F3.3 Contain Challenges Flashcards
What is one aspect VMs are better than Containers?
VMs are more secure
Are containers or VMs more suitable for micro-services, why?
Containers. They are lightweight and do NOT require a full OS image for each copy like VMs do
What are some threats that containers can come across?
- Applications inside containers taking control over the container
- Containers taking over other containers
- Containers taking over the host
____ perform the job of isolating and virtualizing system resources for a collection of processes. _____ can solve the ‘inter-container protection’ and ‘protecting the host from containers’ security issues
Linux kernel features
- Namespaces
_____ are Linux features that control the accountability and limitation of resource usage.
_____ solve the ‘inter-container protection’ and ‘protecting the host from containers’ security issues
Linux kernel features
- CGroups
______ are Linux features that turn the root and non-root dichotomy into fine-grained access control. Running a container with full root poses a great danger because an attacker who compromises it will be able to control the entire system. Using ______, containers will not need to have full root privilege
Linux kernel features
- Capabilities
_____ is a Linux kernel feature that filters system calls to the kernel. ______ is more fine-grained than capabilities since different _______ profiles can be applied to different filters. This helps reduce the number of system calls coming from containers
Linux kernel features
- Seccomp (Secure Computation Mode)
____ allow a wide variety of security models to be implemented on the Linux kernel. This means that a user can select the preferred implementation rather than being forced to use the one that came with the OS.
Software-based solutions
- Linux security modules (LSMs)
____ seamlessly protects containers from the underlying layers (e.g., cloud provider or host machine).
Hardware-based solutions
- Intel SGX
_____ exploits the out-of-order execution in modern processors to extract information about the OS and other containers
Meltdown
____ is another serious threat to containers, as it tricks other applications into accessing arbitrary locations in their memory
Spectre
Researchers showed that _____ contain many high-risk vulnerabilities (30% to 90%), indicating a real issue with such images.
Docker images
As we have seen earlier, many of the security issues in containers arise from using unverified images. For example, the Docker default installation does not check for image authenticity.
Notary can be used to verify Docker images’ authenticity; it is, however, a centralized solution.
What could be a solution?
A better solution is to use decentralized verification, which could be done using BLOCKCHAIN
A _____________ is part of the architecture that is used to orchestrate multiple container-based applications on heterogeneous computing nodes
Container Scheduler
There are two distinct types of container placement approaches, explain them
- Queuing: The queuing approach can be abstracted as a FIRST-IN-FIRST-OUT or priority-based method, where the container placement decision is made on a container-by-container basis.
- Concurrent: Computing requests are first shared, and then the placement decision is made for them together.
What are 3 reasons to migrate a container?
- An end device/user has changed location,
- To balance the workload within the cluster of edge nodes, or
- An edge node can suddenly become unavailable (e.g., an unexpected shutdown), and a running application needs to be migrated to continue an already started computation.
What are the two types of container migration?
Cold and Warm
Explain Cold container migration
The container(s) and base images are transferred together to another node in a SINGLE-STEP process
What is container migration?
Relocating an already running service to another edge node
Explain Warm container migration
Images are first replicated on the target node ahead of the migration in a timely manner. Afterward, the running applications are frozen, saved on the source node disk, and then offloaded to the target node on top of the already deployed images, making it a MULTI-STEP process
The container placement and migration problem in edge computing can be modeled using ______________, as it consists of a set of decision variables, decision constraints, objective functions, and model assumptions
Optimization Modeling
The _______ problem exists when there are more container applications than the edge node CPU capacity can accommodate
Knapsack
Container placement can be viewed as a queuing system where containers are queued or buffered before placement.
- This type of system can be modeled using the queuing-aware ______ optimization framework.
- The ______ optimization framework has proven to be useful when dealing with NETWORK QUEUES
- The state of a system at an instant in time can be described using a non-negative multidimensional function called a ______ function. The function is defined in such a way that it grows when the system moves towards undesirable and unstable states
Lyapunov
What kind of algorithm does the Kubernetes scheduler use?
Greedy
- _________ refers to an approach that seeks an optimal or near-optimal solution as quickly as possible but does not guarantee that it is the most optimal.
- ______ algorithms help balance the trade-off between the time complexity of computation and accuracy
Heuristic