Docker: Aspects of Container Isolation
By Jeff Nickoloff
Eight Aspects of Isolation
• PID – Process IDs and capabilities
• UTS – Host and domain name
• MNT – File system access and structure
• IPC – Communication over shared memory
• NET – Network access and structure
• USR – (new, in PR) Map host users/uids to container users
• chroot() – Set the root of the file system for a process
• Cgroups – Resource protection
PID Namespace
• Process IDs
  - Every process has an ID; a process in a container sees only the processes in its own PID namespace.
  - The PID namespace lets PIDs be reused: each container has its own PID 1.
• Process capabilities
  - Capabilities are not a namespace feature; they are set per process when the container starts (Docker's --cap-add and --cap-drop), and the container's root keeps only the subset it is granted.
• Isolation benefit: process IDs leak all sorts of information, and being able to reference processes outside the container (signal them, trace them, read their /proc entries) opens several attack vectors. Capabilities are awesome: they let the container's root do its job without the full power of host root.
PID Namespace Example
$ docker run --rm --name bob busybox:latest ps
PID USER COMMAND
1 root ps
$ docker run --rm --name tom --cap-add NET_ADMIN busybox:latest ps
PID USER COMMAND
1 root ps
In both containers ps is PID 1 and sees nothing else. The extra capability granted to tom is invisible in the process list; it shows up only in the CapEff mask of /proc/self/status inside the container.
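Since ps cannot show the difference between bob and tom, the following script, an added example that is not part of the deck, decodes the CapEff mask from /proc/<pid>/status and diffs it against the set Docker grants by default, so that --cap-add and --cap-drop can be verified from inside a container. The capability numbering is the kernel's and the default set is Docker's; the sample status text is constructed.

```python
"""Decode Linux capability masks from /proc/<pid>/status and compare them
with Docker's default set. Added example for the deck; not Docker code."""

# Capability numbers in kernel order (bit n of the mask is CAP_NAMES[n]).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# What Docker grants a non-privileged container unless --cap-add/--cap-drop
# change it (mask 0x00000000a80425fb).
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}

# Capabilities that deserve a second look when they show up in a container:
# each one is enough to reach past the container boundary or into the kernel.
REVIEW = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
          "DAC_READ_SEARCH", "NET_ADMIN", "BPF"}


def decode_caps(mask):
    """Return the set of capability names whose bit is set in mask."""
    names = {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    if mask >> len(CAP_NAMES):
        names.add("UNKNOWN")  # bits newer than this table
    return names


def parse_status(text):
    """Return {"CapInh": int, "CapPrm": int, ...} from /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def audit(status_text):
    """Compare the effective set with Docker's default and flag risky additions."""
    effective = decode_caps(parse_status(status_text)["CapEff"])
    return {
        "effective": effective,
        "added": effective - DOCKER_DEFAULT,
        "dropped": DOCKER_DEFAULT - effective,
        "review": effective & REVIEW,
    }


# Constructed sample: the Cap lines of PID 1 in a container started with
# --cap-add NET_ADMIN (the default mask with bit 12 set).
SAMPLE_STATUS = """\
Name:\tps
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80435fb
CapEff:\t00000000a80435fb
CapBnd:\t00000000a80435fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Inside a container this reads the process's own status file;
    # elsewhere it falls back to the constructed sample.
    try:
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_STATUS
    report = audit(text)
    for key in ("added", "dropped", "review"):
        print(f"{key:>8}: {sorted(report[key]) or '-'}")
```

Run it as PID 1's child in the container (for example with docker run ... python3 capaudit.py, a hypothetical file name) and compare the "added" set against what the deployment was meant to grant; anything in "review" is a capability that the container should have to justify.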
UTS Namespace
• Host name
• Domain name
• Processes in the same UTS namespace identify the host they are running on by the same host and domain name; each container gets its own.
• Isolation benefit: combined with the NET namespace, the UTS namespace lets processes identify their container by name as well as by its virtual network address. A container can identify itself without depending on the host's identity, and changing the name inside the container does not rename the host.
UTS Namespace Example
$ hostname
name.of.the.host
$ docker run --rm --hostname something.specific.per.container busybox:latest hostname
something.specific.per.container
chroot()
• Linux system call
• Sets the root of the file system for a process
• Part of Unix since the 70's
• A core component of any container or jail strategy
• Isolation benefit: if a process cannot reference part of a file system, it cannot use or modify the part that is beyond its scope.
• Caveat: chroot() on its own is not a security boundary. A root process that keeps CAP_SYS_CHROOT can call chroot() again on a subdirectory and chdir("..") its way back out, so the restriction only holds together with the MNT namespace and the capability dropping covered below.
MNT Namespace
• File system access and structure
• Combined with chroot() to build a contained file system and hide the details of how it was assembled
• Provides features like Volumes
• Isolation benefit: each container gets its own mount table, so an effectively full file system can be built in a subtree and a plain chroot can be augmented with bind-mounted subtrees. A bind mount is a window onto the host, though: the container sees exactly that subtree with whatever write access the mount allows, so mount volumes read-only unless the container must write to them.
IPC Namespace
• What it isolates
  - SysV shared memory segments
  - POSIX message queues
  - POSIX semaphores
• Container types
  - Closed – the default: a private namespace, with no access to shared memory pools outside the container.
  - Joined – reuse the namespace created for another container (--ipc container:<name>).
  - Open – full access to the shared memory pools on the host (--ipc host); every host process that uses IPC becomes reachable.
• Isolation benefit: protects against snooping on, or tampering with, the shared memory of other processes.
IPC Namespace Example
$ docker run --rm --name bob myserver
$ docker run --rm --ipc container:bob myclient
NET Namespace
• Logical network devices
• IPv4/IPv6 network stacks
• IP routing tables
• Firewalls (netfilter rules)
• /proc/net
• Port numbers (sockets)
• Isolation benefit: each container has its own interfaces, routes, firewall rules and port space, so it can be treated like a host; two containers can both bind port 8080 without conflict.
NET Namespace Example
$ docker run --net none --name roy --expose 8080 busybox:latest nc -l 0.0.0.0:8080
$ docker run --net container:roy busybox:latest nc 127.0.0.1 8080
(run the first command in its own terminal; it blocks while listening)
roy has no interface besides loopback, and --expose only records metadata without publishing anything, so nothing on the host network can reach it. The second container joins roy's network namespace, so its 127.0.0.1 is roy's loopback rather than the host's, and the connection succeeds.
Cgroups - Resource Protection
• Memory limits
  - Hard byte limits. Docker does no checking for limits that exceed the memory available on the host.
• CPU weight
  - The proportion between container weights determines the share of CPU time each container is guaranteed when they compete.
  - A container may burst beyond its proportion if the CPU is otherwise idle.
• CPU set restrictions
  - Pin the container's processes to a specific set of CPUs.
• Device access
  - Expose selected devices to a container (think specialized hardware) instead of all of /dev.
• Cgroups limit what a container can consume, not what it can see; they are the defence against one container starving the others.
Cgroups – Resource Protection Example
$ docker run -d -P --name my_wordpress \
    --memory 512m --cpu-shares 512 \
    --user nobody \
    --cap-drop net_raw \
    --link ch6_mariadb \
    wordpress:4.1
--memory and --cpu-shares are the cgroup settings (512m is a hard cap; 512 is half the default weight of 1024). --user and --cap-drop are not cgroup controls: they reduce the privilege of the process rather than its resources.
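The slide points out that Docker does not check whether a --memory limit exceeds the host's RAM, and that --cpu-shares are relative weights rather than percentages. The pre-flight check below is an added example, not from the deck or from Docker: it parses the limits of a set of containers (the my_wordpress values from the command above next to two constructed neighbours), reads MemTotal from /proc/meminfo text, and reports over-commitment, any single limit larger than the host, and the CPU fraction each container is guaranteed when all of them are busy. The /proc/meminfo sample is constructed; the 1024 default for cpu-shares is Docker's.

```python
"""Pre-flight check for cgroup limits on one host: Docker accepts a --memory
larger than the host has, and --cpu-shares are weights, not percentages.
Added example for the deck; not Docker code."""

UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
DEFAULT_CPU_SHARES = 1024  # Docker's default weight for a container


def parse_size(spec):
    """Turn a --memory value such as '512m' or '2g' into bytes."""
    spec = spec.strip().lower()
    if spec and spec[-1] in UNITS:
        return int(float(spec[:-1]) * UNITS[spec[-1]])
    return int(spec)


def host_mem_total(meminfo_text):
    """MemTotal from /proc/meminfo text, in bytes (the file reports kB)."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) * 1024
    raise ValueError("MemTotal not found in meminfo text")


def preflight(containers, meminfo_text):
    """containers: {name: {"memory": "512m", "cpu_shares": 512}}.

    Reports the memory the set commits in total, whether that exceeds the
    host, any single limit larger than the host, and the fraction of CPU
    each container is guaranteed when all of them are busy (a container
    still bursts above its fraction while the others are idle)."""
    total = host_mem_total(meminfo_text)
    limits = {name: parse_size(c["memory"]) for name, c in containers.items()}
    shares = {name: c.get("cpu_shares", DEFAULT_CPU_SHARES)
              for name, c in containers.items()}
    share_sum = sum(shares.values())
    committed = sum(limits.values())
    return {
        "host_bytes": total,
        "committed_bytes": committed,
        "overcommitted": committed > total,
        "too_big": [name for name, limit in limits.items() if limit > total],
        "cpu_fraction": {name: s / share_sum for name, s in shares.items()},
    }


# Constructed samples: a 2 GiB host, and the my_wordpress limits from the
# slide next to two neighbours that use Docker's default cpu-shares.
SAMPLE_MEMINFO = "MemTotal:        2097152 kB\nMemFree:          512000 kB\n"
SAMPLE_CONTAINERS = {
    "my_wordpress": {"memory": "512m", "cpu_shares": 512},
    "ch6_mariadb": {"memory": "1g"},
    "nightly_batch": {"memory": "1g"},
}

if __name__ == "__main__":
    # On a Linux host this reads the real /proc/meminfo; elsewhere the sample.
    try:
        with open("/proc/meminfo") as f:
            meminfo = f.read()
    except OSError:
        meminfo = SAMPLE_MEMINFO
    report = preflight(SAMPLE_CONTAINERS, meminfo)
    print(f"host {report['host_bytes'] >> 20} MiB, "
          f"committed {report['committed_bytes'] >> 20} MiB, "
          f"overcommitted={report['overcommitted']}, too_big={report['too_big']}")
    for name, frac in report["cpu_fraction"].items():
        print(f"  {name}: guaranteed {frac:.0%} of CPU when all are busy")
```

With the constructed sample the three limits add up to 2.5 GiB on a 2 GiB host, which Docker would accept without complaint; the report flags it, and shows that the 512 weight gives my_wordpress a fifth of the CPU under contention, not half.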
USR Namespace
• At the time of this talk the Docker interface had not been implemented
• Support had been built in LXC and libcontainer (Docker 1.10 later exposed it through the daemon's --userns-remap option)
• Let's talk about how it works now and how it could work using the USR namespace to map users: root inside the container becomes an unprivileged uid on the host, so a breakout lands as that uid rather than as host root.
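The mapping the slide promises to discuss is done by the kernel through /proc/<pid>/uid_map (and gid_map), whose lines read "inside outside count". The following is an added example, not from the deck or from Docker: it parses such a map and translates ids in both directions, which is the check for whether a container's root is also the host's root. Both map contents are constructed (the first is what the initial namespace reports; the second is a typical remapped range).

```python
"""How the USR namespace maps ids: parse a /proc/<pid>/uid_map (or gid_map)
and translate ids across the boundary. Added example for the deck; the map
format is the kernel's, the two maps below are constructed."""

OVERFLOW_ID = 65534  # kernel.overflowuid: what an unmapped id looks like


def parse_id_map(text):
    """Each line is '<inside> <outside> <count>': ids inside..inside+count-1
    in the namespace correspond to outside..outside+count-1 in the parent."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            ranges.append((inside, outside, count))
    return ranges


def to_host(ranges, ns_id):
    """The host id a namespace id maps to, or None if the id is unmapped
    (the kernel then refuses to switch to it: setuid fails with EINVAL)."""
    for inside, outside, count in ranges:
        if inside <= ns_id < inside + count:
            return outside + (ns_id - inside)
    return None


def to_ns(ranges, host_id):
    """How a host id appears from inside the namespace: unmapped host ids
    (host root, for a remapped container) show up as the overflow id."""
    for inside, outside, count in ranges:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def root_is_host_root(ranges):
    """The check that matters: is uid 0 in the container uid 0 on the host?"""
    return to_host(ranges, 0) == 0


# Constructed maps. The first is what the initial namespace reports (identity
# over the full range); the second remaps the container's 65536 ids onto a
# host range starting at 100000.
INITIAL_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    for label, text in (("initial", INITIAL_MAP), ("remapped", REMAPPED_MAP)):
        ranges = parse_id_map(text)
        print(f"{label}: container uid 0 -> host uid {to_host(ranges, 0)}, "
              f"host uid 0 seen inside as {to_ns(ranges, 0)}, "
              f"root is host root: {root_is_host_root(ranges)}")
```

Inside a running container, feeding the contents of /proc/self/uid_map to parse_id_map answers the question directly: an identity map means the container's root is host root, while a remapped map shows the host uid a breakout would land as and why host-root-owned files appear as nobody from inside.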
Bonus Round
• Extreme isolation systems (mandatory access control and kernel hardening, applied on top of the namespaces above)
  - SELinux – Labeling ALL THE THINGS!
  - AppArmor – Build an execution profile (file path based)
  - GRSEC kernel
"Grsecurity is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration."
