F3.3 Contain Challenges Flashcards

1
Q

What is one aspect VMs are better than Containers?

A

VMs are more secure

2
Q

Are containers or VMs more suitable for micro-services, why?

A

Containers. They are lightweight and do NOT require a full OS image for each copy like VMs do

3
Q

What are some threats that containers can come across?

A
  • Applications inside containers taking control over the container
  • Containers taking over other containers
  • Containers taking over the host

4
Q

____ perform the job of isolating and virtualizing system resources for a collection of processes. _____ can solve the ‘inter-container protection’ and ‘protecting the host from containers’ security issues

A

Linux kernel features
- Namespaces

5
Q

_____ are Linux features that control the accountability and limitation of resource usage. _____ solve ‘inter-container protection’ and ‘protecting the host from containers’ security issues

A

Linux kernel features
- CGroups

6
Q

______ are Linux features that turn the root and non-root dichotomy into fine-grained access control. That dichotomy poses a great danger because an attacker who obtains root will be able to control the entire system. Using ______, containers will not need to have full root privilege

A

Linux kernel features
- Capabilities

7
Q

_____ is a Linux kernel feature that filters system calls to the kernel. ______ is more fine-grained than capabilities since different _______ profiles can be applied to different filters. This helps reduce the number of system calls coming from containers

A

Linux kernel features
- Seccomp (Secure Computation Mode)

8
Q

____ allow a wide variety of security models to be implemented on the Linux kernel. This means that a user can select the preferred implementation rather than being forced to use the one that came with the OS.

A

Software-based solutions
- Linux security modules (LSMs)

9
Q

____ seamlessly protects containers from the underlying layers (e.g., cloud provider or host machine).

A

Hardware-based solutions
- Intel SGX

10
Q

_____ exploits the out-of-order execution in modern processors to extract information about the OS and other containers

A

Meltdown

11
Q

____ is another serious threat to containers, as it tricks other applications into accessing arbitrary locations in their memory

A

Spectre

12
Q

Researchers showed that _____ contain many high-risk vulnerabilities (30% to 90%), indicating a real issue with such images.

A

Docker images

13
Q

As we have seen earlier, many of the security issues in containers arise from using unverified images. For example, Docker's default installation does not check image authenticity.
Notary can be used to verify the authenticity of Docker images; it is, however, a centralized solution.

What could be a solution?

A

A better solution is to use decentralized verification, which could be done using BLOCKCHAIN

14
Q

A _____________ is part of the architecture that is used to orchestrate multiple container-based applications on heterogeneous computing nodes

A

Container Scheduler

15
Q

There are two distinct types of container placement approaches; explain them.

A
  • Queuing: The queuing approach can be abstracted as a FIRST-IN-FIRST-OUT or priority-based method, where the container placement decision is made on a container-by-container basis.
  • Concurrent: Computing requests are first shared, and then the placement decision is made.

16
Q

What are 3 reasons to migrate a container?

A
  • An end device/user has changed location,
  • To balance the workload within the cluster of edge nodes, or
  • An edge node can suddenly become unavailable, such as an unexpected shutdown, and a running application needs to be migrated to continue an already started computation.

17
Q

What are the two types of container migration?

A

Cold and Warm

18
Q

Explain Cold container migration

A

The container(s) and base images are together transferred to another node in a SINGLE-STEP process

19
Q

What is container migration?

A

Relocating an already running service to another edge node

20
Q

Explain Warm container migration

A

Images are first replicated on the target node ahead of the migration in a timely manner. Afterward, the running applications are frozen, saved on the source node disk, and then offloaded to the target node on top of the already deployed images, making a MULTI-STEP process

21
Q

The container placement and migration problem in edge computing can be modeled using ______________, as it consists of a set of decision variables, decision constraints, objective functions, and model assumptions

A

Optimization Modeling

22
Q

The _______ problem exists when there are more container applications than the edge node CPU capacity can accommodate

A

Knapsack

23
Q

Container placement can be viewed as a queuing system where containers are queued or buffered before placement.
- This type of system can be modeled using the queuing-aware ______ optimization framework.
- The ______ optimization framework has proven to be useful when dealing with NETWORK QUEUES.
- The state of a system at an instant in time can be described using a non-negative multidimensional function called a ______ function. The function is defined in such a way that it grows when the system moves towards undesirable and unstable states.

A

Lyapunov

24
Q

What kind of algorithm does the Kubernetes scheduler use?

A

Greedy

25
Q

  • _________ refers to an approach that seeks an optimal or near-optimal solution as quickly as possible but does not guarantee that it is the most optimal.
  • ______ algorithms help balance the trade-off between the time complexity of computation and accuracy.

A

Heuristic