IBM unveiled the Nabla container platform as a new avenue in using isolation to increase container security. The launch follows that of the Intel-based Kata Container platform that also promises greater container security through increased isolation.
Gosia Steinder, a research fellow at IBM Research, said work on Nabla was based on the perception that containers were less secure or less isolated than virtual machines (VMs). Nabla tackles this by limiting the amount of interaction – or system calls – a Nabla container can have with other containers or the host. This reduces the attack surface for a potential attack.
“We wanted to challenge the notion that containers were less secure than VMs,” Steinder explained. “We wanted to come up with better criteria on what isolation is and how it can be applied to containers.”
This design differs from traditional Docker-based containers that allow for a host kernel to be shared by running containers, which leads to more interaction between the host and running container pods. “We have invested a lot in unikernal technology and realized it would be a good path for increasing security and isolation for containers,” Steinder said.
Analysts have noted that isolation techniques are vital for boosting container security but remain sparsely used in production environments.
“Security is a particularly challenging issue for production container deployments,” Gartner noted in a recent report. “The integrity of the shared host OS kernel is critical to the integrity and isolation of the containers that run on top of it. A hardened, patched, minimalist OS should be used as the host OS, and containers should be monitored on an ongoing basis for vulnerabilities and malware to ensure a trusted service delivery.”
Adrian Lane, CTO at Securosis, in a recent webinar suggested that organizations should more aggressively segregate containers to limit access for their creation and access rights for a running container. He noted that only around 10 percent of organizations are currently doing this, and that he often sees pushback when segregation is suggested.
One reason for the pushback is that adopting greater container isolation often requires more steps that can slow down the implementation process. This is also currently the case for Nabla, which requires images specific to the platform. This means users cannot reuse an image from another container directory – like Docker – to construct an application in Nabla.
Steinder admitted that Nabla in its current iteration does require a different image format, but the leaner nature of that format could lead to increased performance.
She also noted that the Nabla community was actively reaching out to the broader container ecosystem in order to stress test the platform. “We believe community involvement will be critical,” Steinder said. “Cloud is being decided by the open source community and we want to get feedback.”
That work also includes evolving Nabla so that it can be orchestrated under Kubernetes, which is the basis for IBM’s broader container efforts.
The open source Kata Container platform recently unveiled its 1.0 version. The platform implements isolation by running a dedicated kernel within each container. This cuts off the ability for a hacker to migrate an attack on a single container through a kernel to other running containers.
The Kata container platform basically acts as a lighter-weight VM that can operate in a container environment. The project is based on code from Intel’s Clear Containers and Hyper.sh’s runV technologies, and was initially managed through the OpenStack Foundation.
Steinder said that Nabla differed most from Kata in that it was not just a lightweight VM. “We don’t use a hypervisor for communication between a host and a container,” she noted, adding that the Nabla platform can run leaner because it does not need to make that hypervisor connection.
Google recently open sourced its gVisor sandboxed container runtime. The platform provides secure isolation for containers while being more lightweight than a virtual machine (VM). It can also integrate with Docker and Kubernetes to allow for sandboxed containers in production environments.
James Bottomley, a distinguished engineer at IBM Research, noted in a blog post that testing showed Nabla in certain deployment models had throughput approaching that of traditional Linux-based Docker containers. Those same tests showed Nabla performed close to that of Kata and far outpaced that of gVisor.
Another approach to bolster container security is being led by Sylabs. It recently launched an enterprise-focused platform that uses the Singularity container design.
Sylabs CEO Gregory Kurtzer explained that Singularity offers better security due to the ability to run a container without granting users control of a root-owned daemon process or kernel feature; easier mobility of content within a container through the use of a single-file format that includes the runtime environment; and support for high-performance hardware commonly used by research labs.