Containers and isolation as implemented in the Linux kernel

Slide 1: Containers and isolation as implemented in the Linux kernel
Technical Deep Dive Session
Hannes Frederic Sowa, Senior Software Engineer
13 September 2016

Slide 2: Outline
Containers and isolation as implemented in the Linux kernel: learned from history, enhanced and innovated in Free Software.
- Overview of not so recent history from other operating systems
- Representation and control from user space
- Implementation details in the kernel
- What is to come?

Slide 3: History of operating system isolation: Plan 9
- Per-process namespaces
- Distributed computing: architecture-specific files mapped via bind/union mounts
- User space servers via the 9P protocol
- Directory vnodes had an append operation
- Not yet implemented in Linux: RPC via AF_UNIX over NFS

Slide 4: History of operating system isolation: chroot, jails, zones
POSIX chroot
- Available as a syscall, thus usable in self-written applications
- Provides a new filesystem view, thus only limited isolation
FreeBSD's jails
- Strongly integrated into the operating system
- Only a small helper library available
- No operating system control and tuning
- Limited network isolation, only based on IP addresses
Solaris Zones
- Strongly integrated into the operating system (even the package manager)
- Tooling is dictated by Solaris tools

Slide 5: Namespace API design in Linux
- Isolation and resource management completely decoupled
- API never tightly coupled to any user space library
- Syscalls openly documented and reusable by 3rd party software
- Management available on/with already known kernel primitives: with rather primitive tools, nearly no new tools were needed
- Fine-grained control over which primitives to namespace
- Paved the path to a lot of user space frameworks (e.g. Docker)
- Opt-in model
- Easy to enhance in user space as well as in the kernel

Slide 6: Isolation vs. resource management
Not completely orthogonal, but still...
[Figure: processes 1 to 4 grouped in two independent ways: cgroup1/cgroup2 (cgroups: resource management) and ns1/ns2 (namespaces: isolation)]

Slide 7: Namespaces in regular use
Even on non-servers, namespaces see regular use nowadays. The slide shows lsns output (columns NS, TYPE, NPROCS, PID, USER, COMMAND) from a desktop: pid, user, uts, ipc, mnt and net namespaces created by /usr/lib/systemd/systemd --user sessions and by the Chrome browser (/opt/google/chrome/chrome --type=zygote and /opt/google/chrome/nacl_helper processes).

Slide 8: Namespace API wrap-up
- No dependencies on 3rd party libraries or tools
- No design mandated by the operating system or distributions
- Resource management independent from isolation
- Made several management tools possible (some specialized): iproute2, systemd, rkt, Docker, LXC, LXD, lmctfy, runc
- Own choice whether to use a complete distribution, a specialized init, or maybe just run the application directly in a namespace
- OpenVZ/Virtuozzo reusing and contributing to namespaces upstream

Slide 9: Outline, section 2: Representation and control from user space

Slide 10: Representation and control from user space
Processes are associated with exactly one namespace of each type:

    # ls -l /proc/self/ns/
    total 0
    lrwxrwxrwx. 1 root root 12. Sep 22:09 cgroup -> 'cgroup:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 ipc -> 'ipc:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 mnt -> 'mnt:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 net -> 'net:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 pid -> 'pid:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 user -> 'user:[ ]'
    lrwxrwxrwx. 1 root root 12. Sep 22:09 uts -> 'uts:[ ]'
    # unshare -n                # -n: unshare the network namespace
    # ls -l /proc/self/ns/net
    lrwxrwxrwx. 1 root root 12. Sep 22:10 /proc/self/ns/net -> 'net:[ ]'

Slide 11: Making namespaces persistent
Managing namespaces as a mountpoint:

    # unshare -n                # -n: unshare the network namespace
    # ls -l /proc/self/ns/net
    lrwxrwxrwx. 1 root root 12. Sep 22:10 /proc/self/ns/net -> 'net:[ ]'
    # touch /run/netns/my_namespace1
    # mount -o bind /proc/self/ns/net /run/netns/my_namespace1
    # ls -i /run/netns/my_namespace1 /run/netns/foo
    # exit
    # readlink /proc/self/ns/net
    net:[ ]
    # nsenter --net=/run/netns/my_namespace1
    # readlink /proc/self/ns/net
    net:[ ]

Slide 12: User namespaces
- User namespaces have a special role, as they directly influence permission control
- Allow becoming root inside a namespace created by an unprivileged user
- Disassociate permissions from the parent namespace: root inside the new user namespace holds capabilities over resources owned by that namespace (such as a network namespace created from it), not over the parent's
Example:

    $ id -u
    $ unshare --user -r bash
    # id -u
    0
    # unshare -n
    # nc -l ...                 # netcat is allowed to bind to the port
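What the unshare --user -r / unshare -n sequence above does under the hood, as an added example in C (not the slides' code): the process maps its own uid and gid to 0 in a new user namespace, then creates a network namespace that this user namespace owns, and inside it a bind to port 80 succeeds where the same unprivileged user was refused outside. The names idmap_line, become_root_in_userns and try_bind are this example's own, and port 80 is just an arbitrary privileged port.

```c
/* Added example, not from the slides: what "unshare --user -r bash" and a
 * following "unshare -n" do under the hood. The process maps its own uid/gid
 * to 0 in a fresh user namespace, then creates a network namespace that this
 * user namespace owns; inside it, binding a port below 1024 is permitted. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Repeated so the code also builds when <sched.h> was read without _GNU_SOURCE. */
int unshare(int flags);

/* One line for /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>".
 * Returns a static buffer; callers use it before building the next line. */
const char *idmap_line(unsigned inside, unsigned outside, unsigned count)
{
    static char buf[48];
    snprintf(buf, sizeof buf, "%u %u %u\n", inside, outside, count);
    return buf;
}

/* Write <data> to <path> in a single write(2); the id-map files require
 * the whole mapping in one call. Returns 0 or -errno. */
static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t len = (ssize_t)strlen(data);
    int rc = (write(fd, data, (size_t)len) == len) ? 0 : -errno;
    close(fd);
    return rc;
}

/* Become uid/gid 0 in a new user namespace, as an unprivileged user may:
 * a single line mapping the caller's own ids. "setgroups" must be set to
 * "deny" before gid_map can be written without CAP_SETGID. Returns 0 or -errno. */
int become_root_in_userns(void)
{
    unsigned outside_uid = (unsigned)geteuid();
    unsigned outside_gid = (unsigned)getegid();
    int rc;
    if (unshare(CLONE_NEWUSER) != 0)
        return -errno;
    if ((rc = write_file("/proc/self/uid_map", idmap_line(0, outside_uid, 1))) != 0)
        return rc;
    if ((rc = write_file("/proc/self/setgroups", "deny")) != 0)
        return rc;
    return write_file("/proc/self/gid_map", idmap_line(0, outside_gid, 1));
}

/* Try to bind a TCP socket to 0.0.0.0:<port>; 0 on success, -errno otherwise.
 * Below 1024 this needs CAP_NET_BIND_SERVICE in the socket's net namespace. */
int try_bind(unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    int rc = (bind(s, (struct sockaddr *)&sa, sizeof sa) == 0) ? 0 : -errno;
    close(s);
    return rc;
}

int main(void)
{
    /* As a normal user this first bind fails with EACCES. */
    printf("outside: uid=%u, bind(:80) -> %s\n", (unsigned)geteuid(),
           strerror(-try_bind(80)));
    int rc = become_root_in_userns();
    if (rc != 0) {
        fprintf(stderr, "user namespace: %s\n", strerror(-rc));
        return 1;
    }
    printf("inside user ns: uid=%u\n", (unsigned)geteuid());   /* 0 */
    /* The new net namespace is owned by our user namespace, where we are root. */
    if (unshare(CLONE_NEWNET) != 0) {
        perror("unshare(CLONE_NEWNET)");
        return 1;
    }
    printf("inside new net ns: bind(:80) -> %s\n", strerror(-try_bind(80)));
    return 0;
}
```

On distributions that disable unprivileged user namespaces (kernel.unprivileged_userns_clone or user.max_user_namespaces set to 0), become_root_in_userns() reports EPERM, which is the knob a hardened host uses to turn this capability off.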

Slide 13: Easier management: netns
OpenStack already uses a lightweight wrapper around these to manage network namespaces:

    # ip netns add foo
    # ip netns add bar
    # ip link add type veth
    # ip link set dev veth0 netns foo
    # ip link set dev veth1 netns bar
    # ip netns exec foo bash
    # ip ll
    1: lo: <LOOPBACK> mtu ... qdisc noop state DOWN mode DEFAULT group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: ip_vti0@none: <NOARP> mtu ... qdisc noop state DOWN mode DEFAULT group default qlen 1
        link/ipip ... brd ...
    47: veth0@if48: <BROADCAST,MULTICAST> mtu ... qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether ce:e5:a7:2f:d5:69 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    # exit

Slide 14: Representation wrap-up
- Namespaces are internally represented via normal inodes living in their own filesystem, which are globally valid; thus file descriptor passing works as usual
- Persisting a namespace is simply achieved by bind-mounting the representative file to a stable location
- Easy atomic utilities map directly to the representative syscalls:
  unshare(1) -> unshare(2) or clone(2)
  nsenter(1) -> setns(2)
  mount is really just mounting
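The tool-to-syscall mapping above, as an added example in C (not the slides' code): unshare(2) creates the namespace, mount(2) with MS_BIND persists it the way ip netns add does, setns(2) enters it like nsenter(1), and identity is compared through the inode behind /proc/<pid>/ns/<type>, which is also how lsns(1) groups the processes on slide 7. The function names and the path /run/netns/example_ns are this example's own assumptions; creating and persisting the namespace needs CAP_SYS_ADMIN, the inspection helpers do not.

```c
/* Added example, not from the slides: the syscalls behind unshare(1),
 * nsenter(1) and "ip netns add". A namespace is identified by the inode
 * behind /proc/<pid>/ns/<type>; persisting one is a bind mount of that file. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the code also builds when <sched.h> was read without _GNU_SOURCE. */
int unshare(int flags);
int setns(int fd, int nstype);

/* Parse the inode out of a readlink() result such as "net:[4026531992]".
 * Returns 0 when the string does not have the "type:[ino]" form. */
unsigned long ns_id_from_link(const char *link)
{
    const char *open_bracket = strchr(link, '[');
    if (open_bracket == NULL)
        return 0;
    char *end;
    unsigned long ino = strtoul(open_bracket + 1, &end, 10);
    return (end != open_bracket + 1 && *end == ']') ? ino : 0;
}

/* Inode of /proc/<pid>/ns/<type>, or 0 if it cannot be stat()ed. stat()
 * follows the magic link, so this is the namespace's own inode number. */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    if (stat(path, &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

/* 1 if both processes share the <type> namespace, 0 otherwise (also 0 when
 * either side cannot be inspected). lsns(1) groups processes the same way. */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_inode(a, type), ib = ns_inode(b, type);
    return ia != 0 && ia == ib;
}

/* "ip netns add" in three syscalls: move into a fresh net namespace, create
 * the mountpoint file, bind-mount our new /proc/self/ns/net onto it so the
 * namespace outlives this process. Needs CAP_SYS_ADMIN in the caller's user
 * namespace; the parent directory of <path> must exist. Returns 0 or -errno. */
int persist_new_netns(const char *path)
{
    if (unshare(CLONE_NEWNET) != 0)
        return -errno;
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0444);
    if (fd < 0)
        return -errno;
    close(fd);
    if (mount("/proc/self/ns/net", path, NULL, MS_BIND, NULL) != 0)
        return -errno;
    return 0;
}

/* nsenter --net=<path>: open the persisted file and setns() into it. */
int enter_netns(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = (setns(fd, CLONE_NEWNET) == 0) ? 0 : -errno;
    close(fd);
    return rc;
}

int main(void)
{
    const char *path = "/run/netns/example_ns";   /* constructed name */
    unsigned long host_ns = ns_inode(getpid(), "net");
    printf("net namespace now: %lu, shared with parent pid %d: %s\n", host_ns,
           (int)getppid(), same_namespace(getpid(), getppid(), "net") ? "yes" : "no");
    int rc = persist_new_netns(path);
    if (rc != 0) {
        fprintf(stderr, "persist_new_netns: %s\n", strerror(-rc));
        return 1;
    }
    unsigned long new_ns = ns_inode(getpid(), "net");
    printf("after unshare: %lu (persisted at %s)\n", new_ns, path);
    /* Re-entering through the bind mount lands on exactly the same inode. */
    if (enter_netns(path) == 0 && ns_inode(getpid(), "net") == new_ns)
        printf("setns() via %s -> same namespace inode %lu\n", path, new_ns);
    return 0;
}
```

Because the bind mount keeps the namespace alive after the process exits, remove it with ip netns delete example_ns (an unmount plus unlink) once you are done.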

Slide 15: Outline, section 3: Implementation details in the kernel

Slide 16: Implementation details in the kernel
- struct nsproxy: the set of namespace pointers a process is attached to
- struct user_namespace: establishes its own configurable UID and GID mapping
- struct uts_namespace: isolates hostname and domainname (e.g. for auth purposes)
- struct ipc_namespace: isolates (POSIX/svipc) mqueue, semaphores, shared memory
- struct net: controls isolation of network interfaces, routing tables, IP addresses
- struct pid_namespace: isolates the process tree and pid numbers
- struct mnt_namespace: abstraction and isolation over the filesystem views
- struct cgroup_namespace (recent development): control group namespace, isolates resource management

Slide 17: Mount namespace
- The most important namespace, as it also provides the isolation for /proc and (partially) for sysfs, which should get remounted in a new container
- Mount namespaces basically form trees in the kernel, which can be partially overlapping (mount subtrees)
- A process is attached to one subtree, discovered via nsproxy

Slide 18: System configuration (netns)
Configuration, routing tables, firewall etc. are all separated per network namespace. How?
- System configuration is mostly done via sysctl
- A lot of sysctls are manageable per namespace: the network namespace has its own sysctls in struct net
- Incoming packets use the configuration of the network namespace of the incoming interface
- Outgoing packets can use the socket's namespace (locally generated traffic) or the device context

Slide 19: Outline, section 4: What is to come?

Slide 20: What is coming?
- Basically the namespace concept is architecturally completely implemented
- New features added to the kernel are already designed in an orthogonal way or can correctly deal with namespaces
- The network namespace is heavyweight, thus connecting a netns to the outside world requires a virtual router or bridge
- Alternatives exist but are architecturally a dead end:
  ipvlan: multiplexes IP addresses on one interface
  macvlan: multiplexes MAC addresses on one interface
- Provide isolation on the IP layer like FreeBSD jails or Solaris; maybe even extended to act like VRF with sockets

Slide 21: Thank you
Red Hat: plus.google.com/+redhat, facebook.com/redhatinc, linkedin.com/company/red-hat, twitter.com/redhatnews, youtube.com/user/redhatvideos


More information

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG 1 WHO ARE THOSE GUYS Accela Zhao, Technologist at EMC OCTO, active Openstack community contributor, experienced in cloud scheduling

More information

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot Sandboxing (1) Motivation Depending on operating system to do access control is not enough. For example: download software, virus or Trojan horse, how to run it safely? Risks: Unauthorized access to files,

More information

TRAINING AND CERTIFICATION UPDATE

TRAINING AND CERTIFICATION UPDATE TRAINING AND CERTIFICATION UPDATE Red Hat Enterprise User Group Twin Cities Steve Bonneville Manager, Curriculum Development / Red Hat November 11, 2015 RED HAT LEARNING SUBSCRIPTION One year access to

More information

FreeBSD Jails vs. Solaris Zones

FreeBSD Jails vs. Solaris Zones FreeBSD Jails vs. Solaris Zones (and OpenSolaris) James O Gorman james@netinertia.co.uk Introduction FreeBSD user since 4.4-RELEASE Started using Solaris ~3.5 years ago Using jails for website hosting

More information

Kubernetes Love at first sight?

Kubernetes Love at first sight? Kubernetes Love at first sight? 15, February 2018 Joost Hofman (Lead Developer @ Albert Heijn IT Online) Milo van der zee (Senior Developer @Albert Heijn IT Online) Agenda Kubernetes Why at AH? How? Questions

More information

Dockercon 2017 Networking Workshop

Dockercon 2017 Networking Workshop Dockercon 2017 Networking Workshop Mark Church, Technical Account Manager @ Docker Lorenzo Fontana, Docker Captain Nico Kabar, Solutions Architect @ Docker Agenda 1. Container Network Model 2. Docker Networking

More information

Red Hat Roadmap for Containers and DevOps

Red Hat Roadmap for Containers and DevOps Red Hat Roadmap for Containers and DevOps Brian Gracely, Director of Strategy Diogenes Rettori, Principal Product Manager Red Hat September, 2016 Digital Transformation Requires an evolution in... 2 APPLICATIONS

More information

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation Kata Containers The way to run virtualized containers Sebastien Boeuf, Linux Software Engineer Intel Corporation https://regmedia.co.uk/2017/09/11/shutterstock_containers_in_port.jpg Containers 101 Process

More information

Filesystem Hierarchy and Permissions

Filesystem Hierarchy and Permissions and Linux Prepared by Steven Gordon on 19 April 2017 Common/Reports/linux-file-permissions.tex, r1417 1/15 Multiuser and Server Operating System Linux systems are commonly used as a multi-user system E.g.

More information

Faculty of Computer Science Institute for System Architecture, Operating Systems Group. Naming. Stefan Kalkowski. Dresden,

Faculty of Computer Science Institute for System Architecture, Operating Systems Group. Naming. Stefan Kalkowski. Dresden, Faculty of Computer Science Institute for System Architecture, Operating Systems Group Naming Stefan Kalkowski Dresden, 2007-11-27 So far... Basics: Tasks and Threads Synchronization Memory Communication

More information

OpenStack Neutron. Introduction and project status & Use case ML2 plugin with l2 population

OpenStack Neutron. Introduction and project status & Use case ML2 plugin with l2 population OpenStack Neutron Introduction and project status & Use case ML2 plugin with l2 population Summary 1. OpenStack Neutron Why Neutron? What s Neutron? 2. 2014.1 release Please, stabilize it! Features 3.

More information

Linux Kernel Security Overview

Linux Kernel Security Overview Linux Kernel Security Overview Linux Security Summit Europe 2018 Edinburgh, UK James Morris jmorris@namei.org $ whoami Linux kernel security subsystem maintainer Linux kernel engineer at Microsoft Previously

More information

Lecture 5. Switching

Lecture 5. Switching TEL3214 Computer Communication Networks Lecture 5 Switching 10.10.10.30/24 (eth0.10) Trunk SW_B VLAN 10 (eth0.20) VLAN 20 CEng, FIEI, FIET, CISSP 20.20.20.30/24 diarmuid@obriain.com Bridging Device used

More information

[Docker] Containerization

[Docker] Containerization [Docker] Containerization ABCD-LMA Working Group Will Kinard October 12, 2017 WILL Kinard Infrastructure Architect Software Developer Startup Venture IC Husband Father Clemson University That s me. 2 The

More information

The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure. Albert Law Solution Architect Manager

The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure. Albert Law Solution Architect Manager The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure Albert Law Solution Architect Manager Agenda The Challenges and the trend Bridging the gap Next step 2 FROM

More information

A Design and Implementation of Universal Container

A Design and Implementation of Universal Container , pp.137-143 http://dx.doi.org/10.14257/astl.2016.136.33 A Design and Implementation of Universal Container Xin Li 1, Hee-Kyung Moon 1, Sung-Kook Han 1, 1 Department of Computer Engineering, Wonkwang University

More information

Bringing Security and Multitenancy. Lei (Harry) Zhang

Bringing Security and Multitenancy. Lei (Harry) Zhang Bringing Security and Multitenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang #Microsoft MVP in cloud and datacenter management though I m a Linux guy :/ Previous: VMware, Baidu Feature

More information

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC Splunk N Box Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer 9/25/2017 Washington, DC Forward-Looking Statements During the course of this presentation, we may make forward-looking

More information

SQUASH. Debugger for microservices. Idit Levine solo.io

SQUASH. Debugger for microservices. Idit Levine solo.io SQUASH Debugger for microservices Idit Levine solo.io About me Idit Levine Founder and CEO of solo.io @Idit_Levine @ilevine The problem: Debugging microservices applications is hard The problem A monolithic

More information

Is it safe to run applications in Linux Containers?

Is it safe to run applications in Linux Containers? Is it safe to run applications in Linux Containers? Jérôme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is

More information

Cisco Virtual Update Container networking. Hans Donnerborg, Lars Granberg, Maj 2018

Cisco Virtual Update Container networking. Hans Donnerborg, Lars Granberg, Maj 2018 Cisco Virtual Update Container networking Hans Donnerborg, hdonnerb@cisco.com Lars Granberg, lagranbe@cisco.com Maj 2018 Why ACI for Application Container Platforms Turnkey solution for node and container

More information

Exam LFCS/Course 55187B Linux System Administration

Exam LFCS/Course 55187B Linux System Administration Exam LFCS/Course 55187B Linux System Administration About this course This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional

More information

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration Jonathan Boulle github.com/jonboulle - @baronboulle Why rkt and Kubernetes? Why rkt and Kubernetes? Why container runtimes

More information

Course 55187B Linux System Administration

Course 55187B Linux System Administration Course Outline Module 1: System Startup and Shutdown This module explains how to manage startup and shutdown processes in Linux. Understanding the Boot Sequence The Grand Unified Boot Loader GRUB Configuration

More information

GL-280: Red Hat Linux 7 Update. Course Description. Course Outline

GL-280: Red Hat Linux 7 Update. Course Description. Course Outline GL-280: Red Hat Linux 7 Update Course Description This is a differences course that focuses on the new technologies and features that made their appearance in Red Hat Enterprise Linux v7. It is intended

More information

Multi-Arch Layered Image Build System

Multi-Arch Layered Image Build System Multi-Arch Layered Image Build System PRESENTED BY: Adam Miller Fedora Engineering, Red Hat CC BY-SA 2.0 Today's Topics Define containers in the context of Linux systems Brief History/Background Container

More information

Security Assurance Requirements for Linux Application Container Deployments

Security Assurance Requirements for Linux Application Container Deployments Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/nist.ir.8176 Security Assurance

More information

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B:: Module Title Duration : 55187B: Linux System Administration : 4 days Overview This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional

More information

Docker Rocker. Aliyun wzt

Docker Rocker. Aliyun wzt Docker Rocker Aliyun wzt Namespace Unix fork process - task_struct/thread_struct - - - - - - - - - - - / \- - - - - - - - - - - - - - - - - - - fork / fork \ fork thread1 - - - - - - - - - - - - - - -

More information