RHEL 7 Atomic Host Bolsters Container Security

Red Hat last week made Red Hat Enterprise Linux 7 Atomic Host generally available, following a four-month live beta test.

“The beta release was very successful,” said Lars Herrmann, senior director of product strategy at Red Hat. Feedback from customers and partners “helped us refine several features and tools” for the GA version.

Atomic Host is a lean OS designed to run Docker containers, providing all the benefits of upstream distribution and the ability to perform atomic upgrades and rollbacks. It’s the core of Project Atomic, a lightweight OS built from CentOS, Fedora or RPM Package Manager, which is designed to run applications in Docker containers.

Red Hat includes all the components necessary to package and run apps written for RHEL 6 and 7.

Super-Privileged Containers

The most notable change from the beta version is the inclusion of super-privileged containers, Herrmann told LinuxInsider. They allow specialized containers to interact with the host and other containers for management and monitoring tasks, and they include tools for container troubleshooting, as well as rsyslog for logging.

Other additions to the GA version are prioritized installation on bare metal, support for virtual environments, thin provisioning storage for container images, and enhanced functionality for Google’s Kubernetes, Herrmann continued.

RHEL 7 Atomic Host is based on RHEL 7, so it inherits RHEL 7’s stability and maturity, as well as its ecosystem of certified hardware partners.

The OS “appears to address a number of concerns with broad strokes, and should be very well received,” Rob Enderle, principal analyst at the Enderle Group, told LinuxInsider.

Keeping RHEL 7 Atomic Host Secure

Atomic Hosts offer security by default through SELinux.

RHEL 7 also uses cgroups and kernel namespaces, isolating each container in a multi-container environment.

Support for super-privileged containers lets host management applications access the host and other containers in a secure manner.

Automated security updates are available on demand.

Red Hat adopted the pull rather than push approach to updates, because “enterprise IT teams require verification of everything that they put on their system,” Herrmann explained. However, the pull can be automated, which effectively makes it a push.

Each container is isolated and ships with all its own runtime dependencies, so updates must be applied individually to each container, Herrmann said. Tools provided with RHEL 7 Atomic Host simplify this process, and Red Hat is working on additional container management capabilities to further streamline patching.

Kernel Namespaces

Kernel namespaces are what give containers their zing. They create barriers between processes at different levels, because each kind of namespace isolates a specific resource.

Take, for example, pid namespaces. Each of these has its own process numbering, and different pid namespaces form a hierarchy. The kernel keeps track of parent and child namespaces; a parent can see its children and affect them, but children can’t see or affect their parents.

Namespaces are used by most OS kernels, including Unix and Windows.
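The pid namespace hierarchy described above can be observed directly on a Linux host. The following is an added example, not code from the article or from Red Hat: it reads the kernel's NSpid line from /proc (the PID a process has at each nested namespace level, as seen from the namespace in which that /proc was mounted) and, where the sandbox allows, starts a child in a fresh pid namespace with util-linux's `unshare` to show that the first process there numbers itself 1. The function names and the fallback behaviour are this example's own assumptions.

```python
"""Added example (not from the LinuxInsider article or Red Hat): observe the
PID-namespace hierarchy from a running process using only /proc and the
util-linux `unshare` tool. Linux only."""
import os
import shutil
import subprocess


def nspid(pid="self"):
    """Return the PIDs `pid` has at each namespace level, outermost first,
    as listed in the kernel's NSpid line (Linux >= 4.1).

    The leftmost entry is relative to the namespace where this /proc was
    mounted; each further entry is the PID in a successively nested child
    namespace, ending with the process's own namespace. A reader never sees
    entries for namespaces above the /proc mount, which is the "children
    can't see their parents" rule in practice. Falls back to the plain Pid
    line on kernels or sandboxes that do not expose NSpid.
    """
    plain_pid = None
    with open(f"/proc/{pid}/status") as status:
        for line in status:
            if line.startswith("NSpid:"):
                return [int(x) for x in line.split()[1:]]
            if line.startswith("Pid:"):
                plain_pid = int(line.split()[1])
    if plain_pid is None:
        raise RuntimeError(f"no Pid line in /proc/{pid}/status")
    return [plain_pid]


def depth_below_reader(pid="self"):
    """Number of PID namespaces `pid` is nested below the /proc mount's namespace."""
    return len(nspid(pid)) - 1


def own_pid_matches():
    """The innermost NSpid entry of the calling process is its own getpid()."""
    return nspid()[-1] == os.getpid()


def pid_in_new_namespace():
    """Start a child in a fresh PID namespace and return the PID it sees for
    itself. A user namespace is created first so this works unprivileged
    where the kernel permits it. The expected value is 1: the first process
    in a new PID namespace is that namespace's init. Returns None when
    `unshare` is missing or the environment forbids the operation (seccomp,
    disabled user namespaces), so callers can tell "not allowed here" from a
    real result.
    """
    unshare = shutil.which("unshare")
    if unshare is None:
        return None
    cmd = [unshare, "--user", "--map-root-user", "--pid", "--fork",
           "sh", "-c", "echo $$"]  # $$ is the shell's PID inside the new namespace
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    if result.returncode != 0 or not result.stdout.strip().isdigit():
        return None
    return int(result.stdout.strip())


if __name__ == "__main__":
    print("my PIDs, outermost visible namespace first:", nspid())
    print("namespaces below the /proc mount:", depth_below_reader())
    print("PID seen by the first process of a new PID namespace:",
          pid_in_new_namespace())
```

From inside an unprivileged container, `nspid()` typically returns a single entry: the container's /proc was mounted in the container's own pid namespace, so the host-side PID (the parent's view) is simply not visible. Run the same function from the host against the container's process and the list grows by one entry per nesting level, which is the parent seeing and numbering its children.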

Containers Going Wild?

One major problem with virtual machines is VM sprawl. They are so easy to create that users can pull one up at will, gobbling up server space. Further, they create a security risk, because VMs typically are not registered or tracked, and there is no way of knowing whether they have been decommissioned.

Containers could give rise to the same problem. “For enterprises to fully embrace containers, certification — and therefore provenance — is a must,” Herrmann remarked. Red Hat is working on this with partners.

Nevertheless, RHEL 7 Atomic Host “appears to provide a much stronger way to manage containers and avoid VM sprawl,” Enderle observed, “which is likely one of the strongest reasons to move to this release.”

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
