isolating processes using docker user namespaces and
play

Isolating Processes using Docker User Namespaces and Seccomp 4 - PowerPoint PPT Presentation

Sep 01, 2023 •364 likes •585 views

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn Agenda Preliminaries Container Security Considerations Containment

  1. Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn

  2. Agenda ● Preliminaries ● Container Security Considerations ● Containment ● Namespaces ● What is Seccomp? ● Demos? 2

  3. 3

  4. The Iceberg Your code Your vendor’s code 4 (Work by Uwe Kils) http://www.ecoscope.com/iceberg/

  5. Containment ● namespaces -> what you can see cgroups -> what you can use ● seccomp -> what you can do ● 5

  6. Containment ...applications deployed in containers are more secure than applications deployed on the bare OS because even if a container is cracked they greatly limit the damage of a successful compromise... https://www.gartner.com/doc/3375717/secure-docker-containers-operation 6

  7. Namespaces 7 https://www.flickr.com/photos/arthurtlabar/4275756092/

  8. Namespaces 8

  9. Namespaces 9

  10. Enabling userns remapping 10

  11. seccomp 11 Photo Credit: Institute for a Resource-Based Economy (IRBE) https://www.flickr.com/photos/toollibrary/14427641289

  12. seccomp profiles 12

  13. How do I get it? ● You already have it! Default profile has been applied to containers since engine 1.10 ● For custom profiles, pass --security-opt option on the command line. ● 13

  14. The Iceberg (again) 14 (Work by Uwe Kils) http://www.ecoscope.com/iceberg/

  15. ENOUGH TALKING LETTUCE DEMO 15

  16. Demo? ● A DIY demo is available ● https://twitter.com/pvn (it will be the pinned tweet) ● If you’re reading this in the distant future and I’ve unpinned the tweet, try this URL instead: https://github.com/pvnovarese/2016-08-ContainerCon-Berlin/blob/master/README.md 16

  17. Further Reading, References, etc ● The definitive presentation on userns support: https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf ● Default seccomp profile: https://github.com/docker/docker/blob/master/profiles/seccomp/default.json ● Seccomp docs: https://github.com/docker/docker/blob/master/docs/security/seccomp.md ● Security non-events: https://docs.docker.com/engine/security/non-events/ ● Gartner Report: How to Secure Docker Containers in Operation https://www.gartner.com/doc/3375717/secure-docker-containers-operation ● Your Software is Safer in Docker Containers: https://blog.docker.com/2016/08/software-security-docker-containers/

  18. Booth D38 @ LinuxCon + ContainerCon Tues Oct 4th ● Build Distributed Systems without Docker, using Docker Plumbing Projects - Patrick Chanezon, David Chung and Captain Phil Estes ● Getting Started with Docker Services - Mike Goelzer ● Swarmkit: Docker’s Simplified Model for Complex Orchestration - Stephen Day ● User Namespace and Seccomp Support in Docker Engine - Paul Novarese ● Build Efficient Parallel Testing Systems with Docker - Docker Captain Laura Frank Wed Oct 5th ● How Secure is your Container? A Docker Engine Security Update - Phil Estes ● Docker Orchestration: Beyond the Basics - Aaron Lehmann ● When the Going gets Tough, get TUF Going - Riyaz Faizullabhoy and Lily Guo Thurs Oct 6th ● Orchestrating Linux Containers while Tolerating Failures - Drew Erny ● Unikernels: When you Should and When you Shouldn’t - Amir Chaudhry ● Berlin Docker Meetup Friday Oct 7th ● Tutorial: Comparing Container Orchestration Tools - Neependra Khare ● Tutorial: Orchestrate Containers in Production at Scale with Docker Swarm - Jerome Petazzoni

  20. Photo credits (all creative commons licensed) ● Iceberg http://www.ecoscope.com/iceberg/ ● Horses https://www.flickr.com/photos/arthurtlabar/4275756092/ ● Catan https://www.flickr.com/photos/bods/6120445526/ ● Workbench https://www.flickr.com/photos/toollibrary/14427641289 ● memegenerator.net obv

Recommend

C++ : An Introduction Lecture 11: Namespaces; Strings again Introducing Namespaces

C++ : An Introduction Lecture 11: Namespaces; Strings again Introducing Namespaces

C++ : An Introduction Lecture 11: Namespaces; Strings again Introducing Namespaces Namespaces are a relatively new C++ feature What problem do namespaces solve? What if you buy two different general-purpose class libraries from two

255 views • 23 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
RUN groupadd -r user && useradd -r -g user user USER user $ docker run --read-only debian

RUN groupadd -r user && useradd -r -g user user USER user $ docker run --read-only debian

RUN groupadd -r user && useradd -r -g user user USER user $ docker run --read-only debian touch x touch: cannot touch 'x': Read-only file system $ docker run -v $(pwd)/secrets:/secrets:ro \ debian touch /secrets/x touch: cannot touch

780 views • 76 slides
Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer Devops / Golang artist The Docker ecosystem Docker Engine : run containerized processes (aka: containers) Docker Compose : run multi-container

381 views • 13 slides
Templates and Namespaces Visual Computing in OpenCV: Seminar 1 Hannes Ovrn Department of

Templates and Namespaces Visual Computing in OpenCV: Seminar 1 Hannes Ovrn Department of

Templates and Namespaces Visual Computing in OpenCV: Seminar 1 Hannes Ovrn Department of Electrical Engineering Computer Vision Laboratory Linkping University August 23, 2012 Outline 1. Namespaces Introduction Namespaces in your

346 views • 16 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Namespaces for security Jake Edge, LWN.net, jake@lwn.net Embedded Linux Conference, San Francisco

Namespaces for security Jake Edge, LWN.net, jake@lwn.net Embedded Linux Conference, San Francisco

Namespaces for security Jake Edge, LWN.net, jake@lwn.net Embedded Linux Conference, San Francisco February 21, 2013 What are we going to be talking about? Threats Effects Defenses Namespaces Types of namespaces Creating

259 views • 14 slides
3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for

3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for

Semi-structured Data 3 - Namespaces Andreas Pieris and Wolfgang Fischl, Summer term 2016 Outline The Need for Namespaces Namespace Syntax Default Namespace Multiple Namespaces A Common Problem Merging of XML

533 views • 13 slides
FOSDEM 2020 VUOS: Give Your Processes a New VU Renzo Davoli University of Bologna CC-BY-SA 4.0

FOSDEM 2020 VUOS: Give Your Processes a New VU Renzo Davoli University of Bologna CC-BY-SA 4.0

FOSDEM 2020 VUOS: Give Your Processes a New VU Renzo Davoli University of Bologna CC-BY-SA 4.0 Process View VUOS User Space Kernel Space NAMESPACES Bare Linux View What VUOS can do... File system mount (vufuse) Virtual devices

345 views • 13 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
User Interfaces User Interface Design and the Processes

User Interfaces User Interface Design and the Processes

User Interfaces User Interface Design and the Processes Managing Complexity Interaction Models & Camera Models Functionality and input devices

480 views • 15 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
Isolating Failure Causes Andreas Zeller 1 Isolating Causes Actual world Alternate world

Isolating Failure Causes Andreas Zeller 1 Isolating Causes Actual world Alternate world

Isolating Failure Causes Andreas Zeller 1 Isolating Causes Actual world Alternate world ? Test Mixed world 2 2 Isolating Causes Alternate world Actual world +1.0 How can we automate this? ? Test Mixed world 3

402 views • 16 slides
Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc. @michael_hrivnak Docker is Popular Deployment gets most of the attention. 1 Developer 1 Laptop 3 Skills Exit Codes $ sudo docker run -it --rm centos:centos7

347 views • 17 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Containers and Namespaces in the Linux Kernel Kir Kolyshkin <kir@openvz.org> Agenda

Containers and Namespaces in the Linux Kernel Kir Kolyshkin <kir@openvz.org> Agenda

Containers and Namespaces in the Linux Kernel Kir Kolyshkin <kir@openvz.org> Agenda Containers vs Hypervisors Kernel components Namespaces Resource management Checkpoint/restart 2 Hypervisors VMware Xen

545 views • 27 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

502 views • 48 slides
Module 2 Module 2 XML Basics XML Basics (XML, Namespaces, (XML, Namespaces, Usage scenarios,

Module 2 Module 2 XML Basics XML Basics (XML, Namespaces, (XML, Namespaces, Usage scenarios,

Module 2 Module 2 XML Basics XML Basics (XML, Namespaces, (XML, Namespaces, Usage scenarios, DTDs) Usage scenarios, DTDs) 1 History: SGML vs. HTML vs. History: SGML vs. HTML vs. XML XML SGML (1960) XML(1996) HTML(1990) XHTML(2000)

1.03k views • 49 slides

More recommend