
Bringing Security to Container Environments

Containers allow software to run reliably when moved from one computing environment to another.



Containers are a lightweight virtualization technology that lets you package and isolate an application together with its entire runtime environment. Unlike virtual machines, they do not emulate hardware or boot a guest operating system: every container on a host shares that host's kernel and is separated from the others by kernel features such as namespaces and cgroups. Because the runtime environment travels with the application, containers allow software to run reliably when moved from one computing environment to another. They behave like standalone systems and require no specialized software or custom kernel images.

Containers can replace virtual and physical machines: whenever a developer needs separate systems, they can use containers instead. A container behaves like an independent system yet may be only a few megabytes, whereas a virtual machine with its own operating system is typically several gigabytes, so a single server can host far more containers than virtual machines. Containers can be started in milliseconds and, when no longer needed, deleted to free up resources on their hosts.

LXD and LXC Containers

LXC is a userspace interface to the Linux kernel's containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers. The goal of LXC is an environment that is as close as possible to a standard Linux installation without the need for a separate kernel.

LXD is a container manager (Canonical describes it as a container "hypervisor") built on top of LXC: it uses LXC's API to manage containers behind the scenes. Because containers share the host kernel, there is no hardware virtualization layer and workloads run at close to bare-metal speed. LXD containers are unprivileged by default and draw on the kernel's security features, including user namespaces, seccomp filters, AppArmor profiles, cgroups and capability dropping, to keep root inside a container from being root on the host. Those protections only hold while the container's configuration leaves them in place, so settings that relax them deserve the same scrutiny as a firewall exception.
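The kernel features above are only as strong as the container configuration that enables them, so a practical check is to audit the output of "lxc config show --expanded" for keys that weaken isolation. The script below is an added example written for this page, not LXD project code; the two embedded configurations are constructed samples (one loosened in several common ways, one hardened), and the severities assigned to each key are the author's judgement, not an LXD rating. It reads the dump line by line as "key: value" pairs, which is a heuristic rather than a YAML parser, but it is enough for the flat config section and for the source lines of disk devices.

```shell
#!/bin/sh
# Added example: audit an LXD container configuration dump for settings that
# disable or override the kernel isolation features LXD normally applies.
#
# Usage:
#   lxc config show --expanded <container> | sh audit_lxd.sh --stdin
#   sh audit_lxd.sh --demo      # runs against the constructed weak sample below
#
# Exit status of audit_lxd_config: 0 when nothing was flagged, 1 otherwise,
# so it can gate a CI job or a pre-launch hook.

audit_lxd_config() {
    findings=0
    # read splits on whitespace, so $key keeps its trailing ':' and $val is the rest
    while read -r key val; do
        case $key in *:) ;; *) continue ;; esac   # only "key: value" lines matter
        key=${key%:}
        val=${val#\"}; val=${val%\"}               # lxc prints booleans quoted: "true"
        msg=""
        case $key in
            security.privileged)
                if [ "$val" = true ]; then msg="HIGH security.privileged=true: no user namespace, so uid 0 in the container is uid 0 on the host"; fi ;;
            security.nesting)
                if [ "$val" = true ]; then msg="MEDIUM security.nesting=true: allows nested container runtimes and relaxes the AppArmor profile"; fi ;;
            security.syscalls.deny_default|security.syscalls.blacklist_default)
                if [ "$val" = false ]; then msg="HIGH $key=false: default seccomp syscall denylist disabled"; fi ;;
            security.syscalls.intercept.*)
                if [ "$val" = true ]; then msg="MEDIUM $key=true: syscall forwarded to LXD and emulated on the host"; fi ;;
            raw.lxc|raw.apparmor|raw.seccomp)
                msg="HIGH $key set: overrides the LXD-generated policy ($val)" ;;
            linux.kernel_modules)
                msg="MEDIUM linux.kernel_modules set: host kernel modules loaded at container start ($val)" ;;
            source)
                if [ "$val" = / ]; then msg="HIGH disk device with source=/: host root filesystem mounted into the container"; fi ;;
        esac
        if [ -n "$msg" ]; then
            echo "$msg"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from a real system): a container loosened in several ways.
weak_config() {
cat <<'EOF'
architecture: x86_64
config:
  image.os: Ubuntu
  security.privileged: "true"
  security.nesting: "true"
  security.syscalls.deny_default: "false"
  raw.lxc: lxc.apparmor.profile=unconfined
  linux.kernel_modules: overlay,nf_nat
devices:
  hostroot:
    path: /mnt/host
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
EOF
}

# Constructed sample: the same container with the defaults restored and an
# isolated uid/gid map, which is what the audit should pass silently.
hardened_config() {
cat <<'EOF'
architecture: x86_64
config:
  image.os: Ubuntu
  security.privileged: "false"
  security.nesting: "false"
  security.idmap.isolated: "true"
  security.syscalls.deny_default: "true"
devices:
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
EOF
}

case "${1:-}" in
    --demo)  weak_config | audit_lxd_config ;;
    --stdin) audit_lxd_config ;;
esac
```

Run with --demo to see the six findings for the weak sample; piping a real dump through --stdin returns exit status 1 whenever anything is flagged. Extend the case statement rather than the parser when you need more keys: the keys checked here are those that most directly remove a layer (user namespace, seccomp, AppArmor) or hand the container host resources (kernel modules, the host root filesystem).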

Container Components

LXD's main components are containers and their configuration, together with devices, snapshots and images; images are the source from which every container is created. The network management API and command-line tools introduced in LXD 2.3 make network management simple. Out of the box, LXD 2.3 defines no network at all; instead, "lxd init" creates a managed bridge (lxdbr0 by default) and LXD hands out IP configuration to the new containers attached to it.

LXD 2.9 added the creation and management of storage pools and storage volumes. Storage pool configuration keys are set with the lxc command-line tool, and a pool can be backed by ZFS, btrfs, LVM or a plain directory for storing images and containers.

LXD Clustering Mode

LXD can run in clustering mode, in which any number of LXD instances share the same distributed database and are managed uniformly through the lxc client or the REST API. The database is replicated with dqlite (distributed SQLite built on the Raft consensus algorithm) across a set of voting members, three by default; the remaining members forward their queries to those voters. Run at least three members so that the database keeps quorum when one of them fails.

First, choose a bootstrap node, which can be an existing LXD instance or a fresh one, and initialize it; then join further nodes to the cluster. Both steps can be done interactively with "lxd init" or non-interactively with a pre-seed file. Joining requires the cluster's certificate and a shared secret (the trust password), so the secret should be treated like any other credential and rotated once the cluster is formed.
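The two pre-seed files below carry out the procedure just described non-interactively, and at the same time show the storage pool, network and default profile components from the previous section being defined in one place. This is an added example for this page, not configuration shipped by the LXD project. It assumes the LXD 3.0-era pre-seed format (cluster_certificate and cluster_password keys), two hosts whose addresses 10.0.0.1 and 10.0.0.2 and trust password "sekret" are placeholders, and that the cluster certificate is copied from the bootstrap node's LXD data directory (cluster.crt; the exact path depends on the installation). The functions only print YAML; the lxd invocations that would consume it are shown as comments so the script can be read and tested without a running LXD.

```shell
#!/bin/sh
# Added example: generate "lxd init --preseed" input for bootstrapping and
# joining an LXD cluster. Addresses, names and the password are placeholders.

# Bootstrap pre-seed: $1 = member name, $2 = address:port this node listens on,
# $3 = trust password. Defines the storage pool, managed bridge and default
# profile once; members that join later reuse them from the shared database.
bootstrap_preseed() {
cat <<EOF
config:
  core.https_address: $2
  core.trust_password: $3
storage_pools:
- name: default
  driver: zfs
networks:
- name: lxdbr0
  type: bridge
  config:
    ipv4.address: auto
    ipv6.address: none
profiles:
- name: default
  devices:
    root:
      path: /
      pool: default
      type: disk
    eth0:
      name: eth0
      nictype: bridged
      parent: lxdbr0
      type: nic
cluster:
  server_name: $1
  enabled: true
EOF
}

# Join pre-seed: $1 = new member name, $2 = its address:port, $3 = address:port
# of an existing member, $4 = PEM of the cluster certificate, $5 = trust password.
# The certificate is emitted as a YAML literal block (|) so its line breaks survive;
# a double-quoted string would fold them into spaces. member_config supplies the
# node-local value every member must provide (an empty source = loop-backed pool).
join_preseed() {
cat <<EOF
cluster:
  enabled: true
  server_name: $1
  server_address: $2
  cluster_address: $3
  cluster_certificate: |
$(printf '%s\n' "$4" | sed 's/^/    /')
  cluster_password: $5
  member_config:
  - entity: storage-pool
    name: default
    key: source
    value: ""
EOF
}

# Intended use (assumed hosts and paths; run on each node in turn):
#   on node1:  bootstrap_preseed node1 10.0.0.1:8443 sekret | lxd init --preseed
#   copy cluster.crt from node1's LXD data directory to node2, then on node2:
#   join_preseed node2 10.0.0.2:8443 10.0.0.1:8443 "$(cat cluster.crt)" sekret | lxd init --preseed
#   verify:    lxc cluster list
case "${1:-}" in
    --bootstrap) bootstrap_preseed "$2" "$3" "$4" ;;
    --join)      join_preseed "$2" "$3" "$4" "$(cat "$5")" "$6" ;;
esac
```

The pin to the cluster certificate is what prevents a rogue host from impersonating the bootstrap node while the new member presents the shared secret; later LXD releases replace the trust password with single-use join tokens, which removes the long-lived secret from the procedure altogether.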

Containers on LinuxONE

Container support is now available on IBM's enterprise servers, including IBM Z and LinuxONE, which bring scalability, high performance and security to container environments. With up to 141 high-performing cores, up to 10 TB of memory and up to 160 dedicated I/O processors, IBM LinuxONE can host over 10,000 containers on a single system.

In a proof-of-scalability test, LinuxONE ran more than one million workload containers. LinuxONE also adds security isolation between the logical partitions that run containers and Docker instances, along with on-chip cryptography to protect sensitive data; these capabilities complement the security features of Docker Enterprise Edition. LinuxONE thus lets software developers scale their container-based applications to new heights while allowing IT operations to provide the security, performance and reliability that enterprise applications need.
