How Linux containers can solve a problem for DOD virtualization

Application containers can help agencies cut down on software licenses and other costs, while streamlining installation and patch cycles.

As the virtualization of U.S. defense agencies commences, the technology’s many attributes, and drawbacks, are becoming apparent.

Virtualization has enabled users to pack more computing power in a smaller space than ever before. It has also created an abstraction layer between the operating system and hardware, which gives users choice, flexibility, vendor competition and best value for their requirements. But there is a price to be paid in the form of expensive and cumbersome equipment, software licensing and acquisition fees, and long install times and patch cycles.

These challenges have led many administrators to turn to application container technology for answers to their virtualization needs. For this article, we’ll focus specifically on Linux containers, which are made of two core components: the container technology itself and application packaging technology. They enable multiple isolated Linux systems to run on a single control host. Most importantly, they enable the warfighter to have more capabilities in a fraction of the space required by traditional virtualization.

Getting past tradition

In traditional virtualization, each application runs on its own guest operating system. These operating systems need to be individually purchased, installed, and maintained throughout their lifecycles. That can be time-consuming and costly.

With Linux containers, only one Linux operating system needs to be purchased, installed, and maintained. Instead of separating every application by installing them on their own guest operating systems, Linux containers are separated using control groups (cgroups) for resource management; namespaces for process isolation; and NSA-developed Security-Enhanced Linux (SELinux) for security, which enables secure multi-tenancy and reduces the potential for security exploits.
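To see the three mechanisms named above from the host side, the following added example (not part of the original article) compares two processes' namespaces, cgroup membership and SELinux context using the standard /proc/<pid> entries. The sample tree, PIDs, cgroup paths and labels are constructed; on a real host, pass /proc and two container PIDs instead.

```shell
#!/bin/sh
# Added example: report which isolation layers separate two processes.
# Reads the standard <proc_root>/<pid>/ns/*, <pid>/cgroup and
# <pid>/attr/current entries under a caller-supplied proc root.

verdict() {  # args: layer value_a value_b
    if [ -z "$2" ] || [ -z "$3" ]; then echo "$1 unknown"
    elif [ "$2" = "$3" ]; then echo "$1 shared"
    else echo "$1 separate"; fi
}

compare_isolation() {  # args: proc_root pid_a pid_b
    local root="$1" a="$2" b="$3" ns va vb
    for ns in pid mnt net ipc uts; do
        # Each ns entry is a symlink such as "pid:[4026531836]".
        va=$(readlink "$root/$a/ns/$ns" 2>/dev/null || true)
        vb=$(readlink "$root/$b/ns/$ns" 2>/dev/null || true)
        verdict "ns:$ns" "$va" "$vb"
    done
    va=$(cat "$root/$a/cgroup" 2>/dev/null || true)
    vb=$(cat "$root/$b/cgroup" 2>/dev/null || true)
    verdict cgroup "$va" "$vb"
    # The kernel may NUL-terminate the SELinux context; strip it.
    va=$(cat "$root/$a/attr/current" 2>/dev/null | tr -d '\000')
    vb=$(cat "$root/$b/attr/current" 2>/dev/null | tr -d '\000')
    verdict selinux "$va" "$vb"
}

# Constructed sample tree (not real host data): two containers, PIDs 200
# and 300, that share a network namespace but nothing else.
make_sample_proc() {  # args: target_dir
    local d="$1" pid ns
    for pid in 200 300; do
        mkdir -p "$d/$pid/ns" "$d/$pid/attr"
        for ns in pid mnt ipc uts; do
            ln -s "$ns:[402653$pid]" "$d/$pid/ns/$ns"
        done
        ln -s "net:[4026532999]" "$d/$pid/ns/net"
        echo "0::/system.slice/docker-sample$pid.scope" > "$d/$pid/cgroup"
    done
    echo "system_u:system_r:svirt_lxc_net_t:s0:c12,c34" > "$d/200/attr/current"
    echo "system_u:system_r:svirt_lxc_net_t:s0:c56,c78" > "$d/300/attr/current"
}

demo_root=$(mktemp -d)
make_sample_proc "$demo_root"
compare_isolation "$demo_root" 200 300
rm -rf "$demo_root"
```

A "shared" verdict on a layer means that layer is not separating the two workloads; "unknown" means the entry could not be read, for example because SELinux is disabled or the PID has exited.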

[Figure: Linux app container 1]

The SELinux-based Linux container isolation provides an additional layer of defense for KVM-based virtualized and cloud environments that use SELinux-based sVirt isolation technology. Similar to a Russian nesting doll, many Linux containers are packed in a VM, many VMs in a hypervisor, and many hypervisors in a secure cloud. The result is a fast, efficient, and lightweight solution that is independent of underlying physical hardware, which makes it ideal for the military embedded space.

Finally, by eliminating the overhead of a guest operating system for every application, Linux containers enable increased densities of 10x more applications than traditional virtualization. SWaP (size, weight and power) is decreased significantly and the need for traditional virtualization is potentially eliminated, as containers can run natively on bare metal with Linux.

The Docker factor

With the open source Docker project, containerized applications no longer need to use the same runtime stack as the underlying system. That’s because Docker enables an application to run the same Linux kernel as the underlying container host but use a wholly different runtime stack:

[Figure: Linux app container 2]

Docker also:

  • Provides the ability to package mission applications and their user space runtime dependencies in a standard format. This enables “golden image” warfighter applications to be shared and deployed on Linux hosts from various vendors who also support Docker.
  • Works with Linux container hosts running on physical, virtual or cloud systems. Integrators can develop using agile methods in their cloud and field containerized applications on tactical bare metal appliances without the need of virtualized infrastructure.
  • Lets administrators layer containerized images and put them in an app store-like registry. For instance, the U.S. Army could develop a pre-STIGed Linux container and publish it in an Army app registry for all authorized government and integrator employees’ use. These images could be extended to contain certified layered products and services for Java application servers, Web servers, and more:

[Figure: Linux app container 3]

Integrators could also develop applications based upon these containers and publish them back into the Army registry for use and remixing by the government and other integrators.

The Atomic option

Tactical environments require slimmer containerization footprints that are easier to maintain. Enter Project Atomic.

[Figure: Linux app container 4]



Project Atomic provides an Atomic host that is actually a slimmed down enterprise Linux distribution whose sole job is to run Docker containers. Its name is derived from two plays upon words: “atomic,” for a small footprint as discussed above, and “atomic operations,” which must be performed entirely or not at all. Atomic hosts are compelling for tactical environments because they enable containerized apps to be uniformly “flashed,” or “reflashed” quickly if a system needs rebuilding or updating. This is quite different from the traditional approach of patching deployed systems, where configurations can drift from being identical over time, making security measurement extremely difficult.

As the U.S. military continues its march toward virtualization, it will need to operate in an environment that runs on more agile solutions. Linux containers fit that bill nicely, enabling Defense Department agencies to take full advantage of virtualization benefits.
