Red Hat's Atomic Host promises safer, sleeker Docker

RHEL Atomic Host boasts of better controls and security over containers, promotes Docker as a building block for hybrid clouds

Containers -- especially Docker -- are hot properties in IT. It's little wonder Red Hat has elected to ride that wave by producing a variant of its Linux distribution devoted to Docker containers.

Red Hat Enterprise Linux 7 Atomic Host, the latest incarnation of Red Hat's enterprise-grade Linux offering, enters general availability today. One of its stated missions is to "address container security and lifecycle concerns," which have been a focus of Docker's more vocal critics.

RHEL 7 Atomic Host uses an image-based mechanism to obtain and apply updates, as opposed to the more conventional package-management systems used by other Linux distributions. Any changes made through this update mechanism can be rolled back in a single "atomic" step (a term borrowed from the world of transactional databases).

With Atomic Host's approach to Docker containers, Red Hat wants to stand out from other Linux vendors using containers, and from Docker itself, by providing better security.

Two major features in Red Hat's Atomic Host release involve both containers and security. Red Hat claims Atomic Host can deliver "military-grade security out-of-the-box, effectively isolating each container in a multi-container environment," by way of SELinux, cgroups, and kernel namespaces -- a few of the mechanisms Docker uses to provide container isolation.

With "support for superprivileged containers," Red Hat is trying to address some of the security issues that have sparked dissent within the Docker community. Containers sometimes require elevated privileges, but elevating privileges on any object is always fraught with risk. Rather than wait for Docker to develop a solution, Red Hat has provided a special container control system specifically for containers that need elevated privileges.

Red Hat isn't alone in this respect; other vendors that deal in container solutions are adding complementary layers of security around Docker containers. IBM's yet-to-be-released Docker-powered system for hybrid cloud application deployment will allegedly do this using IBM-written open source tools to provide additional management and security for Docker containers.

Red Hat and IBM also share the ambition of providing hybrid cloud solutions and using Docker to manage workloads locally and remotely. Atomic Host talks up "application portability across the open hybrid cloud," although with a broader range of cloud targets than IBM has been promising. Its targets include "certified hypervisors including Red Hat Enterprise Virtualization, VMware, and Microsoft Hyper-V, and on certified public cloud services like Amazon Web Services and Google Cloud Platform." By contrast, IBM is devoted to using Bluemix for the public end of its hybrid cloud.

Red Hat's Atomic Host announcement comes in parallel with the latest release of Red Hat Enterprise Linux itself, version 7.1, although that product's changes are minor compared to what Atomic Host is introducing. RHEL 7.1 provides improvements for environments using Active Directory, adds support for one-time authentication with software and hardware tokens, and upgrades the platform to OpenJDK8 and the latest version of the Docker host.

When Atomic Host first appeared in beta in November, it showed that Red Hat wants to steer RHEL toward containers. Rather than come up with an entirely new platform in the same vein as CoreOS and force Red Hat users to move to it, Red Hat has elected to slowly transform its flagship product into a container-oriented system.

Other major Linux distributions, such as Ubuntu and Suse, have also added container support of one kind or another -- even as IT's uses for containers continue to morph.

Copyright © 2015 IDG Communications, Inc.