Whether you have considered trying to secure an application by putting it into a “sandbox” or wondered how a Software as a Service (SaaS) provider keeps your application and data isolated from other customers, you have been contemplating software containers. Containers are an increasingly popular method of separating an application from the operating system and the physical infrastructure it uses to connect to the network. A container is not a separate machine: the processes inside it run on the host's kernel, and it is the kernel that gives them a private view of the system (their own process tree, filesystem and network stack) and enforces the boundary between them and everything else. Most people do not realize how popular containers have become and where they are being used today.
Decades ago, UNIX administrators established one way of confining a software package: they put it into a “chroot jail”. Chroot (short for change root) is the name of a UNIX system call and command that changes what a process, and any child processes it spawns, sees as the root of the filesystem. If the software is compromised, the jail limits what the attacker can read and modify to the directory tree inside it. This was considered a best practice for many years, but the key weakness is that chroot is a filesystem restriction, not a privilege boundary: a process that is still running as root inside the jail can break out again, for example by creating a nested chroot and walking back up the directory tree with chdir(".."), because the kernel never stops root from calling chroot a second time. Chroot also provides none of the controls that many now consider essential: memory and disk quotas, I/O and CPU rate limiting, checkpointing, a separate process tree and network isolation.
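As an added example (not code from the original article), the following C program demonstrates both halves of the paragraph above: the correct order for building a chroot jail (chdir into it, chroot, then give up root) and the classic break-out that remains possible whenever the jailed process keeps root. The jail is a fresh empty directory under /tmp, and the uid/gid 65534 used when dropping privileges is an assumption ("nobody" on most Linux systems). Run it as root to see both outcomes; as an unprivileged user the chroot() call itself is refused and the program reports that it could not set up the jail.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed for this example: an unprivileged uid/gid to drop to inside the jail
 * (65534 is "nobody" on most Linux systems). */
#define JAIL_UID 65534
#define JAIL_GID 65534

/* Exit codes the jailed child uses to report back to the parent. */
enum { STAYED_IN_JAIL = 0, ESCAPED = 1, NO_JAIL = 2 };

/* Build a jail the right way: chdir() first so the working directory is inside the new
 * root, then chroot(), then give up root. Returns -1 if the caller lacks CAP_SYS_CHROOT
 * (any ordinary user) or if dropping privileges fails. */
static int enter_jail(const char *dir, int keep_root)
{
    if (chdir(dir) != 0 || chroot(dir) != 0)
        return -1;
    if (keep_root)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(JAIL_GID) != 0 || setuid(JAIL_UID) != 0)
        return -1;
    return 0;
}

/* The classic break-out. It needs CAP_SYS_CHROOT, which a root process keeps inside a
 * chroot: nest a second chroot so the working directory is outside the new root, walk
 * up with chdir("..") until the real root is reached, then make that the root again.
 * Returns 0 on success; for an unprivileged process the nested chroot() fails. */
static int try_chroot_escape(void)
{
    if (mkdir("esc", 0700) != 0 && errno != EEXIST)
        return -1;
    if (chroot("esc") != 0)
        return -1;
    for (int i = 0; i < 64; i++)
        if (chdir("..") != 0)
            return -1;
    return chroot(".") == 0 ? 0 : -1;
}

/* Is the current "/" the same directory that was "/" before the jail was entered? */
static int at_real_root(const struct stat *real_root)
{
    struct stat now;
    if (stat("/", &now) != 0)
        return 0;
    return now.st_dev == real_root->st_dev && now.st_ino == real_root->st_ino;
}

/* Fork a child, jail it in a fresh empty directory and let it attempt the escape.
 * Returns 1 if the child escaped, 0 if it stayed confined, -1 if the jail could not
 * be set up (typically because the caller is not root). */
int run_jail_experiment(int keep_root)
{
    char jail[] = "/tmp/jailXXXXXX";
    struct stat real_root;
    if (stat("/", &real_root) != 0 || mkdtemp(jail) == NULL)
        return -1;
    chmod(jail, 0777); /* let the unprivileged child create its "esc" directory */

    pid_t pid = fork();
    if (pid < 0) { rmdir(jail); return -1; }
    if (pid == 0) {
        if (enter_jail(jail, keep_root) != 0)
            _exit(NO_JAIL);
        if (try_chroot_escape() == 0 && at_real_root(&real_root))
            _exit(ESCAPED);
        _exit(STAYED_IN_JAIL);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    char esc[sizeof jail + 4];
    snprintf(esc, sizeof esc, "%s/esc", jail);
    rmdir(esc); /* created by the child whether or not the escape went through */
    rmdir(jail);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == NO_JAIL)
        return -1;
    return WEXITSTATUS(status) == ESCAPED ? 1 : 0;
}

int main(void)
{
    printf("jailed as root:       %d (1 = escaped, 0 = confined, -1 = could not jail)\n",
           run_jail_experiment(1));
    printf("jailed, root dropped: %d\n", run_jail_experiment(0));
    return 0;
}
```

The nested-chroot walk is only the simplest exit: a root process in a jail can also create device nodes for the host's disks or ptrace processes outside the jail, so the lesson is the one in enter_jail(): the jail only means something once root has been given up.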
In the past we had one physical server and ran one application on it. Then the industry embraced server virtualization, where many Virtual Machines (VMs) run on one physical server. Initially there was a host Operating System (OS) on each physical server and the hypervisor ran on top of that host OS (a Type 2 hypervisor). Organizations realized that they could eliminate that superfluous host OS and run the hypervisor directly on the bare metal (a Type 1 hypervisor).
As more VMs were deployed, organizations gave each application its own virtual server, so each application essentially had dedicated resources (CPU, memory, I/O, network configuration). However, that server virtualization model requires a separate OS (and license) for each application. If all a business cares about is the application, why not run each application in its own computing instance without a whole operating system underneath it?
That is where the idea of using a software container to isolate the application came from. Using containers removes the need for a licensed OS per application. Each application is managed on its own, gets only the resources it needs, and can be secured separately from other applications.
Linux Kernel Containment:
Linux Containers (LXC) is a more modern method of virtualizing an application. LXC uses two kernel features. Control groups (cgroups) limit and account for the CPU, memory and block I/O a container may consume, and namespaces isolate what it can see: its own process tree (PID namespace), mount table, network stack, hostname (UTS), IPC objects and, with user namespaces, its own mapping of user IDs. LXC therefore sits between chroot and a virtual machine. Since LXC 1.0, unprivileged containers are supported: the container is started by an ordinary user and “root” inside it maps to that unprivileged user ID on the host through a user namespace, so a breakout yields only that user's privileges.
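As an added example, not code from the original article or from the LXC project, here is a minimal “container” built directly on the kernel primitives described above. It clone()s a child into new user, PID, mount, UTS and network namespaces, maps root inside the user namespace to the caller's own unprivileged uid (the unprivileged-container model of LXC 1.0), and checks that the child sees itself as PID 1 with its own hostname while the parent's hostname is untouched. The hostname "sandbox" and the return-code convention are constructed for the demo, and no cgroup limits are applied. On kernels or seccomp policies that forbid unprivileged user namespaces the demo reports -1 instead of failing; if it is run as real root it falls back to creating the other namespaces without a user namespace.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER /* fallback if <sched.h> was already seen without _GNU_SOURCE */
#include <linux/sched.h>
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#endif

#define STACK_SIZE (1024 * 1024)

/* Constructed for this demo: the hostname the child sets inside its own UTS namespace. */
static const char INSIDE_HOSTNAME[] = "sandbox";

/* Exit codes the child uses to report what it observed. */
enum { NOT_ISOLATED = 0, ISOLATED = 1, NO_CAPABILITY = 2 };

struct sync_pipe { int rd, wr; };

/* Entry point of the cloned child; it is PID 1 of the new PID namespace. */
static int child_fn(void *arg)
{
    struct sync_pipe *p = arg;
    char c, name[64] = {0};
    close(p->wr);
    /* Block until EOF: the parent closes its write end once uid_map/gid_map are written. */
    if (read(p->rd, &c, 1) != 0)
        _exit(NOT_ISOLATED);
    close(p->rd);
    /* sethostname() needs CAP_SYS_ADMIN over the UTS namespace, which "root" of the new
     * user namespace holds; the change must not be visible to the parent. */
    if (sethostname(INSIDE_HOSTNAME, sizeof INSIDE_HOSTNAME - 1) != 0)
        _exit(NO_CAPABILITY);
    if (gethostname(name, sizeof name - 1) != 0)
        _exit(NOT_ISOLATED);
    _exit(getpid() == 1 && strcmp(name, INSIDE_HOSTNAME) == 0 ? ISOLATED : NOT_ISOLATED);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Map uid/gid 0 inside the child's user namespace to the caller's own ids outside it:
 * this is how an unprivileged container gets a "root" that is harmless on the host.
 * "deny" must go to setgroups first or the kernel rejects gid_map for unprivileged writers. */
static int map_root_to_self(pid_t pid)
{
    char path[64], map[64];
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)pid);
    if (write_file(path, "deny") != 0) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)geteuid());
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    if (write_file(path, map) != 0) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getegid());
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)pid);
    return write_file(path, map);
}

/* Start a child in fresh user, PID, mount, UTS and network namespaces.
 * Returns 1 if the child saw itself as PID 1 with its own hostname and the parent's
 * hostname was untouched, 0 if the namespaces existed but isolation was not observed,
 * -1 if this environment refused to create them (sysctl, seccomp, old kernel, ...). */
int run_namespace_demo(void)
{
    char before[64] = {0}, after[64] = {0};
    int fds[2];
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL || pipe(fds) != 0) { free(stack); return -1; }
    gethostname(before, sizeof before - 1);
    struct sync_pipe p = { fds[0], fds[1] };
    int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWNET | SIGCHLD;
    int user_ns = 1;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags | CLONE_NEWUSER, &p);
    if (pid < 0 && geteuid() == 0) {
        /* Privileged fallback: real root can create the other namespaces directly. */
        user_ns = 0;
        pid = clone(child_fn, stack + STACK_SIZE, flags, &p);
    }
    if (pid < 0) { close(p.rd); close(p.wr); free(stack); return -1; }
    close(p.rd);
    int mapped = user_ns ? map_root_to_self(pid) : 0;
    close(p.wr); /* EOF releases the child */
    int status = 0;
    waitpid(pid, &status, 0);
    free(stack);
    gethostname(after, sizeof after - 1);
    if (mapped != 0 || !WIFEXITED(status) || WEXITSTATUS(status) == NO_CAPABILITY)
        return -1;
    if (strcmp(before, after) != 0)
        return 0; /* the child's hostname change leaked out: no UTS isolation */
    return WEXITSTATUS(status) == ISOLATED ? 1 : 0;
}

int main(void)
{
    printf("namespace demo: %d (1 = isolated, 0 = not isolated, -1 = not permitted here)\n",
           run_namespace_demo());
    return 0;
}
```

Namespaces are the isolation half of LXC; the resource half is cgroups, which are applied separately by placing the child's PID into a cgroup and writing limits such as memory.max (cgroup v2) into that cgroup's directory. Note also that nothing here is emulated: the child makes ordinary system calls to the same kernel as its parent, which is why the overhead is so low and why a kernel bug reachable from inside a container affects the host.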
Linux containers are flexible because they let the administrator virtualize a single application rather than an entire operating system in a Virtual Machine (VM), so no separate operating system license is required. LXC also has very low overhead: the application makes its normal system calls against the shared host kernel and talks to real interfaces, and nothing is emulated. If you want to run software containers on a lightweight Linux OS, you might consider CoreOS. LXC is also used by Heroku dynos, the cloud Platform as a Service (PaaS) that Salesforce.com acquired several years ago.
Docker started as a layer on top of LXC (the LXC execution driver was Docker's default until release 0.9 replaced it with Docker's own libcontainer library) and adds image management and deployment assistance for virtualizing applications. Docker automates the rapid provisioning of containers, with their cgroups and namespaces, without requiring a VM, and exposes an API on top of that for building Platform as a Service (PaaS) offerings. As you can imagine, the open-source Docker system could be used for a whole host (no pun intended) of purposes.
Docker (spun out of dotCloud) is only about a year old, but it has gained in popularity and is now integrated with tools such as Ansible, Chef, OpenStack, Puppet and Salt. Docker is included with RHEL 7.0, OpenShift PaaS, Google Compute Engine (GCE), Deis, and now Amazon Web Services (AWS) Elastic Beanstalk. Docker is becoming the de facto Linux standard for virtualizing applications.
Other Places Containers are Used:
Mobile phones also use containers to separate their apps and run them securely. Android isolates every app by running it under its own Linux user ID, and LXC itself has been run on the Android kernel, for example on the Nexus One. McAfee provides a Secure Container for Android. Apple iPhones likewise compartmentalize each application and its data in a sandboxed container.
Mobile Device Management (MDM) utilities are used by companies to secure personal devices entering the enterprise network, à la Bring Your Own Device (BYOD). Many of these MDM systems also include containers for the corporate applications and data, so that if a device is lost or an employee leaves the organization, the company data and confidential applications can be wiped selectively. Citrix XenMobile MDM provides application containerization (Citrix MDX) and data containerization (Citrix ShareFile).
Sandboxed browsers are another way of thinking about application virtualization, securing one application at a time. Sandboxie is a Windows program that runs a browser, or any other application, in a sandbox, redirecting the files and registry entries it writes into a sandbox area that can be discarded afterwards.
Cisco Secure Desktop (CSD), recently deprecated, was part of the Cisco ASA firewall and AnyConnect SSL VPN for many years. CSD created a protected workspace for the data and services used during a VPN session and deleted it when the VPN connection was terminated. This is a similar concept to a container.
Cisco UCS Director Fenced Container is a method of grouping VMs into a separate enclave. The product has the word “container” in its name, but it does not containerize a specific application; it groups VMs into a security domain, zone or enclave.
The Cisco Nexus 9000 actually runs a Linux kernel, and the onePK agent runs within an LXC container. This isolates the onePK connectivity to the onePK controller from the NX-OS kernel. Administrators also have the ability to run 64-bit Linux containers on the switch processor.
We are likely to see more software-based containers in the future. Businesses tend to care only about the application and the business value it provides, and less and less about the physical hardware and operating systems that support it. If containers can improve the security of mission-critical applications with very low overhead, organizations will use them more frequently. LXC and Docker have become incredibly popular in the past 12 to 18 months, and we are seeing the impact they are having in the cloud market. We will continue to witness these disruptions as software becomes more important and hardware wanes in prominence.