to those file descriptors and read from or write to them, and potentially even get access to the host network or execute commands on the host.
Continue reading “SELinux Mitigates container Vulnerability”
In my previous article I wrote about how it was possible to move from checkpoint/restore to container migration with CRIU. This time I want to write about how to actually migrate a running container from one system to another. In this article I will migrate a runC based container using runC’s built-in CRIU support to checkpoint and restore a container on different hosts.
I have two virtual machines (rhel01 and rhel02) that host my container. My container runs Red Hat Enterprise Linux 7 and is located on a shared NFS export, which both of my virtual machines have mounted. In addition, I am telling runC to mount the container
Continue reading “Container Live Migration Using runC and CRIU”
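To make the checkpoint-on-one-host, restore-on-the-other flow concrete, here is an added migration script (not the article’s own code). It uses the real runC subcommands `runc checkpoint --image-path` and `runc restore --detach --image-path --bundle`; the container id `web`, the NFS paths under `/nfs`, the `MIGRATE_DRY_RUN` switch and the use of ssh to reach rhel01 and rhel02 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): live-migrate a runC container from
# rhel01 to rhel02. Both hosts mount the same NFS export at the same path, so
# the OCI bundle (config.json + rootfs) and the CRIU image files written by
# `runc checkpoint` are visible to both sides. Paths and the container id are
# placeholders; set MIGRATE_DRY_RUN=1 to print the commands instead of running them.
set -eu

CONTAINER="${CONTAINER:-web}"                  # assumption: runC container id
BUNDLE="${BUNDLE:-/nfs/containers/web}"        # assumption: OCI bundle on shared NFS
CKPT_DIR="${CKPT_DIR:-/nfs/checkpoints/web}"   # assumption: CRIU image directory on NFS
SRC_HOST="${SRC_HOST:-rhel01}"
DST_HOST="${DST_HOST:-rhel02}"

# run_on HOST CMD ARGS...  run a command on a host (via ssh) or just print it
run_on() {
    host="$1"; shift
    if [ "${MIGRATE_DRY_RUN:-0}" = 1 ]; then
        printf '%s: %s\n' "$host" "$*"
    else
        ssh "$host" "$@"
    fi
}

# Freeze the container's process tree with CRIU and dump it to CKPT_DIR.
# Without --leave-running the processes are killed after the dump, which is
# what a migration wants: only one copy of the service must be running.
checkpoint_container() {
    run_on "$SRC_HOST" runc checkpoint --image-path "$CKPT_DIR" "$CONTAINER"
}

# Recreate the container on the destination from the same bundle and the
# checkpoint images. --detach returns once the restored processes are running;
# it assumes config.json has "terminal": false, as for `runc run -d`.
restore_container() {
    run_on "$DST_HOST" runc restore --detach --image-path "$CKPT_DIR" --bundle "$BUNDLE" "$CONTAINER"
}

migrate() {
    checkpoint_container
    restore_container
}
```

Add a `migrate` call at the end (or source the file) to run it; the dry run prints the two commands that would be executed on each host. If the service has established TCP connections, both commands also need runC’s `--tcp-established` flag, and the paths must not contain spaces because ssh re-parses the argument list on the remote side.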
A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?
While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.
One example is an app that needs a single capability, such as a Network Time Protocol (NTP) daemon container that sets the system time on a machine. To run a container for an ntp daemon, you would need to pass --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.
Continue reading “Container Tidbits: Adding Capabilities to a Container”
Linux containers, and their use in the enterprise, are evolving rapidly. If I didn’t know this already, what I’m seeing at conferences like ContainerCon would confirm it. We’ve moved on from “what are containers, anyway?” to “let’s hunker down and get it right.”
Recently, I attended and spoke at LinuxCon/ContainerCon Europe. Like LinuxCon/ContainerCon North America, many of the keynotes touched on Linux container work going on in the community. At the European edition there was a particularly strong focus on Linux container security and networking. At least six sessions were focused on kernel security, orchestration security, and general container security. Four talks focused on container networking. Along with container security and networking, there were a lot of sessions about cloud native and containerized applications.
Continue reading “Evolution of Containers: Lessons Learned at ContainerCon Europe”
Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container, or anywhere else.
The Day After is Too Late
There’s an unfortunate tendency in IT to think about security too late. People only buy a security system the day after they have been broken into.
Dropping capabilities can be low hanging fruit when it comes to improving container security.
What are Linux Capabilities?
According to the capabilities man page, capabilities are distinct units of privilege that can be independently enabled or disabled.
The way I describe it is that most people think of root as being all powerful. That isn’t the whole picture: the root user with all capabilities is all powerful. Capabilities were added to the kernel with Linux 2.2, in 1999, to divide up the power of root.
Continue reading “Secure Your Containers with this One Weird Trick”
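Whether you are dropping capabilities (this post) or adding one such as SYS_TIME for an ntp daemon (the “Adding Capabilities” post above), the check a practitioner wants is what the kernel actually left in the container’s effective set. Here is an added shell decoder (not code from either post) for the CapEff bitmask that the kernel prints in /proc/&lt;pid&gt;/status; the bit numbers follow linux/capability.h, and the sample masks in the comments were constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): decode the CapEff hex mask from
# /proc/<pid>/status into capability names, so you can verify what
# `docker run --cap-drop ...` / `--cap-add ...` really did. Run
# `docker exec <ctr> grep CapEff /proc/1/status` to get the mask of a container's
# init process. Constructed sample masks:
#   a80425fb  docker's default capability set
#   aa0425fb  the default set plus --cap-add SYS_TIME (bit 25)
#   02000000  --cap-drop ALL --cap-add SYS_TIME (only bit 25 set)

# Capability names in bit order: bit 0 = chown ... bit 37 = audit_read.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod
lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read"

# decode_caps HEXMASK  -> space-separated names of the capabilities set in the mask
decode_caps() {
    mask=$((0x${1#0x}))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        bit=$((bit + 1))
    done
    # Newer kernels define capabilities past bit 37; report those by number
    # rather than silently dropping them from the listing.
    while [ "$bit" -lt 64 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$bit"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${out# }"
}

# has_cap HEXMASK NAME  -> exit status 0 if NAME is present in the mask
has_cap() {
    case " $(decode_caps "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# current_caps  -> effective capabilities of this shell (run it inside a container)
current_caps() {
    decode_caps "$(awk '/^CapEff:/ {print $2}' /proc/self/status)"
}
```

Inside a container started with `--cap-drop ALL --cap-add SYS_TIME`, `current_caps` prints just `sys_time`; with docker's defaults it prints fourteen names, including net_raw and mknod, which is why dropping what the application does not need is such cheap hardening. `has_cap "$(awk '/^CapEff:/ {print $2}' /proc/self/status)" sys_ptrace` makes a handy one-line assertion in an entrypoint script.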