SlideShare a Scribd company logo

Security of Linux containers in the cloud

Dobrica Pavlinušić
Dobrica Pavlinušić

Linux container (LXC) seems to be preferred technology for deployment of Platform as a service (PaaS) in cloud. Partly because it's easy to install on top of existing visualization platforms (KVM, VMware, VirtualBox), partly because it is lightweight solution to provide separation and process allocations between separate containers running under single kernel. In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.

Technology
1 of 20
Download to read offline
Security of Linux containers in the cloud Dobrica Pavlinušić http://blog.rot13.org FSEC, FOI Varaždin, 2012-09-20 http://www.flickr.com/photos/21644167@N04/5879497600/
Security of Linux containers in the cloud Linux container (LXC) seems to be preferred technology for deployment of Platform as a service (PaaS) in cloud. Partly because it's easy to install on top of existing visualization platforms (KVM, VMware, VirtualBox), partly because it is lightweight solution to provide separation and process allocations between separate containers running under single kernel. In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.
Presentation overview ● Containers ○ namespaces ○ cgroups resource management ● Why we need MAC to make LXC secure? ● Overview of security mechanisms ○ SELinux, pam_namespace ○ libvirt-lxc = API + LXC + SELinux ○ libvirt-sandbox, virt-sandbox-service ○ systemd ○ AppArmor ○ Smack ○ OpenVZ ● stackato PaaS with free micro cloud
Linux Namespaces ● Mount - mounting/unmounting filesystems ● UTS - hostname, domainname ● IPC - SysV message queues, semaphore/shared memory segments ● Network - IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock ● Pid - Own set of pids ● UID - Not implemented yet. chroot is filesystem namespace
cgroups resource management ● limits ○ CPU (sched, cpu account, cpuset) - NUMA ○ Memory ○ Block I/O scheduling, limits ● Used to isolate different chunks of processes ○ Android - application isolation ○ Google Chrome - tabs isolation ○ systemd - services isolation ○ LXC - whole system (devices, network interfaces) ○ libvirt-lxc - incompatible with LXC http://wiki.debian.org/LXC GRUB_CMDLINE_LINUX="cgroup_enable=memory"
LXC security problems ● Root in container with /proc and /sys access ○ echo s > /proc/sysrq-trigger ○ removing capabilities from container ○ Mandatory access control (MAC) based on paths ● filesystem ○ devpts remount, securityfs, debugfs, bitfmt_misc ○ remount / on host if shared with container ● udev storm on host ○ udevadm trigger action=add https://wiki.ubuntu.com/LxcSecurity https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/645625
How to make containers secure? http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Schedule
Which MAC to use? And this are not all options! http://kernsec.org/files/CaitSith-en.pdf http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Abstracts/Handa
Namespaces in RHEL/Fedora ● pam_namespace - RHEL5/Fedora 6 ● SELinux sandbox - RHEL6/Fedora 8 ● Systemd - Fedora 17 ○ UnitFile: PrivateTmp, PrivateNetwork ● OpenShift - RHEL6 ○ Pam_namespace : Private /tmp http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Abstracts/Walsh http://kernsec.org/files/securelinuxcontainers.pdf
libvirt-lxc = API + LXC + SELinux ● Container virtualization ● Boot “init” binary ● sVirt SELinux TE + MCS ● Firewall ebtables/ip[6]tables ● Host FS passthrough bind mounts ● CGroups resource control RadHat based distributions libvirt-sandbox
virt-sandbox-service isolated virtual http server virt-sandbox-service create -C -u httpd.service apache1 ● Config /etc/libvirt-sandbox/service/apache1.sandbox ● Multiple unit files allowed ● SystemD unit file ○ /etc/systemd/system/httpd@apache1.service ● Create state directories or image ○ /var/lib/libvirt/filesystem/apache1 ■ Chroot type directory ○ Examines rpm payload ■ Clone - /var and /etc config ■ Share /usr ● Allocate unique MCS security label
Systemd ● systemctl start httpd@apache1.service ● systemctl reload httpd.service ○ Should trigger reload in all httpd@services ○ ReloadPropagatedFrom=httpd.service ● systemctl start httpd@.service ○ Should start all httpd services ● Systemd for the User Session ○ systemctl --user ○ http://linuxplumbers.ubicast.tv/videos/systemd-for-the-user-session/
AppArmor LSM Update ● basic lxc integration ● lot of userspace work ○ porting to python 3 ○ simple policy language improvements/consistency ○ policy compiler improvements ○ refactoring http://kernsec.org/files/apparmor-update.odp
Smack Veers Mobile Tizen focused # smack_label.py -w -r /srv/lxc/lxc1 lxc1 # echo "lxc1" > /proc/self/current/attr # lxc-start -n lxc1 # echo "_" > /proc/self/current/attr http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg00004.html
OpenVZ vs LXC checkpoints, live migration ploop - container in a file VSwap - RHEL-6 based OpenVZ kernel http://openvz.livejournal.com/ 7 years on merging code into mainland kernel!
It's too complicated! * as a service - buzzword bingo containers Infrastructure -> Platform -> Service
Platform as a Service It's not VM you have to administer but (proprietary) REST API and code push into container!
Stackato PaaS ● appliance PaaS, Ubuntu lucid VM ● deploy through web interface from git repo ● Ingy döt Net - Stackato Bringing the Cloud Back Home http://youtu.be/fiGurzlzfvY ● LXC (using liblxc directly) ● aufs for re-use of base installation ● collectd for stats (nothing about containers!) ● no-pay Micro Cloud download ○ http://www.activestate.com/stackato/download_vm ● Commercial licence required for public deployment!
Questions? Are we there yet? containers suffers from too many different incompoatible deployment options http://bit.ly/fsec2012-lxc http://blog.rot13.org http://www.flickr.com/photos/bcnbits/2859509269/
Virtualizations vs Containers different kernels/OS single kernel emulation of devices acl+syscall many fs caches single fs cache limits per machine limits per process legacy consolidation service deployment

Recommended

Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"Maciej Lasyk
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Cohesive Networks
 

Recommended

Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"Maciej Lasyk
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Ryan Koop's Docker Chicago Meetup Demo March 12 2014
Ryan Koop's Docker Chicago Meetup Demo March 12 2014Cohesive Networks
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not LinuxMuhammad Moinur Rahman
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepAll Things Open
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
Linux Security Myth
Linux Security MythLinux Security Myth
Linux Security MythMackenzie Morgan
 
linux security: interact with linux
linux security: interact with linuxlinux security: interact with linux
linux security: interact with linuxAmmar WK
 

More Related Content

What's hot

Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Boden Russell
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepAll Things Open
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 

What's hot (20)

Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Container security
Container securityContainer security
Container security
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not Linux
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grep
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 

Viewers also liked

linux security: interact with linux
linux security: interact with linuxlinux security: interact with linux
linux security: interact with linuxAmmar WK
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Linux security (outline)
Linux security (outline)Linux security (outline)
Linux security (outline)R.Harish Navnit
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...Dr Stylianos Mystakidis
 
Pubic Diplomacy and Web 2.0
Pubic Diplomacy and Web 2.0Pubic Diplomacy and Web 2.0
Pubic Diplomacy and Web 2.0stefan.geens
 
Free Libre Open Source Software at FFZG library
Free Libre Open Source Software at FFZG libraryFree Libre Open Source Software at FFZG library
Free Libre Open Source Software at FFZG libraryDobrica Pavlinušić
 

Viewers also liked (20)

Linux Security Myth
Linux Security MythLinux Security Myth
Linux Security Myth
 
linux security: interact with linux
linux security: interact with linuxlinux security: interact with linux
linux security: interact with linux
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with Lynis
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Linux security (outline)
Linux security (outline)Linux security (outline)
Linux security (outline)
 
Linux security
Linux securityLinux security
Linux security
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09
 
Game cih
Game cihGame cih
Game cih
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
Information Literacy and Smart Life-Long Learning: Knowledge Antidotes in the...
 
Pubic Diplomacy and Web 2.0
Pubic Diplomacy and Web 2.0Pubic Diplomacy and Web 2.0
Pubic Diplomacy and Web 2.0
 
Intro to Haml
Intro to HamlIntro to Haml
Intro to Haml
 
Free Libre Open Source Software at FFZG library
Free Libre Open Source Software at FFZG libraryFree Libre Open Source Software at FFZG library
Free Libre Open Source Software at FFZG library
 
Ppt Demo Slideshare
Ppt Demo SlidesharePpt Demo Slideshare
Ppt Demo Slideshare
 

Similar to Security of Linux containers in the cloud

Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practiceschristophm
 
Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesWerner Fischer
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & DockerJumping Bean
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Docker - Ankara JUG, Nisan 2015
Docker - Ankara JUG, Nisan 2015Docker - Ankara JUG, Nisan 2015
Docker - Ankara JUG, Nisan 2015Mustafa AKIN
 
Why you’re going to fail running java on docker!
Why you’re going to fail running java on docker!Why you’re going to fail running java on docker!
Why you’re going to fail running java on docker!Red Hat Developers
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationWSO2
 
Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Richard Clark
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installationRobert Bohne
 
Containerization & Docker - Under the Hood
Containerization & Docker - Under the HoodContainerization & Docker - Under the Hood
Containerization & Docker - Under the HoodImesha Sudasingha
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to productionmuayyad alsadi
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesJérôme Petazzoni
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfssuser9e06a61
 
Linux containers and docker
Linux containers and dockerLinux containers and docker
Linux containers and dockerFabio Fumarola
 

Similar to Security of Linux containers in the cloud (20)

Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practices
 
Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best Practices
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Linux Containers & Docker
Linux Containers & DockerLinux Containers & Docker
Linux Containers & Docker
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Docker - Ankara JUG, Nisan 2015
Docker - Ankara JUG, Nisan 2015Docker - Ankara JUG, Nisan 2015
Docker - Ankara JUG, Nisan 2015
 
Why you’re going to fail running java on docker!
Why you’re going to fail running java on docker!Why you’re going to fail running java on docker!
Why you’re going to fail running java on docker!
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
 
Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018Proxmox Talk - Linux Fest Northwest 2018
Proxmox Talk - Linux Fest Northwest 2018
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
 
Containerization & Docker - Under the Hood
Containerization & Docker - Under the HoodContainerization & Docker - Under the Hood
Containerization & Docker - Under the Hood
 
JOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to ProductionJOSA TechTalk: Taking Docker to Production
JOSA TechTalk: Taking Docker to Production
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
 
Linux containers and docker
Linux containers and dockerLinux containers and docker
Linux containers and docker
 

More from Dobrica Pavlinušić

Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernelsMainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernelsDobrica Pavlinušić
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Dobrica Pavlinušić
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionDobrica Pavlinušić
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
This is an interesting metadata source. Can I import it into Koha?
This is an interesting metadata source. Can I import it into Koha?This is an interesting metadata source. Can I import it into Koha?
This is an interesting metadata source. Can I import it into Koha?Dobrica Pavlinušić
 
KohaCon11: Integrating Koha with RFID system
KohaCon11: Integrating Koha with RFID systemKohaCon11: Integrating Koha with RFID system
KohaCon11: Integrating Koha with RFID systemDobrica Pavlinušić
 
Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Dobrica Pavlinušić
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...Dobrica Pavlinušić
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Dobrica Pavlinušić
 

More from Dobrica Pavlinušić (20)

Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernelsMainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
Mainline kernel on ARM Tegra20 devices that are left behind on 2.6 kernels
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !
 
bro - what is in my network?
bro - what is in my network?bro - what is in my network?
bro - what is in my network?
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 edition
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
 
Ganeti - build your own cloud
Ganeti - build your own cloudGaneti - build your own cloud
Ganeti - build your own cloud
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100Gnu linux on arm for $50 - $100
Gnu linux on arm for $50 - $100
 
This is an interesting metadata source. Can I import it into Koha?
This is an interesting metadata source. Can I import it into Koha?This is an interesting metadata source. Can I import it into Koha?
This is an interesting metadata source. Can I import it into Koha?
 
Web scale monitoring
Web scale monitoringWeb scale monitoring
Web scale monitoring
 
SysAdmin cookbook
SysAdmin cookbookSysAdmin cookbook
SysAdmin cookbook
 
Printing on Linux, simple right?
Printing on Linux, simple right?Printing on Linux, simple right?
Printing on Linux, simple right?
 
KohaCon11: Integrating Koha with RFID system
KohaCon11: Integrating Koha with RFID systemKohaCon11: Integrating Koha with RFID system
KohaCon11: Integrating Koha with RFID system
 
Deploy your own P2P network
Deploy your own P2P networkDeploy your own P2P network
Deploy your own P2P network
 
Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)
 
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
Slobodni softver za digitalne arhive: EPrints u Knjižnici Filozofskog fakulte...
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Security of Linux containers in the cloud

  • 1. Security of Linux containers in the cloud Dobrica Pavlinušić http://blog.rot13.org FSEC, FOI Varaždin, 2012-09-20 http://www.flickr.com/photos/21644167@N04/5879497600/
  • 2. Security of Linux containers in the cloud Linux container (LXC) seems to be preferred technology for deployment of Platform as a service (PaaS) in cloud. Partly because it's easy to install on top of existing visualization platforms (KVM, VMware, VirtualBox), partly because it is lightweight solution to provide separation and process allocations between separate containers running under single kernel. In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.
  • 3. Presentation overview ● Containers ○ namespaces ○ cgroups resource management ● Why we need MAC to make LXC secure? ● Overview of security mechanisms ○ SELinux, pam_namespace ○ libvirt-lxc = API + LXC + SELinux ○ libvirt-sandbox, virt-sandbox-service ○ systemd ○ AppArmor ○ Smack ○ OpenVZ ● stackato PaaS with free micro cloud
  • 4. Linux Namespaces ● Mount - mounting/unmounting filesystems ● UTS - hostname, domainname ● IPC - SysV message queues, semaphore/shared memory segments ● Network - IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock ● Pid - Own set of pids ● UID - Not implemented yet. chroot is filesystem namespace
  • 5. cgroups resource management ● limits ○ CPU (sched, cpu account, cpuset) - NUMA ○ Memory ○ Block I/O scheduling, limits ● Used to isolate different chunks of processes ○ Android - application isolation ○ Google Chrome - tabs isolation ○ systemd - services isolation ○ LXC - whole system (devices, network interfaces) ○ libvirt-lxc - incompatible with LXC http://wiki.debian.org/LXC GRUB_CMDLINE_LINUX="cgroup_enable=memory"
  • 6. LXC security problems ● Root in container with /proc and /sys access ○ echo s > /proc/sysrq-trigger ○ removing capabilities from container ○ Mandatory access control (MAC) based on paths ● filesystem ○ devpts remount, securityfs, debugfs, bitfmt_misc ○ remount / on host if shared with container ● udev storm on host ○ udevadm trigger action=add https://wiki.ubuntu.com/LxcSecurity https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/645625
  • 7. How to make containers secure? http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Schedule
  • 8. Which MAC to use? And this are not all options! http://kernsec.org/files/CaitSith-en.pdf http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Abstracts/Handa
  • 9. Namespaces in RHEL/Fedora ● pam_namespace - RHEL5/Fedora 6 ● SELinux sandbox - RHEL6/Fedora 8 ● Systemd - Fedora 17 ○ UnitFile: PrivateTmp, PrivateNetwork ● OpenShift - RHEL6 ○ Pam_namespace : Private /tmp http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012/Abstracts/Walsh http://kernsec.org/files/securelinuxcontainers.pdf
  • 10. libvirt-lxc = API + LXC + SELinux ● Container virtualization ● Boot “init” binary ● sVirt SELinux TE + MCS ● Firewall ebtables/ip[6]tables ● Host FS passthrough bind mounts ● CGroups resource control RadHat based distributions libvirt-sandbox
  • 11. virt-sandbox-service isolated virtual http server virt-sandbox-service create -C -u httpd.service apache1 ● Config /etc/libvirt-sandbox/service/apache1.sandbox ● Multiple unit files allowed ● SystemD unit file ○ /etc/systemd/system/httpd@apache1.service ● Create state directories or image ○ /var/lib/libvirt/filesystem/apache1 ■ Chroot type directory ○ Examines rpm payload ■ Clone - /var and /etc config ■ Share /usr ● Allocate unique MCS security label
  • 12. Systemd ● systemctl start httpd@apache1.service ● systemctl reload httpd.service ○ Should trigger reload in all httpd@services ○ ReloadPropagatedFrom=httpd.service ● systemctl start httpd@.service ○ Should start all httpd services ● Systemd for the User Session ○ systemctl --user ○ http://linuxplumbers.ubicast.tv/videos/systemd-for-the-user-session/
  • 13. AppArmor LSM Update ● basic lxc integration ● lot of userspace work ○ porting to python 3 ○ simple policy language improvements/consistency ○ policy compiler improvements ○ refactoring http://kernsec.org/files/apparmor-update.odp
  • 14. Smack Veers Mobile Tizen focused # smack_label.py -w -r /srv/lxc/lxc1 lxc1 # echo "lxc1" > /proc/self/current/attr # lxc-start -n lxc1 # echo "_" > /proc/self/current/attr http://kernsec.org/files/SmackLinuxSecuritySummit2012.pdf http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg00004.html
  • 15. OpenVZ vs LXC checkpoints, live migration ploop - container in a file VSwap - RHEL-6 based OpenVZ kernel http://openvz.livejournal.com/ 7 years on merging code into mainland kernel!
  • 16. It's too complicated! * as a service - buzzword bingo containers Infrastructure -> Platform -> Service
  • 17. Platform as a Service It's not VM you have to administer but (proprietary) REST API and code push into container!
  • 18. Stackato PaaS ● appliance PaaS, Ubuntu lucid VM ● deploy through web interface from git repo ● Ingy döt Net - Stackato Bringing the Cloud Back Home http://youtu.be/fiGurzlzfvY ● LXC (using liblxc directly) ● aufs for re-use of base installation ● collectd for stats (nothing about containers!) ● no-pay Micro Cloud download ○ http://www.activestate.com/stackato/download_vm ● Commercial licence required for public deployment!
  • 19. Questions? Are we there yet? containers suffers from too many different incompoatible deployment options http://bit.ly/fsec2012-lxc http://blog.rot13.org http://www.flickr.com/photos/bcnbits/2859509269/
  • 20. Virtualizations vs Containers different kernels/OS single kernel emulation of devices acl+syscall many fs caches single fs cache limits per machine limits per process legacy consolidation service deployment