Effective CISSP Questions

Containers are a fundamental element in application virtualization where the same shared OS kernel is exposed virtually to multiple discrete applications. Which of the following statements about containerization and container technology is correct? (Wentz QOTD)
A. Containers are vendor-neutral so that a Linux host can run containers built for Windows
B. Containers require a hypervisor to support application virtualization
C. Containers provide a higher level of isolation than virtual machines
D. Containers may disrupt the existing software development methodologies

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Containers may disrupt the existing software development methodologies.


Virtual Machine and Container Deployments (Source: NIST SP 800-190)


Containers don’t require a hypervisor to support application virtualization. A container can be deployed to bare metal without a virtual machine managed by the hypervisor. A hypervisor, aka virtual machine monitor/manager (VMM), is “the virtualization component that manages the guest OSs on a host and controls the flow of instructions between the guest OSs and the physical hardware.” (NIST SP 800-125)


Virtual machines provide a higher level of isolation than containers. Applications deployed in containers share the same host OS kernel, while applications deployed on virtual machines are isolated to a higher degree, so they have to communicate through networks. However, applications in containers perform better than those in virtual machines.

OS and Application Virtualization (Source: NIST SP 800-190)

OS-family Specific

With containers, multiple apps share the same OS kernel instance but are segregated from each other. The OS kernel is part of what is called the host operating system. The host OS sits below the containers and provides OS capabilities to them. Containers are OS-family specific; a Linux host can only run containers built for Linux, and a Windows host can only run Windows containers. Also, a container built for one OS family should run on any recent OS from that family.

Source: NIST SP 800-190 (Application Container Security Guide)
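The OS-family rule quoted above is visible in how multi-platform images are published: an OCI image index lists one variant per platform, and a host can only take the variant built for its own OS. The following is an added example, not part of the original post or of NIST SP 800-190; the index, digests and host names are constructed, and the CPU architecture check is an extra condition the quoted passage does not discuss.

```python
import json

# Constructed OCI image index for a hypothetical multi-platform image.
# Digests are labelled placeholders, not real values.
SAMPLE_INDEX = json.loads("""
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"digest": "sha256:PLACEHOLDER-linux-amd64",
     "platform": {"os": "linux", "architecture": "amd64"}},
    {"digest": "sha256:PLACEHOLDER-linux-arm64",
     "platform": {"os": "linux", "architecture": "arm64"}},
    {"digest": "sha256:PLACEHOLDER-windows-amd64",
     "platform": {"os": "windows", "architecture": "amd64"}},
    {"digest": "sha256:PLACEHOLDER-no-platform"}
  ]
}
""")

# Constructed inventory of container hosts (hypothetical names).
SAMPLE_HOSTS = [
    {"name": "node-a", "os": "linux", "arch": "amd64"},
    {"name": "node-b", "os": "windows", "arch": "amd64"},
    {"name": "node-c", "os": "linux", "arch": "riscv64"},
]


def variant_for_host(index, host_os, host_arch):
    """Return the digest of the image variant built for this host, or None."""
    for manifest in index.get("manifests", []):
        platform = manifest.get("platform")
        if platform is None:
            continue  # undeclared platform: compatibility cannot be shown
        # The container shares the host kernel, so OS family must match exactly.
        if (platform.get("os"), platform.get("architecture")) == (host_os, host_arch):
            return manifest["digest"]
    return None


def placement(index, hosts):
    """Map each host name to the variant it can run (None means reject)."""
    return {h["name"]: variant_for_host(index, h["os"], h["arch"]) for h in hosts}


if __name__ == "__main__":
    for name, digest in placement(SAMPLE_INDEX, SAMPLE_HOSTS).items():
        print(name, digest or "REJECT: no variant for this OS family/architecture")
```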

Software Development Methodologies

Container Technology Architecture (Source: NIST SP 800-190)

The introduction of container technologies might disrupt the existing culture and software development methodologies within the organization. Traditional development practices, patching techniques, and system upgrade processes might not directly apply to a containerized environment, and it is important that employees are willing to adapt to a new model. Staff should be encouraged to embrace the recommended practices for securely building and operating apps within containers, as covered in this guide, and the organization should be willing to rethink existing procedures to take advantage of containers. Education and training covering both the technology and the operational approach should be offered to anyone involved in the software development lifecycle.

Source: NIST SP 800-190 (Application Container Security Guide)


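Containers are a fundamental element of application virtualization, in which multiple distinct applications share the same operating system kernel through virtualization. Which of the following statements about containerization and container technology is correct? (Wentz QOTD)
A. Containers are vendor-neutral, so a Linux host can run containers built for Windows
B. Containers require a hypervisor to support application virtualization
C. Containers provide a higher level of isolation than virtual machines
D. Containers may disrupt existing software development methodologies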
