Containerise this: RHEL 9.1 is GA, bakes in sigstore, Keylime
The ability to remotely verify the integrity of an OS boot environment? Why thanks, Keylime
Whether containers are an esoteric “future of IT” thing seen from a great distance or a core part of your existing enterprise architecture, they’re here to stay; software providers are increasingly recognising that those working with them need better visibility and security, without having to juggle 1001 different tools to get it.
Red Hat Enterprise Linux 9.1 (GA today) makes some good steps in that direction for customers, baking the software signing service “sigstore” into its native container tools and adding visibility tools; a welcome move that neatly reflects both a broader “shift left” drive and a push by CIOs towards tooling consolidation.
These examples are among the updates to the widely used RHEL, which ships with a focus on meeting the needs of companies that are continuing to adopt a more microservices + containers approach to their architectures, including the Containers-as-a-Service (CaaS) model that’s becoming a popular default for many.
RHEL 9.1 -- What else is new?
New containerised application performance diagnostics via the RHEL web console were also touted with the release. This function aims to help users “understand where hardware bottlenecks exist and what processes or applications are consuming the most resources, even if those processes exist in a container” as Red Hat put it.
(That’s something that many will be doing through dedicated third-party tools.)
RHEL 9.1 also introduces Keylime, an open source tool born in the security lab at MIT, that lets users monitor remote nodes using a hardware-based cryptographic root of trust.
As Red Hat put it in the RHEL 9.1 release notes, Keylime lets users “verify and continuously monitor the integrity of remote systems. You can also specify encrypted payloads that Keylime delivers to the monitored machines, and define automated actions that trigger whenever a system fails the integrity test.”
For RHEL fanbois, all the new features are here.
(Do check “Ensuring system integrity with Keylime” in the RHEL 9 Security hardening document for details.)
Other updates include the ability to push RHEL for Edge container images directly to a container registry after they have been built, using the image builder CLI; a new set of command-line utilities for querying, validating, and editing XML files – a package that gives a simple set of shell commands that you can use in a similar way to UNIX commands for plain text files such as grep, sed, awk, diff, patch, join, and others – and
What’s sigstore again?
sigstore, first released in March 2021, includes a number of signing, verification and provenance techniques that let developers securely sign software artifacts such as release files, container images and binaries, with signatures stored in a tamper-proof public log. As Red Hat puts it, its integration “helps users to sign and verify code signatures using local keys, improving software security stances in hybrid environments.”
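As an added illustration (not code from the article, Red Hat or the sigstore project), this is how a containers policy.json for tools such as podman and skopeo can be tightened from the permissive default to one that only runs images carrying a sigstore signature made with a known local key. The scope resolver is a simplified reading of the policy's "most specific scope wins" rule; the registry name, key path and output path are assumptions.

```python
import json

# Constructed policies: the accept-anything default beside a hardened one
# that rejects everything except sigstore-signed images from one namespace.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}

HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            # assumed registry namespace and public-key path
            "registry.example.com/myorg": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/myorg-sigstore.pub",
                    "signedIdentity": {"type": "matchRepository"},
                }
            ]
        }
    },
}


def candidate_scopes(image_ref):
    """Yield scopes from most to least specific: the full reference, the
    repository, each parent namespace, then the registry host."""
    yield image_ref
    repo = image_ref.split("@", 1)[0]          # drop a digest
    host, _, path = repo.partition("/")
    if ":" in path:                            # drop a tag, keep a host port
        path = path.rsplit(":", 1)[0]
    parts = (f"{host}/{path}" if path else host).split("/")
    for n in range(len(parts), 0, -1):
        yield "/".join(parts[:n])


def resolve_requirements(policy, image_ref, transport="docker"):
    """Return the requirement list the runtime would apply to image_ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image_ref):
        if scope in scopes:
            return scopes[scope]
    return scopes.get("", policy["default"])


def verdict(policy, image_ref):
    """Requirement types demanded before the image may be pulled or run."""
    return [r["type"] for r in resolve_requirements(policy, image_ref)]


def render_policy(policy):
    """JSON text ready to be written to /etc/containers/policy.json (assumed)."""
    return json.dumps(policy, indent=2)
```

With the hardened policy in place, an unsigned pull from the namespace fails the sigstoreSigned check and anything outside it is rejected outright.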
Its integration into RHEL 9.1 comes after Kubernetes standardised on sigstore (as reported by The Stack here). Kubernetes 1.24 — released May 3 — and all releases thereafter will include cryptographically signed sigstore certificates, giving its developer community the ability to verify signatures and “have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle and container image”.
RHEL 9.1’s focus is to “add and refine capabilities for a wide range of enterprise IT needs, from helping to streamline complex infrastructure environments to improving the security stance of containerized applications” said Red Hat – pointing to Forrester’s prediction for 2023 that “forty percent of firms will take a cloud-native-first strategy” and that “rather than plow resources into VMs, organizations will accelerate investment in Kubernetes as a distributed compute backbone for current applications as well as new workloads that can run more efficiently in K8s environments in a range of technology domains…”