Building Docker Cloud Services with Virtuozzo



Similar documents
WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Cloud Server. Parallels. An Introduction to Operating System Virtualization and Parallels Cloud Server. White Paper.

Proposal for Virtual Private Server Provisioning

PARALLELS CLOUD SERVER

Solution Guide Parallels Virtualization for Linux

Solving I/O Bottlenecks to Enable Superior Cloud Efficiency

Best Practices for Optimizing Your Linux VPS and Cloud Server Infrastructure

Cloud Server. Parallels. Key Features and Benefits. White Paper.

Virtualization for Cloud Computing

Cloud Simulator for Scalability Testing

Cisco Application-Centric Infrastructure (ACI) and Linux Containers

Intel Service Assurance Administrator. Product Overview

Networking for Caribbean Development

2972 Linux Options and Best Practices for Scaleup Virtualization

PARALLELS SERVER BARE METAL 5.0 README

Compromise-as-a-Service

STRATEGIC WHITE PAPER. The next step in server virtualization: How containers are changing the cloud and application landscape

Cloud Security with Stackato

Virtualization and the U2 Databases

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Parallels Virtuozzo Containers

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

Enabling Database-as-a-Service (DBaaS) within Enterprises or Cloud Offerings

evm Virtualization Platform for Windows

Flexiant Cloud Orchestrator with Parallels Cloud Server

PEPPERDATA IN MULTI-TENANT ENVIRONMENTS

Waratek Cloud VM for Java. Technical Architecture Overview

The IT benefits of bare-metal clouds

Extending Microsoft Hyper-V with Advanced Automation and Management from Citrix

ORACLE VM MANAGEMENT PACK

The Virtualization Practice

Why Does CA Platform Use OpenShift?

Virtualization System Security

Software-Defined Storage: What it Means for the IT Practitioner WHITE PAPER

An Oracle White Paper April Network Isolation in Private Database Clouds

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Rackspace Cloud Databases and Container-based Virtualization

Live Vertical Scaling

Parallels Virtuozzo Containers

Virtualization. Dr. Yingwu Zhu

The Benefits of Verio Virtual Private Servers (VPS) Verio Virtual Private Server (VPS) CONTENTS

PARALLELS SERVER 4 BARE METAL README

Masters Project Proposal

New Features in PSP2 for SANsymphony -V10 Software-defined Storage Platform and DataCore Virtual SAN

DIABLO TECHNOLOGIES MEMORY CHANNEL STORAGE AND VMWARE VIRTUAL SAN : VDI ACCELERATION

7 Ways OpenStack Enables Automation & Agility for KVM Environments

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION

Parallels Virtual Automation 6.1

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES

Use Case Brief CLOUD MANAGEMENT SOFTWARE AUTOMATION

Enabling Technologies for Distributed Computing

Open Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY

Introducing Red Hat Enterprise Linux. Packaging. Joe Yu. Solution Architect, Red Hat

Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009

Virtualization Security and Best Practices. Rob Randell, CISSP Senior Security Specialist SE

VIRTUOZZO TM FOR LINUX 2.6.1

Pluribus Netvisor Solution Brief

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: PRICING & LICENSING GUIDE

Maximizing SQL Server Virtualization Performance

Virtual Machines.

WHITE PAPER. Data Center Fabrics. Why the Right Choice is so Important to Your Business

Virtual Hosting & Virtual Machines

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Chapter 14 Virtual Machines

Software-Defined Networks Powered by VellOS

Technical Paper. Moving SAS Applications from a Physical to a Virtual VMware Environment

managing the risks of virtualization

Parallels Virtuozzo Containers 4.7 for Linux Readme

Comparing performance of HyperV and VMware considering Network Isolation in virtual machines

Testing Network Virtualization For Data Center and Cloud VERYX TECHNOLOGIES

Learn the essentials of virtualization security

KVM: Kernel-based Virtualization Driver

Red Hat Network Satellite Management and automation of your Red Hat Enterprise Linux environment

Protecting VMs in a Multi-Tenancy Environment

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Automated deployment of virtualization-based research models of distributed computer systems

Full and Para Virtualization

What is virtualization

Securing Virtual Applications and Servers

Virtualization Support - Real Backups of Virtual Environments

KVM, OpenStack, and the Open Cloud

Enhancing Hypervisor and Cloud Solutions Using Embedded Linux Iisko Lappalainen MontaVista

Google

Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors

The Benefits of Virtualizing Citrix XenApp with Citrix XenServer

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Cisco Unified Data Center

Parallels Virtuozzo Containers

Cloud Operating Systems for Servers

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Enabling Technologies for Distributed and Cloud Computing

High-Performance Nested Virtualization With Hitachi Logical Partitioning Feature

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Object Storage: A Growing Opportunity for Service Providers. White Paper. Prepared for: 2012 Neovise, LLC. All Rights Reserved.

Sistemi Operativi e Reti. Cloud Computing

Transcription:

Building Docker Cloud Services with Virtuozzo Improving security and performance of application containers services in the cloud EXECUTIVE SUMMARY Application containers, and Docker in particular, are a revolutionary technology that has a chance to dramatically change how developers will build, deploy, and manage their applications, thus generating demand for new cloud services and creating new opportunities for service providers. However, being a new and rapidly developing technology, Docker is still lacking the secure multi-tenancy and resource isolation functionality needed for public clouds. This makes Docker-based services expensive to deliver for both the service provider and the end user due to either the higher infrastructure costs required to introduce an extra layer of resource isolation (like running Docker in virtual machines), the need to designate individual infrastructure resources for each customer to compensate for the lack of proper resource, or the need to invest in building a new solution around Docker. Docker integration with Virtuozzo solves most of these problems, allowing service providers to offer Docker-based services on a proven platform that supports the security demands of public clouds with a console for the delivery and lifecycle of those services. In comparison to virtual machines, Virtuozzo containers provide the same native performance but with higher density that supports more Docker applications per host. ABOUT VIRTUOZZO AND DOCKER Docker is an open platform that gives developers a way to build cloud applications, test them against multiple developer frameworks, and run them in multiple environments and on any number of end points. Unlike traditional application solutions, Docker places an application in a container using the namespace and resource capabilities of an operating system kernel (Linux) and delivering the application with a full set of OS components (libraries, services) that the application is required to run. This process greatly simplifies the and deployment of those applications. Virtuozzo is a high-security, high-performance virtualization platform that combines containers, virtual machines, and software-defined storage to give service providers a single, cost-effective platform for delivering resource-isolated OS partitions and high-availability cloud services to their customers.

Different from Docker application containers, Virtuozzo containers are operating system containers. They allow service providers to securely host dozens if not hundreds of customers on a single physical server, often with root access for every customer and often directly connected to the internet, which makes them targets of security attacks simply due to the vulnerable nature of public VPS services. Virtuozzo containers allow their owners to run Docker containers inside them, combining the benefits of Docker-ized applications with Virtuozzo security and isolation, but without introducing the extra overhead associated with hypervisors that can negatively affect performance. SECURITY AND MULTI-TENANCY OF APPLICATION CONTAINERS A critical capability of any public cloud service is secure multi-tenancy. Commonly, multi-tenancy is achievable either by building multi-tenancy into the service, or by placing multiple instances of single-tenant services into different environments. Natively, a Docker-enabled Linux server is not truly multi-tenant. While multiple Docker users can theoretically coexist on a single server, this is not practical in any public cloud where the provider must assume that tenants could be hostile or compromised. An example is a Docker user s ability to escalate his own privileges to root, which increases the vulnerability of all other users on the same server. Like with many new technologies, security vulnerabilities with Docker are discovered quite frequently, and particularly those that allow a process to escape from the container gaining real root. (See security advisories like CVE-2015-3627, CVE-2015-3629, CVE-2015-3630, and CVE-2015-3631.) Lack of native Docker multi-tenancy may be partially remedied by tools on top of Docker that implement multi-tenancy in the layer and restrict the tenant s access to the hosts by Docker commands only. But this solution is only partial. Firstly, implementation of such tools and their suitability for public cloud including security, performance, and stability of the API is yet to be proven. Secondly, from a security standpoint, an architecture that relies on permission from the layer (that implements tenants) while allowing the tasks to run in privileged mode on the service layer (Docker-enabled Linux host) is considered by many as unsecure by design, essentially amounting to a vulnerability in the layer that compromises the whole stack. When Docker first entered the market in March 2013, Docker applications worked only with open source LXC containers, which then and even today have insufficient stability, resource functionality, and security features for public cloud purposes. A year later, Docker dropped LXC as the default container environment and replaced it with containers built using its own libcontainer userspace library. But like LXC, libcontainer has its own security shortcomings since it also wasn t built with the intention of being secure enough for public cloud computing and is still in its early development stages. These shortcomings can be solved by using a configuration where the open source container holding the Docker application is placed inside a virtual machine, which provides the isolation and security required for running Docker applications safely in a public cloud. By doing this, the virtual machine security characteristics transfer to the Docker applications, so the isolation problem is fixed. However, such isolation is not compatible with the promise of native and bare-metal application performance that Docker can bring because the efficiency and density advantages that are inherent to operating system container virtualization are eliminated.

Today, running Docker containers inside Virtuozzo containers fixes most, if not all, of these issues. If a Docker-specific vulnerability is exploited inside a non-virtuozzo environment, it could possibly elevate the Docker container privileges to the root privileges. However, if the vulnerability happens inside a Virtuozzo container, it would have no impact to the physical host where the containers are running. Docker s lack of multi-tenancy in this scenario is no longer an issue, because Virtuozzo will isolate the tenants in their own virtual servers, effectively adding the tenancy. There is an additional benefit in this nested containers approach. As many public service providers have already invested in acquiring or building their own tools for Virtuozzo (and cloud servers, such as VPS), those same tools can be used to deliver Docker-enabled servers with little or no extra investments. RESOURCE MANAGEMENT Quality of services (QoS) is one of the primary outputs that a cloud service must deliver. There are three main goals of resource in public clouds: Delivering guaranteed amount of resources regardless of overall resources usage. Even in a situation of resources shortage, the tenants must receive minimum resources according to their SLAs. Managing resource fair shares. When multiple tenants compete for resources above their minimum guarantees, the resource system must ensure the resources are fairly shared between tenants. Isolating a noisy neighbor. In a public cloud, it is not uncommon to find a tenant that uses too many resources, often in violation of the service agreement. For example, in a platform intended for web hosting, some users might be running CPU-intensive applications that seriously impact the performance of other well-behaving tenants.

Considering these resource aspects, Docker with Virtuozzo can deliver much better QoS than Docker alone. Let s look at some examples below. MANAGING MEMORY Natively, both Virtuozzo and Docker support limiting the amount of memory available to a container. However, the ways they implement and enforce the memory are quite different. In Docker, one can limit the amount of memory available to a single container by adding the -m option to the Docker command. This limit corresponds to the user memory, i.e., the memory directly allocated by the processes running in a container. However, a container can also allocate memory differently e.g., the kernel memory (allocated indirectly by making kernel API calls) would not be accounted for. This opens up an easy opportunity for a denial of service (DoS) attack that could bring the service down for other tenants on the same host. Running Docker inside Virtuozzo containers gives the following advantages for memory : 1. Complete memory limit that includes kernel memory and swap, effectively preventing DoS (assuming memory limits are set correctly and correspond to available physical memory) 2. Accurate reporting of available memory to an application (natively, a Docker container reports information about physical memory available on the host, and that can make an application attempt to allocate more memory than what is available) MANAGING CPU Docker container CPU resources are managed by assigning CPU share to each container. This ensures that an individual Docker container gets its fair share allocation and assuming the entire host is not oversubscribed guaranteed resources. For running Docker in Virtuozzo, the same type of is available, along with several other critical features: 3. Virtuozzo can enforce CPU limit on a tenant, solving the noisy neighbor problem. 4. Virtuozzo manages resources on a per-system container basis (or per tenant, assuming a ratio of one tenant = one Virtuozzo container). A single container will get its CPU share regardless of how many Docker containers are running inside. In native Docker, CPU shares are managed on a per-container basis therefore, a tenant running 10 small containers will get 10 times more CPU than a tenant running one larger container. 5. Virtuozzo is NUMA-aware and always attempts to place container processes on a single NUMA node. This typically translates to better overall performance as individual Docker containers are running more effectively and leveraging local memory. MANAGING DISK SPACE AND INPUT/OUTPUT OPERATIONS PER SECOND (IOPS) Docker natively has no capability to manage disk consumption for the entire container fleet of a single tenant. Even managing disk quotas of a single container is somewhat cumbersome because of how these disk quotas are implemented for different storage backends used with Docker. Together with Virtuozzo, the storage resources problem is much easier to solve: 6. Virtuozzo has disk quotas that are enforced for the entire system container, regardless of how many Docker containers are running inside or what kind of storage backend they use. This makes disk space consumption much easier to set up and enforce. 7. Virtuozzo has true disk IOPS bandwidth and limits, ensuring that tenants using too much disk IO have a very limited impact on other well-behaving tenants.

CONCLUSION Without a doubt, Docker is a strong technology with amazing potential. It will likely change the way cloud applications are managed in the future. Being a new and rapidly developing technology, Docker in the public cloud can greatly benefit from being deployed in a virtualized environment, and while hypervisor-based deployment is satisfactory, container virtualization with Virtuozzo can deliver much needed security and multi-tenancy requirements without the additional overhead that comes with using hypervisors. FEATURE DOCKER DOCKER IN KVM VM DOCKER IN VIRTUOZZO CPU weights Yes Yes Yes CPU limits - Yes Yes Effective CPU overcommit Yes Limited Yes Effective NUMA - Yes Yes Memory limits User-space only Yes Yes Effective memory overcommit Network traffic Yes Limited Yes - Possible Yes Disk quota Limited Yes Yes Disk bandwidth - Yes Yes Security isolation - Yes Yes Bare metal performance Yes - Yes Docker support in Virtuozzo allows service providers to build Docker-based services now, overcoming possible shortcomings of Docker for public cloud services. This integration delivers much required multi-tenancy and powerful resource capabilities, and strengthens the security of the entire solution. FOR MORE INFORMATION Visit Odin: odin.com/products/virtuozzo Visit Docker: www.docker.com 2015 Parallels IP Holdings GmbH. All rights reserved. Odin and the Odin logo are trademarks of Parallels IP Holdings GmbH.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information