DerekYeo
Mission Specialist

Container Security with Docker


Hi all,

Does Openshift container use other container alternatives than Docker? This is because I am researching on Symantec Security product for container on docker. 

Regards,

Derek

Accepted Solutions
beelandc
Flight Engineer

Users have had the option to use the CRI-O container engine in OpenShift since version 3.7 as Tech Preview and 3.9 as Generally Available (supported). However, OpenShift 3.x defaults to docker as the underlying container engine.

As of OpenShift 4, the platform now defaults to CRI-O as the underlying container engine.

CRI-O (and OpenShift) still support the docker container image format.

I'm not familiar with the Symantec Security product for docker containers, but I would imagine that it would be incompatible with the CRI-O runtime.

For more information on why OpenShift 4 switched to CRI-O, check the links below:

  1. http://crunchtools.com/docker-support/
  2. http://crunchtools.com/why-no-docker/
  3. https://www.redhat.com/en/blog/red-hat-openshift-container-platform-4-now-defaults-cri-o-underlying-...
  4. https://cri-o.io/
  5. http://crunchtools.com/why-no-docker/
  6. https://www.projectatomic.io/blog/2017/06/6-reasons-why-cri-o-is-the-best-runtime-for-kubernetes/

7 Replies
flozano
Moderator

About the container image format, it is actually the one defined by the Open Container Initiative. It is backwards-compatible with the docker container image format.

I am not aware of the Symantec product and I am curious about what it brings to container security. There is a training offering about container security: it is Red Hat Security: Securing Containers and OpenShift (DO425).

For a nice introduction about the overall landscape of container security, I recommend the following whitepaper: "Ten layers of container security"

https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper

beelandc
Flight Engineer

Good point on the image format. Thanks for clarifying!

DerekYeo
Mission Specialist

I see. So in this case, can I still use S2I to build the container images or I need to use Buildah tool? Thanks!

beelandc
Flight Engineer

You still have the ability to use S2I with OpenShift 4. However, under the covers, OpenShift is now using buildah inside a builder pod to create the resulting image.

https://blog.openshift.com/openshift-4-image-builds/

flozano
Moderator

You can use either 'podman build' or 'buildah bud' to build container images using a Dockerfile under RHEL8 or RHEL7 with container tools. And as said before, Dockerfile builds work on OpenShift 4 using 'oc new-app' and buildconfigs the same way they worked with OpenShift 3. The fact that OpenShift 4 uses buildah internally instead of docker is just an implementation detail from the point of view of an OpenShift user.
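To make the point above concrete, here is an added example (not code from the thread or from Red Hat) of a Docker-strategy BuildConfig for OpenShift 4: the manifest is identical to what OpenShift 3 accepted, and the buildah-in-a-builder-pod detail never surfaces in it. The object names (demo-app) and the namespace (demo) are assumed placeholders; the Dockerfile drops to a non-root UID, which is the practice the thread later recommends.

```yaml
# Added example, not part of the original thread. Names are placeholders.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: demo-app        # assumed name
  namespace: demo       # assumed namespace
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: demo-app
  namespace: demo
spec:
  source:
    # Inline Dockerfile: the same file builds locally with
    # `podman build -t demo-app .` or `buildah bud -t demo-app .` on RHEL.
    type: Dockerfile
    dockerfile: |
      FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
      # Create the app directory owned by an unprivileged UID (group 0 so
      # OpenShift's arbitrary-UID assignment still has write access).
      RUN mkdir -p /opt/app \
       && echo 'hello from a non-root container' > /opt/app/index.html \
       && chown -R 1001:0 /opt/app && chmod -R g=u /opt/app
      WORKDIR /opt/app
      # Run as a non-root user; OpenShift will refuse root-by-default
      # images under the restricted SCC anyway.
      USER 1001
      CMD ["sleep", "infinity"]
  strategy:
    type: Docker
    dockerStrategy:
      noCache: true     # rebuild every layer so base-image fixes are picked up
  output:
    to:
      kind: ImageStreamTag
      name: demo-app:latest
```

Apply it with `oc apply -f` and trigger a build with `oc start-build demo-app -n demo`; the build log shows buildah doing the work, but nothing in the BuildConfig had to change for that.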

Rik_NL
Flight Engineer

This is what I get from the Symantec website on your question:

“Symantec CWP enables organizations to discover and secure workloads across multi-cloud environments.

  • Continuous visibility of workloads deployed across AWS, Azure, and Google Cloud Platform (GCP)
  • Automatic discovery of software services on workloads
  • Automatic identification of workload security postures
  • Real-time visibility into infrastructure changes”

This product line does not work AFAICS with our Openshift offerings. It also does little for when creating an image. It has no real connection to the choice of container runtime (docker, cri-o, rkt etc).

For protecting Openshift workloads (after DO180/DO280) you could take a look at Red Hat Security: Securing Containers and OpenShift.

Important to note is to take care of bits in transit, so using secure connections between nodes, deploying with a service mesh for end-to-end TLS, running containers with non-root privileges, and storing bits at rest, so storing images in a secure registry that has the capability to do vulnerability scanning (like Quay).

Buildah or docker build on its own do not make for a ‘secure’ image and container. This is where the Red Hat runtimes come into play to help you get safer images by lowering the attack surface.

In the end, security is not a button to press or a feature you add, it is a vital process you need to get in place to design and run your workloads safely. There are tools available at all stages of the journey. Before picking a tool (like the above-mentioned Symantec), first learn how the different components are interlocked. This is why we have the comprehensive learning portfolio at Red Hat.

Enjoy the journey
