What is IBM Hyper Protect Virtual Servers?

IBM Hyper Protect Virtual Servers provides a secure virtualized infrastructure for private cloud deployments - protecting the entire lifecycle of critical Linux workloads during their build, deployment and management.

As an application developer or ISV, how can I benefit from IBM Hyper Protect Virtual Servers?

Application developers and ISVs can securely build applications with integrity.

As a cloud administrator or system administrator, how can I benefit from IBM Hyper Protect Virtual Servers?

Cloud administrators or system administrators can help manage their layer of the IT infrastructure without having access to the higher level applications and sensitive data.

As a solution end-user, how can I benefit from IBM Hyper Protect Virtual Servers?

Solution end-users can ensure the provenance of the applications being deployed by validating that applications originate from a trusted source.

What is Secure Service Container Framework?

Secure Service Container framework provides the base infrastructure for an integration of operating system, middleware, and software components into an appliance with extra security. In addition to extra security based on the runq container environment, the host operating system itself is also extremely secure. The Secure Service Container framework works autonomously and provides core services and infrastructure focusing on consumability and security.

What is a hosting appliance?

A hosting appliance is a software appliance built with the Secure Service Container Framework, and adds the capability to securely run containerized workloads.

What is a software appliance?

A software appliance is an integrated software containing an operating system, libraries, and so on to fulfill a single purpose, which can be installed as an appliance image on IBM Z or LinuxONE servers.

Can I deploy an application as is or is containerizing my application required to use IBM Hyper Protect Virtual Servers?

As long as your applications are developed based on Open Container Initiative (OCI) specification, you can use them in IBM Hyper Protect Virtual Servers.

Can I use my own private key to sign the images for the Docker Content Trust?

Yes. You can either use the docker trust key generate command to generate the signing key pair, or use the docker trust key load command to load an existing key for signing. However, passing in an existing key pair would invalidate the Secure Build concept as the private trust key exists(existed) outside of the Secure Build, and therefore someone else could use that key to push a bad image to the same docker repo.

What happens when I run the docker push command against a DCT-enabled repository?

The docker push command establishes trust at the time the first push to the docker repo is done. The command uses DOCKER_CONTENT_TRUST environment variables to determine where to establish the trust with.

Where is the Secure Build container?

The Secure Build container is created on the hosting appliance when you run the securebuild create command.

When is the docker repo key pair generated?

The docker repo key pair is generated on the first build when the docker push command is executed.

What are manifest signing keys?

The manifest signing keys are generated inside the Secure Build server container on first creation of a manifest by a Secure Build instance. It then uses gpg to sign the manifest tar file and will optionally push that signed tar to an external Cloud Object Store. The manifest and public key to validate the signature can also be retrieved from the Secure Build using the cli.

Can the Secure Build server container be used to build an existing docker image on the Docker Hub?

Yes. The newly built image must have a new name so that DCT can be established by the Secure Build server container.