kran77 - Fotolia
Container infrastructure a silver lining amid Intel CPU flaw fixes
Containers aren't immune to Meltdown and Spectre vulnerabilities, but they could lighten the operational burden of fixes for IT pros.
Container infrastructure can help IT pros deploy updates as they fortify their systems against Meltdown and Spectre CPU vulnerabilities.
Sys admins everywhere must patch operating systems to reduce the effects of the recently discovered Intel CPU flaws, which hackers could exploit to access speculative execution data in virtual and, potentially, to other VMs that share the same host or root access.
However, those who run container infrastructures estimate a milder impact of this additional work than the undertaking for those who must patch VM-based infrastructures, especially manually, to combat Meltdown and Spectre.
"Most of the fixes out so far are kernel patches, and since containers share the kernel, there are fewer kernels to patch," said Nuno Pereira, CTO of IJet International, a risk management company in Annapolis, Md.
VMware has pledged to issue fixes at the hypervisor level, and cloud providers such as Google and Amazon say they've patched their VMs, but it's wise to patch the kernels, as well, Pereira said.
Security best practices dictate containers run with least-privilege access to the underlying operating system and host. That could limit the blast radius should a hacker use the Meltdown and Spectre vulnerabilities to gain access to a container. But experts emphasize that container infrastructure isn't guaranteed immunity to the vulnerabilities, as container-level segmentation alone doesn't fully defend against attacks.
"No one should expect that just a container layer will mitigate the issue," said Fernando Montenegro, an analyst with 451 Research. "This issue highlights that security assumptions we've made in the past have to be revisited."
Ultimately, Intel and other chipmakers, such as AMD, will have to issue hardware- or firmware-level fixes to eliminate the Meltdown and Spectre vulnerabilities. It's not clear what those will be yet, but enterprises with container orchestration in place will have a leg up, as they accommodate those widespread changes.
"Most folks running containers have something like [Apache] Mesos or Kubernetes, and that makes it easy to do rolling upgrades on the infrastructure underneath," said Andy Domeier, director of technology operations at SPS Commerce, a communications network for supply chain and logistics businesses based in Minneapolis. SPS uses Mesos for container orchestration, but it is evaluating Kubernetes, as well.
Containers are often used with immutable infrastructures, which can be stood up and torn down at will and present an ideal means to handle the infrastructure changes on the way, due to these specific Intel CPU flaws or unforeseen future events.
"It really hammers home the case for immutability," said Carmen DeArdo, technology director responsible for the software delivery pipeline at Nationwide Mutual Insurance Co. in Columbus, Ohio.
DevOps performance concerns
Fernando Montenegroanalyst, 451 Research
Infrastructure automation will help, but these vulnerabilities arose from CPU technology that drastically improved performance, with more efficient caching and pre-fetching. This means patches and infrastructure updates to mitigate security risks can slow down system performance.
PostgreSQL benchmark tests in worst-case-scenario situations show OS patches alone may degrade performance by 17% to 23%. Red Hat put out an advisory to customers stating its patches to the Red Hat Enterprise Linux kernel may reduce performance by 8% to 19% on highly cached random .
"For Spectre, my understanding is that you need code changes and/or recompilation of userspace programs themselves to [fully] resolve it, so it is likely to be a long slog," said Michael Bishop, CTO at Alpha Vertex, a York-based fintech startup.
No one knows how future hardware fixes will affect CPU performance, which raises concerns for large enterprises that have grown accustomed to quick system builds in a DevOps continuous integration and delivery process. Reports have started to emerge that the performance change will affect the time it takes to compile programs, which is of particular concern to developers who want to make quick, frequent updates to apps.
"I remember when build jobs would run for hours, and we could go back to a developer mindset of, 'Get things perfect,' if feedback loops start to take too long," Nationwide's DeArdo said. "Eventually, that would impact lead time and productivity."
Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.