Containerization

The use of operating system containers, hereafter simply “containers,” is becoming the de facto standard for application deployment. Containers are a different form of process isolation than virtual machines and play a somewhat different role.

Containerization is a class of technology that permits isolation to occur either on physical or virtual machines. Containers do not perform CPU virtualization but rather use the facilities of the operating system kernel to subdivide the machine into containers. Roughly speaking, each container shares a portion of the operating system with the host but has control over its own resources such as filesystems, networking, and memory. Thus, a container has many of the same properties as a real machine but is implemented using the lower overhead of the operating system’s process mechanism instead of CPU emulation, simulation, or virtualization.

Since containers operate within virtual machines and, in effect, inherit many of the properties of a process, they have no special status within the CMS TRA. Containers must be deployed within the CMS TRA Multi-Zone Architecture. A single container may not incorporate more than one zone. Container technology must be hardened like any other technology within the CMS Processing Environment, consistent with the guidance of CMS ARS Security Control CM-6.

Containers are covered in more detail in CMS TRA Application Development, Containers and Microservices.