Namespaces and Capabilities Overview and Recent Developments
|
|
|
- Theodore Baker
- 5 years ago
- Views:
Transcription
1 Namespaces and Capabilities Overview and Recent Developments Linux Security Summit Europe Edinburgh, Scotland Christian Brauner @brau_ner
2 Capabilities - splitting root into units of privilege - libcap(3) - libcap 2.26 released on 10 September 2018 with full ambient capability and namespaced filesystem capability support - libcap has moved to and Andrew Morgan is back maintaining it
3 Namespaces mount, PID, UTS, IPC, cgroup, network, user (time, device*, ima**) * technically not a real namespace ** will likely not be a namespace but tied to a namespace
4 User namespace no real privilege separation for most ns introduce ns for privilege separation
5 User namespace requirements - separate host ids from userns ids - userns root id privileged over userns - nesting should be possible - userns root id not privileged over any resources it does not own - unprivileged user should be able to safely create a userns
6 User namespace - capabilities - owning user namespace - resources
7 (user,mnt) infrastructure to enable unprivileged mount - 412ac77a9d3ec015524dacea905471d66480b7ac - (user) added a user_ns owner to mm_struct so you can have sensible ptrace permissions checks across user namespace boundaries on e.g. exec - bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 - (net) SIOCGSKNS: add an ioctl to get a socket network namespace - c62cce2caee558e18aa05c01c2fd3b40f07174f2
8 (user) limit inotify instances inside a user namespace - 1cce1eea0aff fcaca421df825b0813b6 - (user) addition of namespace ioctl()s to query hierarchy and properties of namespaces - d95fa3c76a66b6d76b1e109ea505c55e66360f3c (NS_GET_OWNER_UID) - e5ff5ce6e20ee bb31fb912466cf82a36 (NS_GET_PARENT, NS_GET_USERNS) - (user,mnt) infrastructure to enable unprivileged mounts - 93faccbbfa958a9668d3ab4e30f38dd205cee8d8
9 (pidns) expose pidns_for_children in /proc/<pid>/ns/ - eaa0d190bfe1ed891b814a52712dcd852554cb08 - (pidns) add pid namespace support to fuse takes care to translate pids when the userspace process servicing fuse requests is running in a pid namespace - 0b6e9ea041e6c932f5b3a86fae2d60cbcfad4dd2 - (all) include namespace info in perf output via PERF_RECORD_NAMESPACES - e cd319e2695a535e47c5b1feeac45eb
10 (mnt) improve umount performance dramatically (0.06s vs 60s with overlapping mount propagation trees) deb389c7da21c ba244dc1badf5 - (cgroup) add "nsdelegate" to allow cgroup delegation by considering cgroup namespaces delegation boundaries f6365ce3eace5a926e10f16ed2a233db5ba9
11 (user) introduce namespaced file capabilities - 8db6c34f1dbc8e06aa016a9b829b06902c3e1340
12 (user) bump limit of allowed user namespace mappings from 5 to aa4bf44dc851c6bdd4f7b61b5f2c56c84dfe2ff0-6397fac4915ab3002dc15aae751455da1a852f25-11a8b9270e16e36d5fb607ba4b60db2958b7c625-3edf652fa16562fb57a5a4b996ba72e2d7cdc38b - d5e7b3c5f51fc6d34e12b6d87bfd30ab277c ece b211324cc6aff b425243d2-3fda0e737e906ce73220b20c27e7f792d0aac6a8
13 (net) query peer network namespaces (RTM_NEWLINK, RTM_DELLINK, RTM_SETLINK) - 7c4f63ba d6 - c310bfcb6e1be993629c5747accf8e1c65fbb255 - b61ad68a9fe85d29d5363eb a049723cf - 5bb8ed075428b af66230aa0c07fcc bfd8758d05c85ee32052a3d7d5d0549e91b4-4ff66cae7f10b65b028dc3bdaaad9cc2989ef6ae
14 (user,mnt) make unprivileged fuse mounts work with ima - dbf107b2a7f36fa635b40e0b554514f599c75b33 - c9582eb0ff7d2b560be60eafab cdc82b - 8cb08329b bc12aa912be34355bcb66-73f03c2b4b c711c2734dbff3442b139-57b56ac6fecb05c e dd13d972de - (user,mnt) devpts: resolve devpts bind-mounts - a319b01d9095da6f6c54bd20c1f (user,net) uevent injection (device namespaces) - 94e5e3087a67c765be98592b36d8d d5-692ec06d7c92af8ca841a b9b fd
15 (user,mnt) finalize infrastructure to enable unprivileged mounts (aka getting away with regressing userspace) - 593d1ce854dff93b3c9066e897192eb676b09c b59df336f6738da916dbb520b6e37df9fbd c49ca94b14b11f08e447f40c6ebc842a4 - bc6155d f4c29fe05a32b d88e - b1d749c5c34112fab5902c43b2a37a0ba1e5f0f1 - f3f1a18330ac1b717cd7a32adff38d965f365aa2
16 (user,mnt) enable unprivileged fuse mounts - e45b2546e23c2d10f a15c745a7603fac9-4ad769f3c346ec3d458e255548dec26ca5284cf6 - (user,net) uevent namespacing (device namespaces) a7b14bc7a5455e411d820110f66557d a b3a0f8ec289e6847e1de40b4123e1639
17 Current Patchsets - (time) introduce time namespaces (mnt) AT_{BENEATH, NO_PROCLINKS, NO_SYMLINKS, THIS_ROOT, XDEV} (net) query peer network namespaces (RTM_GETADDR) (mnt) new mount api -
18 Future Patchsets - (mnt) recursive read-only bind mounts for old and new mount api - (new mount api) - (old mount api) (MS_REC_RDONLY) - (mnt) make umount{2}() reversible (tucked mounts) (mnt) handle mount propagation in statfs() syscall (user) introduce new ns ioctl()s NS_{IS_INIT,ACCESS} -
19 Future Patchsets - (lsm) lsm namespacing/stacking (seccomp) seccomp trap from userspace -
20 New things to argue about - (capabilities) split CAP_SYS_ADMIN - likely a major task, very hard to convince the right people, likely requires a whole new kernel config option (e.g. CONFIG_CAPABILITY_V2=y)
21 Namespaces and Capabilities Overview and Recent Developments Linux Security Summit Europe Edinburgh, Scotland Christian Brauner @brau_ner
Landlock LSM: toward unprivileged sandboxing
Landlock LSM: toward unprivileged sandboxing Mickaël Salaün ANSSI September 14, 2017 1 / 21 Secure user-space software How to harden an application? secure development follow the least privilege principle
File access-control per container with Landlock
File access-control per container with Landlock Mickaël Salaün ANSSI February 4, 2018 1 / 20 Secure user-space software How to harden an application? secure development follow the least privilege principle
Linux Kernel Security Overview
Linux Kernel Security Overview Linux Security Summit Europe 2018 Edinburgh, UK James Morris jmorris@namei.org $ whoami Linux kernel security subsystem maintainer Linux kernel engineer at Microsoft Previously
Flatpak a technical walk-through. Alexander Larsson, Red Hat
Flatpak a technical walk-through Alexander Larsson, Red Hat What is Flatpak? apps for the Linux Desktop Distribute your app Run it anywhere Build in anywhere Run it sandboxed How is this different from
THE ROUTE TO ROOTLESS
THE ROUTE TO ROOTLESS THE ROUTE TO ROOTLESS BILL AND TED'S ROOTLESS ADVENTURE THE ROUTE TO ROOTLESS WHAT SECURITY PROBLEM IS GARDEN SOLVING IN CLOUD FOUNDRY? THE PROBLEM IN CLOUD FOUNDRY Public Multi-Tenant
OS Containers. Michal Sekletár November 06, 2016
OS Containers Michal Sekletár msekleta@redhat.com November 06, 2016 whoami Senior Software Engineer @ Red Hat systemd and udev maintainer Free/Open Source Software contributor Michal Sekletár msekleta@redhat.com
1 Virtualization Recap
1 Virtualization Recap 2 Recap 1 What is the user part of an ISA? What is the system part of an ISA? What functionality do they provide? 3 Recap 2 Application Programs Libraries Operating System Arrows?
Understanding user namespaces
Understanding user namespaces Understanding user namespaces Michael Kerrisk, man7.org c 2018 mtk@man7.org 31 January 2018, San Jose, CA, USA Outline 1 Introduction 3 2 Some background: capabilities 6 3
What s new in control groups (cgroups) v2
Open Source Summit Europe 2018 What s new in control groups (cgroups) v2 Michael Kerrisk, man7.org c 2018 mtk@man7.org Open Source Summit Europe 21 October 2018, Edinburgh, Scotland Outline 1 Introduction
Containers and isolation as implemented in the Linux kernel
Containers and isolation as implemented in the Linux kernel Technical Deep Dive Session Hannes Frederic Sowa Senior Software Engineer 13. September 2016 Outline Containers and isolation
Rootless Containers with runc. Aleksa Sarai Software Engineer
Rootless Containers with runc Aleksa Sarai Software Engineer asarai@suse.de Who am I? Software Engineer at SUSE. Student at University of Sydney. Physics and Computer Science. Maintainer of runc. Long-time
FOSDEM 18. LTTng: The road to container awareness.
FOSDEM 18 LTTng: The road to container awareness mjeanson@efficios.com Who am I? Michael Jeanson Software developer @ EfficiOS Debian Developer What s LTTng? 2 tracers Kernel : lttng-modules Userspace
Linux Kernel Security Update LinuxCon Europe Berlin, 2016
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999
LXC(Linux Container) Lightweight virtual system mechanism Gao feng
LXC(Linux Container) Lightweight virtual system mechanism Gao feng gaofeng@cn.fujitsu.com 1 Outline Introduction Namespace System API Libvirt LXC Comparison Problems Future work 2 Introduction Container:
Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat
Linux Containers Roadmap Red Hat Enterprise Linux 7 RC Bhavna Sarathy Senior Technology Product Manager, Red Hat Linda Wang Senior Eng. Manager, Red Hat Bob Kozdemba Principal Soln. Architect, Red Hat
Docker Security. Mika Vatanen
Docker Security Mika Vatanen 13.6.2017 About me Mika Vatanen, Solution Architect @ Digia 18 years at the industry, 6 months at Digia Established ii2 a Finnish MySpace, top-5 most used web service in Finland
Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING
Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING Agenda Intro / Prep Environments Day 1: Docker Deep Dive Day 2: Kubernetes Deep Dive Day 3: Advanced Kubernetes: Concepts, Management, Middleware Day 4:
Container mechanics in Linux and rkt FOSDEM 2016
Container mechanics in Linux and rkt FOSDEM 2016 Alban Crequy github.com/alban Jonathan Boulle github.com/jonboulle @baronboulle a modern, secure, composable container runtime an implementation of appc
深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室
深 入解析 Docker 背后的 Linux 内核技术 孙健波浙江 大学 SEL/VLIS 实验室 www.sel.zju.edu.cn Agenda Namespace ipc uts pid network mount user Cgroup what are cgroups? usage concepts implementation What is Namespace? Lightweight
PROCESS MANAGEMENT Operating Systems Design Euiseong Seo
PROCESS MANAGEMENT 2016 Operating Systems Design Euiseong Seo (euiseong@skku.edu) Definition A process is a program in execution Context Resources Specifically, Register file state Address space File and
Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
Practical Techniques to Obviate Setuid-to-Root Binaries
Operating Systems, Security, Concurrency and Architecture Research Practical Techniques to Obviate Setuid-to-Root Binaries Bhushan Jain, Chia-Che Tsai, Jitin John, Donald Porter OSCAR Lab Computer Science
Overview. Wait, which firmware? Threats Update methods request_firmware() hooking Regression testing Future work
http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook (pronounced Case ) Overview Wait, which firmware? Threats Update methods request_firmware()
Is it safe to run applications in Linux Containers?
Is it safe to run applications in Linux Containers? Jérôme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is
High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute
High Performance Containers Convergence of Hyperscale, Big Data and Big Compute Christian Kniep Technical Account Manager, Docker Brief Recap of Container Technology Brief History of Container Technology
Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He
Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He Containers are amazing! Year 2013: Docker Inc. released its container engine Million downloads and about 8,000 docker
User Namespaces. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018
Linux Capabilities and Namespaces User Namespaces Michael Kerrisk, man7.org c 2018 mtk@man7.org March 2018 Outline 9 User Namespaces 9-1 9.1 Introduction 9-3 9.2 Creating and joining a user NS 9-9 9.3
See Docker from the Perspective of Linux Process. Allen Hangzhou Docker Meetup
See Docker from the Perspective of Linux Process Allen Sun@DaoCloud Hangzhou Docker Meetup 2015.03.14 Agenda 1. Prerequisite Linux Process (do_fork / copy_process ) Namespaces 2. How Docker deals process
Linux-CR: Transparent Application Checkpoint-Restart in Linux
Linux-CR: Transparent Application Checkpoint-Restart in Linux Oren Laadan Columbia University orenl@cs.columbia.edu Linux Kernel Summit, November 2010 1 orenl@cs.columbia.edu Linux Kernel Summit, November
Various Versioning & Snapshot FileSystems
Various Versioning & Snapshot FileSystems Our FileSystem versioning requirements, as I understand: A. Frequency of versioning at specified points-in-time B. Granularity of versioning a single or collection
RDMA Container Support. Liran Liss Mellanox Technologies
RDMA Container Support Liran Liss Mellanox Technologies Agenda Containers 101 RDMA isolation Namespace support Controller support Putting it all together Status Conclusions March 15 18, 2015 #OFADevWorkshop
Allowing Users to Run Services at the OLCF with Kubernetes
Allowing Users to Run Services at the OLCF with Kubernetes Jason Kincl Senior HPC Systems Engineer Ryan Adamson Senior HPC Security Engineer This work was supported by the Oak Ridge Leadership Computing
Docker and Security. September 28, 2017 VASCAN Michael Irwin
Docker and Security September 28, 2017 VASCAN Michael Irwin Quick Intro - Michael Irwin 2011 - Graduated (CS@VT); started full-time at VT Sept 2015 - Started using Docker for QA June 2016 - Attended first
Container Security. Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com
Container Security Daniel J Walsh Consulting Engineer Twitter: @rhatdan Blog: danwalsh.livejournal.com Email: dwalsh@redhat.com Container Security Container Security As explained by the three pigs Chapter
Kubernetes The Path to Cloud Native
Kubernetes The Path to Cloud Native Eric Brewer VP, Infrastructure @eric_brewer August 28, 2015 ACM SOCC Cloud Na*ve Applica*ons Middle of a great transition unlimited ethereal resources in the Cloud an
The State of Rootless Containers
The State of Rootless Containers Aleksa Sarai / SUSE Akihiro Suda / NTT @lordcyphar @_AkihiroSuda_ Who are we? Aleksa Sarai Senior Software Engineer at SUSE. Maintainer of runc and several other Open Container
ISSN (Online)
Build Minimal Docker Container Using Golang [1] Biradar Sangam.M, [2] R.Shekhar [1][2] Department of Computer Science & Engineering, Alliance University, Bangalore, INDIA Abstract: - Docker container is
State of Containers. Convergence of Big Data, AI and HPC
State of Containers Convergence of Big Data, AI and HPC Technology ReCap Comparison of Hypervisor and Container Virtualization VM1 VM2 appa appb Userland Userland Kernel Kernel Operational Abstraction
For personnal use only
Network Namespaces in RHEL7 Finnbarr P. Murphy (fpm@fpmurphy.com) Linux namespaces are somewhat like Solaris zones in many ways from a user perspective but have significant differences under the hood.
Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016
Introduction to Container Technology Patrick Ladd Technical Account Manager April 13, 2016 Container Technology Containers 3 "Linux Containers" is a Linux kernel feature to contain a group of processes
Security Namespace: Making Linux Security Frameworks Available to Containers
Security Namespace: Making Linux Security Frameworks Available to Containers Yuqiong Sun, Symantec Research Labs; David Safford, GE Global Research; Mimi Zohar, Dimitrios Pendarakis, and Zhongshu Gu, IBM
Security Assurance Requirements for Linux Application Container Deployments
Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/nist.ir.8176 Security Assurance
Outline. Cgroup hierarchies
Outline 4 Cgroups 4-1 4.1 Introduction 4-3 4.2 Cgroups v1: hierarchies and controllers 4-16 4.3 Cgroups v1: populating a cgroup 4-24 4.4 Cgroups v1: a survey of the controllers 4-38 4.5 Cgroups /proc files
DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Naming WHAT IS NAMING? Name: Entity: Slide 3. Slide 1. Address: Identifier:
![DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Naming WHAT IS NAMING? Name: Entity: Slide 3. Slide 1. Address: Identifier:](/thumbs/89/100181269.jpg "DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Naming WHAT IS NAMING? Name: Entity: Slide 3. Slide 1. Address: Identifier:")
BASIC CONCEPTS DISTRIBUTED SYSTEMS [COMP9243] Name: String of bits or characters Refers to an entity Slide 1 Lecture 9a: Naming ➀ Basic Concepts ➁ Naming Services ➂ Attribute-based Naming (aka Directory
SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG
SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG 1 WHO ARE THOSE GUYS Accela Zhao, Technologist at EMC OCTO, active Openstack community contributor, experienced in cloud scheduling
Securing Containers on the High Seas. Jack OWASP Belgium September 2018
Securing Containers on the High Seas Jack Mannino @ OWASP Belgium September 2018 Who Am I? Jack Mannino CEO at nvisium, since 2009 Former OWASP Northern Virginia chapter leader Hobbies: Scala, Go and Kubernetes
July 14, EPITA Systems/Security Laboratory (LSE) Code sandboxing. Alpha Abdoulaye - Pierre Marsais. Introduction. Solutions.
EPITA Systems/Security Laboratory (LSE) July 14, 2017 1 / 34 2 / 34 What do we want? Limit usage of some resources such as system calls and shared object functions But not from the whole program (we trust
Container Security. Docker London July 20, Everything You Probably Should Know
Docker London July 20, 2016 Container Security Everything You Probably Should Know...but most of which I m neither an expert on nor could we ever cover in the time allotted... 1 Who am I? (skipping the
Seccomp, network and namespaces. Francesco Tornieri <francesco.tornieri AT kiratech.it>
Seccomp, network and namespaces Francesco Tornieri VM vs Container 2 Namespaces ecc 3 Namespaces ecc man namespaces: A namespaces wraps a global system resource in a
Container Security and new container technologies. Dan
Container Security and new container technologies Dan Walsh @rhatdan Please Stand Please read out loud all text in RED I Promise To say Container Registries Rather than Docker registries I Promise To say
DYNAMIC DEVICE MANAGEMENT FOR LXC. Michael J Coss Oct 15, 2014
DYNAMIC DEVICE MANAGEMENT FOR LXC Michael J Coss Oct 15, 2014 OUR ORIGINAL GOAL To provide a virtual desktop environment that Has performance as close as possible to the nonvirtualized environment Lets
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux James Morris jmorris@namei.org FOSS.my 2009 Kuala Lumpur, Malaysia Overview Sandboxing SELinux Sandbox design and implementation Use examples Status and future directions
STING: Finding Name Resolution Vulnerabilities in Programs
STING: Finding Name Resolution ulnerabilities in Programs Hayawardh ijayakumar, Joshua Schiffman, Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department
Linux-CR: Transparent Application Checkpoint-Restart in Linux
Linux-CR: Transparent Application Checkpoint-Restart in Linux Oren Laadan Columbia University orenl@cs.columbia.edu Serge E. Hallyn IBM serge@hallyn.com Linux Symposium, July 2010 1 orenl@cs.columbia.edu
OS Security III: Sandbox and SFI
1 OS Security III: Sandbox and SFI Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 VMs on lab machine Extension? 3 Users and processes FACT: although ACLs use users as subject, the OS
SE Linux Implementation LINUX20
SE Linux Implementation LINUX20 Russell Coker IBM eserver pseries, Linux, Grid Computing and Storage Technical University 7/7/2004 Licensed under the GPL Topic Objectives In this topic students will learn
The failure of Operating Systems,
The failure of Operating Systems, and how we can fix it. Glauber Costa Lead Software Engineer August 30th, 2012 Linuxcon Opening Notes I'll be doing Hypervisors vs Containers here. But: 2 2 Opening Notes
Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft
Azure Sphere: Fitting Linux Security in 4 MiB of RAM Ryan Fairfax Principal Software Engineering Lead Microsoft Agenda o o o o Intro to Azure Sphere Kernel Customizations User mode services / App Model
Vx32: Lightweight User-Level Sandboxing on the x86
Vx32: Lightweight User-Level Sandboxing on the x86 Bryan Ford and Russ Cox MIT CSAIL Presented by: Ashwin Chaugule 26th Sept 2008 Area Systems security: Application Virtualization USENIX 08 - Best Student
Samba and Chrome OS the Start of a beautiful Friendship
Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaxp, Göttingen June 06, 2018 Topics Chrome OS and Chromebooks Active Directory Integration How it works, management,
13th ANNUAL WORKSHOP 2017 VERBS KERNEL ABI. Liran Liss, Matan Barak. Mellanox Technologies LTD. [March 27th, 2017 ]
![13th ANNUAL WORKSHOP 2017 VERBS KERNEL ABI. Liran Liss, Matan Barak. Mellanox Technologies LTD. [March 27th, 2017 ]](/thumbs/74/71171855.jpg "13th ANNUAL WORKSHOP 2017 VERBS KERNEL ABI. Liran Liss, Matan Barak. Mellanox Technologies LTD. [March 27th, 2017 ]")
13th ANNUAL WORKSHOP 2017 VERBS KERNEL ABI Liran Liss, Matan Barak Mellanox Technologies LTD [March 27th, 2017 ] AGENDA System calls and ABI The RDMA ABI challenge Usually abstract HW details But RDMA
Memory Externalization With userfaultfd Red Hat, Inc.
Memory Externalization With userfaultfd Red Hat, Inc. Andrea Arcangeli aarcange at redhat.com Germany, Düsseldorf 15 Oct 2014 Memory Externalization Memory externalization is about running a program with
Introduction to Containers
Introduction to Containers Shawfeng Dong Principal Cyberinfrastructure Engineer University of California, Santa Cruz What are Containers? Containerization, aka operating-system-level virtualization, refers
Intro to Container Security. Thomas Cameron Global Cloud Strategy Evangelist Mrunal Patel Principal Software Engineer
Intro to Container Security Thomas Cameron Global Cloud Strategy Evangelist Mrunal Patel Principal Software Engineer Agenda INTRODUCTION Who are we and why should you care? RED HAT AND CONTAINERS A brief
Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center
Container Adoption for NFV Challenges & Opportunities Sriram Natarajan, T-Labs Silicon Valley Innovation Center Virtual Machine vs. Container Stack KVM Container-stack Libraries Guest-OS Hypervisor Libraries
How to build and run OCI containers
How to build and run OCI containers A shallow dive on the OCI container configuration and an overview of the available tools whoami Spyros Trigazis Computing Engineer at CERN s cloud team Project Team
Zdeněk Kubala Senior QA
(Kernel) Isolation PV, HVM, OS-V technologies in Linux Introduction and description of the isolation diferences between HM, PV and OS-level virt. technologies. Zdeněk Kubala Senior QA Engineer zkubala@suse.com
Replacing Docker With Podman. By Dan
Replacing Docker With Podman By Dan Walsh @rhatdan dnf install -y podman dnf install -y podman alias docker=podman Questions Blog: https://podman.io/blogs Github: https://github.com/projectatomic/libpod
Container Detection and Forensics, Gotta catch them all!
Container Detection and Forensics, Gotta catch them all! Cem Gürkök Detection Infra Summary Docker? What is osquery and Docker capabilities What is Volatility and Docker capabilities Use cases How to detect
Security of OS-level virtualization technologies
Security of OS-level virtualization technologies Elena Reshetova 1, Janne Karhunen 2, Thomas Nyman 3, N. Asokan 4 1 Intel OTC, Finland 2 Ericsson, Finland 3 University of Helsinki, Finland 4 Aalto University
ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017
ECE 550D Fundamentals of Computer Systems and Engineering Fall 2017 The Operating System (OS) Prof. John Board Duke University Slides are derived from work by Profs. Tyler Bletsch and Andrew Hilton (Duke)
TEN LAYERS OF CONTAINER SECURITY
TEN LAYERS OF CONTAINER SECURITY A Deeper Dive 2 WHAT ARE CONTAINERS? It depends on who you ask... INFRASTRUCTURE APPLICATIONS Sandboxed application processes on a shared Linux OS kernel Simpler, lighter,
Secure Architecture Principles
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel 1 Secure
Making Applications Mobile
Making Applications Mobile using containers Ottawa Linux Symposium, July 2006 Cedric Le Goater Daniel Lezcano Clement Calmels Dave Hansen
MINCS - The Container in the Shell (script) Masami Hiramatsu
MINCS The Container in the Shell (script) Masami Hiramatsu Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami
OS security mechanisms:
OS security mechanisms: Memory Protection: One of the important aspects of Operating system security is Memory Protection. Memory provides powerful indirect way for an attacker to circumvent security mechanism,
Travis Cardwell Technical Meeting
.. Introduction to Docker Travis Cardwell Tokyo Linux Users Group 2014-01-18 Technical Meeting Presentation Motivation OS-level virtualization is becoming accessible Docker makes it very easy to experiment
System Calls. A contract between processes and the operating system. Michael E. Locasto. Department of Computer Science UofC CPSC 457
System Calls A contract between processes and the operating system Michael E. Locasto Department of Computer Science UofC CPSC 457 September 24, 2014 Agenda Learning Objective (1 minute) understand the
Introduction to Virtualization and Containers Phil Hopkins
Introduction to Virtualization and Containers Phil Hopkins @twitterhandle Virtualization What is it? Introduction to Virtualization and Containers What the heck is a hypervisor? Why are there so many of
Fakultät Informatik Institut für Systemarchitektur, Betriebssysteme THE NOVA KERNEL API. Julian Stecklina
Fakultät Informatik Institut für Systemarchitektur, Betriebssysteme THE NOVA KERNEL API Julian Stecklina (jsteckli@os.inf.tu-dresden.de) Dresden, 5.2.2012 00 Disclaimer This is not about OpenStack Compute.
Control Groups (cgroups)
LinuxCon Europe 2016 Control Groups (cgroups) c 2016 Michael Kerrisk man7.org Training and Consulting http://man7.org/training/ @mkerrisk mtk@man7.org 4 October 2016 Berlin, Germany Outline 1 Introduction
DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION
DOUG GOLDSTEIN STAR LAB XEN SUMMIT 2016 25 AUG 2016 ATTACK SURFACE REDUCTION OVERVIEW TOPICS Define attack surface Discuss parts of Xen s attack surface Attack surface metrics for Xen Define attack surface
Design Overview of the FreeBSD Kernel CIS 657
Design Overview of the FreeBSD Kernel CIS 657 Organization of the Kernel Machine-independent 86% of the kernel (80% in 4.4BSD) C code Machine-dependent 14% of kernel Only 0.6% of kernel in assembler (2%
Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?
Design Overview of the FreeBSD Kernel CIS 657 Organization of the Kernel Machine-independent 86% of the kernel (80% in 4.4BSD) C C code Machine-dependent 14% of kernel Only 0.6% of kernel in assembler
Hypervisors on ARM Overview and Design choices
Hypervisors on ARM Overview and Design choices Julien Grall Root Linux Conference 2017 ARM 2017 About me Working on ARM virtualization for the past 4 years With ARM since 2016 Co-maintaining
Security features for UBIFS. Richard Weinberger sigma star gmbh
Richard Weinberger sigma star gmbh /me Richard Weinberger Co-founder of sigma star gmbh Linux kernel developer and maintainer Strong focus on Linux kernel, lowlevel components, virtualization, security
ECE 598 Advanced Operating Systems Lecture 19
ECE 598 Advanced Operating Systems Lecture 19 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 7 April 2016 Homework #7 was due Announcements Homework #8 will be posted 1 Why use
A Userspace Packet Switch for Virtual Machines
SHRINKING THE HYPERVISOR ONE SUBSYSTEM AT A TIME A Userspace Packet Switch for Virtual Machines Julian Stecklina OS Group, TU Dresden jsteckli@os.inf.tu-dresden.de VEE 2014, Salt Lake City 1 Motivation
An introduction to Docker
An introduction to Docker Ing. Vincenzo Maffione Operating Systems Security Container technologies on Linux Several light virtualization technologies are available for Linux They build on cgroups, namespaces
Linux Security Summit Europe 2018
Linux Security Summit Europe 2018 Kernel Hardening: Protecting the Protection Mechanisms Igor Stoppa - igor.stoppa@huawei.com Cyber Security & Privacy Protection Labs - Huawei introduction memory classification
STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID
The WLCG Motivation and benefits Container engines Experiments status and plans Security considerations Summary and outlook STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID SWISS EXPERIENCE
The File Systems Evolution. Christian Bandulet, Sun Microsystems
The s Evolution Christian Bandulet, Sun Microsystems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations
CS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
HTCondor: Virtualization (without Virtual Machines)
HTCondor: Virtualization (without Virtual Machines) Brian Bockelman HTCondor Week 2013 Dictionary Definition vir tu al ize [vur-choo-uh-lahyz] verb to create a virtual version of (a computer, operating
ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project
ViryaOS RFC: Secure Containers for Embedded and IoT A proposal for a new Xen Project sub-project Stefano Stabellini @stabellinist The problem Package applications for the target Contain all dependencies
OS Virtualization. Linux Containers (LXC)
OS Virtualization Emulate OS-level interface with native interface Lightweight virtual machines No hypervisor, OS provides necessary support Referred to as containers Solaris containers, BSD jails, Linux
Outline. Cgroup hierarchies
Outline 15 Cgroups 15-1 15.1 Introduction to cgroups v1 and v2 15-3 15.2 Cgroups v1: hierarchies and controllers 15-17 15.3 Cgroups v1: populating a cgroup 15-24 15.4 Cgroups v1: a survey of the controllers
File System. Computadors Grau en Ciència i Enginyeria de Dades. Xavier Verdú, Xavier Martorell
File System Computadors Grau en Ciència i Enginyeria de Dades Xavier Verdú, Xavier Martorell Facultat d Informàtica de Barcelona (FIB) Universitat Politècnica de Catalunya (UPC) 2017-2018 Q2 Creative Commons
Docker Deep Dive. Daniel Klopp
Docker Deep Dive Daniel Klopp The Talk I m not telling you what fishing rod to use The Talk I m not telling you what fishing rod to use I m helping you understand the fishing rod The Talk I m not telling
Design and development of a distributed, secure and resilient vault management system
Design and development of a distributed, secure and resilient vault management system Mathonet G. University of Liège, Belgium June 2017 Mathonet G. (University of Liège, Belgium) Design and development