What's new in version 2.1.5
Get a quick overview of what's added, changed, improved, or deprecated in this release.
IBM® Hyper Protect Virtual Servers Version 2.1.5 (available 20 June 2023) introduces the following new features and enhancements:
Hyper Protect Secure Build
You can build trusted container images by using the Hyper Protect Secure Build, and push the images to the remote container registry. The Hyper Protect Secure Build also creates a signed manifest file for each successful build for audit purposes. For more information, see Building your applications with Hyper Protect Secure Build.
Updated image
You can get the IBM Hyper Protect Container Runtime version 2.1.5 image from Passport Advantage. For more information, see Downloading the IBM Hyper Protect Container Runtime image.
Package update highlights:
The version 2.1.5 image is based on Ubuntu 22.04 instead of the 20.04 used in previous releases. The Linux kernel is now 5.15.0-72.79, up from 5.4.0-144.161 in the previous release. For other packages, the default versions that go with this kernel are included.
Support for customer-managed keys through integration with Hyper Protect Crypto Services
Without this feature, the data volume that you attach to your instance is encrypted automatically with a LUKS passphrase generated by using two seeds from the contract: the seed in the volumes subsection of the workload section and the seed in the volumes subsection of the env section.
Starting from 2.1.5, Hyper Protect Virtual Servers supports integration with the key management service (KMS) Hyper Protect Crypto Services. You enable the integration by providing the KMS configuration in the contract. Your Hyper Protect Virtual Server instance then calls Hyper Protect Crypto Services to generate a random value as a third seed and to wrap it with your root key. The wrapped seed is stored in the metadata partition of your data volume. The LUKS passphrase is generated from all three seeds: the seed in the metadata partition (unwrapped first through the KMS) and the two seeds from the contract.
For more information about how the integration works and detailed instructions, see Securing your data.
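To make the three-seed flow concrete, the following Python model is an added illustration and not IBM's code: the kms_wrap/kms_unwrap functions are stand-ins for the Hyper Protect Crypto Services wrap and unwrap calls, and the passphrase combiner is a hypothetical one, because this page does not document the real derivation. What it does show is the security property the feature adds: the contract seeds alone no longer yield the LUKS passphrase, since the third seed can only be recovered by unwrapping with the root key.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SEED_LEN = 32  # all seeds in this model are 32 bytes (assumption)


def kms_wrap(root_key: bytes, seed: bytes) -> bytes:
    """Stand-in for the KMS wrap: encrypt-then-MAC under keys derived from the root key."""
    assert len(seed) == SEED_LEN
    nonce = secrets.token_bytes(16)
    enc_key = hashlib.sha256(b"enc|" + root_key).digest()
    mac_key = hashlib.sha256(b"mac|" + root_key).digest()
    keystream = hashlib.sha256(enc_key + nonce).digest()  # 32 bytes, one per seed byte
    ciphertext = bytes(s ^ k for s, k in zip(seed, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def kms_unwrap(root_key: bytes, wrapped: bytes) -> Optional[bytes]:
    """Stand-in for the KMS unwrap; returns None if the root key does not match."""
    nonce, ciphertext, tag = wrapped[:16], wrapped[16:48], wrapped[48:]
    mac_key = hashlib.sha256(b"mac|" + root_key).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = hashlib.sha256(hashlib.sha256(b"enc|" + root_key).digest() + nonce).digest()
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def derive_luks_passphrase(workload_seed: bytes, env_seed: bytes, volume_seed: bytes) -> str:
    """Hypothetical combiner for the three seeds (the real derivation is not on this page)."""
    return hashlib.sha256(b"hpvs-luks|" + workload_seed + b"|" + env_seed + b"|" + volume_seed).hexdigest()


def provision_volume(root_key: bytes, workload_seed: bytes, env_seed: bytes) -> Tuple[dict, str]:
    """First attach: create the third seed, store it wrapped in the metadata partition."""
    volume_seed = secrets.token_bytes(SEED_LEN)
    metadata_partition = {"wrapped_seed": kms_wrap(root_key, volume_seed)}
    return metadata_partition, derive_luks_passphrase(workload_seed, env_seed, volume_seed)


def open_volume(root_key: bytes, metadata_partition: dict, workload_seed: bytes, env_seed: bytes) -> Optional[str]:
    """Later boot: unwrap the stored seed with the root key, then rebuild the passphrase."""
    volume_seed = kms_unwrap(root_key, metadata_partition["wrapped_seed"])
    if volume_seed is None:
        return None  # root key revoked or wrong: the volume stays sealed
    return derive_luks_passphrase(workload_seed, env_seed, volume_seed)
```

Note that revoking or rotating the root key in the KMS makes kms_unwrap fail, which is exactly the lever customer-managed keys give you over an otherwise self-contained data volume.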
Deploying multiple containers
In the workload section, you can define the workload via Pod descriptors. Each pod can contain one or more container definitions. Previously, only one container, described by docker compose, was supported. For more information about using Pod descriptors, see the play subsection. Container images described by Pod descriptors can be validated by Red Hat Simple Signing.
Changes to the attestation document
In the attestation document se-checksums.txt, user-data.decrypted is removed, and Machine Type/Plant/Serial (the information required to identify the host machine) is added. For more information, see Attestation.