Outlook 2020: the traditional container is dead, and the secure container will become the primary standard for the cloud

Cloud native is a sophisticated theory for building a skyscraper, but the masonry still needs reinforcing.

When containers became one of the foundations of cloud native, the next generation of cloud computing, it did not mean that the container itself stopped evolving. In fact, the traditional container represented by Docker had its security problems exposed at once in multi-tenant scenarios, and at that point people grew nostalgic for the benefits of virtualization.

Thus the concept of the "secure container", built on virtualization technology, came into being. The project carrying this change is Kata Containers, which not long ago turned two years old.

Kata Containers brings us the security and isolation of virtual machines, compatibility with the container API, and performance on the same level as containers, which means the time is ripe to adopt secure containers.

In contrast, last month Docker's enterprise business was packaged up and sold, reportedly at a price that did not even match what the company had raised across its financing rounds.

Every company using containers in production should now begin reviewing its security policies and develop a migration plan from traditional containers to secure containers.

How did all this happen? Let me walk you through it.

Docker's defeat

On November 13, 2019, the private cloud infrastructure company Mirantis announced on its official blog that it had acquired Docker's enterprise business, including taking over its more than 700 customers. This marked the failure of the commercial exploration Docker Inc. had begun in 2013.

To those who do not know the history of containers, this result is hard to understand. Docker was the pioneer of the container boom, and containers opened this round of cloud computing evolution; standing so clearly on the crest of the wave, why did it still fail to take off?

The baffling series of operational decisions by Docker's founder certainly cannot escape blame, but in fact Docker's fate today was decided four years ago.

Before 2013, the industry had not yet found the way into cloud native. PaaS representatives such as GAE and an early version of Cloud Foundry led everyone into a pit, leaving only scattered feathers behind. Only when Docker was open sourced did everyone wake from the dream: the direction had not been wrong, it was the means of application distribution and delivery that had been lacking.

However, Docker Inc.'s intention in open-sourcing its core code was never merely to benefit the industry; it was trying to attract business customers this way. Docker Inc. registered Docker as a trademark, which aroused the community's vigilance, and homegrown container projects appeared one after another.

To end this chaos, the Open Container Initiative (OCI) was established in June 2015 to develop open standards for the container format and runtime. Docker, as a founding member, intended to keep the authority of standard-setting in its own hands.

However, everyone had genuinely been frightened by Docker's swinging back and forth between commercial and community interests. After Kubernetes was released in 2014 it quickly attracted a group of members, Red Hat among them, and in July 2015, just one year later, Kubernetes released version 1.0, accompanied by the CNCF, the Cloud Native Computing Foundation.

The birth of the CNCF declared that the center of gravity of cloud computing technology had shifted from containers to container orchestration. In 2016, Kubernetes published the Container Runtime Interface (CRI): anything that implements this interface can run containers for Kubernetes, and it no longer matters whether Docker is involved.

In this way, "container" went from meaning Docker to meaning a standard interface; as long as the criteria are met, nobody cares what runs behind it.

The combination of containers and Kubernetes worked happily in everyone's own clusters, but when cloud vendors tried to offer container services to the public, the multi-tenant security problem arose.

AWS's choice

To understand the problem, we must first understand how containers work.

A Linux container is essentially a process-isolation technology: through cgroups and namespaces, a containerized application can only use the resources it has been given, and different containers cannot interfere with each other.

From the containerized application's point of view, it sees only the compute and storage resources it was given and a system customized for it; from the point of view of the system outside the container, it is simply a running process.

If these containers all belong to the same user, that is nothing. But if this is a cloud service, with one machine running processes from many different users, just think about it and you get the feeling that the air is leaking all around you!

From a technical perspective, AWS describes the security risk this way on its official blog:

Operating system kernel vulnerabilities, design flaws in Docker components, and improper configuration can all lead to escape from a Docker container and thereby to obtaining host privileges. Because of frequent security vulnerabilities and escapes, container applications in public cloud environments have had to run inside virtual machines to meet multi-tenant security isolation requirements. The distribution, management, and operation of these traditional virtual machines run counter to the original intention of containers being lightweight, flexible and elastic, while also wasting resource utilization and operating efficiency.

This is the multi-tenant problem inside cloud native, and in essence it is a container security problem. A few years ago cloud vendors made rapid progress in launching Kubernetes cluster services, but the pace of offering hosting for individual containers was slow, because this problem had yet to be resolved.

Moreover, the multi-tenant problem exists not only in public clouds. Inside a company's private cloud, the applications of different departments and teams should also be strongly isolated, so that a problem in one business line does not affect the entire company. But in the past, the momentum of containers was so strong that we simply pretended not to see this problem.

Although the community gradually came up with some solutions to the multi-tenant problem, they were not very mature, and a landmark event to push them into the foreground was lacking. Finally, in December 2018, AWS made its move.

As everyone knows, AWS is the leader of the cloud computing industry, but in this wave of cloud native and containers AWS found itself in the role of a follower, which it was certainly not willing to accept. In the end it gave its own answer to container security, once again walking ahead of all the cloud vendors.

AWS's answer is Firecracker, a lightweight virtual machine (MicroVM). "Lightweight" is relative to the full-featured virtual machine, represented by QEMU, which claims to be able to emulate every hardware device. Firecracker strips out everything that can be stripped out, finally leaving an extremely slender device model that protects only what needs protecting.

In terms of performance, Firecracker is already very close to containers; its original purpose was to provide protection for AWS Lambda, the Serverless service, so performance had to keep up. In terms of security, wherever protection is needed it offers virtual machine level protection, defending against both internal and external vulnerabilities and attacks.

AWS also launched a containerd implementation for Firecracker, which means Firecracker can be driven through standard container methods and shows that solving container security through virtual machines is a feasible road.

However, AWS has its own complete ecosystem, and Firecracker is part of that ecosystem. Although it is open source, the community cannot use it out of the box, and there are some incompatibilities with Kubernetes.

At this point it was Kata Containers' turn to take the stage.

Virtualization for cloud native

Kata Containers grew out of Hyper's runV and Intel's Clear Containers, both of which tried to use virtualization technology to solve container security issues.

Both were released in May 2015. Later, each side found that the other was taking a similar technical path, so the founders of both sides came together and merged them, and Kata Containers was born.

At that time the OpenStack Foundation, facing the strong offensive of Kubernetes and the CNCF, saw the potential of Kata Containers at a glance. While changing its strategy towards "open infrastructure", it accepted Kata Containers as its second top-level open infrastructure project, at the same level as OpenStack.

However, for some time after its birth, Kata Containers was not regarded as promising by the developer community.

There are two important reasons. First, although from day one Kata made integration with Kubernetes its highest-priority target, earlier versions of Kubernetes only considered how to run containers; getting Kubernetes to support a container that was not runC required extra effort, so having Kubernetes manage virtual machines looked more like an alternative approach.

Second, although Kata succeeded in making the virtual machine compatible with most of the container interface, its performance was poor. A main reason is that at the bottom it used QEMU, interfacing at the system level as mentioned above, and QEMU is a project of millions of lines of code and tens of thousands of files. Although Kata made efforts to streamline it, the additional performance loss was still hard to accept for applications that are not sensitive about security.

The turn for the better came with the release of AWS Firecracker. At that time Firecracker only supported AWS's own Serverless service, but it was obvious to all: if Serverless is supported, can containers be far behind? Firecracker made everyone pay more attention to container security, and Kata Containers began to receive more attention.

Meanwhile, Kata took advantage of the latest developments in the open source community, Firecracker included, to further reduce its cost: for example, supporting Firecracker as the VMM in the scenarios where it applies, developing its own rust-vmm based cloud-hypervisor, and replacing the sandbox agent with the lightweight rust-agent, so that the memory footprint fell from more than a dozen MB to 1.1MB. The improvement is visible, and this cost has become acceptable.

On the other hand, driven by Kata Containers and the community, Kubernetes began to accept secure containers, and running Kata in Kubernetes no longer requires any additional processing.
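As an added illustration of what "no additional processing" looks like from the Kubernetes side (this is example configuration written for this page, not from the original article or the Kata project): a RuntimeClass that maps to a Kata runtime handler, beside a pod that opts into it and one that does not. The handler name `kata`, the node label and the overhead values are assumptions and must match how the node's container runtime is actually configured.

```yaml
# Added example (not from the article): a pod is placed in a Kata VM purely
# through the Kubernetes RuntimeClass API; the pod spec itself is unchanged.
# Assumption: the node's CRI runtime already registers a handler named "kata".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
# Each pod is now its own VM, so the VM's fixed footprint is declared as pod
# overhead so the scheduler accounts for it (constructed values; measure your
# own VMM/agent combination).
overhead:
  podFixed:
    cpu: "250m"
    memory: "160Mi"
# Only place such pods on nodes that have the hypervisor and Kata shim
# installed (assumed label name).
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
---
# Tenant A: opts into the isolated runtime with a single extra field.
apiVersion: v1
kind: Pod
metadata:
  name: tenant-a-web
spec:
  runtimeClassName: kata
  containers:
    - name: web
      image: nginx:1.25
      ports:
        - containerPort: 80
---
# Tenant B: identical workload without runtimeClassName. It runs under the
# node's default (runC-style) handler and shares the host kernel with every
# other such pod on the node, which is exactly the multi-tenant risk above.
apiVersion: v1
kind: Pod
metadata:
  name: tenant-b-web-shared-kernel
spec:
  containers:
    - name: web
      image: nginx:1.25
```

A quick check that the pod really landed in a VM: `uname -r` inside the Kata pod reports the guest kernel, not the node's kernel, while the runC pod reports the node's kernel version.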

On the occasion of its anniversary, Kata Containers gave itself a definition: cloud-native virtualization.

Virtualization is emphasized because, in essence, it is virtualization technology that is being used; but compared with traditional virtualization, Kata Containers takes a completely different direction, one suited to cloud-native scenarios.

But why is it called a secure container? Return to the multi-tenant problem introduced at the beginning: after adopting Kata Containers, when you start a container you are actually starting a virtual machine, but the functionality, lifecycle and performance of this virtual machine are exactly the same as a container's.

The duck test says that if an animal walks like a duck, quacks like a duck, looks like a duck and pecks like a duck, then we consider it a duck. The same applies to Kata Containers.

Docker's own technology roadmap never solved the security problem well, so once CRI and secure containers appeared, its commercial exploration was destined not to end well.

The future of Kata Containers and secure containers

In the software world there are many uncertainties, but one thing we can be sure of is that security problems will happen.

So how should we deal with security problems? Linus put it this way:

A security solution can only accept that those bugs (the ones leading to security problems) will occur, and block them with an additional isolation layer.

—— LinuxCon NA 2015, Linus Torvalds

To solve container security once and for all, perhaps the only way is to add an extra isolation layer, and that is the idea behind Kata Containers.

It is worth mentioning that Kata Containers and Firecracker are not the only route to secure containers. Google's gVisor takes another route: it is a purer isolation layer, in which all system access from the application above is first handled by the isolation layer, and only a few requests are then passed on to the host.

After two years of work on Kata Containers, the industry has begun to follow. Baidu Intelligent Cloud, for example, has started trying it in function compute, container services and edge computing.

In 2019 the Kata Containers founders joined Ant Financial. Ant did not interfere with the development path of Kata Containers; Kata remains a community-driven open source project, and Kata Containers has also begun to land inside Ant and Alibaba.

In the future Kata Containers will continue to optimize its performance. More importantly, containers and virtual machines are like the two ends of a scale, and Kata Containers needs to keep exploring to find that balance.

AWS has proven that secure containers are one of the key technologies for landing Serverless on public clouds; likewise, edge computing will be a typical application scenario for secure containers.

With AWS leading and other cloud vendors following, 2020 can be expected to usher in an explosion of secure container deployments.

Author: Xu Chuan
Original title: The traditional container represented by Docker at a moment of life and death


Source: www.oschina.net/news/112661/containers-cloud-native