Container Migration Around The World

In this article I want to talk about a runC container which I want to migrate around the world while clients stay connected to the application.

In my previous Checkpoint/Restore In Userspace (CRIU) articles I introduced CRIU (From Checkpoint/Restore to Container Migration) and in the follow-up I gave an example how to use it in combination with containers (Container Live Migration Using runC and CRIU). Recently Christian Horn published an additional article about CRIU which is also a good starting point.

In my container I am running Xonotic. Xonotic calls itself ‘The Free and Fast Arena Shooter’. The part that is running in the container is the server part of the game to which multiple clients can connect to play together. In this article the client is running on my local system while the server and its container is live migrated around the world.

This article also gives detailed background information about 

Continue reading “Container Migration Around The World”

What’s New in Red Hat Enterprise Linux Atomic Host 7.4?

We’re pleased to announce that Red Hat Enterprise Linux Atomic Host 7.4 is now generally available. Red Hat Enterprise Linux Atomic Host is a lightweight, container-optimized version of Red Hat Enterprise Linux. Red Hat Enterprise Linux Atomic Host couples the flexible, modular capabilities of Linux containers with the reliability and security of Red Hat Enterprise Linux in a reduced footprint, to decrease the attack surface and provide only the packages needed to light up hardware and run containers. Here’s a look at some of the major changes in 7.4.

Continue reading “What’s New in Red Hat Enterprise Linux Atomic Host 7.4?”

Introducing the Red Hat Enterprise Linux Atomic Base Image

We’re excited to announce our latest step in the further optimizing of Red Hat Enterprise Linux (RHEL) for containers with the release of the RHEL Atomic base image. This image is much smaller than the current RHEL base image, giving just enough to get started on building your application or service.

We carved out python, systemd, and yes, even Yum is gone – leaving you with only the bare bone essentials like glibc, rpm, bash, and their remaining dependencies. This leaves us with an image that’s just under 30MB compressed, 75MB on disk; composed of 81 packages.

Continue reading “Introducing the Red Hat Enterprise Linux Atomic Base Image”

SELinux Mitigates container Vulnerability

A new CVE, (CVE-2016-9962), for the docker container runtime and runc were recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you execd into a running container, the processes inside of the container could attack the process that just entered the container.

If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host.

Continue reading “SELinux Mitigates container Vulnerability”

Container Live Migration Using runC and CRIU

In my previous article I wrote about how it was possible to move from checkpoint/restore to container migration with CRIU. This time I want to write about how to actually migrate a running container from one system to another. In this article I will migrate a runC based container using runC’s built-in CRIU support to checkpoint and restore a container on different hosts.

I have two virtual machines (rhel01 and rhel02) which are hosting my container. My container is running Red Hat Enterprise Linux 7 and is located on a shared NFS, which both of my virtual machines have mounted. In addition, I am telling runC to mount the container

Continue reading “Container Live Migration Using runC and CRIU”

Container Tidbits: Adding Capabilities to a Container

A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?

While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.

One example is when you have a app that needs a single capability, like an Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an ntp daemon, you would need to do a --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.

Continue reading “Container Tidbits: Adding Capabilities to a Container”

Evolution of Containers: Lessons Learned at ContainerCon Europe

Linux containers, and their use in the enterprise, are evolving rapidly. If I didn’t know this already, what I’m seeing at conferences like ContainerCon would confirm it. We’ve moved on from “what are containers, anyway?” to “let’s hunker down and get it right.”

Recently, I attended and spoke at LinuxCon/ContainerCon Europe. Like LinuxCon/ContainerCon North America, many of the keynotes touched on Linux container work going on in the community. At the European edition there was a particularly strong focus on Linux container security and networking. At least six sessions were focused on kernel security, orchestration security, and general container security. Four talks focused on container networking. Along with container security and networking, there were a lot of sessions about cloud native and containerized applications. 

Continue reading “Evolution of Containers: Lessons Learned at ContainerCon Europe”