This application relates to software containers, and more particularly to security features for software containers.
Virtual machines (VMs) have gained popularity for a variety of computing needs. A virtual machine is a software implementation of a machine that executes programs like a physical machine. A typical virtual machine includes an entire operating system that runs on top of a host operating system, and one or more applications that run within that operating system. Use of VMs enables an administrator to run several operating system instances at the same time on a single server. A specialized application called a hypervisor manages the virtual machines that run on a given server. Running multiple operating system instances on a single machine, however, is resource-intensive.
More recently, software containers are being used as an alternative to running multiple virtual machines. A software container includes a software application plus all of the dependencies required to run the application, bundled into one package. The dependencies may include libraries, binaries, and/or configuration files, for example. By containerizing the application and its dependencies, differences in operating system distributions and underlying infrastructure are abstracted away, making it easy to migrate an application between various environments (e.g., development, testing, and production). Multiple containers can also be run in isolation from each other on a single host operating system, which provides an alternative to running multiple virtual machines (and their accompanying operating systems) on a single server. Unlike VMs, however, all containers on a host share the host's kernel, so their isolation from one another rests on kernel mechanisms (e.g., namespaces and control groups) rather than on a hypervisor boundary. Because containers allow an administrator to virtualize a single application rather than an entire operating system, running a given quantity of containers is less resource intensive than running the same quantity of VMs.
One platform for building and running software containers is DOCKER. DOCKER provides a so-called “Chinese wall” protection model between containers and the host. This model isolates container resources (e.g., files, network accessibility, etc.) from the hosting environment and from other containers running on the same host. DOCKER permits security administrators to define an access control policy that provides exceptions to the “Chinese wall” model, allowing the sharing of resources between containers and the host (e.g., sharing data between containers). Each such exception widens the isolation boundary, so the set of exceptions granted to a container is effectively its security policy. However, creating these access control policies is a manual task that differs between container platforms and security products.
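Because the exceptions to the isolation model are spread across several unrelated settings (volumes, network mode, privileged mode, PID namespace), a practitioner reviewing a container policy usually wants them enumerated in one place. The following is an added example, not code from the application or from DOCKER, that does this for a Docker Compose-style service description. It assumes the description is supplied as a Python dict using the standard Compose keys `volumes`, `network_mode`, `pid` and `privileged`; the `SAMPLE_SPEC` services and image names are constructed for illustration only.

```python
"""Enumerate exceptions to container isolation in a Compose-style spec.

Added example; assumes a Docker Compose-like description supplied as a
Python dict (the `services` and `volumes` keys of a compose file).
"""
from collections import defaultdict

# Constructed sample (not a real deployment): "web" and "worker" share the
# named volume "uploads"; "agent" bind-mounts the Docker socket, joins the
# host network and runs privileged; "db" keeps the default isolation.
SAMPLE_SPEC = {
    "services": {
        "web": {"image": "nginx:1.25", "volumes": ["uploads:/srv/uploads:ro"]},
        "worker": {"image": "python:3.12", "volumes": ["uploads:/data"]},
        "agent": {
            "image": "monitor:latest",
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
            "network_mode": "host",
            "privileged": True,
        },
        "db": {"image": "postgres:16"},
    },
    "volumes": {"uploads": {}},
}

DOCKER_SOCKET = "/var/run/docker.sock"


def parse_volume(entry):
    """Return (source, target, mode) for a short- or long-syntax volume entry.

    Short syntax is "source:target[:mode]" or just "target" (anonymous volume);
    long syntax is a dict with `source`, `target` and optional `read_only`.
    """
    if isinstance(entry, dict):
        mode = "ro" if entry.get("read_only") else "rw"
        return entry.get("source"), entry.get("target"), mode
    parts = entry.split(":")
    if len(parts) == 1:
        return None, parts[0], "rw"
    mode = parts[2] if len(parts) > 2 else "rw"
    return parts[0], parts[1], mode


def is_host_path(source):
    """A source that looks like a filesystem path is a bind mount from the host."""
    return source is not None and source.startswith(("/", "./", "../", "~"))


def isolation_exceptions(spec):
    """Map service name -> list of (kind, detail) for each boundary it crosses.

    Kinds: host-bind, docker-socket, shared-volume, host-network, host-pid,
    privileged. Services with no exceptions are absent from the result.
    """
    findings = defaultdict(list)
    volume_users = defaultdict(set)  # named volume -> services mounting it

    for name, svc in spec.get("services", {}).items():
        for entry in svc.get("volumes", []):
            source, target, mode = parse_volume(entry)
            if source is None:
                continue  # anonymous volume: private to this container
            if is_host_path(source):
                # Mounting the Docker socket lets the container drive the
                # daemon, which is equivalent to root on the host.
                kind = "docker-socket" if source.rstrip("/") == DOCKER_SOCKET else "host-bind"
                findings[name].append((kind, f"{source}->{target}:{mode}"))
            else:
                volume_users[source].add(name)
        if svc.get("network_mode") == "host":
            findings[name].append(("host-network", "network_mode=host"))
        if svc.get("pid") == "host":
            findings[name].append(("host-pid", "pid=host"))
        if svc.get("privileged"):
            findings[name].append(("privileged", "privileged=true"))

    # A named volume mounted by two or more services is a container-to-container
    # data channel: an exception on both sides of the wall.
    for vol, users in volume_users.items():
        if len(users) > 1:
            for name in sorted(users):
                peers = ",".join(sorted(users - {name}))
                findings[name].append(("shared-volume", f"{vol} with {peers}"))
    return dict(findings)


if __name__ == "__main__":
    for service, items in isolation_exceptions(SAMPLE_SPEC).items():
        for kind, detail in items:
            print(f"{service}: {kind} ({detail})")
```

The output is a per-service inventory of exceptions rather than a verdict: a shared volume between `web` and `worker` may be intended, while a Docker-socket bind mount combined with host networking and privileged mode on `agent` is the kind of exception that should be justified explicitly in the policy.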