Securely deploy containers to production

An overview of Apcera containers

Published April 2016

To create and secure containers, Apcera leverages a combination of Linux kernel namespaces and cgroups for process control (CPU, memory, user isolation), mount namespaces and chroot-ing of the process for file-system isolation, user namespaces for hardware isolation, and a combination of network namespaces and iptables rules (on the host side) for controlling network ingress and egress to the container.
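The following is an added example, not Apcera's own code, that builds a minimal sandbox from the same kernel primitives the paragraph lists: user, PID, mount and network namespaces via clone(2), followed by a chroot(2) into a caller-supplied empty directory; the child verifies that the isolation is actually observable. The function name run_isolated and the temporary root directory are assumptions for illustration; cgroup limits and host-side iptables rules are not shown.

```c
/* Added example (not Apcera's code): sandbox from user, PID, mount and
 * network namespaces plus chroot. Unprivileged user namespaces must be
 * enabled on the host for this to run as a normal user. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

#define STACK_SIZE (1024 * 1024)

/* Runs inside the new namespaces; returns 0 only if isolation is observable. */
static int child_main(void *arg) {
    const char *root = arg;
    /* Fresh mount namespace: make propagation private so nothing leaks to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return 2;
    /* File-system isolation: pivot into the empty root (hypothetical path). */
    if (chroot(root) != 0 || chdir("/") != 0) return 3;
    /* PID namespace: the first process in it must see itself as PID 1. */
    if (getpid() != 1) return 4;
    /* The host's /etc/passwd must no longer be reachable. */
    if (access("/etc/passwd", F_OK) == 0) return 5;
    return 0;
}

/* Returns the child's exit code, or -1 if the kernel refused the namespaces
 * (e.g. user namespaces disabled), so "not permitted here" is distinguishable
 * from "isolation broken". */
int run_isolated(const char *root) {
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;
    pid_t pid = clone(child_main, stack + STACK_SIZE, flags, (void *)root);
    if (pid < 0) { free(stack); return -1; }
    int status = 0;
    waitpid(pid, &status, 0);
    free(stack);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Creates a throwaway empty root, runs the sandbox, and cleans up. */
int demo_run(void) {
    char tmpl[] = "/tmp/sandbox-rootXXXXXX";   /* constructed temp path */
    if (!mkdtemp(tmpl)) return -1;
    int rc = run_isolated(tmpl);
    rmdir(tmpl);
    return rc;
}

int main(void) {
    int rc = demo_run();
    printf("isolation check: %s (rc=%d)\n", rc == 0 ? "ok" : "unavailable or broken", rc);
    return rc == 0 ? 0 : 1;
}
```

A return code of 2 to 5 pinpoints which isolation step failed, which is the check a defender wants before trusting a container boundary on a given host.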

Apcera offers a platform that takes on this challenge across public and private infrastructures. Not only does it handle a diverse set of workloads hosted on- and off-prem in private and public clouds, but it does so with a policy engine at its core. This lets a network operations group set policies that control network access to, from, and within the system while still allowing users to configure the connectivity they need without any manual intervention. The platform does this independently of where applications are actually run and handles the intricacies of keeping network traffic flowing even when workloads fail. This paper discusses the features of the platform that make this possible.