You ask, we answer: how to solve the security problem after the transformation to a container platform?

Time: 2021-6-12

The [You ask, we answer] column of the BoCloud WeChat official account collects and organizes the problems IT teams encounter during enterprise IT construction, and the BoCloud product and technology team gives targeted answers. A column is published every Friday, and we hope it provides ideas and methods for enterprise IT construction. Whichever industry you build IT in, if you have questions about container cloud platform construction, microservice architecture transformation, DevOps platform construction, multi-cloud management platform construction or other technical topics, you are welcome to ask directly in the comments.

Here is a selection of this week’s questions:

Netizen 1: How to solve the security problem after the transformation to a container platform?

The security boundary of a traditional monolithic application is clear, and installing an agent can solve the problem of monitoring a large number of Trojan intrusions. However, the shared kernel and stateless characteristics of a container platform make the security boundary unclear. Traditional security products cannot monitor the network inside the container because of the container networking, so how is the security problem solved after the transformation? Is it through third-party products?

BoCloud product team: For security issues, we can refer to commercial container cloud platform solutions, which provide a multi-dimensional security design to meet comprehensive requirements such as system data security, environment security, network security and operational security. In addition to the security measures provided by the container host operating system itself (Linux namespaces, Security-Enhanced Linux (SELinux), cgroups, capabilities and secure computing mode (seccomp)), a commercial container cloud solution can also provide the following measures at the security level:

  1. It supports access over the HTTPS security protocol, deployment and management as non-root users, and security restrictions on terminal access.
  2. It provides role-based access control, manages the permissions for pulling and pushing specific container images, and ensures tenant isolation and resource isolation.
  3. Automated security testing is integrated into the build or CI process, such as applying security scanning to ensure image security.
  4. Network isolation: with the help of network namespaces, each pod obtains its own bound IP and port range, so the pod networks on a node are separated from each other; the container platform uses routers or firewalls to control outgoing traffic, so that IP whitelists can be used for control (for example, to control database access).
  5. API management / endpoint security and single sign-on (SSO).
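As an added example (not part of the original column and not BoCloud's product code), the script below turns items 1 and 4 of this list into checks that can be run over Kubernetes manifests: it audits a Pod for the host-OS controls named above (non-root user, seccomp profile, dropped capabilities, no privilege escalation, read-only root filesystem, and an image pinned to a tag or digest so that scan results stay meaningful) and confirms that an egress NetworkPolicy whitelists the pod's outbound traffic. The weak and hardened manifests, the namespace, labels, image names and the database address are all constructed for illustration.

```python
"""Audit Kubernetes manifests for the baseline hardening measures listed above.

Added example, not BoCloud's code. Manifests are constructed for illustration;
field names follow the Kubernetes Pod and NetworkPolicy APIs.
"""
from typing import Any, Dict, List

META = {"name": "quote-web", "namespace": "insurance", "labels": {"app": "quote-web"}}

# Constructed sample: a pod written without any hardening.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": dict(META),
    "spec": {"containers": [{
        "name": "web",
        "image": "registry.example.internal/quote/web:latest",  # mutable tag
        "ports": [{"containerPort": 8080}],
    }]},
}

# Constructed sample: the same pod with the host-OS controls applied.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": dict(META),
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,                          # no root inside the container
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},  # runtime's default syscall filter
        },
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/quote/web:1.4.2",  # pinned, scannable tag
            "ports": [{"containerPort": 8080}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Constructed sample: egress whitelist that lets the pod reach only the database.
DB_EGRESS_POLICY: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "quote-web-egress", "namespace": "insurance"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "quote-web"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "10.20.0.10/32"}}],  # constructed DB address
                    "ports": [{"protocol": "TCP", "port": 5432}]}],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per missing hardening control (empty list means clean)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones for these fields.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # last path segment, so a registry port is ignored
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            findings.append(f"{name}: image {image!r} is not pinned to a tag or digest")
    return findings


def selects(policy: Dict[str, Any], pod: Dict[str, Any]) -> bool:
    """True if the policy applies to the pod: same namespace and every podSelector
    label present on the pod (an empty selector matches all pods in the namespace)."""
    if policy["metadata"].get("namespace") != pod["metadata"].get("namespace"):
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def egress_restricted(pod: Dict[str, Any], policies: List[Dict[str, Any]]) -> bool:
    """True if at least one policy selecting the pod restricts Egress traffic."""
    return any(selects(p, pod) and "Egress" in p["spec"].get("policyTypes", [])
               for p in policies)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "no findings",
              "| egress restricted:", egress_restricted(pod, [DB_EGRESS_POLICY]))
```

The audit reads the same fields an admission controller (for example a Pod Security Admission or policy-engine rule) would evaluate; running it in the CI stage from item 3, next to the image scan, catches a pod that was rebuilt without its hardening before it reaches the cluster. The NetworkPolicy check only tells you that an egress policy exists for the pod; whether the whitelisted CIDR is the right database address is still a review question.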

Netizen 2: Are there many enterprises in the insurance industry with container cloud projects? What is the situation now?

BoCloud product team: In the future, insurance will shift from relying mainly on sales to relying on dynamic big-data risk control from beginning to end. Nowadays, "Internet" thinking plus the latest scientific and technological means have profoundly affected, even shaken, every industry, and the insurance industry is no exception. From the management model, business processes, business model and risk control model to the marketing model, product development, customer service and other aspects, the insurance industry is being deeply affected. All of this means internal change for insurance companies.

At present, insurance companies at home and abroad have launched new-generation information system construction plans. These aim to build an "IT productivity" that delivers quickly, is secure, is customer-centred and meets the needs of current and future development, through new technologies such as container cloud, microservices, DevOps, big data, the Internet of Things and artificial intelligence, so that enterprises can respond quickly and flexibly to changes in business development and achieve business and service innovation.

In response to this question, I would like to give some examples. As we all know, the insurance business is becoming more and more diversified, especially with various promotional activities, so there are high requirements for rapid system expansion. In the insurance industry, operational promotions, "good start" promotions and other activities are released frequently, and "flash sales" in particular, as a means of promotion, are undoubtedly a great challenge to the performance limits and flexibility of an insurance company's systems. If the system allocates resources according to the peak load of a flash sale, resource utilization is low, which is undoubtedly a huge waste. Therefore, IT resources and services are required to scale rapidly and flexibly.

So the construction of a container cloud platform must be one of the plans in the future IT construction planning of the insurance industry. At present, container cloud construction in the domestic insurance industry is still at an initial stage: few enterprises have had the courage to try, and most are at the research and testing stage. However, with the explosive growth of business and the diversification of application services in the next 1-3 years, it is believed that the major insurance companies will make efforts in building container cloud PaaS platforms.

Netizen 3: With more and more applications of Docker, what is the core difference between Docker and a virtual machine?

BoCloud product team: The virtualization technology of VMware / OpenStack opened a new door for us. It turns out that we do not need to manage physical machines so much; instead we can use virtualization technology, assisted by various tools, to better manage resources and improve resource utilization. Without container technology, there are two problems in achieving rapid release and operation of applications:

1. The application is released in the form of a virtual machine image: compared with a container image, it is much larger because it contains the kernel and operating system files. In addition, the process of building and editing the image is not as convenient as with a container image.

2. Service scheduling is implemented at the granularity of a virtual machine: because there are more processes in a virtual machine, on the one hand this wastes resources; on the other hand, there is no way, as there is with containers, to evaluate resource occupancy more scientifically and accurately.

If there is no virtualization, Kubernetes, the container orchestration system, is connected directly to the physical machines. If, in the private cloud case, flexible resource allocation and recycling can be achieved through a series of physical machine management tools, then in the public cloud scenario vendors would have to offer their physical servers for users to freely apply for and allocate, and for users the cost would only be high, so it is very difficult to promote. Of course, for specific needs, public cloud vendors directly provide users with specific hardware servers, or even hosted data centers, but that is another scenario.

In general, virtualization technology changes the management objects in the data center from static physical machines to dynamic virtual machines, while container technology realizes application packaging, building, deployment, scheduling and operation on top of virtualization technology. The combination of the two makes the IaaS / PaaS concept of cloud computing come true.

Netizen 4: What is the relationship between microservices and containers?

BoCloud product team: Microservices are an architectural style and a way to develop large and complex software applications as a set of small services.

A container is a runtime technology that allows many applications to run in isolation on virtual machines, physical machines and so on. At the same time, the appearance of layered container image technology and container orchestration technology such as Kubernetes makes it very simple for operations and maintenance staff to manage hundreds of application instances.

So we can see that using container technology as the foundation of a microservice architecture is a very natural choice.
