Hyperizing Docker Containers with rock solid security

Introduction

One of the questions we have been asked is what is the secret sauce in our enterprise edition as all our stuff is opensource.

Hence this is one of our secret sauce. Yes if you want to run secure docker containers by using a hypervisor like KVM, contact us @info@megam.io. If you are from the hosting industry we will put you in touch with our partner DET.io (jonathan@det.io).

In this article we will provide the opensource way of doing stuff on your own.

Lets get started too launch the docker container in secure isolated with a very fast launch using hypercontainers.

Introducing HyperContainer

HyperContainer is a Hypervisor-agnostic Docker Runtime that allows you to run Docker images on any hypervisor (KVM, Xen, etc.).

 HyperContainer = Hypervisor + Kernel + Docker Image

By containing applications within separate VM instances and kernel spaces, HyperContainer is able to offer an excellent Hardware-enforced Isolation, which is much needed in multi-tenant environments.

HyperContainer also promises Immutable Infrastructure by eliminating the middle layer of Guest OS, along with the hassle to configure and manage them.

Setup HyperContainer

This initial section contains everything you need to setup the hypercontainer on one of your baremental server.

Now if your have a several servers, you can contact us, the enterprise edition is a lifesaver.

Step - 1 Install HyperContainer

The Prerequisites are,

Hypervisor: at least one of

[Linux] QEMU KVM 2.0 or later [Linux] Xen 4.5 or later (for Xen support)

We will use KVM here. Supose your server doesn’t have the any hypervisor you need to install the following

  sudo apt-get install qemu-system

Now the install hypercontainer on your server,

 wget https://hyper-install.s3.amazonaws.com/hyper-latest.tgz
 tar -xvzf hyper-latest.tgz

Then cd into the hyper-pkg directory

./bootstrap.sh
./install.sh

Next we start the hyperd service

sudo service hyperd start
Step - 2 Pull Docker Images

To pull the docker images from docker registry by using these command

hyper pull tutum/hello-world

Now the container pulled in sub-millseconds.

To list the docker images

hyper images

REPOSITORY            TAG   IMAGE ID     CREATED        VIRTUAL SIZE
tutum/hello-world   latest  4b95f40f2f4d   2015-12-14 16:16:44   17.0 MB
Step -3 Network setup

By default the hypercontainer uses hyper0 bridge but we wil have to use our own subnet (own bridge)

Lets setup a bridge named one in your server.

brctl addbr one

Once you have created a bridge you need to change the configuration file under in /etc/hyper/config

Kernel=/var/lib/hyper/kernel
Initrd=/var/lib/hyper/hyper-initrd.img
Bios=/var/lib/hyper/bios-qboot.bin
Cbfs=/var/lib/hyper/cbfs-qboot.rom
Bridge=one
BridgeIP=xxx.xxx.x.x/24

Then restart the hyperd service

service hyperd restart
Step - 4 Run the HyperContainer
hyper run --name test -d tutum/hello-world

The hypercontainer runs in an isolated space in an independent kernal.

To list the running hypercontainers

hyper list
POD ID            POD Name           VM name                 Status
pod-IlLsHBTYGQ      tutum1       vm-FXBRjvEgJY              running

Conclusion

These are the very simple steps to successfully launch a docker container in a secure isolated space.

Again if you have a lot os server rack, we have the solution. Contact us @ hello@virtengine.com

About the Author

VirtEngine by DET.io

VirtEngine by DET.io
VirtEngine specializes in building Virtualization Software and powering Cloud Service Providers / Hosting Providers..
Follow @VirtEngine
Read More

Meet VirtEngine at HostingCon India 2016!

Virtualization platform VirtEngine will be exhibiting in HostingCon India 2016! Continue reading

Installing VirtEngine on CentOS

Published on October 18, 2016

Cassandra Replication - HA

Published on July 14, 2016