Provisioning of HAT container


#1

What is the recommended approach to the provisioning of HAT container (from a security and cost perspective)?

  1. Multiple containers (Dockers) sharing the Linux kernel in a VM (Linux Container - Shared Kernels), or
  2. Single container (Docker) with isolated Linux kernel in a VM (Container per VM - Duplicated Kernels)

Thanks.


#2

hi @laichwang1,

  • Option 2 naturally provides a higher isolation and hence security guarantee, however we feel it would be prohibitively expensive.

  • Option 1 is what HATDeX uses in their infrastructure - multiple Docker containers, one container per HAT. Since HAT is a trusted application itself with code open for review by the community and runs on top of Java virtual machine (JVM) any isolation breaches are extremely unlikely.

One of the main purposes of Docker containers in today’s cloud architectures is the isolation and security it provides when compared to running multiple applications sharing a single Linux host, and we follow the best practices of such deployment.