Ubuntu Wants To Run Containers, Too
Snappy, a lean Linux Ubuntu optimized for container operation, promises stronger security for Linux containers.
9 Google Apps Tips: Productivity Boosters
9 Google Apps Tips: Productivity Boosters (Click image for larger view and slideshow.)
Canonical on Tuesday released Snappy, its version of a Linux host for running containers, which will compete with similar offerings from Red Hat and CoreOS. Canonical, which makes available the Linux Ubuntu operating system, claims Snappy allows faster updates to either a mobile application or the app's operating system -- hence its name.
Perhaps equally important, Snappy will allow users to run Linux containers more securely. Canonical isn't claiming it has solved the Docker or Linux container security issues. But it does treat the operating system as if it's in a sandbox. Each part of the OS may access only those areas of the operating system or related resources, such as file systems, directories, and databases, that it's explicitly authorized to use.
Canonical founder Mark Shuttleworth said in an interview that Snappy is a flavor of Ubuntu Core, the minimalist version of Ubuntu used with mobile application systems or custom Ubuntu systems. One of the main changes in Snappy is that it is assembled in a different manner from other Ubuntus, which typically are assembled as packages of code from repositories, with hundreds of components or packages able to access each other, plus the core operating system kernel, Shuttleworth said.
[The container wars are heating up. See Docker Founder Must Right His Ship.]
Snappy, on the other hand, is assembled with the components isolated from one another. Each system resource may access only those other parts for which it's been granted explicit permission, based on the application's needs. "The security story is fantastic. Each aspect of a Snappy system is isolated from the other," he said.
In effect, an installation of Snappy on the server will act something like application code in a sandbox, with active agents unable to go outside the box, except for one or two or a few permissions set by the policies governing that implementation of the system. Even if malware arrives with a code package, its opportunities to do mischief are limited by Snappy's sandbox rules. It's not foolproof, but it's a greatly reduced attack surface, according to Shuttleworth.
The concept has been implemented before in security-enhanced Linux (SELinux), the version developed for operations in highly secure settings, such as the US Department of Defense. But Snappy is a lean Linux optimized for container operation, amounting to 100 MB compressed download, compared to several hundred MB for most distributions.
It also follows update principles that Canonical established for mobile device systems, where, if an update is not confirmed as completely intact, the system is rolled back to a reliable version. Thus, Snappy is billed as a host system that can be managed as a "transactional" or "image-based" system. It works as planned, or the transaction (update) that changed it is rolled back to a known, prior version.
"This is the smallest, safest platform for Docker deployment ever... It's completely extensible to all forms of container or service," Shuttleworth said. Ubuntu is already a popular form of Linux with developers. It's based on the vendor-neutral Debian distribution, and Shuttleworth claims that six times as many developers are working on Ubuntu as on any other Linux.
Red Hat, a Docker partner, is often found in use with containerized production systems or in cloud-based virtual machine workloads. In producing Snappy, Canonical is positioning itself to serve as an enterprise and cloud host for containerized systems in competition with Red Hat and CoreOS. Its large developer base gives it a position of strength from which to bid for such a role.
Canonical also offers the AppArmor system for maintaining Linux kernel security. It provides rigorous media access control over use of the kernel, shielding a system from unauthorized users and user devices.
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it? Get the Malware Mutation issue of Dark Reading today.
About the Author
You May Also Like