Container Live Migration Using runC and CRIU

In my previous article I wrote about how it was possible to move from checkpoint/restore to container migration with CRIU. This time I want to write about how to actually migrate a running container from one system to another. In this article I will migrate a runC based container using runC’s built-in CRIU support to checkpoint and restore a container on different hosts.

I have two virtual machines (rhel01 and rhel02) which are hosting my container. My container is running Red Hat Enterprise Linux 7 and is located on a shared NFS, which both of my virtual machines have mounted. In addition, I am telling runC to mount the container

Continue reading “Container Live Migration Using runC and CRIU”

Container Tidbits: Adding Capabilities to a Container

A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?

While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.

One example is when you have a app that needs a single capability, like an Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an ntp daemon, you would need to do a --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.

Continue reading “Container Tidbits: Adding Capabilities to a Container”

Red Hat Virtualization: Bridging the Gap with the Cloud and Hyperconverged Infrastructure

Red Hat Virtualization offers a flexible technology for high-intensive performance and secure workloads. Red Hat Virtualization 4.0 introduced new features that enable customers to further extend the use case of traditional virtualization in hybrid cloud environments. The platform now easily incorporates third party network providers into the existing environment along with other technologies found in next generation cloud platforms such as Red Hat OpenStack Platform and Red Hat Enterprise Linux Atomic Host. Additionally, new infrastructure models are now supported including selected support for hyperconverged infrastructure; the native integration of compute and storage across a cluster of hosts in a Red Hat Virtualization environment.

Continue reading “Red Hat Virtualization: Bridging the Gap with the Cloud and Hyperconverged Infrastructure”

Evolution of Containers: Lessons Learned at ContainerCon Europe

Linux containers, and their use in the enterprise, are evolving rapidly. If I didn’t know this already, what I’m seeing at conferences like ContainerCon would confirm it. We’ve moved on from “what are containers, anyway?” to “let’s hunker down and get it right.”

Recently, I attended and spoke at LinuxCon/ContainerCon Europe. Like LinuxCon/ContainerCon North America, many of the keynotes touched on Linux container work going on in the community. At the European edition there was a particularly strong focus on Linux container security and networking. At least six sessions were focused on kernel security, orchestration security, and general container security. Four talks focused on container networking. Along with container security and networking, there were a lot of sessions about cloud native and containerized applications. 

Continue reading “Evolution of Containers: Lessons Learned at ContainerCon Europe”

From Checkpoint/Restore to Container Migration

The concept to save (i.e. checkpoint / dump) the state of a process, at a certain point in time, so that it may later be used to restore / restart the process (to the exact same state) has existed for many years. One of the most prominent motivations to develop and support checkpoint/restore functionality was to provide improved fault tolerance. For example, checkpoint/restore allows for processes to be restored from previously created checkpoints if, for one reason or another, these processes had been aborted.

Over the years there have been several different implementations of checkpoint/restore for Linux. Existing implementations of checkpoint/restore differ in terms of  “what level” (of the operating system) they are operating; the lowest level approaches focus on implementing checkpoint/restore directly in the kernel while other “higher level” approaches implement checkpoint/restore completely in user-space. While it would be difficult to unearth each and every approach /  implementation – it is likely fair to

Continue reading “From Checkpoint/Restore to Container Migration”

PCI Series: Requirement 6 – Develop and Maintain Secure Systems and Applications

This post is the fifth installment in my PCI DSS series – a series dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS). This specific post is related to requirement six (i.e. the requirement to develop and maintain secure systems and applications). The outline and mapping of individual articles to requirements can be found in the overarching post that started the series.

Section six of the PCI DSS standard covers guidelines related to secure application development and testing. IdM and its ecosystem can help in multiple ways to address requirements in this part of the PCI-DSS standard. First of all, IdM includes a set of Apache modules for

Continue reading “PCI Series: Requirement 6 – Develop and Maintain Secure Systems and Applications”

In Defense of the Pet Container, Part 3: Puppies, Kittens and… Containers

In our third and final installment (see: part one & part two), let’s take a look at some high-level use cases for Linux containers as well as finally (finally) defending what I like to call “pet” containers. From a general perspective, we see three repeated high-level use cases for containerizing applications:

  1. The fully orchestrated, multi-container application as you would create in OpenShift via the Red Hat Container Development Kit;
  2. Loosely orchestrated containers that don’t use advanced features like application templates and Kubernetes; and
  3. Pet containers.

Continue reading “In Defense of the Pet Container, Part 3: Puppies, Kittens and… Containers”

Bringing Intelligence to the Edge

In my last post, we discussed how the needs of an enterprise-grade Internet of Things (IoT) solution require a more diligent approach than what’s involved when putting together a Proof of Concept (PoC). In this post, we’ll explore how businesses can leverage their existing infrastructure to create scalable IoT deployments.

While my previous post reviewed a “list of ingredients” needed to build out an industrial-grade IoT solution, the massive scale and reach of IoT solutions for businesses requires some additional considerations, namely

Continue reading “Bringing Intelligence to the Edge”