Nabla Containers: New Format from IBM Designed for Strong Isolation on Cloud Hosts


Framework Installs with Docker to Add Unikernel Techniques Based on Solo5 & runnc

IBM recently released Nabla Containers, a sandboxed container runtime that installs alongside Docker rather than replacing it, with the aim of isolating cloud workloads more strongly than a standard Linux container does. Like the gVisor sandbox Google released this year, Nabla sets out to shrink the host attack surface that a compromised application running in production at scale can reach. The two take different routes: gVisor intercepts the container's Linux system calls and services them in a user-space kernel, whereas Nabla applies library OS/unikernel techniques from the Solo5 project, so the application is linked against its own minimal OS layer and the host kernel sees only a small, fixed set of system calls (9, by the page's count) from the process that hosts the unikernel. Because Nabla plugs in through the OCI runtime interface, it coexists with Docker on the same hardware and software platforms (public or private cloud hosts): Nabla's "OCI-interfacing container runtime" is runnc, gVisor's is runsc, and stock Docker containers run under runC, the code Docker donated to the Open Container Project (now the Open Container Initiative) in 2015 "as a standalone tool, to be used as plumbing by infrastructure plumbers everywhere."

Solo5 was started by Dan Williams at IBM Research while porting MirageOS to run on the Linux KVM hypervisor. Its main components are the kernel, ukvm, a testing suite, and a set of tools supporting various virtualization requirements across different operating systems and hardware. Nabla Containers will mostly appeal to programmers and operators with a pressing need to cut the number of host system calls a production workload can make; the trade-off is that applications must be rebuilt as Nabla images rather than run from ordinary Docker images, and those images are not interchangeable with runC's.
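Nabla's pitch above is a small, fixed set of host system calls. The script below is an added example, not code from the page or from the Nabla, gVisor or Solo5 projects; it applies the same idea to an ordinary runC container by parsing an strace -c summary of the workload, reporting which observed calls fall outside an allowlist (the allowlist here is made up for illustration and is not Nabla's real policy), and emitting a default-deny Docker seccomp profile. The strace summary is constructed sample data, and the extra syscall names passed in are assumptions about what the workload needs.

```python
import json
import re

# Constructed `strace -f -c` summary for a small workload (sample data,
# not a real trace). In practice: strace -f -c -o summary.txt ./entrypoint
SAMPLE_STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 45.10    0.001204          12       100           read
 30.05    0.000802          20        40           write
 10.00    0.000267          26        10         3 openat
  8.00    0.000214          21        10           close
  4.00    0.000107          53         2           mmap
  2.85    0.000076          76         1           exit_group
------ ----------- ----------- --------- --------- ----------------
100.00    0.002670                   163         3 total
"""

# One data row: %time, seconds, usecs/call, calls, optional errors, name.
# The footer row also matches (its blank usecs/call shifts the columns),
# so it is filtered out by its name, "total".
_ROW = re.compile(r"^\s*\d+\.\d+\s+\d+\.\d+\s+\d+\s+\d+(?:\s+\d+)?\s+(\w+)\s*$")


def syscalls_from_strace_summary(text):
    """Return the set of syscall names that appear in an strace -c summary."""
    names = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m and m.group(1) != "total":
            names.add(m.group(1))
    return names


def outside_allowlist(observed, allowlist):
    """Observed syscalls a policy would deny: the gap to close before
    enforcing. An empty set means the trace fits the policy."""
    return set(observed) - set(allowlist)


def seccomp_profile(allowed, extra=()):
    """Build a default-deny Docker seccomp profile permitting only the given
    syscalls. SCMP_ACT_ERRNO makes a denied call fail with EPERM so the
    workload logs an error instead of dying silently; switch to
    SCMP_ACT_KILL_PROCESS once the list is trusted if you prefer hard fail."""
    names = sorted(set(allowed) | set(extra))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    observed = syscalls_from_strace_summary(SAMPLE_STRACE_SUMMARY)
    # Hypothetical allowlist used only for the comparison; not Nabla's list.
    claimed = {"read", "write", "exit_group", "mmap"}
    print("observed:", sorted(observed))
    print("not covered by allowlist:", sorted(outside_allowlist(observed, claimed)))
    # "execve" and "exit" are assumed needs of the entrypoint that a short
    # trace may not have exercised.
    profile = seccomp_profile(observed, extra=["execve", "exit"])
    # Save this output as profile.json and pass it with
    # docker run --security-opt seccomp=profile.json IMAGE
    print(json.dumps(profile, indent=2))
```

A trace only covers the code paths it exercised, so generate it under a representative test run and expect to add calls; with SCMP_ACT_ERRNO a missing syscall surfaces as EPERM in the application's logs rather than as a silent kill. This is a runC-level approximation of the property, not how Nabla enforces it: runnc applies its policy to the process that hosts the Solo5 unikernel, and the application's own calls never reach the host kernel at all.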


Kata Containers, KubeVirt, & Virtlet: VM Solutions for Multi-Tenant Applications


OpenStack Releases New Platform Software Merging Intel Clear Containers & Hyper.sh runV

One of the most interesting announcements at KubeCon in Austin this year (December 2017) was the unveiling of Kata Containers, which merges Intel's Clear Containers with Hyper.sh's runV. Clear Containers come out of Intel's Open Source Technology Center and are linked to the Clear Linux project, a lightweight distro optimized for cloud servers and IoT devices. HyperHQ was founded by Xu Wang, Simon Xue, & Feng Gao in Beijing in 2014 and produced a hybrid container/hypervisor technology that lets Docker/Kubernetes workloads run inside lightweight virtual machines (VMs), with fast boot times and the stronger isolation multi-tenant deployments need: a container escape or kernel exploit lands in the guest kernel, so the hypervisor, not the shared host kernel, becomes the boundary an attacker has to cross. Arjan van de Ven of the Intel Clear Containers group wrote that the framework can launch a secure container with a running VM in "under 150 milliseconds" and that "the per-container memory overhead is roughly 18 to 20MB (this means you can run over 3500 of these on a server with 128GB of RAM)." Further development of Kata Containers will be governed by the OpenStack Foundation, its first project outside OpenStack itself, and the project has already gathered support from IT industry majors (99cloud, AWcloud, Canonical, China Mobile, City Network, CoreOS, Dell/EMC, EasyStack, Fiberhome, Google, Huawei, JD.com, Mirantis, NetApp, Red Hat, SUSE, Tencent, Ucloud, UnitedStack, & ZTE). With Docker & Kubernetes becoming de facto standards for cloud deployment in DevOps, enterprises have a large demand for solutions like these, which run multi-tenant apps in containers behind a harder isolation boundary and give each pod its own guest kernel rather than a share of the host's. Other solutions to this problem are KubeVirt (a Kubernetes add-on that runs full VMs as pods, so pods can carry other operating systems) and Virtlet (produced by Mirantis, which also runs VMs as pods and works with CNI networking such as OpenContrail and Calico).

Programmers and systems administrators can combine software-defined networking tools with the Kubernetes Pod API to modernize legacy applications or to host complex web & mobile apps in a private/public cloud.
