docker file system isolation
play

Docker File System Isolation By Darrin Schmitz David Huff - PowerPoint PPT Presentation

Jan 08, 2023 •273 likes •523 views

Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911 Specifications HP ProLiant DL380p Gen8 servers Head node has 32 cores and 32 GB RAM 10 child nodes have 24 cores and 24 GB RAM

  1. Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911

  2. Specifications • HP ProLiant DL380p Gen8 servers • Head node has 32 cores and 32 GB RAM • 10 child nodes have 24 cores and 24 GB RAM • Operating system: CentOS 6.6 • Containers: Docker version 1.6 2 LA-UR-15-25911

  3. Abstract Overview ● Our goal ● Technical difficulties ● Overall, we believe Docker is a good security option, even though there are some security risks involved 3 LA-UR-15-25911

  4. What is a Container? ● Between a virtual machine and a chroot ● Native hardware utilization ● Able to run different operating systems 4 LA-UR-15-25911

  5. Why use Docker? 1. Pre-configures its network bridges 2. Available documentation 3. Portable and recoverable images 5 LA-UR-15-25911

  6. Docker Normal Setup ● Docker bridge directly connected to node ● IP forwarding use ● The IP ranges for the containers are 172.17.0.0/20 ● Daemon configures iptables 6 LA-UR-15-25911

  7. Docker Normal Setup Diagram 7 LA-UR-15-25911

  8. Problems With Default Setup ● Same IP addresses are assigned to different containers on different nodes ● Iptables and bridges are not cleaned up by Docker 8 LA-UR-15-25911

  9. Steps to Create a Docker Network With OpenMPI 1. Install Docker 2. Set up the bridge manually 3. Set up SSH-keys 4. Set up OpenMPI 5. Set up the Docker daemon to give out unique IP-addresses 9 LA-UR-15-25911 https://www.linkedin.com/pulse/docker-containers-kubernetes-smart-ecosystem-solution-yasser-emam

  10. Bridge 10 LA-UR-15-25911

  11. SSH-Keys & OpenMPI & Mounting ● Generate the SSH-keys and place the public key into the authorized-keys file ● Set up the /etc/openmpi/default-openmpi - hostnames file, and set the path to the OpenMPI libraries ● Mounting is as simple as using Dockers –v flag 11 LA-UR-15-25911

  12. Docker Daemon ● The Docker Daemon sets up the bridge ● The IP range for the containers is set up by the daemon ● There is a flag to assign a custom bridge to the daemon 12 LA-UR-15-25911

  13. Docker Hub 13 LA-UR-15-25911 http://jenkins-ci.org/content/official-jenkins-lts-docker-image

  14. Problems With Docker ● Docker’s bridge needs to connect to the switch directly ● Services do not start at the start of the terminal ● Environment variables are not permanent ● IP-addresses cannot be statically set ● /etc/hosts file is constantly being overwritten 14 LA-UR-15-25911

  15. Benchmarks Write dd if=/dev/urandom of=/Yellow/File bs=1024 count=1024000 dd if=/dev/urandom of=/home/File bs=1024 count=1024000 Read dd if=/Yellow/File of=/dev/null bs=1024 dd if=/home/File of=/dev/null bs=1024 15 LA-UR-15-25911

  16. Benchmark Results Relative Read Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 16 LA-UR-15-25911

  17. Benchmark Results Relative Write Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 17 LA-UR-15-25911

  18. CVE’s ● Insecure opening of file-descriptor 1 leading to privilege escalation (CVE-2015-3627) ● Symlink traversal on container respawn allows local privilege escalation (CVE-2015-3629) ● Read/write proc paths allow host modification & information disclosure (CVE-2015-3630) 18 LA-UR-15-25911

  19. Security Risks ● The current version of Docker fixes these security holes ● As of the 14 th of July, 1.7.1 is compatible with CentOS 6.6 ● The isolation provided by Docker is not as robust as the segregation established by hypervisors for virtual machines 19 LA-UR-15-25911

  20. Security Recommendations ● Use containers only on unclassified data/file systems ● Containers run with a whitelisted root ● Access control via SSH Keys ● Set up a password between data locations ● Don’t give root to the user ● Set up user account in the container 20 LA-UR-15-25911

  21. Future Research ● Write a launch script that works with SLURM/Moab to automatically provision the container environment. ● Investigate bind mounts using Lustre and Panasas. ● Investigate using containers in an SELinux environment. 21 LA-UR-15-25911 https://docs.docker.com/

  22. Conclusion ● We met the goal of our project by proving Docker is a lightweight security option ● Although there are some security holes to be concerned about, we’ve provided some security recommendations for Docker ● Docker would be a useful option for separating Yellow and Turquoise data 22 LA-UR-15-25911

  23. References 1. https://sites.google.com/a/ probe.newmexicoconsortium.org/cscnsi-2015- vermilion/ 2. https://www.docker.com/ 3. https://hub.docker.com/ 4. https://nvd.nist.gov/ 23 LA-UR-15-25911

  24. Questions? 24 LA-UR-15-25911

Recommend

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau Remzi H. Arpaci-Dusseau University of Wisconsin - Madison 1 File-System Availability Is Critical 2 File-System Availability Is Critical Main

1.76k views • 171 slides
Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily

Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily

Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily Tarasov, Douglas Thain, Mohamed Mohamed, Dimitrios Skourtis, Amit S. Warke and Dean Hildebrand 1 Problem High Network and Storage Overheads 2

759 views • 18 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

CS 4410 Operating Systems File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system implemented? Layered file system Directory implementation Allocation methods Free-space management 2

453 views • 18 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides

More recommend