Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: A computer-implemented method of providing security for a software container according to an example of the present disclosure includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.

Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Abstract: A computer-implemented method of providing security for a software container according to an example of the present disclosure includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.

Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Abstract: A computer-implemented method of providing security for a software container according to an example of the present disclosure includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.

Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.

Abstract: According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.