Behind the scenes at Labs
Showing results for 
Search instead for 
Did you mean: 

Labs helps Docker with Project Moby



By Curt Hopkins, Managing Editor, Hewlett Packard Labs

Last week during the keynote at DockerCon in Austin, Texas, Docker  announced the Moby Project, including its LinuxKit. Researchers from Hewlett Packard Labs and HPE have been working closely with Docker on this, leveraging their experience with container security to create the new Linux- okernel.

Docker’s Bradley Wong described Project Moby as “the creation of a lightweight, secure, portable base OS that can be leveraged to run Docker and containers on top.”

According to Solomon Hykes, writing on the Docker Blog, Moby provides “a library of components, a framework for assembling them into custom container-based systems and a place for all container enthusiasts to experiment and exchange ideas” with the aim of taking containers mainstream.

Labs and HPE have provided the project with a new Linux kernel, the Linux-okernel, which provides silicon-enforced isolation to protect against kernel exploits without requiring a hypervisor.

Labs Distinguished Technologist Nigel Edwards explained why this innovation bumps up the security level of Docker substantially.

Containers provide an excellent user-space isolation mechanism, but all containers started by the same container engines share a common kernel. If there is a bug in the kernel, container isolation can be broken. In the last five years there have been over 500 kernel security bugs. The best form of mitigation is to run all containers in separate virtual machines. However, that is inefficient in terms of wasted resources and complex to manage as virtual machines impose a significant additional management burden. The HPE Linux kernel is transparent to the container engine requiring no recompilations or rebuild of containers, but is able to confine kernel tampering by malicious actors using the same processor mechanisms that virtual machines use – ‘Silicon-enforced isolation.’

Making containers secure is integral to advancing the containerization movement and HPE has leveraged its extensive experience in this realm with ContainerOS, within which the Linux-okernel was developed.

Docker’s Justin Cormack described LinuxKit as “a secure, lean and portable Linux subsystem that can provide Linux container functionality as a component of a container platform.” It also includes “includes the tooling to allow building custom Linux subsystems that only include exactly the components the runtime platform requires.”

Security is integral, according to Cormack, and LinuxKit abides by the National Institute of Standards and Technology’s draft Application Container Security Guide, using “container-specific OSes instead of general-purpose ones to reduce attack surfaces.”

LinuxKit makes it easy for system builders to experiment with new kernel and system features, particularly new security features. It provides a place for the community to collaborate and develop features prior to uploading them into the main Linux kernel.

“Security is a fundamental requirement for HPE customers and it needs to be built on solid foundations” said Edwards. “That means it must be built on hardware features. Our work and this collaboration provides our customers with the highest possible security for running container applications. The linux-okernel provides unique protection facilities for container deployed in bare-metal environments.”

Nigel Edwards on ContainerOS

0 Kudos
About the Author


Managing Editor, Hewlett Packard Labs

Online Expert Days - 2020
Visit this forum and get the schedules for online Expert Days where you can talk to HPE product experts, R&D and support team members and get answers...
Read more
HPE at 2020 Technology Events
Learn about the technology events where Hewlett Packard Enterprise will have a presence in 2020
Read more
View all