From Kernel to Cloud: Open Source Takes On Security Trade-Offs

Recent developments — including hardened Linux distributions, live patching for government-grade systems, container image hardening, and hypervisor-level isolation — reflect a broader industry push to meet rising compliance demands without sacrificing uptime.

Specialized live patching services for government-grade Linux distributions, combined with hardened containers and hypervisor-based isolation, demonstrate how open-source security is evolving rapidly in response to the increasing scrutiny of software supply chains, particularly from the U.S. Department of Defense.

On June 5, TuxCare made headlines by extending its KernelCare service for enterprise AlmaLinux editions 9.2 through 9.6, uniquely positioning this distribution as the sole FIPS 140-3 validated distribution capable of years of rebootless patching. This critical enhancement enables organizations, particularly those providing cloud services to U.S. government agencies under FedRAMP, to achieve continuous uptime and meet stringent security requirements without the operational burden of frequent reboots.

Other live patching tools only delay the inevitable reboot. TuxCare's solution eliminates reboots while offering up to 100% vulnerability coverage in stark contrast to the typical 5-10% patched by alternative solutions.

FIPS is a set of standards developed by the National Institute of Standards and Technology (NIST) to ensure secure, interoperable systems across the U.S. federal government.

FedRAMP-Ready Security for AlmaLinux

The company has also recently announced its new TuxCare FedRAMP Bundle for AlmaLinux, providing a streamlined path toward meeting stringent compliance requirements. It eliminates the hurdles associated with FedRAMP’s strict security, cryptography, and reporting standards.

“This new KernelCare service for AlmaLinux is TuxCare’s latest step in ensuring that enterprise-grade reliability and security are continually available for the growing number of AlmaLinux users,” Michael Canavan, chief revenue officer at TuxCare, told LinuxInsider. “We’re pleased to bring a rock-solid path for compliance and performance to the AlmaLinux community.”

AlmaLinux has gained traction in enterprise circles since it emerged in early 2021 as a direct response to Red Hat's decision to shift CentOS Linux from a stable, downstream rebuild of Red Hat Enterprise Linux (RHEL) to CentOS Stream, an upstream rolling release. Many users needed a free, stable, and RHEL-compatible alternative for production environments.

Canavan noted that TuxCare ensures a secure and straightforward upgrade path to strengthen deployments via its painless and highly cost-effective, pre-certified AlmaLinux FIPS packages.

AlmaLinux 9.6 Release Highlights

Close behind TuxCare's latest announcement, the AlmaLinux OS Foundation released version 9.6 of AlmaLinux, codenamed SageMargay, available here. According to Andrew Lukoshko, lead architect at AlmaLinux, the release was a result of improved development testing, increased build speeds, and minimal changes between beta and stable releases.

AlmaLinux emerged as a replacement for CentOS after Red Hat ended its original downstream development path. Organizations that had relied on CentOS for long-term RHEL compatibility without the cost of a Red Hat subscription needed a free, stable alternative.

It offers enhanced performance, expanded development tools, and improved security. Updated module streams enhance support for web applications, and new compiler versions introduce optimizations for improved performance, according to Benny Vasquez, chair of the AlmaLinux OS Foundation. It also updates elfutils, Valgrind, SystemTap, and PCP, improving system debugging and performance monitoring.

A second option to avoid the RHEL and CentOS directional shifts is a more secure release of an existing enterprise-class Linux distribution. Rocky Linux, by CIQ, has emerged as a significant player in the enterprise Linux circles.

Earlier this year, CIQ announced the technical preview of Rocky Linux - Hardened (RLC-H), optimized for environments with stringent security requirements. This hardened version of Rocky Linux is now available. CIQ still supports several non-hardened Rocky Linux versions for more general use.

Virtualization and Debugging Enhancements

AlmaLinux OS 9.6 includes a tech preview of KVM virtualization support for the IBM Power architecture. Although it has been unavailable upstream since version 9.0, it is fundamental for several AlmaLinux users, including the Oregon State University Open Source Lab, which submitted the RFC to the AlmaLinux Engineering Steering Committee for consideration in February.

The new release includes networking improvements with updated versions of NetworkManager and iproute. Security updates include new SELinux policy and SSSD versions. Containerization and virtualization have updated Podman, Buildah, libvirt, and QEMU-KVM. Additionally, the new snpguest and snphost packages enhance virtualization capabilities.

"AlmaLinux 9.6 marks another milestone release as the enterprise open-source Linux distro continues to deliver AlmaLinux using the same upstream that Red Hat uses to build Red Hat Enterprise Linux," Vasquez told LinuxInsider. The distro matches release and software versions with RHEL and builds from the same sources as RHEL, ensuring complete compatibility.

RLC-H enhances standard Rocky Linux to meet key security and general enterprise requirements. Hardened features include beefed-up packages with validation, additional security tools, proactive security, and customizable security controls.

WizOS: Hardened Alternative to Cloud Platforms

In the open-source cloud security space, security platform Wiz is developing key innovations with WizOS, an APK-based distribution that is a glibc-based fork of Alpine, similar to Bellsoft’s Alpaquita. The May release focuses on enhancing cloud security from the ground up. WizOS provides container-based images with hardened, minimal, and near-zero CVE (Common Vulnerabilities and Exposures).

The new cloud OS offers a hardened, minimal, and near-zero-CVE container image that reduces the attack surface and streamlines development — making it a secure, efficient foundation for containerized applications. Unlike traditional platforms such as AWS or Azure, WizOS is a distribution, not an infrastructure provider, giving it a distinct position in the cloud security landscape.

It represents a fundamental shift to the left for container security, thanks to its proactive versus reactive nature. Its hardened design includes stricter security guardrails.

Like Alpine Linux's small footprint, WizOS employs more stringent security controls and a rigorous build pipeline, leveraging glibc's ability to support a broader range of applications without compromising its minimal nature. All internal components are sourced from open-source code, with signing and tracking that ensure transparency and traceability to enhance supply chain security.

Edera Boosts Container Isolation Security

Edera recently launched its first live demo environment for cloud container users at the KubeCon + CloudNativeCon Europe gathering. The portal allows users to interact directly with Edera Protect, test its functionality, and observe how hypervisor technology works.

The developers conducted a benchmark report that counters the premise that container security often comes at the expense of performance. The results challenge this assumption by providing strong workload isolation through a container-native hypervisor that assigns each container its own kernel, while maintaining performance comparable to that of native containers.

Edera tested comparative benchmarks on an Optimistic Virtual Machine (OVM) with hardware virtualization extensions. Benchmarks were run five times per platform in identical environments, with average values reported.

The comparison included Docker with runc, Edera Protect's hypervisor-based isolation solution, Google's userspace kernel container runtime gVisor, Kata Containers with Dragonball/KVM hypervisor, and Firecracker (using firecracker-containerd runtime on Firecracker/KVM).

The results show:

• Docker and Edera Protect deliver nearly identical performance
• Kata Containers follows closely behind
• gVisor shows moderate performance degradation
• Firecracker demonstrates significant performance limitations, likely due to thread utilization issues

According to Edera, the negligible difference between Edera and Docker (less than 1%) confirms that Edera's isolation approach adds virtually no computational overhead.

Edera stated that its container-native hypervisor validates its architectural approach, which provides strong isolation between containers while leveraging hardware virtualization extensions to maintain optimal performance. With Edera Protect, organizations no longer have to choose between security and performance.