Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16


Overview
- What are Containers?
- Containers and The Cloud
- Containerization vs. H/W Virtualization
- Behind The Scenes: Docker
- Behind The Scenes: Warden
- Let's Talk Security
- Conclusion
- Q&A

What are Containers?
- chroot

What are Containers?
- Containerization, aka OS-level virtualization: the kernel allows multiple isolated user-space instances; each instance is a container
- One way to implement PaaS
- Containers, also called Virtualization Engines (VE), Virtual Private Servers (VPS) or Jails, encapsulate applications and act as the interface to the surrounding system ("chroot on steroids")
- Kernel-provided resource management limits the impact of a container's activities on others

What are Containers?
Uses:
- allocating finite hardware resources
- separating several applications for improved hardware independence and added resource management
- common in virtual hosting
- security?
Modern implementations make containers easier to use (e.g. Docker, Warden)

Containers and The Cloud
Cloud computing requires an isolation mechanism:
- Physical separation
- Hardware virtualization (aka virtualization)
- Containerization (aka OS-level virtualization)
- Multi-user accounts
Containerization provides an isolation mechanism required for cloud computing

Containerization vs. H/W Virtualization
- Containers share the same OS kernel: faster, more portable, scale more efficiently
- A single OS kernel provides file-system access, application process controls, and networking (no H/W emulation) + use of cgroups and namespaces = lightweight

Containerization vs. H/W Virtualization
Containers use namespaces to separate resources:
- PID namespaces
- Mount namespaces
- Network namespaces
- UTS namespaces: nodename & domainname
- IPC namespaces
- User namespaces
Virtualization:
- Mature, with an extensive ecosystem
- Allows for mixed kernels on the same platform
- More secure

Containerization vs. H/W Virtualization
- Containers share the OS kernel and (possibly) binaries and libraries

Behind The Scenes: Docker
- Open-source, written in Go
- Automates deployment of applications
- Can package an app and its dependencies in a container
- Accesses the Linux kernel's virtualization features in many ways

Behind The Scenes: Docker
Docker Architecture

Behind The Scenes: Warden
- Container technology used by Cloud Foundry
- Provides a service for managing a set of containers
- Written in C (core) and Ruby
- Direct use of kernel primitives for containerization (previously used LXC)
- wshd (Warden Shell Daemon): root process for managing the container and launching apps; streams standard output and error back to the client
- Garden = Warden rewritten in Go: separates server and protocol-buffer handling from a Garden Linux backend (can have a specific backend for each OS)

Behind The Scenes: Warden
Warden and Garden Architectures

Let's Talk Security
- File-system isolation is implemented; typically network and process-list isolation as well
- Lack of user namespace support: the same user ID across all containers, so processes running as root have root access everywhere
- Imperfect design and code increases the attack surface: namespace leaks are present in many containers, and many containers have had little security analysis
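The "lack of user namespace support" bullet above, and the "User namespaces" item on the namespaces slide, come down to one kernel data structure: the UID map of a user namespace, exposed as lines of "inside outside count" in /proc/<pid>/uid_map. The C program below is an added example written for this page, not code from the talk or from Docker or Warden. It parses such a map and answers the slide's question directly: does UID 0 inside the container land on UID 0 on the host? The two sample maps and all function names (`parse_id_map`, `resolve_to_host`, `container_root_is_host_root`) are constructed for the example; the first sample is the identity map every process has when no user namespace is in use, which is the situation the slide describes.

```c
/* Added example (not from the talk): how a user-namespace UID map decides what
 * "root inside the container" is on the host.  Map format is the kernel's
 * /proc/<pid>/uid_map: lines of "<inside-id> <outside-id> <count>".
 * The sample maps below are constructed for this example. */
#include <stdio.h>
#include <string.h>

struct id_map {
    unsigned long long inside;   /* first ID as seen inside the namespace */
    unsigned long long outside;  /* first ID in the parent (host) namespace */
    unsigned long long count;    /* length of the contiguous range */
};

#define MAX_MAP_LINES 16

/* Parse uid_map-style text into entries.
 * Returns the number of entries, or -1 on a malformed line. */
static int parse_id_map(const char *text, struct id_map *out, int max_entries)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max_entries) {
        unsigned long long a, b, c;
        int consumed = 0;
        if (sscanf(p, " %llu %llu %llu%n", &a, &b, &c, &consumed) != 3)
            return -1;
        out[n].inside = a; out[n].outside = b; out[n].count = c;
        n++;
        p += consumed;
        while (*p == '\n' || *p == ' ' || *p == '\t')
            p++;
    }
    return n;
}

/* Translate an ID as seen inside the namespace to the host's ID.
 * Returns -1 when no range covers the ID (the kernel then shows the overflow
 * ID, 65534/"nobody", and such IDs cannot own files). */
static long long resolve_to_host(const struct id_map *m, int n, unsigned long long inside_id)
{
    for (int i = 0; i < n; i++) {
        if (inside_id >= m[i].inside && inside_id - m[i].inside < m[i].count)
            return (long long)(m[i].outside + (inside_id - m[i].inside));
    }
    return -1;
}

/* The slide's question: does UID 0 in the container land on UID 0 on the host?
 * Returns 1 (yes), 0 (no), -1 (unparseable map). */
static int container_root_is_host_root(const char *uid_map_text)
{
    struct id_map m[MAX_MAP_LINES];
    int n = parse_id_map(uid_map_text, m, MAX_MAP_LINES);
    if (n < 0)
        return -1;
    return resolve_to_host(m, n, 0) == 0;
}

/* Constructed samples: the identity map a process has when no user namespace
 * is in play (the case the slide describes), and a remapped container where
 * container root is an ordinary host UID. */
static const char *no_userns_map = "         0          0 4294967295\n";
static const char *remapped_map  = "         0     100000      65536\n";

int main(void)
{
    /* The map of the running process itself; inside a container that does not
     * use user namespaces this is the identity map, i.e. prints 1. */
    char buf[512] = {0};
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (f) {
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        printf("this process: container root == host root? %d\n",
               container_root_is_host_root(buf));
    }
    printf("no user namespace: %d\n", container_root_is_host_root(no_userns_map));
    printf("remapped:          %d\n", container_root_is_host_root(remapped_map));
    return 0;
}
```

Run it inside a container and on the host: with the identity map, a process that is root in the container is root to the kernel, which is exactly why the slide says root "has root access everywhere"; with a remapped range, the same process is UID 100000 to the kernel and is refused wherever host root would be allowed.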

Let's Talk Security
- Shared kernel = any vulnerability in the kernel can impact all containers
- OS kernels provide much more functionality than hypervisors: larger attack surface
- Kernels will always have vulnerabilities, and containers directly expose the kernel to programs
- Containers were not designed to contain security issues

Conclusion
- Containers are very useful: they help ease software management
- Work is being done to address security, e.g. implementation of user namespaces
- Should be used with caution:
  - processes in the container should not be given privileged access
  - good for deploying apps that are trusted (e.g. from the same vendor)
  - other mechanisms such as SELinux, seccomp, and separate user accounts should be used in conjunction
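The conclusion names seccomp as one of the mechanisms to layer on top of a container, because it shrinks the kernel attack surface the previous slide describes: a filter decides per system call what the container's processes may reach. The C program below is an added example for this page, not code from the talk or from Docker or Warden, and not Docker's default profile. It builds a seccomp-BPF program that returns EPERM for a list of syscall numbers and allows everything else, checks the ABI first so the numbers cannot be reinterpreted under a foreign architecture, and installs it with no_new_privs set. The function name `install_deny_filter`, the `probe_uname` helper and the deny list used in the demo (uname standing in for syscalls a workload does not need) are all constructed for the example. Linux only; the architecture check covers x86-64, i386 and arm64.

```c
/* Added example (not from the talk): a minimal seccomp-BPF deny filter of the
 * kind the conclusion recommends alongside containers.  Denied syscalls fail
 * with EPERM instead of killing the process, so the effect is visible in the
 * caller.  Helper names and the demo deny list are constructed for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define THIS_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a filter that returns EPERM for every syscall number in `denied`
 * and allows all others.  Returns 0 on success, -1 (errno set) on failure. */
static int install_deny_filter(const int *denied, size_t n)
{
    if (n == 0 || n > 200) { errno = EINVAL; return -1; }
    size_t len = n + 6;
    struct sock_filter *f = calloc(len, sizeof *f);
    if (!f) return -1;

    /* [0..2] kill if the ABI is not ours: syscall numbers differ per architecture */
    f[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    f[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* [3] load the syscall number */
    f[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* [4..3+n] one compare per denied number: on match jump to the EPERM return at f[4+n];
     * on mismatch fall through to the next compare, or (last one) skip to the allow. */
    for (size_t i = 0; i < n; i++) {
        unsigned char jt = (unsigned char)(n - 1 - i);
        unsigned char jf = (i == n - 1) ? 1 : 0;
        f[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[i], jt, jf);
    }
    f[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    f[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    int rc = -1;
    /* no_new_privs lets an unprivileged process install the filter and stops
     * setuid binaries from regaining privileges the filter would not cover */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
    free(f);   /* the kernel keeps its own copy of the program */
    return rc;
}

/* Issue uname(2) as a raw syscall; returns 0 on success or the errno the kernel gave. */
static int probe_uname(void)
{
    struct utsname u;
    if (syscall(SYS_uname, &u) == 0)
        return 0;
    return errno;
}

int main(void)
{
    printf("uname before filter: %d\n", probe_uname());
    /* constructed deny list: uname stands in for syscalls the workload does not need;
     * a real profile would list things like mount(2) and ptrace(2) */
    int denied[] = { SYS_uname };
    if (install_deny_filter(denied, 1) != 0) {
        perror("seccomp");
        return 1;
    }
    printf("uname after filter: %d (EPERM is %d)\n", probe_uname(), EPERM);
    return 0;
}
```

A filter installed this way is inherited by every child the process spawns and cannot be removed, which is what makes it a useful last line behind the container boundary: even a process that is root inside the container still cannot reach the denied entry points of the shared kernel.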

Q&A