Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
docker file system isolation

Docker File System Isolation By Darrin Schmitz David Huff - PowerPoint PPT Presentation

Jan 08, 2023 •273 likes •529 views

Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911 Specifications HP ProLiant DL380p Gen8 servers Head node has 32 cores and 32 GB RAM 10 child nodes have 24 cores and 24 GB RAM

  1. Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911

  2. Specifications • HP ProLiant DL380p Gen8 servers • Head node has 32 cores and 32 GB RAM • 10 child nodes have 24 cores and 24 GB RAM • Operating system: CentOS 6.6 • Containers: Docker version 1.6 2 LA-UR-15-25911

  3. Abstract Overview ● Our goal ● Technical difficulties ● Overall, we believe Docker is a good security option, even though there are some security risks involved 3 LA-UR-15-25911

  4. What is a Container? ● Between a virtual machine and a chroot ● Native hardware utilization ● Able to run different operating systems 4 LA-UR-15-25911

  5. Why use Docker? 1. Pre-configures its network bridges 2. Available documentation 3. Portable and recoverable images 5 LA-UR-15-25911

  6. Docker Normal Setup ● Docker bridge directly connected to node ● IP forwarding use ● The IP ranges for the containers are 172.17.0.0/20 ● Daemon configures iptables 6 LA-UR-15-25911

  7. Docker Normal Setup Diagram 7 LA-UR-15-25911

  8. Problems With Default Setup ● Same IP addresses are assigned to different containers on different nodes ● Iptables and bridges are not cleaned up by Docker 8 LA-UR-15-25911

  9. Steps to Create a Docker Network With OpenMPI 1. Install Docker 2. Set up the bridge manually 3. Set up SSH-keys 4. Set up OpenMPI 5. Set up the Docker daemon to give out unique IP-addresses 9 LA-UR-15-25911 https://www.linkedin.com/pulse/docker-containers-kubernetes-smart-ecosystem-solution-yasser-emam

  10. Bridge 10 LA-UR-15-25911

  11. SSH-Keys & OpenMPI & Mounting ● Generate the SSH-keys and place the public key into the authorized-keys file ● Set up the /etc/openmpi/default-openmpi - hostnames file, and set the path to the OpenMPI libraries ● Mounting is as simple as using Dockers –v flag 11 LA-UR-15-25911

  12. Docker Daemon ● The Docker Daemon sets up the bridge ● The IP range for the containers is set up by the daemon ● There is a flag to assign a custom bridge to the daemon 12 LA-UR-15-25911

  13. Docker Hub 13 LA-UR-15-25911 http://jenkins-ci.org/content/official-jenkins-lts-docker-image

  14. Problems With Docker ● Docker’s bridge needs to connect to the switch directly ● Services do not start at the start of the terminal ● Environment variables are not permanent ● IP-addresses cannot be statically set ● /etc/hosts file is constantly being overwritten 14 LA-UR-15-25911

  15. Benchmarks Write dd if=/dev/urandom of=/Yellow/File bs=1024 count=1024000 dd if=/dev/urandom of=/home/File bs=1024 count=1024000 Read dd if=/Yellow/File of=/dev/null bs=1024 dd if=/home/File of=/dev/null bs=1024 15 LA-UR-15-25911

  16. Benchmark Results Relative Read Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 16 LA-UR-15-25911

  17. Benchmark Results Relative Write Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 17 LA-UR-15-25911

  18. CVE’s ● Insecure opening of file-descriptor 1 leading to privilege escalation (CVE-2015-3627) ● Symlink traversal on container respawn allows local privilege escalation (CVE-2015-3629) ● Read/write proc paths allow host modification & information disclosure (CVE-2015-3630) 18 LA-UR-15-25911

  19. Security Risks ● The current version of Docker fixes these security holes ● As of the 14 th of July, 1.7.1 is compatible with CentOS 6.6 ● The isolation provided by Docker is not as robust as the segregation established by hypervisors for virtual machines 19 LA-UR-15-25911

  20. Security Recommendations ● Use containers only on unclassified data/file systems ● Containers run with a whitelisted root ● Access control via SSH Keys ● Set up a password between data locations ● Don’t give root to the user ● Set up user account in the container 20 LA-UR-15-25911

  21. Future Research ● Write a launch script that works with SLURM/Moab to automatically provision the container environment. ● Investigate bind mounts using Lustre and Panasas. ● Investigate using containers in an SELinux environment. 21 LA-UR-15-25911 https://docs.docker.com/

  22. Conclusion ● We met the goal of our project by proving Docker is a lightweight security option ● Although there are some security holes to be concerned about, we’ve provided some security recommendations for Docker ● Docker would be a useful option for separating Yellow and Turquoise data 22 LA-UR-15-25911

  23. References 1. https://sites.google.com/a/ probe.newmexicoconsortium.org/cscnsi-2015- vermilion/ 2. https://www.docker.com/ 3. https://hub.docker.com/ 4. https://nvd.nist.gov/ 23 LA-UR-15-25911

  24. Questions? 24 LA-UR-15-25911

Recommend

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

689 views • 34 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

483 views • 4 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

555 views • 34 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
Going D/S/K Prod Like A Pro BRET FISHER Docker Captain, DevOps Dude, Creator of Docker Mastery

Going D/S/K Prod Like A Pro BRET FISHER Docker Captain, DevOps Dude, Creator of Docker Mastery

Going D/S/K Prod Like A Pro BRET FISHER Docker Captain, DevOps Dude, Creator of Docker Mastery bretfisher.com/docker @bretfisher Going D/S/K Prod Like A Pro BRET FISHER Docker Captain, DevOps Dude, Creator of Docker Mastery

1.51k views • 127 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer & Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

602 views • 39 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

677 views • 29 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
File Management What is a file? Elements of file management File organization

File Management What is a file? Elements of file management File organization

CPSC 410 / 611 : Operating Systems File Management File Management What is a file? Elements of file management File organization Directories File allocation What is a File? A file is a collection of data elements, grouped

824 views • 38 slides
Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau Remzi H. Arpaci-Dusseau University of Wisconsin - Madison 1 File-System Availability Is Critical 2 File-System Availability Is Critical Main

1.76k views • 171 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

925 views • 60 slides
Click on M odel File for CAD Click on M odel File for CAD Click on Model File for CAD Click

Click on M odel File for CAD Click on M odel File for CAD Click on Model File for CAD Click

Click on M odel File for CAD Click on M odel File for CAD Click on Model File for CAD Click on Model File for CAD Click on File for CAD Click on Size File for CAD Click on Size File for CAD Click on Size File for CAD

643 views • 39 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

342 views • 33 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

999 views • 28 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

505 views • 48 slides
Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL Disclaimer DISCLAIMER THIS PRESENTATION AND ITS CONTENTS ARE CONFIDENTIAL AND ARE NOT FOR RELEASE, PUBLICATION OR DISTRIBUTION, IN WHOLE OR IN PART,

835 views • 12 slides
D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings and Relevant Building Physical Aspects based on Case Study 5: Secondary School Htting Innsbruck, Austria The research leading to these results

900 views • 72 slides
OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA

OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA

OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA SAS S 18001 18001 COURSE OBJECTIVES ISO 9001, ISO 14001 & OHSAS 18001 in brief: ISO 9001, ISO 14001 & OHSAS 18001 are among the

179 views • 15 slides
I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W

I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W

I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W hy use them ? Complying with ISO management standards: increases confidence in business relationships, broadens opportunities

544 views • 33 slides
One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code 600009 TRACCESS Module - 2017 Control of Hazardous Energy Training BU Specific Group BU Competency Lockout Increasing Competency Group

1.07k views • 37 slides
ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xian Jiaotong University Florida State University Software is Complicated and Vulnerable Number of CVEs 17

914 views • 28 slides
PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

EMERGENCY MANAGEMENT ACT 2005 (WA) ( (a) who enters Westero Australia by disembarking from an afgected aircraft onto land anywhere in Western Australia (including any person who entered Westero Australia in this manner on or afuer 29 June 2020);

268 views • 3 slides
Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge 165 Locations and growing Scalability can mean... Traffic (requests) Easy: More locations = more capacity. Tenants (apps) Hard: Every tenant in

814 views • 41 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.