IBM’s Bluemix Containers: Applied Container Security
It’s no surprise to anyone that container security is still a hotly debated and discussed topic across the cloud ecosystem. Much of the debate hinges on an understanding that the full benefit of container technologies is only realized in a container native bare metal deployment, but many implementations are hindered from this by a “safety net” of understood and vetted VM technology. Everyone from developers to IT execs to operators and admins want to know that a true container native future for their cloud virtualization strategy is a “safe bet” that won’t come back to bite them (and their customers, data, critical business processes..) in the end.
To that end, you can easily find blog posts, tech journal write-ups, conference talks, and more recently, a couple of highly detailed “best practice” documents on container security topics. As a personal point of reference, a container security talk I gave at Docker London in July received over 8000 views on SlideShare in just a few weeks!
One recent addition to the pile of resources on this hot security topic was published by The New Stack, a popular site for tech journalism on cloud computing topics, not to mention a regular producer of podcasts, interviews, and pancakes too, in case you visit any popular industry conference these days. The New Stack recently invited Bryan Cantrill, Joyent’s CTO, to discuss the state of container security on a podcast titled “Security Must be a Top Priority with Container Deployments.” I’ve always thoroughly enjoyed Bryan’s engaging style and his thoughts on containers, and this podcast does not disappoint. However, at minute 16:00 Bryan stated: “Certainly there is no cloud offering today that allows for two different tenants to run in two different containers on the same host that are mutually untrusted.” This caught my attention because this model, with the Linux kernel isolation primitives as its substrate, is exactly what IBM’s own bluemix.net containers-as-a-service cloud is built upon. We built our cloud container native on bare metal because, while much of the industry is busy opining about container security problems, we see it as our mission to jump in and help fix them. Bluemix, therefore, is our flagship demonstration that a container native bare metal cloud can be built. We believe that Linux kernel-based isolation, along with the layers of security capabilities offered by Docker and the Linux ecosystem, some of which were contributed by IBM, is capable of providing the multi-tenant isolation for bare metal containers that our customers require.
We agree there is still work to do, but we are successfully operating a managed containers-as-a-service offering using these components, with open source contributions from IBM including:
- User namespaces
- AppArmor profile improvements
- Improvements to host-mounted filesystem protections
- ...and many bug fixes and configured environmental protections too numerous to list
These open source contributions are in addition to technologies we are developing and delivering via our Bluemix container offering such as:
- Vulnerability Advisor (image scanning)
- Research in Dynamic Introspection
- Multi-tenant protection and capabilities (like a private image registry per tenant)
- ...and more to come
That isn’t to say that we don’t understand the continued need to improve and develop further security enhancements in the Linux substrate. We do, and we are committed to continuing our contributions to this stack of open source layers, which together provide a performant and secure isolation layer for what we all call “Linux containers”, and which we offer as a service to our IBM Cloud customers via Bluemix.
We are also continuing to look at new technologies like the lightweight virtualization work at the OCI/runc layer, and even showed a proof-of-concept at DockerCon Seattle of one such pluggable-runc on our POWER platform with hardware assisted lightweight virtualization. We will continue delivering what we believe is of most value to our customers and provides them with a secure and appropriately isolated tenant environment based on Linux kernel container technologies.
If you haven’t had a chance to try out our Bluemix container cloud offering, note that you can easily get a free-tier 30-day trial account. The Docker client API is fully supported, as are container groups, the private registry noted above, and our entire catalog of cloud services, including logging, monitoring, public IP routing, and many other features.
And thanks, Bryan, for providing a launchpad for me to show off what IBM is achieving in the cloud today with our managed bare metal container cloud offering. I still highly respect your thoughts in this area, but I wanted to take the opportunity to say that one company has gone ahead and said “I’ll do it first!”