
Red Hat Enterprise Linux 7.4 Adds OverlayFS to Boost Container Security

3 Aug 2017 2:00am, by

Security figures prominently in the latest version of Red Hat Enterprise Linux, released Tuesday. The company previewed the latest features in RHEL 7.4 back in May.

“Our challenge is to make sure Red Hat Enterprise Linux can run everywhere, in whatever environment the customer needs to run. That extends from bare metal to virtualized environments, to private and public clouds as well as container environments and Atomic Host,” said Steve Almy, Red Hat’s principal product manager for RHEL.

Red Hat’s previous refresh, RHEL 7.3, became generally available last November.

One way RHEL 7.4 improves container security, whether on Atomic Host or a base RHEL system, is by enabling OverlayFS, the file system used in Docker and containers, to run in SELinux-enabled mode. Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel; it is used to confine system services and isolate them so they cannot be misused. OverlayFS is a read-only file system that enables the layering of multiple containers.

Docker and Red Hat got into it earlier this year over the way Red Hat consulting engineer Dan Walsh characterized SELinux as the answer to a bug in the open source runC container runtime engine. Walsh seemed to suggest that users did not need to upgrade to Docker 1.12.6 because SELinux supposedly would cover the vulnerability. Walsh has explained previously how Docker can work with SELinux for improved security.

Two other features help guard against employee carelessness or malicious intent.

USB Guard allows sysadmins to set restrictions on users, device types and manufacturers to prevent the introduction of malware and data leakage.

For instance, the company’s technical marketing team found a device that looks like a USB device that you’d pick up at a trade show. It presents itself as a keyboard, opens a web browser, then starts entering information into that URL.

You could set USB Guard to not allow mounting of devices or you could allow mounting of devices as read-only. The system would not write data out to it, Almy said.
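The device described above, a stick that enumerates as a keyboard and starts typing, is exactly the case USBGuard's rule language is built to catch. The rules file below is an added example, not a configuration from the article or from Red Hat: the vendor:product ids, device names, descriptor hashes and port numbers are constructed placeholders, and the file assumes the daemon's ImplicitPolicyTarget is set to block. Note that USBGuard decides whether a device is authorized at all; read-only mounting is enforced by the mount layer, not by these rules.

```text
# /etc/usbguard/rules.conf  (added example; ids, names, hashes and ports are constructed placeholders)
# Rules are evaluated top to bottom and the first match wins. A device no rule matches falls
# through to ImplicitPolicyTarget in usbguard-daemon.conf, which this example assumes is "block".

# 1. Pin the keyboard and mouse the workstation ships with to their full descriptor hash, so a
#    look-alike that presents a different descriptor does not inherit the allowance.
allow id 04d9:0024 name "Workstation Keyboard" hash "CONSTRUCTED_HASH_KEYBOARD" with-interface equals { 03:01:01 }
allow id 046d:c077 name "Workstation Mouse"    hash "CONSTRUCTED_HASH_MOUSE"    with-interface equals { 03:01:02 }

# 2. Reject (de-authorize and drop) any device that claims mass storage AND a keyboard interface:
#    the "looks like a flash drive, types like a keyboard" class of device from the trade-show example.
reject with-interface all-of { 08:*:* 03:00:00 }
reject with-interface all-of { 08:*:* 03:01:00 }
reject with-interface all-of { 08:*:* 03:01:01 }
# Storage that also exposes a network (CDC or wireless controller) interface is equally suspect.
reject with-interface all-of { 08:*:* 02:*:* }
reject with-interface all-of { 08:*:* e0:*:* }

# 3. Plain mass-storage devices are accepted only on the front-panel port reserved for them
#    (constructed port id) ...
allow with-interface equals { 08:*:* } via-port "1-2"

# 4. ... and any other HID device (a new keyboard, for instance) stays blocked until an administrator
#    inspects it with `usbguard list-devices` and allows it explicitly with `usbguard allow-device <id>`.
block with-interface one-of { 03:*:* }
```

A practical way to build the first section is `usbguard generate-policy`, which emits allow rules (with hashes) for every device currently attached; review that output before saving it as the rules file and enabling the usbguard service, because anything plugged in at that moment, including a rogue device, would be whitelisted.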

Another new feature, Network-bound disk encryption, enables a decryption password to be available on the local network. If that hard drive, say on a laptop, were taken off site — if somebody walks out with a physical device — that network would no longer be available and would no longer provide the decryption credentials required.

Auditing, Live Security Updating

RHEL 7.4 also improves auditd filtering capabilities to help sysadmins sift through piles of information from audit logs to correlate events to understand what happened during critical events.
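The correlation problem described here comes from the shape of the audit log: each event is spread over several records (SYSCALL, CWD, PATH, PROCTITLE) that share a msg=audit(timestamp:serial) id, and a login session spans many events that share a ses= value. As an added example, not code from the article or from Red Hat's audit tooling, the POSIX shell functions below reassemble whole events from a constructed audit.log sample, the way `ausearch -k` and `ausearch --session` do on a live system. The function names audit_sample, audit_events and audit_summary and every log line are constructed for this example.

```shell
#!/bin/sh
# Added example: reassemble and summarise audit events from audit.log records.
# audit_sample   prints constructed audit.log lines (two file accesses and one login)
# audit_events   TOKEN  < log   prints every record of each event containing TOKEN
# audit_summary         < log   prints one line per SYSCALL/USER_LOGIN record

audit_sample() {
cat <<'EOF'
type=SYSCALL msg=audit(1501776000.123:4201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=241 a2=1b6 a3=0 items=2 ppid=1800 pid=1820 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config_change"
type=CWD msg=audit(1501776000.123:4201):  cwd="/etc/ssh"
type=PATH msg=audit(1501776000.123:4201): item=0 name="/etc/ssh/sshd_config" inode=1234 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=PROCTITLE msg=audit(1501776000.123:4201): proctitle=7669002F6574632F7373682F737368645F636F6E666967
type=USER_LOGIN msg=audit(1501776001.500:4202): pid=1900 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1501776002.777:4203): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow_read"
type=PATH msg=audit(1501776002.777:4203): item=0 name="/etc/shadow" inode=5678 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL
type=PROCTITLE msg=audit(1501776002.777:4203): proctitle=636174002F6574632F736861646F77
EOF
}

# Group records by their audit(timestamp:serial) id; emit every record of the events in which
# at least one record contains TOKEN as a whole field (e.g. key="shadow_read", ses=4, auid=1001).
audit_events() {
    awk -v tok="$1" '
    {
        if (match($0, /audit\([0-9.]+:[0-9]+\)/) == 0) next
        id = substr($0, RSTART, RLENGTH)
        if (!(id in recs)) ids[++n] = id          # keep first-seen order of events
        recs[id] = recs[id] $0 "\n"
        if (index(" " $0 " ", " " tok " ")) hit[id] = 1
    }
    END { for (i = 1; i <= n; i++) if (hit[ids[i]]) printf "%s", recs[ids[i]] }'
}

# One line per SYSCALL or USER_LOGIN record: serial, record type, then the fields an analyst
# correlates on (login user auid, session ses, outcome, command, watch key).
audit_summary() {
    awk '
    $1 == "type=SYSCALL" || $1 == "type=USER_LOGIN" {
        match($0, /:[0-9]+\)/)
        serial = substr($0, RSTART + 1, RLENGTH - 2)
        line = serial " " substr($1, 6)
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(auid|ses|success|key|comm)=/) line = line " " $i
        print line
    }'
}

# Usage: everything that happened in login session 4, from the login record to the denied read.
audit_sample | audit_events 'ses=4' | audit_summary
```

Filtering on ses=4 ties the failed /etc/shadow read (auid=1001, success=no) back to the USER_LOGIN record that started that session, which is the correlation the auditd filters exist to make cheap; filtering on a watch key such as key="shadow_read" instead returns the full PATH and PROCTITLE context of just that event.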

Its container features also include support for package layering through rpm-ostree, which lets admins add packages, such as monitoring agents and drivers, to the host layer as part of an update.

“One of the key values in Atomic Host is the ability to use it as an entity and upgrade it completely, atomically,” Almy said. “It allows customers who are 95 percent satisfied with what we’ve put in the Atomic Host image to layer their extra 5 percent on top of that.”

RHEL 7.4 also introduces as a technology preview LiveFS, which allows users to install security updates and layer packages without a reboot.

Since Red Hat’s acquisition of Ansible in October 2015, customers “want Ansible everywhere,” according to Almy. At the time Red Hat said Ansible would be fully integrated into its platform.

“Dipping its toes in the water,” it’s introducing as a technology preview Ansible roles that allow configuration of five sub-systems — kdump (kernel crash dump), email (postfix), selinux, timesync and networking. They provide a common management interface for automated workflows that can be created once and used multiple times across large RHEL deployments. More Ansible integration is expected later.

RHEL 7.4 also supports NVMe over Fabrics to provide flexibility and improved performance with NVMe storage devices on either Ethernet or InfiniBand fabric infrastructures.

It’s also decreasing boot times with support for Amazon Web Services’ Elastic Network Adapter (ENA) to enable new network capabilities.

Red Hat is a sponsor of The New Stack.

Feature image via Pixabay.
