Ubuntu Core Linux Gets 'Snappy' for Docker Container Security

A new approach for enabling a highly secured and optimized host for container deployment enters public beta.

Download the authoritative guide: Big Data: Mining Data for Revenue

Ubuntu core Linux

Canonical, the lead commercial sponsor behind the Ubuntu Linux distribution, is building new tools to make updating cloud container applications "snappier."

The new product's name is Snappy Ubuntu, according to Dustin Kirkland, product manager at Canonical. Snappy Ubuntu is a version of the Ubuntu Core, which is a minimal Ubuntu Linux operating system.

"The command line utility that handles package and update management in Snappy Ubuntu is — snappy," Kirkland explained to eWEEK.

Snappy Ubuntu is intended to be an optimized base for Docker container applications, which are typically referred to as "Dockerized" apps. Kirkland noted that, as Docker services move into production, the Docker host itself should be lean and very secure.

Docker sits on top of a host operating system, which is the base from which multiple Dockerized apps can be deployed. The goal with Snappy Ubuntu is to be a minimalistic, secure, base operating system.

From an application deployment perspective, applications for Snappy Ubuntu are packaged as "snaps," which provides a mechanism to help ensure package authenticity and security.

"Not only will users be able to validate what they downloaded is exactly what they wanted, they will also be able to validate that the current state on disk matches that at any time," Kirkland said. "The tools for this are not yet included, but are a critical piece of our security design and will become available during our beta program."

Snappy Linux can be secured with AppArmor security profiles. AppArmor is a Linux technology that enforces mandatory access controls on system processes and applications. Ubuntu has been including AppArmor in its Linux distribution since the Ubuntu 7.10 Gutsy Gibbon release in 2007.

"AppArmor profiles in Ubuntu Core are different in the sense that applications, by default, start with a fully confined state that allows them to only access their own resources and elements of the Snappy-core system," Kirkland explained. "This means that, by default, an app has only rights to do the most basic operations available on a Snappy system."

Kirkland added that what is allowed by default is not in the hands of the Snappy/package author, but is defined in a default profile that is carefully designed by the Ubuntu security team and shipped as part of the base system.

"So instead of an app deciding what it can do, they can only select what rights they get out of named profiles that are carefully designed, that will never put other apps or the system at risk of getting compromised by an evil application," Kirkland said. "This means that the user does not have to make any security-sensitive choices, and they can rest assured that an app installed from the app store cannot extract data or compromise other parts of the system."

Snappy is now entering its public beta period and is first being made available on the Microsoft Azure cloud.

Microsoft has been a first class partner to Canonical in supporting Ubuntu guests running in Azure, Kirkland said, adding that Canonical briefed Microsoft about Snappy and Microsoft was enthusiastic about the approach.

"This week's announcement marks Snappy entering a public beta, where we're excited to have open dialogs with the broader Ubuntu community and cloud ecosystem about the Snappy tools," Kirkland said. "We'll communicate our official schedule for productization and support in the coming months."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.