What's new in version 2.1.5

Hyper Protect Secure Build

You can build trusted container images by using the Hyper Protect Secure Build, and push the images to the remote container registry. The Hyper Protect Secure Build also creates a signed manifest file for each successful build for audit purposes. For more information, see Building your applications with Hyper Protect Secure Build.

Updated image

You can get the IBM Hyper Protect Container Runtime version 2.1.5 image from Passport Advantage. For more information, see Downloading the IBM Hyper Protect Container Runtime image.

Package update highlights:

The version 2.1.5 image is based on Ubuntu 22.04 instead of 20.04 in previous releases. Linux kernel is now 5.15.0-72.79 from previous release's 5.4.0-144.161. For other packages, the default versions that go with this kernel are included.

Support for customer-managed keys through integration with Hyper Protect Crypto Services

Without the feature, the data volume that you attach to your instance is encrypted automatically with a LUKS passphrase generated by using the two seeds from the workload - volumes and env - volumes sections of the contract.

Starting from 2.1.5, Hyper Protect Virtual Servers support integration with the key management service (KMS) Hyper Protect Crypto Services. You can enable the integration by providing KMS configurations in the contract. Your Hyper Protect Virtual Server instance calls Hyper Protect Crypto Services to generate a random value as the third seed and wrap it with your root key. The wrapped seed is stored in the metadata partition of your data volume. The LUKS passphrase is generated by using three seeds - the seed in the metadata partition (unwrapped first) and the two seeds from the contract.

For more information about how the integration works and detailed instructions, see Securing your data.

Deploying multiple containers

In the workload section, you can define the workload via Pod descriptors. Each pod can contain one or more container definitions. Previously, only one container described by docker compose was supported. For more information about using Pod descriptors, see the play subsection. Container images described by Pod descriptors can be validated by RedHat Simple Signing.

Changes to the attestation document

In the attestation document se-checksums.txt, user-data.decrypted is removed, and Machine Type/Plant/Serial (the information required to identify the host machine) is added. For more information, see Attestation.