Containers are a standardized form of software comprised of packages of code with all their dependencies mapped carefully. They contain everything required to run applications. Code, runtime, tools, libraries, settings, and more are all contained within the container. This block of software runs on top of an OS as designed regardless of the environment. Developers, then, can use them like Lego blocks to provide systems faster and applications with more agility. They have the advantage of being even more portable than virtual machines (VMs) and requiring fewer resources.
There is constant development work and plenty of news in the container engine space. Below are just a few of the latest news highlights and trends:
Docker is the original commercial container engine. But it hasn’t rested on its laurels. Most recently it acquired Atomist to enhance security. Atomist provides visibility and control across the software supply chain — without disrupting existing workflows and tools. It protects against unwittingly shipping changes that expose users to risk.
“Integrating this into Docker will be invaluable in helping developers shift left on security as they create their applications while satisfying DevSecOps teams,” said Docker CEO Scott Johnston.
Just a few weeks before the Atomist acquisition, Docker also added Tilt, the maker of a development environment as code for teams on Kubernetes. The aim is to use this to reduce the pains of microservice development within Docker.
“Tilt helps developers building apps for Kubernetes get their jobs done faster,” said Johnston. “Integrating Tilt’s features, including live updates and shareable, reproducible development environments, into Docker Desktop will increase development team collaboration and accelerate their release cadence.”
Windows Container Upgrades
Microsoft has recently introduced a number of container upgrades as part of its Windows Server 2022 platform. For example, Windows containers can now maintain a virtualized time zone configuration separate from the host. It also fixed several issues in its container engine that users were complaining about. These included:
- Resolution of a port exhaustion issue when using hundreds of Kubernetes services and pods on a node.
- Improved packet forwarding performance in the Hyper-V virtual switch.
- Better reliability across Container Networking Interface (CNI) restarts in Kubernetes.
- Improvements in the Host Networking Service (HNS) control plane and in the data plane used by Windows Server containers and Kubernetes networking.
Oracle Container Engine
Oracle Container Engine for Kubernetes is an Oracle-managed container orchestration service. It is designed to reduce the time and cost to build modern cloud native applications. The vendor provides the Container Engine for Kubernetes as a free service that can run on higher-performance, lower-cost compute platforms.
One of the most recent developments for this container engine is the Oracle Cloud Infrastructure (OCI) Service Operator for Kubernetes (OSOK). This open source add-on allows Kubernetes users to manage OCI resources such as the Autonomous Database service and the MySQL Database service using a Kubernetes API. As a result, it becomes easier to create, manage, and connect to OCI resources from a Kubernetes environment and using Kubernetes tooling.
Container Security Upgrades
The various container platforms such as Docker and Kubernetes include some native security controls. But like cloud security, the safeguarding of containers has given rise to many different security tools and approaches. Containerized application development, too, often takes advantage of third-party software components that may have vulnerabilities. Thus, containers are susceptible to rogue processes that bypass the isolation that containers are supposed to provide. That opens the door to unauthorized access to other container images. If the container image itself includes a vulnerability, it can then be deployed unwittingly in applications. And then there are misconfigured permissions that could be abused by an attacker.
Thus, there is a lot of attention on container security, these days. The leading vendors and open-source flavors of container technology have all issued upgrades that enhance security. As container usage spreads, expect these engines to include even more built-in security features.
Aqua Security Improvements
Aqua Security, for example, has been steadily increasing the geographies that can be served by its SaaS services. In addition, it recently released its runtime security service for Red Hat OpenShift on IBM Power Systems. The Aqua platform provides visibility into hybrid clouds. It can detect and prioritize, risk, provide supply chain protection, and mitigate attacks on containerized workloads without having to stop them. Recent feature additions include enforcement of container immutability, the ability to scan Red Hat OpenShift hosts running on the IBM Power 10 architecture and find any malware and vulnerabilities, as well as network segmentation enforcement and compliance, and monitoring of file integrity.