Technology at a glance

IBM Hyper Protect Virtual Servers is a software solution built on the IBM Secure Service Container framework, which enables users to run containerized Linux workloads in the secure virtual server containers on IBM Z and LinuxONE.

IBM Hyper Protect Virtual Servers provides an encrypted environment (data at rest, data in flight), with peer-to-peer and peer-to-host isolation protecting container applications from access via privileged credentials, whether that access is accidental or malicious, internal or external to an organization.

IBM Hyper Protect Virtual Servers ensures your applications can be deployed and managed from trusted sources without the infrastructure team being able to access the data, secrets or application.

IBM Secure Service Container

IBM Secure Service Container is a software appliance infrastructure that combines an operating system, middleware, and application components into a single software image. Software images deployed to a Secure Service Container partition can exploit the underlying security capabilities of the IBM Z and LinuxONE infrastructure.

By focusing on ease of management, ease of deployment, and security, the Secure Service Container is delivered in a virtual software appliance form factor, which can also isolate the running workload and deliver protections around access to the environment.

In the Secure Service Container, a specialized Docker runtime environment called runq spawns a dedicated qemu virtual server (VS) instance for each Docker image. Each qemu virtual server carries its own guest operating system (OS) kernel, and during deployment the runtime environment for the workload is set up inside it.

All these components are packaged together as the hosting appliance, and can be deployed on a partition of an IBM Z and LinuxONE server in a single step.

IBM Hyper Protect Virtual Servers - Architecture

Figure 1. IBM Secure Service Container framework - Docker Enablement