Container technology: benefits and security
The boom in cloud computing has quickly led to the rise of container technology as an alternative to virtual machines, both to make better use of resources and to simplify the deployment and reproducibility of services over the internet. Recall first that a virtual machine is allocated its own computing resources, CPU cores, RAM and storage, and requires the installation of a complete operating system, kernel included.
A container, on the other hand, is a lightweight layer that packages only the software an application needs in order to run. It consists of a set of files (code, runtime, system tools, libraries and configuration) executed in isolation from the host, with only a few explicit links to it (network ports, mounted directories). Unlike a virtual machine, a container has no kernel of its own: it shares the host kernel, which is what makes it light, and also why its isolation boundary is thinner than that of a VM.
The space needed to store such an image is therefore much smaller.
The result is an object that is easy to download, install and run, and that provides the same behaviour for the service regardless of the host system, provided the host kernel supports the features the application relies on.
How is a containerized application built? How is it adapted to the load? Finally, what confidence can one have in the security of this technology? Ventio gives you some elements of understanding!
Several container platforms exist. Two examples:
- Docker is probably the best known; its public registry, Docker Hub, hosts repositories of ready-to-run application images,
- Singularity (continued today as Apptainer and SingularityCE), similar in use and born at Lawrence Berkeley National Laboratory, is particularly suited to high-performance computing and popular with universities and research centres.
The two platforms rest on the same principle: both build on Linux kernel features (namespaces, cgroups, filesystem images) and differ mainly in their privilege model. Docker traditionally runs containers through a root-owned daemon, whereas Singularity runs them without a daemon, as the invoking user, with the same identity inside and outside the container.
At Ventio we have know-how in designing Docker containers, and it is quite simple to make these containers compatible with Singularity (it can build its own images directly from Docker images), which allows good interoperability between platforms.
The general idea is to make repetitive configuration tasks simple and repeatable. To create an application, one first specifies the base image (typically a minimal Linux distribution such as Debian or Alpine; the kernel itself comes from the host and is not part of the image), then lists step by step the commands to run in order to configure the system on top of it.
Once this series of commands has been fixed, the container image is built, then run with an entry point (the program launched when the container starts), possibly specifying which host folders or files it needs access to. It is also possible to compose several containers by declaring the links between them (shared networks, volumes, start-up order).
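As an added illustration of this build-then-run procedure (example code written for this page, not Ventio's own code), the script below writes a small Dockerfile and a Compose file for a hypothetical Python web application, checks that the Dockerfile pins its base image and switches to a non-root user, and then builds and runs the image only if Docker is installed on the machine. The image name ventio/demo-app, the directory ./demo-app, port 8080, the database service and the sample data are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): build context for a
# hypothetical Python web application.  The image name "ventio/demo-app",
# the directory ./demo-app and port 8080 are assumptions for illustration.
set -eu

# Write the build context (Dockerfile, application directory, Compose file,
# constructed sample data) into the directory given as $1.
write_build_context() {
    dir="$1"
    mkdir -p "$dir/app" "$dir/data"

    # The base image is a minimal Linux userland, not a kernel: the container
    # shares the host kernel.  A pinned tag (not "latest") keeps rebuilds
    # reproducible, and USER makes the service run unprivileged.
    cat > "$dir/Dockerfile" <<'EOF'
FROM python:3.12-slim
RUN useradd --create-home --uid 10001 app
WORKDIR /home/app
COPY --chown=app:app app/ ./app/
USER app
RUN mkdir -p /home/app/data
EXPOSE 8080
# Exec form: the program is PID 1 and receives signals directly.
ENTRYPOINT ["python", "-m", "http.server", "8080", "--directory", "/home/app/data"]
EOF

    # Compose: the app and a database linked on a private network; the host
    # directory ./data is bind-mounted read-only into the app container.
    cat > "$dir/compose.yaml" <<'EOF'
services:
  app:
    build: .
    ports: ["127.0.0.1:8080:8080"]
    volumes: ["./data:/home/app/data:ro"]
    read_only: true
    networks: [backend]
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_password]
    networks: [backend]
networks:
  backend: {}
secrets:
  db_password:
    file: ./db_password.txt
EOF

    # Constructed sample data and a placeholder secret (replace before use).
    printf 'hello from a read-only bind mount\n' > "$dir/data/index.html"
    printf 'change-me\n' > "$dir/db_password.txt"
}

# Check the two properties a reviewer looks for first: the base image is
# pinned to an explicit tag other than "latest", and the image switches to a
# non-root user.  Returns 0 when both hold, 1 otherwise.
lint_dockerfile() {
    f="$1"
    grep -Eq '^FROM [^ :]+:[^ ]+' "$f" || return 1
    if grep -Eq '^FROM [^ ]+:latest' "$f"; then return 1; fi
    grep -Eq '^USER [^ ]+' "$f" || return 1
    if grep -Eq '^USER (root|0)$' "$f"; then return 1; fi
    return 0
}

ctx="${1:-./demo-app}"
write_build_context "$ctx"
lint_dockerfile "$ctx/Dockerfile"

# Build and run only when Docker is present on this machine.
if command -v docker >/dev/null 2>&1; then
    docker build -t ventio/demo-app "$ctx"
    # A single container, with exactly one host directory exposed, read-only.
    docker run --rm -d --name demo-app -p 127.0.0.1:8080:8080 \
        -v "$(cd "$ctx" && pwd)/data:/home/app/data:ro" ventio/demo-app
    # Several containers composed together:
    #   docker compose -f "$ctx/compose.yaml" up -d
fi
```

The lint step is deliberately strict: an image that stays root or floats on "latest" is rejected before anything is built, which is the cheapest point at which to catch both problems.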
Access to repositories with ready-to-use containerized applications
There are many applications on Docker Hub, for example for running an online file server, identity management services, or scientific computing. Some examples of ready-to-use applications on which Ventio has expertise:
- Nextcloud – a full service for file hosting
- Keycloak – an identity and access management application
- Gitea – self-hosted Git service
- JupyterHub – a multi-user service for Jupyter notebooks for programming in Python
- PyTorch or TensorFlow – containers for artificial intelligence and deep learning
- MATLAB – for scientific computing
In summary, plenty of tools are available, open source or licensed, that simplify the users' task by providing ready-to-use, reusable, reproducible systems that ease the transition to the cloud. A must to innovate in the digital era! These services can be deployed in seconds or minutes, on demand and only for the time needed … A step towards rationalising IT resources.
Orchestration – scaling up and load balancing
How to run several services in parallel and adapt them to the load? This is called orchestration, and the most popular orchestrator is Kubernetes, K8s for short, an open-source system for automating the deployment, scaling and management of containerized applications. You describe the desired state (which images, how many replicas, which resources) and K8s schedules the containers onto the servers of the cluster, restarts them when they fail, adjusts the number of replicas according to the measured load (through a horizontal autoscaler), and distributes incoming traffic across the replicas in real time. There is no need to manage in detail the servers on which the applications are installed; on cloud providers the cluster itself can also grow or shrink with demand.
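As an added example of the declarative model described above (written for this page; not Ventio's code nor part of the Kubernetes project), the script below writes a Kubernetes manifest for a hypothetical ventio/demo-app image: a Deployment with two replicas running as a non-root user, a Service that load-balances across them, and a HorizontalPodAutoscaler that grows the Deployment from 2 to 10 replicas when average CPU use exceeds 70% of the requested amount. It applies the manifest only if kubectl is available. The image name, port and thresholds are assumptions. The pre-flight check encodes a caveat that bites in practice: a CPU-based autoscaler does nothing unless the pods declare a CPU request, and autoscaling a workload that runs as root only multiplies the exposure.

```shell
#!/bin/sh
# Added example (not from the original article): Deployment + Service + HPA
# for a hypothetical "ventio/demo-app" image.  Image name, port and
# thresholds are assumptions for illustration.
set -eu

# Write the three resources into the file given as $1.
write_manifest() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 2
  selector:
    matchLabels: {app: demo-app}
  template:
    metadata:
      labels: {app: demo-app}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
      containers:
        - name: app
          image: ventio/demo-app:1.0.0
          ports: [{containerPort: 8080}]
          # The autoscaler measures utilisation relative to this request;
          # without it a CPU-based HPA has nothing to compare against.
          resources:
            requests: {cpu: "250m", memory: "128Mi"}
            limits: {cpu: "500m", memory: "256Mi"}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          # The Service only sends traffic to pods whose probe succeeds.
          readinessProbe:
            httpGet: {path: /, port: 8080}
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app
spec:
  selector: {app: demo-app}
  ports: [{port: 80, targetPort: 8080}]
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: demo-app
spec:
  scaleTargetRef: {apiVersion: apps/v1, kind: Deployment, name: demo-app}
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target: {type: Utilization, averageUtilization: 70}
EOF
}

# Pre-flight check before "kubectl apply": an HPA is present, the pods
# declare a CPU request (otherwise the HPA is inert), and the workload is
# declared non-root.  Returns 0 when all three hold, 1 otherwise.
check_manifest() {
    f="$1"
    grep -q 'kind: HorizontalPodAutoscaler' "$f" || return 1
    grep -Fq 'requests: {cpu:' "$f" || return 1
    grep -q 'runAsNonRoot: true' "$f" || return 1
    return 0
}

manifest="${1:-./demo-app.yaml}"
write_manifest "$manifest"
check_manifest "$manifest"

# Apply only when kubectl is present; watch the HPA react with
#   kubectl get hpa demo-app --watch
if command -v kubectl >/dev/null 2>&1; then
    kubectl apply -f "$manifest"
fi
```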
Container security and trust in the cloud
With the flexibility offered, especially by application container technology, more and more organisations are turning to the cloud. Running a private cloud may not be affordable, so companies turn to hosting and resource providers. This raises questions of security and trust, since the hosted data or services may contain strategic or personal information.
Some points related to security:
- For containerized applications developed in-house, one can set up private image registries with access control (who may pull, who may push) to guarantee the confidentiality and availability of the images.
- To ensure availability and confidentiality, one can also choose one or more providers that have the required levels of security and certification, for example when hosting sensitive health data.
- To ensure the integrity of the applications, digital signature methods can be implemented or used: images should be pulled by content digest and their signatures verified before they are run. Singularity is especially careful about this aspect: its SIF format (Singularity Image Format) can carry embedded signatures that are checked with the singularity verify command.
- Containers are given links to the host system. Pay attention to the network configuration and to the folders and files made accessible! Mounting the host root filesystem or the Docker socket, sharing the host network or PID namespace, or running with --privileged hands the container full control of the host.
New systems, new vulnerabilities. It will of course be necessary to keep the systems up to date (host kernel, container runtime and base images), to check the rights granted to the applications, and to assess the need for encryption. Indeed, without special attention, a containerized application can end up running as root by default, with unnecessary capabilities, on insufficiently protected data, which constitutes an easily exploitable flaw …
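As an added example of the last two points (code written for this page, not Ventio's own), the script below shows the same hypothetical ventio/demo-app image launched first with the permissive flags that lead to exactly the flaw described above, then with a least-privilege configuration, together with a small audit function that rejects the permissive form. The image name, the demo-net network and the host paths are assumptions; the audit covers the flags named in the text and a few closely related ones (host namespaces, added capabilities, unpinned tags) rather than every option of docker run.

```shell
#!/bin/sh
# Added example (not from the original article): weak vs hardened
# "docker run" for a hypothetical "ventio/demo-app" image, plus an audit
# function.  Image name, network name and host paths are assumptions.
set -eu

# WEAK: root in the container with every capability, host network, the host
# root filesystem and the Docker socket mounted, unpinned image.  Whoever
# controls this container controls the host.
weak_run_cmd() {
    printf '%s' "docker run -d --privileged --network host \
-v /:/host -v /var/run/docker.sock:/var/run/docker.sock ventio/demo-app:latest"
}

# HARDENED: fixed unprivileged UID, no capabilities, no privilege escalation,
# read-only root filesystem with a tmpfs for scratch files, resource limits,
# a private network, the port bound to localhost only, one host directory
# mounted read-only, and an explicit image tag (pinning by digest,
# image@sha256:<digest>, is stronger still).
hardened_run_cmd() {
    printf '%s' "docker run -d --user 10001:10001 --cap-drop ALL \
--security-opt no-new-privileges --read-only --tmpfs /tmp \
--pids-limit 100 --memory 256m --network demo-net \
-p 127.0.0.1:8080:8080 -v /srv/demo/data:/home/app/data:ro \
ventio/demo-app:1.0.0"
}

# Audit a "docker run" command line: report each setting that hands the
# container host-level power or leaves it unnecessarily privileged.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_run_cmd() {
    cmd="$1"
    findings=0
    flag() { echo "  [!] $1" >&2; findings=$((findings + 1)); }
    prev=""
    set -f   # no globbing while splitting the command into words
    for w in $cmd; do
        case "$w" in
            --privileged) flag "--privileged: all capabilities and device access" ;;
            --network=host|--net=host|--pid=host|--ipc=host|--userns=host)
                flag "$w: shares a host namespace" ;;
            --cap-add|--cap-add=*) flag "$w: adds capabilities" ;;
            /:/*) flag "mounts the host root filesystem" ;;
            /var/run/docker.sock:*) flag "mounts the Docker socket (root on the host)" ;;
            *:latest) flag "$w: unpinned image tag" ;;
        esac
        case "$prev $w" in
            "--network host"|"--net host"|"--pid host"|"--ipc host")
                flag "$prev $w: shares a host namespace" ;;
        esac
        prev="$w"
    done
    set +f
    case " $cmd " in
        *" --user "*|*" --user="*|*" -u "*) ;;
        *) flag "no --user: runs as the image default, usually root" ;;
    esac
    case " $cmd " in
        *" --cap-drop ALL "*|*" --cap-drop=ALL "*) ;;
        *) flag "capabilities not dropped (--cap-drop ALL)" ;;
    esac
    [ "$findings" -eq 0 ]
}

echo "weak command:";     audit_run_cmd "$(weak_run_cmd)"     || echo "  => rejected"
echo "hardened command:"; audit_run_cmd "$(hardened_run_cmd)" && echo "  => accepted"

# Start the hardened container only if Docker is present.
if command -v docker >/dev/null 2>&1; then
    docker network inspect demo-net >/dev/null 2>&1 || docker network create demo-net
    eval "$(hardened_run_cmd)"
fi
```

The audit is a pre-launch gate, not a substitute for a runtime policy: it catches the flags a human typed, whereas the same mounts and namespaces granted through a Compose file or an orchestrator need the equivalent check at that layer.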
At Ventio we have expertise in container security, to avoid the pitfalls of these easy-to-access technologies. We develop containerized services with a high level of security, hosted by trusted providers. Ventio is approved by the French Ministry of the Economy and Finance under the Innovation Tax Credit (2020-2024). As such, if you are eligible in France, you can obtain a 20% tax credit on our prototyping services for new information technology products and services.