Secure Docker and Applications 1.2

Docker

VeeaHubs run applications that are based on the open containerd format. The most well-known example of containerd is Docker. If you are not familiar with Docker, there are many tutorials, such as https://docker-curriculum.com/.

Secure Docker

The Veea implementation of Docker, known as Secure Docker, enforces a secure environment. Veea uses enterprise-level cryptography to protect the integrity of applications.

The security restrictions will:

  • Use developer credentials (licenses) to create signed applications.

  • Ensure application integrity.

  • Ensure that applications are only run in the ways intended by the application developer.

  • Ensure that applications share only the data that is intended to be shared (including running processes, environment, data stored on disk, and networked data).

  • Block unauthorized access to the applications.

The security restrictions will not:

  • Prevent reasonable operation of applications.

  • Prevent authorized access to devices and services.

  • Prevent a developer from debugging applications.

Part of the security model on the VeeaHub is a system of licenses. These licenses are provided by Veea for specific purposes, and relate to:

  • Permissions for device and service access.

  • Permissions for elevated execution privileges and capabilities.

Annotated Dockerfile

Secure Docker uses Labels to annotate both the Dockerfile and the generated image. This allows extra information to be embedded in the image without breaking backwards compatibility with the existing Docker image format. This Dockerfile with labels is referred to as an Annotated Dockerfile.

For example:

# Annotation labels embedded in the image; $ARCH is expanded from a build ARG
LABEL com.veea.vhc.architecture="$ARCH"
LABEL com.veea.vhc.version="1.0.0"
LABEL com.veea.vhc.app.name="vh_golang_web"
LABEL com.veea.vhc.app.version="1.0.0"
LABEL com.veea.vhc.config.proj.version="3"
LABEL com.veea.vhc.config.user.version="3"

These label details are discussed in the sections on configuring, building, and running images.
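As an added example (not Veea's code and not part of the vhc tool), the following Python check reads the Labels block from `docker inspect` output and reports any com.veea.vhc.* label that is missing or malformed before an image is sideloaded; the required-label list and the value formats are assumptions taken from the sample Dockerfile above, not Veea's published validation rules.

```python
import json
import re

VHC = "com.veea.vhc."
SEMVER = re.compile(r"^\d+\.\d+\.\d+$")   # e.g. "1.0.0" (assumed format)
INTEGER = re.compile(r"^\d+$")            # e.g. "3" for config.*.version
RULES = {                                 # label suffix -> value check
    # reject an empty or unexpanded build-arg placeholder such as "$ARCH"
    "architecture": lambda v: bool(v) and not v.startswith("$"),
    "version": SEMVER.match,
    "app.name": lambda v: bool(v.strip()),
    "app.version": SEMVER.match,
    "config.proj.version": INTEGER.match,
    "config.user.version": INTEGER.match,
}

def labels_from_inspect(inspect_json):
    """Extract Config.Labels from the JSON array that `docker inspect` prints."""
    return json.loads(inspect_json)[0]["Config"].get("Labels") or {}

def check_vhc_labels(labels):
    """Return a list of problems; an empty list means the labels pass."""
    problems = []
    for suffix, ok in RULES.items():
        key = VHC + suffix
        if key not in labels:
            problems.append(f"missing label {key}")
        elif not ok(labels[key]):
            problems.append(f"bad value for {key}: {labels[key]!r}")
    return problems

# Constructed sample of `docker inspect` output, trimmed to the fields used.
GOOD_INSPECT = json.dumps([{"Config": {"Labels": {
    "com.veea.vhc.architecture": "arm64",
    "com.veea.vhc.version": "1.0.0",
    "com.veea.vhc.app.name": "vh_golang_web",
    "com.veea.vhc.app.version": "1.0.0",
    "com.veea.vhc.config.proj.version": "3",
    "com.veea.vhc.config.user.version": "3",
}}}])
# Constructed failure case: unexpanded ARG, non-semver version, dropped label.
BAD_LABELS = dict(labels_from_inspect(GOOD_INSPECT),
                  **{"com.veea.vhc.architecture": "$ARCH",
                     "com.veea.vhc.app.version": "1.0"})
del BAD_LABELS["com.veea.vhc.config.user.version"]

if __name__ == "__main__":
    print(check_vhc_labels(labels_from_inspect(GOOD_INSPECT)) or "labels ok")
    print(check_vhc_labels(BAD_LABELS))
```

To run it against a real image, feed the check the output of `docker inspect <image>` instead of GOOD_INSPECT.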

Universally Unique Identifiers

Veea relies on Universally Unique Identifiers (UUID) to uniquely identify Partners and Images. Each signed image must have a UUID that uniquely identifies it in the Veea Cloud.

Applications

Veea has created the concept of an Application. An Application is a bundle of one or more images along with signed meta-data that can be used to authenticate and control the instantiation of those images on a VeeaHub.

Docker Swarm

Veea uses Docker Swarm to orchestrate applications across a Veea Mesh (vMesh). All images in an application bundle have an associated service file, which is used to control:

  • Which nodes in the mesh can run the image (MEN and/or MN).

  • The mapping of host port to container port for all exposed ports.

Image Release Archives

An Image Release Archive is a Veea-specific enhanced Image Archive file that has the Swarm service file, plus signed meta-data that can be used to authenticate the image.

Application Release Archives

An Application Release Archive is a combination of one or more Image Release Archives that can be deployed as a single entity.

Devices and Services

Applications running on a VeeaHub can access many of the devices and services that are made available by the Veea Middleware and Secure Docker. Access is controlled via feature licenses, which are described in the Veea Partner Overview.

Sideloading

The VHC tool is used to build an Image that can be saved as an Image Archive and then uploaded to a VeeaHub via Sideloading.

Sideloading refers to the act of uploading a Docker image archive to a development VeeaHub using vhc for the purpose of testing it. It’s the same term that is used by smartphone application developers where it refers to loading development images using Eclipse for Android phones or XCode for iPhones.