HPE Prescribes New ContainerOS for the Ills of Container Security
“Containers ease the deployment and management of applications and their dependencies,” wrote CoreOS Principal Security Engineer Matthew Garrett last September, “but the isolation that containers provide also results in increased security by reducing the degree to which applications can interact.”
In introducing a key software component of his company’s new “composable infrastructure” platform Wednesday afternoon at Discover 2015 in London, Hewlett Packard Enterprise CTO Martin Fink also mentioned container isolation and security.
“Some people think containers have some drawbacks,” said Fink, “namely, security and isolation, as well as managing at scale.
“We started to transform to hybrid infrastructure,” Fink stated at one point, referring to the combined history of the former HP Corp. and its customers, “and we think the problem here is scale. Think about this for a few minutes: Your business will continue to demand faster insights from more data. More data will mean more apps. More data and more apps means more infrastructure. And in turn, that means more developers, more administrators, more energy.
“If you play this out, none of these things scale,” he reasoned.
Management on a Chip
This was the flip side of a portion of Fink’s speech building up the power of containers as the counterpart of homo sapiens on the evolutionary scale, with VMware-era virtualization looking decidedly more Cro-Magnon. The major highlight of HPE Discover 2015 this week has been the introduction of a new class of server architecture called Synergy, whose hybrid cloud stack will be implemented by way of a new version of its OneView management platform literally imprinted in custom hardware.
Synergy was announced Tuesday, leaving some attendees to question how OneView would deal with the matter of container orchestration. HPE is obviously partnering with Docker Inc. Would it also form similar partnerships with Google for Kubernetes, or with Mesosphere for its DCOS? Or would it handle the orchestration matter on its own?
“Some people think containers have some drawbacks,” the CTO said at one point. “Namely, security and isolation, as well as managing at scale.”
Some HP officials here told The New Stack that the answers to these questions would be deferred until Stage 3 of a four-stage company “Transformation” scheme, with Synergy representing Stage 2, and the formation of HPE itself from the old HP Corp. representing Stage 1. But Wednesday, attendees were introduced to the idea — if not the technology itself — of ContainerOS, which Fink depicted as the first container technology of the post-homo-sapiens era.
Following in the wake of CoreOS and VMware Photon, HPE will be producing its own Linux kernel for containers.
“We’re enhancing the Linux kernel to use the same silicon features that virtual machines use to create the security and isolation that all of you know, love, and trust so much,” he told an audience of IT professionals and some CIOs. “But now we can give you that security and isolation at the container level without the need of the overhead of the virtual machine. We’re enhancing our leading-edge file system so that we can give you a single global namespace across tens of thousands of containers. And finally, we’re developing the management and operations capabilities so that your operations team can manage tens of thousands of containers easily, and can fall in love with containers just as much as your developers have.”
Same Platform, Second Verse
Fink did not go into technical specifics about ContainerOS, nor were details made available online, or via any other means, by HPE. On Wednesday, we had been told on more than one occasion by other HPE officials, in response to our questions, that they could go no further into detail without first letting Fink make this announcement.
But here’s what we can surmise from the bits and pieces that Fink did eventually reveal: By “the same silicon features virtual machines use” for security and isolation, an HPE engineer at the show confirmed to The New Stack on Thursday that Fink was referring to Intel VT, a set of hardware-based libraries used by Intel CPUs to enable process isolation at a level way below the operating system kernel. (AMD produces a counterpart technology, at one time called AMD-V, although that company’s research efforts have slowed dramatically since the company was scaled down. Still, AMD is a principal sponsor of HPE’s European conference this year, so Fink may have omitted any specific reference to Intel in deference to AMD.) Intel introduced process isolation features to its VT service (still referred to by its original code name “Vanderpool”) in 2012, and VMware now relies upon Intel VT to seamlessly expose BIOS functions and other low-level hardware resources to guest VMs.
“Isolation of CPU, memory, and I/O now is done at a hardware level,” reads a January 2014 VMware white paper [PDF], “with the hypervisor managing how much of the hardware resources a virtual machine can use, similar to a choreographer or traffic officer. This part of the hypervisor is called the virtual machine monitor (VMM). With the ability to leverage these CPU extensions, the attack surface of the hypervisor shrinks considerably.”
When VMware introduced its two container platforms in September (vSphere Integrated Containers and Photon Platform), both would not only inject containers with the company’s own Photon OS, but also wrap them in envelopes called jeVM (not a typo), designed to make containers appear as VMs in vSphere. Both these mutations would also enable Intel VT to service these capsules of code as though they were VMs. Intel’s Clear Containers project, introduced earlier in the year, utilizes a very similar scheme, for exactly the same purposes.
HPE’s container management system would, of course, extend beyond its Synergy hardware platform and into mainstream enterprise server lines such as ProLiant. Another HPE engineer told The New Stack Thursday that the company intends for OneView, both for software and as “composer modules” (hardware) for Synergy servers, to eventually support multiple hypervisors such as KVM and Microsoft Hyper-V. No timetable was given for these extensions, but for now, HPE will support VMware’s ESX (vSphere) hypervisor, as well as Docker containers.
Yet unlike vSphere Integrated Containers, one HPE product marketing manager told The New Stack Thursday, the OneView/Synergy scheme would not wrap Docker containers, or any other containers (OCI format), in a protective coating. (He actually winced at our mention of jeVM, as if biting into a lemon.) Co-existence between VMs and containers on the same infrastructure would be achieved through process isolation, which an HPE engineer told The New Stack would definitely be achieved using Intel VT.
Yet on Wednesday, CTO Martin Fink dropped a bombshell. Or, as we overheard some describing it here the following day, he certainly dropped something.
The company’s “leading-edge file system,” as Fink put it, is very likely HP-UX, which hails back to the days when “U” stood for Unix. Fink said his company would expand its file system in order to incorporate, presumably, all containers running in a cluster into a single namespace. Such a move may not appear to strip containers of their isolation – at least, not from the containers’ point of view. But it may present containers with a kind of “virtual isolation,” for lack of a better word, serviced by way of Intel VT.
Put another way, it would replace Docker and other containers’ isolation with Intel and VMware isolation, probably in order to achieve the same goal Intel and VMware have tried to achieve independently: facilitate a single environment where VMs and containers cohabit the same environment.
Isolation is one of the virtues of containerization – the capability to run workloads in namespaces that are separate from the kernel. It’s not a perfect security solution in itself, but it’s part of the whole point of containers in the first place. Granted, the sealed nature of the isolated environment has made headaches for developers looking to build security and monitoring tools – headaches that companies such as Sysdig have addressed in recent months by injecting monitoring agent code into the container’s kernel prior to deployment.
What Martin Fink appears to be describing, however, is a cohabitation solution for the first and second generations of virtualized workloads and a cure for the headaches security personnel have faced – a solution that would strip containers of their native isolation in order to make them manageable using the same security and admin tools as for the first generation.
“Combine the ContainerOS with HPE Synergy,” said Fink, “and you get secure, isolated, and dynamic composition and re-composition of your infrastructure and apps at scale.”
One HPE engineer told The New Stack that Fink’s revelations on Wednesday were the first that the container engineering team had heard of this universal namespace scheme, or of any notion of stripping containers of their native isolation. The engineer did describe the container process isolation provided by Intel VT, but explained to us that enabling this isolation would not require any changes to containers, or to the platform on which containers run.
While the engineer agreed that certain theoretical deficiencies may remain with Docker container security, to the extent that it relies upon isolation alone, he also agreed that such theories do not appear to have been successfully exploited in the wild. He went on to suggest that leveraging Intel VT offers an additional benefit, rather than a replacement for one. But he was puzzled by the universal namespace revelation, and pondered what, if any, additional benefit such an addition — if it can be called an addition — might offer.
Title image “Mind the Gap” by Robert S. Donovan, through Creative Commons 3.0 license.