Technology at a glance
IBM Secure Service Container for IBM Cloud Private is a software offering built on the IBM Secure Service Container framework, and you can run IBM Cloud Private workloads on a secure platform on IBM Z and LinuxONE.
Secure Service Container for IBM Cloud Private provides an encrypted environment (data at rest, data in flight), with peer to peer and peer to host isolation protecting container applications from access via Hardware and Operating System admin credentials, whether access is accidental or malicious, internal or external to an organization.
Secure Service Container for IBM Cloud Private provides these protections while integrating with IBM Cloud Private, a Platform as a Service (PaaS) management stack that delivers rapid innovation and application modernization, investment leverage, enterprise integration, as well as management and compliance to containerized applications.
Figure 1. IBM Secure Service Container for IBM Cloud Private - Full-stack Solution
IBM Secure Service Container
IBM Secure Service Container provides the infrastructure to combine an operating system, middleware, application components together in a single software image. When the software image is deployed on a Secure Service Container partition, it can exploit certain security capabilities in the underlying infrastructure of IBM Z or LinuxONE servers.
By focusing on ease of management, ease of deployment, and security, the Secure Service Container is delivered in a virtual software appliance form factor, which can also isolate the running workload and deliver protections around the access of the environment.
The Secure Service Container is a general framework and serves as the service layer by integrating with IBM Cloud Private to manage the workloads deployed in the IBM Cloud Private.
In the Secure Service Container, a specialized Docker runtime environment called
runq is used to spawn a dedicated
qemu virtual machine (VM) for each instantiated Docker image. This Docker runtime also provides for each
qemu VMs a dedicated guest operating system (OS) kernel.
All these components are packaged together as a software appliance, and can be deployed on a partition of an IBM Z and LinuxONE server in a single step.
Figure 2. IBM Secure Service Container for IBM Cloud Private - Docker Enablement