SlideShare uma empresa Scribd logo

Rootless Containers

A
Akihiro Suda

In this talk we will discuss how to build and run containers without root privileges. As part of the discussion, we will introduce new programs like fuse-overlayfs and slirp4netns and explain how it is possible to do this using user namespaces. fuse-overlayfs allows to use the same storage model as "root" containers and use layered images. slirp4netns emulates a TCP/IP stack in userland and allows to use a network namespace from a container and let it access the outside world (with some limitations). We will also introduce Usernetes, and how to run Kubernetes in an unprivileged user namespace https://sched.co/Jcgg

Software
1 de 54
Baixar para ler offline
Rootless Containers Giuseppe Scrivano / Red Hat (@gscrivano) Akihiro Suda / NTT (@_AkihiroSuda_) DevConf.CZ (Jan 25, 2019) 1
Who are we? Akihiro Suda • Software Engineer at NTT (the largest telco in Japan) • Maintainer of Moby (former Docker Engine), BuildKit, containerd, and etc... Giuseppe Scrivano • Software Engineer at Red Hat • Works on Podman, Buildah, CRI-O 2
Demo: “Usernetes” Kubernetes as a non-root user 3
Introduction 4
Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running containers as an unprivileged user • Also entails running container runtimes and orchestrators as an unprivileged user 5
Don’t confuse with.. • docker run --user foo – Executes the process in the container as a non-root – dockerd, containerd, and runc still running as the root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 6
Don’t confuse with.. • usermod -aG docker foo – Allows a non-root user to connect to /var/run/docker.sock – Equivalent to allow the user to gain the root! (docker run --privileged -v /:/host …) • sudo docker or chmod +s dockerd – Nope! 7
Don’t confuse with.. • dockerd --userns-remap – Execute containers as a non-root user (dockremap), using user namespaces • Inside the containers, dockremap can behave as if it were the root – Most similar to Rootless Containers, but still requires dockerd, containerd, and runc to run as the root 8
Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes and orchestrator (the primary motivation) • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers, e.g. “Docker-in-Docker” 9
Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 10
Runtime vulnerabilities • runc #1962 (2019, found by Akihiro, analyzed and fixed by Giuseppe) – A malicious container could gain the write access to /proc and /sys when the host root filesystem is initrd (DOCKER_RAMDISK) • Results in arbitrary command execution as the root on the host, via /proc/sys/kernel/core_pattern or /sys/kernel/uevent_helper – Minikube is known to be affected (fixed in v0.33.1) 11 $ kubectl run -it --image busybox foo # unshare -mrfp # mount -t proc none /proc
Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 12
Play-with-Docker.com vulnerability • Play-with-Docker.com: Online Docker playground, implemented using Docker-in-Docker with custom AppArmor profiles • Malicious kernel module was loadable due to AppArmor misconfiguration (revealed on Jan 14, 2019) – Not really an issue of Docker 13https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/
Caveat: Not a panacea • Although Rootless Containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 14
Implementation details 15
User Namespaces • The key component of rootless containers. – Map UIDs/GIDs in the guest to different UIDs/GIDs on the host. – Unprivileged users can have (limited) root inside a user namespace! • Root in a user namespace has UID 0 and full capabilities, but obvious restrictions apply. – Inaccessible files, inserting kernel modules, rebooting, ... 16
User Namespaces • To allow multi-user mappings, shadow-utils provides newuidmap and newgidmap (packaged by most distributions). – SETUID binaries writing mappings configured in /etc/sub[ug]id /etc/subuid: 1000:420000:65536 /proc/42/uid_map: 0 1000 1 1 420000 65536 Provided by the admin (real root) User can configure map UIDs after unsharing a user namespace 17
User Namespaces Problems: • SETUID binary can be dangerous – newuidmap & newgidmap had two CVEs so far: • CVE-2016-6252 (CVSS v3: 7.8): integer overflow issue • CVE-2018-7169 (CVSS v3: 5.3): supplementary GID issue • Hard to maintain subuid & subgid – Having 65536 sub-IDs should be ok for most cases, but to allow nesting user namespaces, an enormous number of sub-IDs would be needed • Potential sub-ID starvation 18
User Namespaces Alternative way: Single-mapping mode • Single-mapping mode does not require newuidmap/newgidmap • There is only one UID/GID available in the container Limit the privileges of newuidmap/newgidmap • Install them using file capabilities rather than SETUID bit – Only CAP_SETUID and CAP_SETGID are needed 19
Network Namespaces • An unprivileged user can create network namespaces along with user namespaces • With network namespaces, the user can – create iptables rules – isolate abstract (pathless) UNIX sockets – set up overlay networking with VXLAN – run tcpdump – ... 20
Network Namespaces • But an unprivileged user cannot set up veth pairs across the host and namespaces, i.e. No internet connection 21 The Internet Host UserNS + NetNS
Network Namespaces Prior work: LXC uses SETUID binary (lxc-user-nic) for setting up the veth pair across the the host and containers Problem: SETUID binary can be dangerous! • CVE-2017-5985 (CVSS v3: 3.3): netns privilege escalation • CVE-2018-6556 (CVSS v3: 3.3): arbitrary file open(2) 22
Network Namespaces Our approach: use completely unprivileged usermode network (“Slirp”) with a TAP device TAP “Slirp” TAPFD send fd as SCM_RIGHTS cmsg via an UNIX socket The Internet Host UserNS + NetNS
Network Namespaces Benchmark of several “Slirp” implementations: • slirp4netns (our own implementation based on QEMU Slirp) is the fastest because it avoids copying packets across the namespaces MTU=1500 MTU=4000 MTU=16384 MTU=65520 vde_plug 763 Mbps Unsupported Unsupported Unsupported VPNKit 514 Mbps 526 Mbps 540 Mbps Unsupported slirp4netns 1.07 Gbps 2.78 Gbps 4.55 Gbps 9.21 Gbps cf. rootful veth 52.1 Gbps 45.4 Gbps 43.6 Gbps 51.5 Gbps Benchmark: iperf3 (netns -> host), measured on Travis CI. See rootless-containers/rootlesskit#12 24
Port forwarding • Usermode port forwarder (inbound connection) can be implemented independently of Slirp (outbound connection) • slirp4netns: 7.01 Gbps (still has extra packet copy) • socat+nsenter: 9.64 Gbps • Our WIP implementation with SCM_RIGHTS optimization: 28.5 Gbps (still flaky) 25 https://github.com/rootless-containers/rootlesskit/pull/33#issuecomment-448992291 https://github.com/rootless-containers/slirp4netns/pull/29#issuecomment-449626896
Multi-node networking • Flannel VXLAN is known to work – Encapsulates Ethernet packets in UDP packets – Provides L2 connectivity across rootless containers on different nodes • Other protocols should work as well, except ones that require access to raw Ethernet 26
Root Filesystems Your container root filesystem has to live somewhere. Many filesystem features used by “rootful” container runtimes aren’t available. • Ubuntu allows overlayfs in a user namespace, but this isn't supported upstream (due to security concerns). • Btrfs allows unprivileged subvolume management, but requires privileges to set it up beforehand. • Devicemapper is completely locked away from us. 27
Root Filesystems A “simple” work-around is to just extract images to a directory! • It works … but people want storage deduplication. Alternatives: • Reflinks to a "known good" extracted image (inode exhaustion). – (Can use on XFS, btrfs, ... but not ext4.) • Unprivileged userspace overlayfs using FUSE (Kernel 4.18+). 28
fuse-overlayfs ● Overlayfs implementation using FUSE ● Layers deduplication as for root containers ● Fast setup for a new container ● Built-in support for shifting UIDs/GIDs ● Adds complexity ● Temporary solution until unprivileged users can safely use overlay 29
fuse-overlayfs UIDs/GIDs shifting ● When creating a user namespace, we must ensure proper ownership of the files in the RO layers. ● the file system “lies” about the owner, so that it has the correct UID/GID in the user namespace and the same layer on disk can be used by different user namespaces. ● Less expensive alternative to cp -r and chown’ing the entire image and layers. 30
cgroups /sys/fs/cgroup is a roadblock to many features we want in rootless containers (accounting, pause and resume, even getting a list of PIDs!). • By default completely owned by root (and managed by systemd). Some workarounds: • LXC’s pam_cgfs requires installation of a PAM module (and only works for logged-in users). It needs to be used carefully as it gives cgroupv1 write access to unprivileged users. • cgroup namespaces (with nsdelegate) only work in cgroupv2. 31
Current adoption status: Runtimes 32
runc • Supports rootless mode since 1.0.0-rc4 (merged March 2017). • Since 1.0.0-rc5 (Feb 2018): – /sys/fs/cgroup can be used if they are set up to be writable. – Multi-user mappings are supported if they are set up with /etc/sub[ug]id. 33
• Podman, daemonless alternative to Docker: – Uses slirp4netns – Uses fuse-overlayfs – rootless storage under the user home directory – No CLI differences between root and rootless mode 34
Podman containers • When running directly a container, each container runs in its own user namespace. • No mounts/resources leak in the host • A container cannot join namespaces of another container as they are owned by different user namespaces 35
Podman pods • Similar concept to Kubernetes pods • A group of containers that share resources • Deploy as a single unit • Rootless containers in a Pod share the same user namespace 36
Docker • Docker v19.03 is likely to support Rootless mode – PR: #38050 • Unlike Podman, fuse-overlayfs is not yet supported 37
LXC • Supports unprivileged (what we call “Rootless”) containers since 2013 • Unlike our work, a SETUID binary is required for setting up network namespaces • LXD still requires the daemon to be executed as the root 38
Singularity • Popular in HPC community, as it supports Rootless mode – Default configuration uses a SETUID helper (which we don’t call “Rootless”), but Rootless mode (--userns) can be enabled optionally • Unlike our work, Rootless mode does not support creating network namespaces (with Internet connection) 39
CloudFoundry Garden • Supports rootless mode using runc • Unlike our work, SETUID binaries are required for setting up network namespaces 40https://github.com/cloudfoundry/garden-runc-release/blob/master/docs/articles/rootless-containers.md
runROOTLESS and umoci • runROOTLESS: runc-based OCI runtime (Akihiro’s work) • umoci: OCI image manipulation tool • No subuid/subgid configuration is needed – Emulates subuid/subgid with ptrace and xattr – Suitable for LDAP environments • Current implementation has significant overhead due to ptrace – Future work: replace ptrace with Tycho Andersen’s new seccomp framework (Kernel 5.X ?) 41
udocker • Docker-like CLI • Supports both ptrace mode and runc mode – Unlike runROOTLESS, ptrace mode lacks support for persistent chown (also, ptrace mode isn’t used in conjunction with runc) 42
Current adoption status: Image builders 43
• Buildah: daemonless tool for building OCI images – User namespaces for rootless mode or root in a not privileged container – Uses slirp4netns – dnf/yum/apt/apk works – Can use fuse-overlayfs – Share configuration and storage with Podman – Different isolation modes 44
Buildah isolation modes • Can be controlled with --isolation=ISOLATION – OCI (default): OCI compatible configuration – rootless: It is similar to OCI but uses a configuration that is usable for non privileged users – chroot: creates an environment that looks more like a chroot than a container. 45
BuildKit and img • BuildKit: modern backend for docker build – Integrated to Docker since v18.06, but can be also used as a standalone and rootless daemon – Rootless BuildKit has been used in OpenFaaS cloud • img: Jessie Frazelle’s image builder based on BuildKit – Same as BuildKit but daemonless 46
BuildKit and img • Rootless BuildKit/img can be launched as an unprivileged user on the host without any extra configuration • However, containerized deployment of rootless BuildKit/img had required securityContext.procMount=Unmasked – Unmask /proc/* (e.g. kcore) so that build containers can mount procfs with dedicated PID namespaces – Not real concern as long as running in rootless mode – BuildKit v0.4+ no longer requires securityContext configuration • But no PID namespace isolation across the BuildKit daemon container and build containers 47
Kaniko • Google’s unprivileged container image builder • Different from our approach – Kaniko itself needs to be executed in a container (No securityContext configuration needed) – Dockerfile RUN instructions are executed without creating nested containers inside the Kaniko container • A RUN instruction gains the root in the Kaniko container • Seems inappropriate for malicious Dockerfiles due to the lack of isolation – Potential cloud credential leakage: #106 48
Makisu • Uber’s unprivileged container image builder • Same design as Kaniko, with regard to unprivileged execution 49
Current adoption status: Kubernetes 50
Kubernetes • kubelet and kube-proxy require a bunch of hacks for running without cgroups and sysctl – No hack needed for kube-apiserver and kube-scheduler – POC available; Planning to propose KEP to SIG-node soon – Future work: kubeadm integration • CRI: Both CRI-O and containerd supports rootless mode • CNI: Flannel VXLAN is known to work without any modification 51
“Usernetes” Experimental binary distribution of rootless Kubernetes, installable under $HOME without mess https://github.com/rootless-containers/usernetes $ tar xjvf usernetes-x86_64.tbz $ cd usernetes $ ./run.sh $ ./kubectl.sh run -it --image.. 52
“Usernetes” • docker-compose.yml is included for demonstrating pseudo multi-node cluster POC – Mix of dockershim + CRI-O + containerd – Flannel VXLAN is enabled by default – FIXME: TLS is not enabled yet (contribution wanted!) • Usernetes-on-Kubernetes YAML is coming soon 53
Any questions? 54

Recomendados

The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterKohei Tokunaga
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
Containerd + buildkit breakout
Containerd + buildkit breakoutContainerd + buildkit breakout
Containerd + buildkit breakoutDocker, Inc.
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)NTT DATA Technology & Innovation
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するKohei Tokunaga
 

Recomendados

The overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterThe overview of lazypull with containerd Remote Snapshotter & Stargz Snapshotter
The overview of lazypull with containerd Remote Snapshotter & Stargz SnapshotterKohei Tokunaga
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlP2P Container Image Distribution on IPFS With containerd and nerdctl
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
Containerd + buildkit breakout
Containerd + buildkit breakoutContainerd + buildkit breakout
Containerd + buildkit breakoutDocker, Inc.
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)
PGOを用いたPostgreSQL on Kubernetes入門(PostgreSQL Conference Japan 2022 発表資料)NTT DATA Technology & Innovation
 
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するStargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動する
Stargz Snapshotter: イメージのpullを省略しcontainerdでコンテナを高速に起動するKohei Tokunaga
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Crevise Technologies
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsVietnam Open Infrastructure User Group
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)NTT DATA Technology & Innovation
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能Kohei Tokunaga
 
CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討Masahito Zembutsu
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitWeaveworks
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Stanislav Pogrebnyak
 
OCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰するOCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰するKohei Tokunaga
 
Continuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIContinuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIDavid Hahn
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfssuser1490e8
 
Harbor RegistryのReplication機能
Harbor RegistryのReplication機能Harbor RegistryのReplication機能
Harbor RegistryのReplication機能Masanori Nara
 
CI with Gitlab & Docker
CI with Gitlab & DockerCI with Gitlab & Docker
CI with Gitlab & DockerJoerg Henning
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands OnBrice Fernandes
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 

Mais conteúdo relacionado

Mais procurados

Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)NTT DATA Technology & Innovation
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能Kohei Tokunaga
 
CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討Masahito Zembutsu
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitWeaveworks
 
OCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰するOCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰するKohei Tokunaga
 
Continuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIContinuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIDavid Hahn
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfssuser1490e8
 
Harbor RegistryのReplication機能
Harbor RegistryのReplication機能Harbor RegistryのReplication機能
Harbor RegistryのReplication機能Masanori Nara
 
CI with Gitlab & Docker
CI with Gitlab & DockerCI with Gitlab & Docker
CI with Gitlab & DockerJoerg Henning
 

Mais procurados (20)

Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOps
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
Prometheus Operator 入門(Kubernetes Novice Tokyo #26 発表資料)
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
 
CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討CentOS Linux 8 の EOL と対応策の検討
CentOS Linux 8 の EOL と対応策の検討
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
OCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰するOCIランタイムの筆頭「runc」を俯瞰する
OCIランタイムの筆頭「runc」を俯瞰する
 
Continuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIContinuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CI
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdf
 
Harbor RegistryのReplication機能
Harbor RegistryのReplication機能Harbor RegistryのReplication機能
Harbor RegistryのReplication機能
 
CI with Gitlab & Docker
CI with Gitlab & DockerCI with Gitlab & Docker
CI with Gitlab & Docker
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
 

Semelhante a Rootless Containers

The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userUsernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userAkihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless PodmanAkihiro Suda
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Docking postgres
Docking postgresDocking postgres
Docking postgresrycamor
 

Semelhante a Rootless Containers (20)

The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless Containers
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless Kubernetes
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
Usernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root userUsernetes: Kubernetes as a non-root user
Usernetes: Kubernetes as a non-root user
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless mode
 
Exploring Docker Security
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Docker_AGH_v0.1.3
Docker_AGH_v0.1.3
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
Docking postgres
Docking postgresDocking postgres
Docking postgres
 

Mais de Akihiro Suda

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdfAkihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdfAkihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilionAkihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilionAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdfAkihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilionAkihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with DockerfileAkihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless ModeAkihiro Suda
 

Mais de Akihiro Suda (20)

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
 

Último

Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 

Último (20)

Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 

Rootless Containers

  • 1. Rootless Containers Giuseppe Scrivano / Red Hat (@gscrivano) Akihiro Suda / NTT (@_AkihiroSuda_) DevConf.CZ (Jan 25, 2019) 1
  • 2. Who are we? Akihiro Suda • Software Engineer at NTT (the largest telco in Japan) • Maintainer of Moby (former Docker Engine), BuildKit, containerd, and etc... Giuseppe Scrivano • Software Engineer at Red Hat • Works on Podman, Buildah, CRI-O 2
  • 5. Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running containers as an unprivileged user • Also entails running container runtimes and orchestrators as an unprivileged user 5
  • 6. Don’t confuse with.. • docker run --user foo – Executes the process in the container as a non-root – dockerd, containerd, and runc still running as the root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 6
  • 7. Don’t confuse with.. • usermod -aG docker foo – Allows a non-root user to connect to /var/run/docker.sock – Equivalent to allow the user to gain the root! (docker run --privileged -v /:/host …) • sudo docker or chmod +s dockerd – Nope! 7
  • 8. Don’t confuse with.. • dockerd --userns-remap – Execute containers as a non-root user (dockremap), using user namespaces • Inside the containers, dockremap can behave as if it were the root – Most similar to Rootless Containers, but still requires dockerd, containerd, and runc to run as the root 8
  • 9. Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes and orchestrator (the primary motivation) • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers, e.g. “Docker-in-Docker” 9
  • 10. Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 10
  • 11. Runtime vulnerabilities • runc #1962 (2019, found by Akihiro, analyzed and fixed by Giuseppe) – A malicious container could gain the write access to /proc and /sys when the host root filesystem is initrd (DOCKER_RAMDISK) • Results in arbitrary command execution as the root on the host, via /proc/sys/kernel/core_pattern or /sys/kernel/uevent_helper – Minikube is known to be affected (fixed in v0.33.1) 11 $ kubectl run -it --image busybox foo # unshare -mrfp # mount -t proc none /proc
  • 12. Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 12
  • 13. Play-with-Docker.com vulnerability • Play-with-Docker.com: Online Docker playground, implemented using Docker-in-Docker with custom AppArmor profiles • Malicious kernel module was loadable due to AppArmor misconfiguration (revealed on Jan 14, 2019) – Not really an issue of Docker 13https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/
  • 14. Caveat: Not a panacea • Although Rootless Containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 14
  • 16. User Namespaces • The key component of rootless containers. – Map UIDs/GIDs in the guest to different UIDs/GIDs on the host. – Unprivileged users can have (limited) root inside a user namespace! • Root in a user namespace has UID 0 and full capabilities, but obvious restrictions apply. – Inaccessible files, inserting kernel modules, rebooting, ... 16
  • 17. User Namespaces • To allow multi-user mappings, shadow-utils provides newuidmap and newgidmap (packaged by most distributions). – SETUID binaries writing mappings configured in /etc/sub[ug]id /etc/subuid: 1000:420000:65536 /proc/42/uid_map: 0 1000 1 1 420000 65536 Provided by the admin (real root) User can configure map UIDs after unsharing a user namespace 17
  • 18. User Namespaces Problems: • SETUID binary can be dangerous – newuidmap & newgidmap had two CVEs so far: • CVE-2016-6252 (CVSS v3: 7.8): integer overflow issue • CVE-2018-7169 (CVSS v3: 5.3): supplementary GID issue • Hard to maintain subuid & subgid – Having 65536 sub-IDs should be ok for most cases, but to allow nesting user namespaces, an enormous number of sub-IDs would be needed • Potential sub-ID starvation 18
  • 19. User Namespaces Alternative way: Single-mapping mode • Single-mapping mode does not require newuidmap/newgidmap • There is only one UID/GID available in the container Limit the privileges of newuidmap/newgidmap • Install them using file capabilities rather than SETUID bit – Only CAP_SETUID and CAP_SETGID are needed 19
  • 20. Network Namespaces • An unprivileged user can create network namespaces along with user namespaces • With network namespaces, the user can – create iptables rules – isolate abstract (pathless) UNIX sockets – set up overlay networking with VXLAN – run tcpdump – ... 20
  • 21. Network Namespaces • But an unprivileged user cannot set up veth pairs across the host and namespaces, i.e. No internet connection 21 The Internet Host UserNS + NetNS
  • 22. Network Namespaces Prior work: LXC uses SETUID binary (lxc-user-nic) for setting up the veth pair across the the host and containers Problem: SETUID binary can be dangerous! • CVE-2017-5985 (CVSS v3: 3.3): netns privilege escalation • CVE-2018-6556 (CVSS v3: 3.3): arbitrary file open(2) 22
  • 23. Network Namespaces Our approach: use completely unprivileged usermode network (“Slirp”) with a TAP device TAP “Slirp” TAPFD send fd as SCM_RIGHTS cmsg via an UNIX socket The Internet Host UserNS + NetNS
  • 24. Network Namespaces Benchmark of several “Slirp” implementations: • slirp4netns (our own implementation based on QEMU Slirp) is the fastest because it avoids copying packets across the namespaces MTU=1500 MTU=4000 MTU=16384 MTU=65520 vde_plug 763 Mbps Unsupported Unsupported Unsupported VPNKit 514 Mbps 526 Mbps 540 Mbps Unsupported slirp4netns 1.07 Gbps 2.78 Gbps 4.55 Gbps 9.21 Gbps cf. rootful veth 52.1 Gbps 45.4 Gbps 43.6 Gbps 51.5 Gbps Benchmark: iperf3 (netns -> host), measured on Travis CI. See rootless-containers/rootlesskit#12 24
  • 25. Port forwarding • Usermode port forwarder (inbound connection) can be implemented independently of Slirp (outbound connection) • slirp4netns: 7.01 Gbps (still has extra packet copy) • socat+nsenter: 9.64 Gbps • Our WIP implementation with SCM_RIGHTS optimization: 28.5 Gbps (still flaky) 25 https://github.com/rootless-containers/rootlesskit/pull/33#issuecomment-448992291 https://github.com/rootless-containers/slirp4netns/pull/29#issuecomment-449626896
  • 26. Multi-node networking • Flannel VXLAN is known to work – Encapsulates Ethernet packets in UDP packets – Provides L2 connectivity across rootless containers on different nodes • Other protocols should work as well, except ones that require access to raw Ethernet 26
  • 27. Root Filesystems Your container root filesystem has to live somewhere. Many filesystem features used by “rootful” container runtimes aren’t available. • Ubuntu allows overlayfs in a user namespace, but this isn't supported upstream (due to security concerns). • Btrfs allows unprivileged subvolume management, but requires privileges to set it up beforehand. • Devicemapper is completely locked away from us. 27
  • 28. Root Filesystems A “simple” work-around is to just extract images to a directory! • It works … but people want storage deduplication. Alternatives: • Reflinks to a "known good" extracted image (inode exhaustion). – (Can use on XFS, btrfs, ... but not ext4.) • Unprivileged userspace overlayfs using FUSE (Kernel 4.18+). 28
  • 29. fuse-overlayfs ● Overlayfs implementation using FUSE ● Layers deduplication as for root containers ● Fast setup for a new container ● Built-in support for shifting UIDs/GIDs ● Adds complexity ● Temporary solution until unprivileged users can safely use overlay 29
  • 30. fuse-overlayfs UIDs/GIDs shifting ● When creating a user namespace, we must ensure proper ownership of the files in the RO layers. ● the file system “lies” about the owner, so that it has the correct UID/GID in the user namespace and the same layer on disk can be used by different user namespaces. ● Less expensive alternative to cp -r and chown’ing the entire image and layers. 30
  • 31. cgroups /sys/fs/cgroup is a roadblock to many features we want in rootless containers (accounting, pause and resume, even getting a list of PIDs!). • By default completely owned by root (and managed by systemd). Some workarounds: • LXC’s pam_cgfs requires installation of a PAM module (and only works for logged-in users). It needs to be used carefully as it gives cgroupv1 write access to unprivileged users. • cgroup namespaces (with nsdelegate) only work in cgroupv2. 31
  • 33. runc • Supports rootless mode since 1.0.0-rc4 (merged March 2017). • Since 1.0.0-rc5 (Feb 2018): – /sys/fs/cgroup can be used if they are set up to be writable. – Multi-user mappings are supported if they are set up with /etc/sub[ug]id. 33
  • 34. • Podman, daemonless alternative to Docker: – Uses slirp4netns – Uses fuse-overlayfs – rootless storage under the user home directory – No CLI differences between root and rootless mode 34
  • 35. Podman containers • When running directly a container, each container runs in its own user namespace. • No mounts/resources leak in the host • A container cannot join namespaces of another container as they are owned by different user namespaces 35
  • 36. Podman pods • Similar concept to Kubernetes pods • A group of containers that share resources • Deploy as a single unit • Rootless containers in a Pod share the same user namespace 36
  • 37. Docker • Docker v19.03 is likely to support Rootless mode – PR: #38050 • Unlike Podman, fuse-overlayfs is not yet supported 37
  • 38. LXC • Supports unprivileged (what we call “Rootless”) containers since 2013 • Unlike our work, a SETUID binary is required for setting up network namespaces • LXD still requires the daemon to be executed as the root 38
  • 39. Singularity • Popular in HPC community, as it supports Rootless mode – Default configuration uses a SETUID helper (which we don’t call “Rootless”), but Rootless mode (--userns) can be enabled optionally • Unlike our work, Rootless mode does not support creating network namespaces (with Internet connection) 39
  • 40. CloudFoundry Garden • Supports rootless mode using runc • Unlike our work, SETUID binaries are required for setting up network namespaces 40https://github.com/cloudfoundry/garden-runc-release/blob/master/docs/articles/rootless-containers.md
  • 41. runROOTLESS and umoci • runROOTLESS: runc-based OCI runtime (Akihiro’s work) • umoci: OCI image manipulation tool • No subuid/subgid configuration is needed – Emulates subuid/subgid with ptrace and xattr – Suitable for LDAP environments • Current implementation has significant overhead due to ptrace – Future work: replace ptrace with Tycho Andersen’s new seccomp framework (Kernel 5.X ?) 41
  • 42. udocker • Docker-like CLI • Supports both ptrace mode and runc mode – Unlike runROOTLESS, ptrace mode lacks support for persistent chown (also, ptrace mode isn’t used in conjunction with runc) 42
  • 44. • Buildah: daemonless tool for building OCI images – User namespaces for rootless mode or root in a not privileged container – Uses slirp4netns – dnf/yum/apt/apk works – Can use fuse-overlayfs – Share configuration and storage with Podman – Different isolation modes 44
  • 45. Buildah isolation modes • Can be controlled with --isolation=ISOLATION – OCI (default): OCI compatible configuration – rootless: It is similar to OCI but uses a configuration that is usable for non privileged users – chroot: creates an environment that looks more like a chroot than a container. 45
  • 46. BuildKit and img • BuildKit: modern backend for docker build – Integrated to Docker since v18.06, but can be also used as a standalone and rootless daemon – Rootless BuildKit has been used in OpenFaaS cloud • img: Jessie Frazelle’s image builder based on BuildKit – Same as BuildKit but daemonless 46
  • 47. BuildKit and img • Rootless BuildKit/img can be launched as an unprivileged user on the host without any extra configuration • However, containerized deployment of rootless BuildKit/img had required securityContext.procMount=Unmasked – Unmask /proc/* (e.g. kcore) so that build containers can mount procfs with dedicated PID namespaces – Not real concern as long as running in rootless mode – BuildKit v0.4+ no longer requires securityContext configuration • But no PID namespace isolation across the BuildKit daemon container and build containers 47
  • 48. Kaniko • Google’s unprivileged container image builder • Different from our approach – Kaniko itself needs to be executed in a container (No securityContext configuration needed) – Dockerfile RUN instructions are executed without creating nested containers inside the Kaniko container • A RUN instruction gains the root in the Kaniko container • Seems inappropriate for malicious Dockerfiles due to the lack of isolation – Potential cloud credential leakage: #106 48
  • 49. Makisu • Uber’s unprivileged container image builder • Same design as Kaniko, with regard to unprivileged execution 49
  • 51. Kubernetes • kubelet and kube-proxy require a bunch of hacks for running without cgroups and sysctl – No hack needed for kube-apiserver and kube-scheduler – POC available; Planning to propose KEP to SIG-node soon – Future work: kubeadm integration • CRI: Both CRI-O and containerd supports rootless mode • CNI: Flannel VXLAN is known to work without any modification 51
  • 52. “Usernetes” Experimental binary distribution of rootless Kubernetes, installable under $HOME without mess https://github.com/rootless-containers/usernetes $ tar xjvf usernetes-x86_64.tbz $ cd usernetes $ ./run.sh $ ./kubectl.sh run -it --image.. 52
  • 53. “Usernetes” • docker-compose.yml is included for demonstrating pseudo multi-node cluster POC – Mix of dockershim + CRI-O + containerd – Flannel VXLAN is enabled by default – FIXME: TLS is not enabled yet (contribution wanted!) • Usernetes-on-Kubernetes YAML is coming soon 53