Which of the following is not a primary construct that supports containerization? (Wentz QOTD)
A. Partition kernel resources into namespaces
B. Limit the resource usage of a collection of processes
C. Connect containers across multiple hosts using overlay networks, e.g., VXLAN
D. Isolate containers through the bare metal hypervisor
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Isolate containers through the bare metal hypervisor.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Containerization is an application-level virtualization technology: containers share the host OS kernel, unlike virtual machine-based virtualization, where each VM runs its own kernel under a hypervisor. The underlying OS features are namespaces, cgroups, AppArmor, etc.
- Namespaces are the most essential construct; they partition kernel resources so that each container sees its own view of them.
- Control groups (cgroups) limit, account for, and isolate the resource usage of a collection of processes.
- It’s common to connect containers using bridge networks, host networks, overlay networks (e.g., VXLAN), Macvlan networks, or third-party network implementations. The Docker networking documentation provides a good overview.
- AppArmor is a well-known Linux kernel security module that enforces container security policies.
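The two kernel constructs above, namespaces and cgroups, are visible from user space through `/proc/<pid>/ns/*` and `/proc/<pid>/cgroup`, which is how a defender checks whether a process is actually confined. The following is an added example (not code from the original post or from any container runtime) that parses those two interfaces and reports which namespaces a process still shares with the host, for instance a container started with the host PID namespace. The namespace inode numbers, container id and cgroup paths are constructed sample values; the helper that reads a live `/proc` is provided for Linux hosts and is not used by the sample run.

```python
import os
import re
from typing import Dict, Iterable, Optional, Set

# Namespace types exposed under /proc/<pid>/ns/ on a modern Linux kernel.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Namespaces a typical container runtime keeps private by default. "user" is
# left out because many runtimes still run containers in the host user namespace.
DEFAULT_PRIVATE = frozenset({"ipc", "mnt", "net", "pid", "uts"})

_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> int:
    """Parse a /proc/<pid>/ns/<type> symlink target such as 'pid:[4026531836]'
    and return the namespace inode number (equal inodes = same namespace)."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return int(m.group("inode"))


def read_namespace_links(pid: int) -> Dict[str, str]:
    """Read the live /proc/<pid>/ns/* link targets (Linux only; needs permission)."""
    base = f"/proc/{pid}/ns"
    return {ns: os.readlink(os.path.join(base, ns)) for ns in NS_TYPES
            if os.path.exists(os.path.join(base, ns))}


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Namespace types in which two processes share the same kernel object."""
    ia = {ns: parse_ns_link(t) for ns, t in a.items()}
    ib = {ns: parse_ns_link(t) for ns, t in b.items()}
    return {ns for ns in ia.keys() & ib.keys() if ia[ns] == ib[ns]}


def unconfined_namespaces(host: Dict[str, str], proc: Dict[str, str],
                          expected_private: Iterable[str] = DEFAULT_PRIVATE) -> Set[str]:
    """Namespaces the process shares with the host although the runtime should
    have given it a private one (e.g. a container run with the host PID namespace)."""
    return shared_namespaces(host, proc) & set(expected_private)


def parse_cgroup_file(text: str) -> Dict[str, str]:
    """Parse /proc/<pid>/cgroup. cgroup v1 lines look like '12:memory:/docker/<id>';
    the single cgroup v2 line looks like '0::/docker/<id>'. Returns controller -> path,
    with the v2 unified hierarchy stored under the key 'unified'."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        hier, controllers, path = line.split(":", 2)
        if hier == "0" and controllers == "":
            out["unified"] = path
        else:
            for ctrl in controllers.split(","):
                out[ctrl] = path
    return out


def parse_memory_max(value: str) -> Optional[int]:
    """Interpret the content of a cgroup v2 memory.max file: 'max' means no limit."""
    value = value.strip()
    return None if value == "max" else int(value)


def confinement_report(host: Dict[str, str], proc: Dict[str, str],
                       cgroup_text: str, memory_max: str) -> Dict[str, object]:
    """Summarise how confined a process is relative to the host's init process."""
    return {
        "shares_with_host": sorted(unconfined_namespaces(host, proc)),
        "cgroup": parse_cgroup_file(cgroup_text),
        "memory_limit_bytes": parse_memory_max(memory_max),
    }


# Constructed sample data: inode numbers as they would appear in /proc/1/ns/* on
# the host and in /proc/<pid>/ns/* for a container process.
HOST_NS = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
           "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
           "pid": "pid:[4026531836]", "user": "user:[4026531837]",
           "uts": "uts:[4026531838]"}
CONTAINER_NS = {"cgroup": "cgroup:[4026532200]", "ipc": "ipc:[4026532201]",
                "mnt": "mnt:[4026532198]", "net": "net:[4026532203]",
                "pid": "pid:[4026532202]", "user": "user:[4026531837]",
                "uts": "uts:[4026532199]"}
# Same container, but launched sharing the host's PID namespace.
HOST_PID_CONTAINER_NS = dict(CONTAINER_NS, pid=HOST_NS["pid"])
CGROUP_V2_SAMPLE = "0::/docker/0123abcd\n"                    # constructed container id
CGROUP_V1_SAMPLE = "12:memory:/docker/0123abcd\n11:cpu,cpuacct:/docker/0123abcd\n"

if __name__ == "__main__":
    print(confinement_report(HOST_NS, CONTAINER_NS, CGROUP_V2_SAMPLE, "268435456"))
    print(confinement_report(HOST_NS, HOST_PID_CONTAINER_NS, CGROUP_V2_SAMPLE, "max"))
```

On a live host, `read_namespace_links(1)` and `read_namespace_links(<container pid>)` feed the same functions; an unexpected entry in `shares_with_host` is the signal that the runtime did not give the container its own kernel view, and a `memory_limit_bytes` of `None` means no cgroup memory limit is applied.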
Containerization can be implemented on a bare-metal server without a hypervisor or virtual machines, so a bare-metal hypervisor is not a primary construct of containerization. Common container deployments are shown as follows.
- Secure Application Cloudification with Docker
- What Are Namespaces and cgroups, and How Do They Work?
- What even is a container: namespaces and cgroups
- Building Container Networks with VXLAN
- Deep Dive into Docker Overlay Networks: Part 2
- Definition: bare-metal hypervisor
Which of the following is not a primary construct that supports containerization? (Wentz QOTD)
C. Connect containers across multiple hosts using overlay networks (e.g., VXLAN)