Ubuntu Wants To Run Containers, Too - InformationWeek


09:55 AM

Snappy, a lean Linux Ubuntu optimized for container operation, promises stronger security for Linux containers.


Canonical on Tuesday released Snappy, its version of a Linux host for running containers, which will compete with similar offerings from Red Hat and CoreOS. Canonical, which produces the Ubuntu Linux operating system, claims Snappy allows faster updates to either a mobile application or the app's operating system -- hence its name.

Perhaps equally important, Snappy will allow users to run Linux containers more securely. Canonical isn't claiming it has solved the Docker or Linux container security issues. But it does treat the operating system as if it's in a sandbox. Each part of the OS may access only those areas of the operating system or related resources, such as file systems, directories, and databases, that it's explicitly authorized to use.

Canonical founder Mark Shuttleworth said in an interview that Snappy is a flavor of Ubuntu Core, the minimalist version of Ubuntu used with mobile application systems or custom Ubuntu systems. One of the main changes in Snappy is that it is assembled in a different manner from other Ubuntus, which typically are assembled as packages of code from repositories, with hundreds of components or packages able to access each other, plus the core operating system kernel, Shuttleworth said.

[The container wars are heating up. See Docker Founder Must Right His Ship.]

Snappy, on the other hand, is assembled with the components isolated from one another. Each system resource may access only those other parts for which it's been granted explicit permission, based on the application's needs. "The security story is fantastic. Each aspect of a Snappy system is isolated from the other," he said.

In effect, an installation of Snappy on the server will act something like application code in a sandbox, with active agents unable to go outside the box except through the few permissions granted by the policies governing that implementation of the system. Even if malware arrives with a code package, its opportunities to do mischief are limited by Snappy's sandbox rules. It's not foolproof, but it's a greatly reduced attack surface, according to Shuttleworth.

The concept has been implemented before in Security-Enhanced Linux (SELinux), the version developed for operations in highly secure settings, such as the US Department of Defense. But Snappy is a lean Linux optimized for container operation, amounting to a 100 MB compressed download, compared to several hundred MB for most distributions.

It also follows update principles that Canonical established for mobile device systems, where, if an update is not confirmed as completely intact, the system is rolled back to a reliable version. Thus, Snappy is billed as a host system that can be managed as a "transactional" or "image-based" system. It works as planned, or the transaction (update) that changed it is rolled back to a known, prior version.

"This is the smallest, safest platform for Docker deployment ever... It's completely extensible to all forms of container or service," Shuttleworth said. Ubuntu is already a popular form of Linux with developers. It's based on the vendor-neutral Debian distribution, and Shuttleworth claims that six times as many developers are working on Ubuntu as on any other Linux.

Red Hat, a Docker partner, is often found in use with containerized production systems or in cloud-based virtual machine workloads. In producing Snappy, Canonical is positioning itself to serve as an enterprise and cloud host for containerized systems in competition with Red Hat and CoreOS. Its large developer base gives it a position of strength from which to bid for such a role.

Canonical also offers the AppArmor system for maintaining Linux kernel security. It provides rigorous mandatory access control over use of the kernel, shielding a system from unauthorized users and user devices.
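As an added illustration of the explicit-permission model described above (not a profile shipped by Canonical or generated by Snappy), here is a constructed AppArmor profile for a hypothetical service binary at /opt/example/bin/example-svc; once the profile is enforced, any access it does not list is denied and logged.

```apparmor
# Constructed example: confinement profile for a hypothetical service.
# Everything not granted below is denied once the profile is enforced.
#include <tunables/global>

/opt/example/bin/example-svc {
  #include <abstractions/base>

  # Own configuration is read-only, so a compromised process cannot
  # rewrite it to change its future behaviour.
  /etc/example/** r,

  # Only the service's own state directory, owned by its user, is writable.
  owner /var/lib/example/** rwk,

  # Log destination: write access to its own log files only.
  /var/log/example/*.log w,

  # Network: the service speaks TCP; no raw sockets, no UDP.
  network inet stream,
  network inet6 stream,

  # Explicit denials document intent and still produce audit entries
  # even if a broader abstraction is included later.
  deny /home/** rwx,
  deny /etc/shadow r,
  deny capability sys_admin,
}
```

Load it with apparmor_parser -r and run it in complain mode (aa-complain) first, so that every denial appears in the audit log before the profile is switched to enforce mode.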


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Charlie Babcock (User Rank: Author), 12/9/2014 | 1:14:39 PM
Microsoft loves Linux, first to endorse Snappy Ubuntu
It's ironic but Snappy Ubuntu Core, which will run in any cloud supporting Ubuntu, gets its first endorsement from Microsoft. Microsoft's Bob Kelly, corporate VP, is the first Snappy user quoted in the Dec. 9 announcement: "Microsoft Loves Linux, and we're excited to be the first cloud provider to offer a new rendition of one of the most popular Linux platforms in the rapidly growing Azure cloud." The "Microsoft loves Linux" stuff started when new CEO Satya Nadella came to San Francisco Oct. 20 and said: "Microsoft loves Linux. Twenty percent of Azure is already Linux. This is something I want everyone to recognize." InformationWeek asked why Azure doesn't run Red Hat Enterprise Linux. The answer is still unclear... some competitive factor and ill trust between the two companies. Azure is willing, Nadella said.
Charlie Babcock (User Rank: Author), 12/9/2014 | 1:03:26 PM
Read-only files, once uploaded
Applications uploaded to a Snappy Ubuntu Core host will be read-only code, kept separate from the operating system. Once it's there, it can be replaced by an update, but it can't be modified by any other method. It's another security protection, developed initially for mobile phone apps. This applies to the host operating system as well, I believe.